I followed this tutorial http://wiki.debian.org/chroot on Debian Squeeze AMD64, to get a separate environment.

Is this chroot really safe? In other chroot tutorials, creating a chroot for an application is really hard; with this tutorial it appears to install a small separate system in the chroot, including a package manager.

My goal is to make a chroot for nginx + php5-fpm, to harden a Linux server. Is that the right way?


1 Answer


Debootstrap is intended for package building and testing.
And I would not consider chroot a security feature, to start with.

If your goal is to harden a server hosting a web server + web application, other measures are more appropriate, namely:

  • dedicated separated partitions/LVs with restricted mount options:

For example, I have the DocumentRoot of my webserver set to /srv/www, which is a dedicated logical volume mounted with restrictive options

/dev/mapper/root_vg-srv_lv on /srv type ext4 (rw,nosuid,nodev,noexec,relatime,seclabel,quota,usrquota,grpquota,data=ordered,usrquota,grpquota)

the relevant ones being nodev, noexec, seclabel and *quota.
All because developers can upload content via GitHub/live repositories, and I choose not to trust them regarding safe permissions, ownership, SELinux labeling, etc...

  • SELinux/AppArmor (the second possibly having better support in Debian as of now)

SELinux is, unfortunately, not fully functional in Debian (although squeeze is better supported than wheezy, IIRC). I suggest AppArmor for this reason. It should be easier to implement than SELinux.

  • ModSecurity

You definitely want a web application firewall.

  • IPTables + Fail2Ban

Combining these two tools can, at the very least, decrease the chances of an attack succeeding.

  • Possibly quite a lot more depending on what your application is for.

Does your application use fill-in forms? Does it manage a database? User authentication?
Securing a website is not an easy task; I'd suggest reading a lot before exposing anything in the wild.

  • Hi, thank you for the help. Can you explain better or give me a link about the first point (separate partitions/LVs with restricted mount options)? SELinux appears to be so complicated, because it's impossible to look for an nginx policy. Is AppArmor as safe as SELinux? What do you mean by "quite a lot more"? For a webserver nginx+ssl+php-fpm, what else would it do? Thank you for the patience. – Eghes Apr 14 '13 at 16:15
  • Thanks again. "Does your application use fill-in forms? Does it manage a database? User authentication?" Yes, my application is a typical dynamic website, e-commerce, with forms, user login, database, all typical webserver services. Yes, I know it's a really hard task, therefore I'm reading a lot... But unluckily, the hardening tutorials are very generic and conflicting... – Eghes Apr 15 '13 at 00:07
  • Do you have any more tips about it? Thanks – Eghes Apr 16 '13 at 20:30
  • Many, but that is not the way this site works: specific questions with specific answers. If you think my answer is valid, mark it so. If you think it's not valid, down-vote it. I think the question you made, as it stands, has been answered. I suggest starting by learning how to secure an OS, and then move onto securing a web server. – dawud Apr 16 '13 at 20:44
  • Yes, but from your final questions I supposed the answer could become more detailed. (My comments always refer to the same topic.) Thank you. – Eghes Apr 16 '13 at 21:54
  • That was meant to imply there are a lot of things about your application that I don't know, so I cannot be more specific. I will try editing my answer to add some hints, but bear in mind it is a broad subject. – dawud Apr 17 '13 at 04:31
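Added example, not part of the question, the answer, or the Debian wiki: a POSIX shell audit for the answer's first point, the restrictive mount options on the volume holding the web root. It parses a line in the format printed by `mount` (the sample is the line quoted in the answer), reports which of the requested options are missing, and returns a non-zero status so it can feed a cron job or configuration-management check. The second, lax sample line, the function names and the `/srv` mount point used by the live check are assumptions made for the example.

```shell
#!/bin/sh
# Added example (assumption-labelled): audit a `mount`-style line for the
# restrictive options the answer recommends on a web-root filesystem.

# check_mount_opts LINE OPT...
# Return 0 if every OPT appears in the parenthesised option list of LINE;
# otherwise print "missing: ..." and return 1.
check_mount_opts() {
    line="$1"; shift
    # Pull "rw,nosuid,..." out of "... type ext4 (rw,nosuid,...)".
    opts=$(printf '%s\n' "$line" | sed -n 's/.*(\(.*\)).*/\1/p')
    missing=""
    for want in "$@"; do
        # Surround with commas so "nodev" does not match inside "nodevfoo".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample: the mount line quoted in the answer (/srv on an LV).
SAMPLE_LINE='/dev/mapper/root_vg-srv_lv on /srv type ext4 (rw,nosuid,nodev,noexec,relatime,seclabel,quota,usrquota,grpquota,data=ordered,usrquota,grpquota)'

# Constructed sample: the same mount point without the hardening options.
LAX_LINE='/dev/sda3 on /srv type ext4 (rw,relatime,data=ordered)'

# audit_live: check the real mount entry for /srv on this host (assumed
# mount point, taken from the answer's example; adjust to your web root).
audit_live() {
    line=$(mount | awk '$3 == "/srv" { print; exit }')
    [ -n "$line" ] || { echo "no mount entry for /srv"; return 2; }
    check_mount_opts "$line" nodev noexec nosuid
}

# Demonstration on the constructed samples.
check_mount_opts "$SAMPLE_LINE" nodev noexec nosuid && echo "sample: ok"
check_mount_opts "$LAX_LINE" nodev noexec nosuid || echo "lax sample: not hardened"
```

Running `audit_live` on a Debian host reads the live `mount` output; a non-zero exit means the web root's filesystem still allows device nodes, executables or setuid binaries, which is exactly what the `nodev`, `noexec` and `nosuid` options in the answer are meant to deny to content uploaded by untrusted developers.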