Best way to sandbox Apache on Linux
Disclaimer: this page is a translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/145540/
Asked by
I have Apache running on a public-facing Debian server, and am a bit worried about the security of the installation. This is a machine that hosts several free-time hobby projects, so none of us who use the machine really have the time to constantly watch for upstream patches, stay aware of security issues, etc. But I would like to keep the bad guys out, or if they get in, keep them in a sandbox.
So what's the best, easy to set up, easy to maintain solution here? Is it easy to set up a user-mode linux sandbox on Debian? Or maybe a chroot jail? I'd like to have easy access to files inside the sandbox from the outside. This is one of those times where it becomes very clear to me that I'm a programmer, not a sysadmin. Any help would be much appreciated!
Accepted answer by xardias
Chroot jails can be really insecure when you are running a complete sandbox environment. Attackers have complete access to kernel functionality and for example may mount drives to access the "host" system.
I would suggest that you use linux-vserver. You can see linux-vserver as an improved chroot jail with a complete debian installation inside. It is really fast since it is running within one single kernel, and all code is executed natively.
I personally use linux-vserver for separation of all my services and there are only barely noticeable performance differences.
Have a look at the linux-vserver wiki for installation instructions.
regards, Dennis
Answered by blueyed
I second what xardias says, but recommend OpenVZ instead.
It's similar to Linux-Vserver, so you might want to compare those two when going this route.
I've setup a webserver with a proxy http server (nginx), which then delegates traffic to different OpenVZ containers (based on hostname or requested path). Inside each container you can setup Apache or any other webserver (e.g. nginx, lighttpd, ..). This way you don't have one Apache for everything, but could create a container for any subset of services (e.g. per project).
OpenVZ containers can quite easily get updated altogether ("for i in $(vzlist -H -o ctid); do vzctl exec $i apt-get upgrade; done")
The files of the different containers are stored in the hardware node and therefore you can quite easily access them by SFTPing into the hardware node. Apart from that you couldadd a public IP address to some of your containers, install SSH there and then access them directly from the container. I've even heard from SSH proxies, so the extra public IP address might be unnecessary even in that case.
Answered by UnkwnTech
To make sure it is said, chroot jails are rarely a good idea; they are, despite the intention, very easy to break out of. In fact, I have seen it done by users accidentally!
Answered by Alexander
No offense, but if you don't have time to watch for security patches, and stay aware of security issues, you should be concerned, no matter what your setup. On the other hand, the mere fact that you're thinking about these issues sets you apart from the other 99.9% of owners of such machines. You're on the right path!
Answered by mdec
You could always set it up inside a virtual machine and keep an image of it, so you can re-roll it if need be. That way the server is abstracted from your actual computer, and any virus' or so forth are contained inside the virtual machine. As I said before, if you keep an image as a backup you can restore to your previous state quite easy.
Answered by Terminus
I find it astonishing that nobody mentioned mod_chroot and suEXEC, which are the basic things you should start with, and, most likely the only things you need.
Answered by niXar
You should use SELinux. I don't know how well it's supported on Debian; if it's not, just install a Centos 5.2 with SELinux enabled in a VM. Shouldn't be too much work, and much much safer than any amateur chrooting, which is not as safe as most people believe. SELinux has a reputation for being difficult to admin, but if you're just running a webserver, that shouldn't be an issue. You might just have to do a few "sebool" to let httpd connect to the DB, but that's about it.
Answered by niXar
While all of the above are good suggestions, I also suggest adding an iptables rule to disallow unexpected outgoing network connections. Since the first thing most automated web exploits do is download the rest of their payload, preventing the network connection can slow the attacker down.
Some rules similar to these can be used (Beware, your webserver may need access to other protocols):
    iptables --append OUTPUT -m owner --uid-owner apache -m state --state ESTABLISHED,RELATED --jump ACCEPT
    iptables --append OUTPUT -m owner --uid-owner apache --protocol udp --destination-port 53 --jump ACCEPT
    iptables --append OUTPUT -m owner --uid-owner apache --jump REJECT
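The per-user egress filter from the answer above, as an added example that is not part of the original answer: a small POSIX shell script that generates the rules for a given user (on Debian, Apache runs as www-data rather than apache, so the user name is a parameter), adds a LOG target so denied connection attempts show up in the kernel log, and only applies the rules when run as root with --apply. The extra tcp:3306 destination and the log prefix are my assumptions.

```shell
#!/bin/sh
# Added example: generate and optionally apply per-UID egress rules for the
# web server user. Extra allowed destinations are given as proto:port.

# egress_rules USER [proto:port ...] -> prints the iptables commands, one per line
egress_rules() {
    user="$1"; shift
    # Replies on connections the server accepted are not new outgoing connections.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$user"
    # DNS so the web server can resolve names it legitimately needs.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -p udp --dport 53 -j ACCEPT\n' "$user"
    # Explicitly allowed services, e.g. tcp:3306 for a database on another host.
    for dest in "$@"; do
        proto="${dest%%:*}"; port="${dest#*:}"
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -p %s --dport %s -j ACCEPT\n' "$user" "$proto" "$port"
    done
    # Log, then reject, everything else. The log line is the detection signal
    # for a compromised web process trying to fetch a second-stage payload.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j LOG --log-prefix "WWW-EGRESS-DENY "\n' "$user"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j REJECT\n' "$user"
}

# apply_rules USER [proto:port ...] -> installs the rules (needs root); refuses
# unknown users so a typo does not silently produce rules that match nothing.
apply_rules() {
    id -u "$1" >/dev/null 2>&1 || { echo "no such user: $1" >&2; return 1; }
    egress_rules "$@" | sh -e
}

# Dry run by default: print the rules for Debian's www-data user, allowing
# MySQL on a remote host (assumed destination). Pass --apply as root to install.
if [ "${1:-}" = "--apply" ]; then
    apply_rules www-data tcp:3306
else
    egress_rules www-data tcp:3306
fi
```

Check the result with `iptables -L OUTPUT -v -n` and watch for the WWW-EGRESS-DENY prefix in the kernel log before tightening further.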
回答by Tim Post
If using Debian, debootstrap is your friend coupled with QEMU, Xen, OpenVZ, Lguest or a plethora of others.
Answered by Midhat
Make a virtual machine. Try something like VMware or QEMU.