Problem description
I have Apache running on a public-facing Debian server, and am a bit worried about the security of the installation. This is a machine that hosts several free-time hobby projects, so none of us who use the machine really have the time to constantly watch for upstream patches, stay aware of security issues, etc. But I would like to keep the bad guys out, or if they get in, keep them in a sandbox.
So what's the best, easy to set up, easy to maintain solution here? Is it easy to set up a user-mode linux sandbox on Debian? Or maybe a chroot jail? I'd like to have easy access to files inside the sandbox from the outside. This is one of those times where it becomes very clear to me that I'm a programmer, not a sysadmin. Any help would be much appreciated!
Recommended answer
Chroot jails can be really insecure when you are running a complete sandbox environment. Attackers have complete access to kernel functionality and for example may mount drives to access the "host" system.
I would suggest that you use linux-vserver. You can see linux-vserver as an improved chroot jail with a complete Debian installation inside. It is really fast since it is running within one single kernel, and all code execution is done natively.
I personally use linux-vserver for separation of all my services and there are only barely noticeable performance differences.
Take a look at the installation instructions.
Regards, Dennis
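The answer's point that a process in a chroot keeps access to kernel functionality can be checked per process. The following is an added example, not part of the original answer: it decodes the `CapEff` mask from `/proc/<pid>/status` and lists the capabilities that reach beyond a chroot. The sample status text is constructed, and the set of capabilities flagged is this example's own choice.

```python
import re
import sys

# Bit numbers from <linux/capability.h>. Which ones to flag is this example's
# choice: each lets a process act on the host kernel regardless of its chroot.
RISKY_CAPS = {
    2: ("CAP_DAC_READ_SEARCH", "bypass file read and directory search checks"),
    16: ("CAP_SYS_MODULE", "load and unload kernel modules"),
    17: ("CAP_SYS_RAWIO", "raw I/O port and memory access"),
    18: ("CAP_SYS_CHROOT", "call chroot() again"),
    19: ("CAP_SYS_PTRACE", "trace arbitrary processes"),
    21: ("CAP_SYS_ADMIN", "mount and unmount filesystems"),
    27: ("CAP_MKNOD", "create device nodes"),
}

# Constructed samples of /proc/<pid>/status (only the relevant lines).
SAMPLE_ROOT_DAEMON = "Name:\tapache2\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
SAMPLE_DROPPED = "Name:\tapache2\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000400\n"


def effective_caps(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def risky_caps(status_text):
    """List (name, effect) for every flagged capability the process holds."""
    mask = effective_caps(status_text)
    return [RISKY_CAPS[bit] for bit in sorted(RISKY_CAPS) if mask & (1 << bit)]


if __name__ == "__main__":
    # With a PID argument, audit that process; otherwise use the root sample.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ROOT_DAEMON
    for name, effect in risky_caps(text):
        print(f"{name}: {effect}")
```

An empty result for the web server's worker processes means none of the flagged capabilities are held; a root-owned process with the full mask reports all seven.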