security question.

Amer Shah amerrahman at gmail.com
Fri Apr 11 21:48:57 MSD 2008


Hello All.

Thanks for the feedback.

Igor, as for the jail, it's nothing nginx specific, but as a relative
FreeBSD newbie, it's a little overwhelming to set up the jail. I've gotten
most of the way there but usually am at a loss at the last few steps.

I've moved my ftpd to listen only on the internal network now, so the
only internet-facing daemons I have are sshd (running on a non-standard port
with root logins disabled) and nginx, which I will chroot now. I think
this along with ipfw should be safe enough for now until I have a better
handle on FreeBSD.

As always, thanks for your help, guys. And as the original poster of the
'config for static files' thread, I've now finalized the setup and configs
and ran ab against it, and am consistently clocking in at 6000 RPS when
running ab from a remote machine. This really is quite amazing.


On Fri, Apr 11, 2008 at 1:25 PM, Ed W <lists at wildgooses.com> wrote:

> Cliff Wells wrote:
>
> > On Fri, 2008-04-11 at 05:36 -0400, Amer Shah wrote:
> >
> > > I'm about to throw the towel in. I was wondering how big a deal it is
> > > to not run it in a jail. Is chrooting it sufficient? What do people
> > > around here normally do?
> >
> > I usually run it as a normal process (as user nginx). It's the
> > applications I worry about more than the web server itself. Since Nginx
> > (unlike a typical Apache configuration) doesn't run applications within
> > its own process space (unlike Apache's mod_php, mod_python, etc.), it's
> > fairly easy to run those applications under separate users, and this
> > greatly alleviates many security risks.
>
> Have you played with any MAC schemes, e.g. grsecurity? Quite good for
> locking a user into a defined set of directories, and you can even limit
> permissions to do stuff like incoming or outgoing net connections (why would
> your PHP user need to create an outgoing network connection other than when
> the user account is compromised...). This can greatly decrease the damage
> an attacker can do.
>
> Ed W
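Added here as an illustration, not code posted by anyone in this thread: a small POSIX sh audit for the hardening points the discussion settles on (nginx workers running as an unprivileged user, root logins over ssh disabled, and only sshd and nginx listening on a public address). The paths it mentions are the FreeBSD port defaults, the `public_listeners` check assumes the column layout of `sockstat -4 -l`, and every input it actually runs over is a constructed sample written to a temporary directory, so it runs offline.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the participants.
# On a real FreeBSD host the inputs would be /usr/local/etc/nginx/nginx.conf,
# /etc/ssh/sshd_config and the output of `sockstat -4 -l`; the files used
# below are constructed samples.

# nginx_user_ok CONF: succeed if CONF names an explicit worker user and it is
# not root. Without a "user" directive nginx uses its compiled-in default,
# which the config file alone cannot tell us, so a missing directive fails too.
nginx_user_ok() {
    users=$(sed -n 's/^[[:space:]]*user[[:space:]][[:space:]]*\([^[:space:];]*\).*/\1/p' "$1")
    [ -n "$users" ] || return 1
    for u in $users; do
        [ "$u" != "root" ] || return 1
    done
    return 0
}

# sshd_root_login_disabled CONF: sshd honours the first occurrence of a keyword,
# so only the first uncommented PermitRootLogin line counts and it must be "no".
# A file without the directive fails, since the default varies by OpenSSH
# version. Assumption: no Match blocks override the global setting.
sshd_root_login_disabled() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$v" = "no" ]
}

# public_listeners SOCKSTAT_FILE ALLOWED INTERNAL_PREFIX: print every listener
# whose local address is neither loopback nor on the internal network (an
# address starting with INTERNAL_PREFIX, e.g. "192.168.") and whose command is
# not in the space-separated ALLOWED list. Succeeds only when nothing is printed.
# Columns follow `sockstat -4 -l`: USER COMMAND PID FD PROTO LOCAL FOREIGN.
public_listeners() {
    awk -v allowed="$2" -v internal="$3" '
        BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                          # skip the header line
        {
            split($6, addr, ":"); ip = addr[1]    # "*:80" -> "*", "10.0.0.5:21" -> "10.0.0.5"
            if (ip == "127.0.0.1" || index(ip, internal) == 1) next
            if (!($2 in ok)) { print $2 " listening on " $6; bad = 1 }
        }
        END { exit bad }' "$1"
}

# audit NGINX_CONF SSHD_CONF SOCKSTAT_FILE: run all three checks, report each
# and return the number of checks that failed.
audit() {
    failed=0
    if nginx_user_ok "$1"; then echo "ok:   nginx workers run as an unprivileged user"
    else echo "FAIL: nginx worker user is root or not set explicitly"; failed=$((failed + 1)); fi
    if sshd_root_login_disabled "$2"; then echo "ok:   root logins over ssh are disabled"
    else echo "FAIL: PermitRootLogin is not 'no'"; failed=$((failed + 1)); fi
    if public_listeners "$3" "sshd nginx" "192.168."; then echo "ok:   only sshd and nginx face the internet"
    else echo "FAIL: unexpected public listener(s) listed above"; failed=$((failed + 1)); fi
    return $failed
}

# Constructed sample inputs: one hardened host and one that misses every check.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/nginx-good.conf" <<'EOF'
user  nginx;
worker_processes  2;
events { worker_connections 1024; }
EOF
printf 'worker_processes 2;\n' > "$SAMPLE_DIR/nginx-missing.conf"

cat > "$SAMPLE_DIR/sshd-good" <<'EOF'
#PermitRootLogin yes
Port 2222
PermitRootLogin no
EOF
printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$SAMPLE_DIR/sshd-bad"

cat > "$SAMPLE_DIR/sockstat-good" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   3  tcp4   *:2222                *:*
nginx    nginx      701   6  tcp4   *:80                  *:*
root     ftpd       540   4  tcp4   192.168.1.10:21       *:*
root     sendmail   590   4  tcp4   127.0.0.1:25          *:*
EOF
# Same host, but ftpd still bound to every interface.
sed 's/192\.168\.1\.10:21/*:21/' "$SAMPLE_DIR/sockstat-good" > "$SAMPLE_DIR/sockstat-bad"

echo "--- hardened sample host ---"
audit "$SAMPLE_DIR/nginx-good.conf" "$SAMPLE_DIR/sshd-good" "$SAMPLE_DIR/sockstat-good"
echo "--- unhardened sample host ---"
audit "$SAMPLE_DIR/nginx-missing.conf" "$SAMPLE_DIR/sshd-bad" "$SAMPLE_DIR/sockstat-bad" || echo "$? check(s) failed"
```

The checks deliberately read configuration and socket listings rather than trusting a process list: a `user` directive that names root, or that is absent and leaves the choice to the binary's compiled-in default, is exactly what a chroot or jail will not protect against, and a daemon bound to `*` is public whatever the intent was.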