Best way to sandbox Apache on Linux


Problem description

I have Apache running on a public-facing Debian server, and am a bit worried about the security of the installation. This is a machine that hosts several free-time hobby projects, so none of us who use the machine really have the time to constantly watch for upstream patches, stay aware of security issues, etc. But I would like to keep the bad guys out, or if they get in, keep them in a sandbox.

So what's the best, easy to set up, easy to maintain solution here? Is it easy to set up a user-mode linux sandbox on Debian? Or maybe a chroot jail? I'd like to have easy access to files inside the sandbox from the outside. This is one of those times where it becomes very clear to me that I'm a programmer, not a sysadmin. Any help would be much appreciated!

Recommended answer

Chroot jails can be really insecure when you are running a complete sandbox environment. Attackers have complete access to kernel functionality and for example may mount drives to access the "host" system.

I would suggest that you use linux-vserver. You can see linux-vserver as an improved chroot jail with a complete debian installation inside. It is really fast since it is running within one single kernel, and all code is executed natively.

I personally use linux-vserver for separation of all my services and there are only barely noticeable performance differences.

Have a look at the linux-vserver wiki for installation instructions.

Regards, Dennis
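
The answer's concern that a chrooted process still reaches kernel functionality such as mounting can be checked per process, because mount(2) requires CAP_SYS_ADMIN. The script below is an added example, not part of the original answer; the set of flagged capabilities and the two sample status texts are this example's assumptions (constructed).

```python
import re
import sys

# Bit numbers from <linux/capability.h>. Which ones to flag is this example's choice.
FLAGGED_CAPS = {
    16: "CAP_SYS_MODULE",  # load and unload kernel modules
    18: "CAP_SYS_CHROOT",  # use chroot(2)
    21: "CAP_SYS_ADMIN",   # mount(2)/umount(2) and many other admin operations
    27: "CAP_MKNOD",       # create device nodes with mknod(2)
}

# Constructed samples in the format of /proc/<pid>/status (relevant lines only).
SAMPLE_ROOT_IN_CHROOT = "Name:\tapache2\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_WWW_DATA = "Name:\tapache2\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000000\n"


def parse_status(text):
    """Return (effective uid, effective capability mask) from status text."""
    # Uid line fields are: real, effective, saved, filesystem.
    euid = int(re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M).group(1))
    cap_eff = int(re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M).group(1), 16)
    return euid, cap_eff


def flagged_caps(cap_eff):
    """Names of flagged capabilities whose bit is set in the mask."""
    return [name for bit, name in sorted(FLAGGED_CAPS.items()) if (cap_eff >> bit) & 1]


def audit(text):
    """Summarise whether a process keeps capabilities that undermine a chroot."""
    euid, cap_eff = parse_status(text)
    return {"euid": euid, "flagged": flagged_caps(cap_eff)}


if __name__ == "__main__":
    # Usage: python3 capaudit.py <pid>   (defaults to the current process)
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as fh:
        print(audit(fh.read()))
```

An empty `flagged` list for every Apache process means none of them can mount filesystems; a root process inside a plain chroot shows all four.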
