I've Apache running on the public-facing Debian server, and am a little concerned about the safety from the installation. This can be a machine that hosts several free-time hobby projects, so none people who make use of the machine genuinely have time to constantly watch out for upstream patches, stay conscious of security issues, etc. But I must keep your criminals out, or maybe they enter, keep these questions sandbox.

So what is the best, easy to setup, simple to maintain solution here? Could it be easy to setup a person-mode linux sandbox on Debian? Or simply a chroot jail? Let me have quick access to files within the sadbox in the outdoors. This is just one of individuals occasions where it might be very obvious in my experience that I am a programmer, not really a sysadmin. Any help could be much appreciated!

Chroot jails can be very insecure when you're managing a complete sandbox atmosphere. Attackers have total use of kernel functionality and for instance may mount drives to gain access to the "host" system.

I recommend that you employ linux-vserver. You can observe linux-vserver being an enhanced chroot jail having a complete debian installation inside. It really is fast as it is running within a single kernel, and all sorts of code execution is a natively.

I take advantage of linux-vserver for seperation of my services and you will find only hardly noticeable performance variations.

Take a look in the linux-vserver wiki for installation instructions.

regards, Dennis

You can always arrange it in the virtual machine and a picture from it, to help you re-roll it if necessary. This way the server is abstracted out of your actual computer, and then any virus' approximately forth are contained within the virtual machine. When I stated before, should you keep a picture like a backup you are able to restore for your previous condition really simple.

To make certain it's stated, CHRoot Jails are hardly ever advisable it's, regardless of the intention, super easy to get out of, in reality I've come across it made by customers accidentally!

I've found it astonishing that nobody pointed out mod_chroot and suEXEC, what are fundamental things you can start with, and, possibly the only what exactly you need.

No offense, but when you do not have time for you to watch out for security patches, and remain conscious of security issues, you ought to be concerned, regardless of what your setup. However, the mere proven fact that you are considering these problems sets you aside from another 99.9% of proprietors of these machines. You are on the right track!

I second what xardias states, but recommend OpenVZ rather.

It's much like Linux-Vserver, so you might like to compare individuals two when going this route.

I have setup a webserver having a proxy http server (nginx), which in turn associates visitors to different OpenVZ containers (according to hostname or asked for path). Inside each container you are able to setup Apache or other webserver (e.g. nginx, lighttpd, ..). By doing this you do not have one Apache for everything, but tend to produce a container for just about any subset of services (e.g. per project).

OpenVZ containers can very easily get up-to-date altogether ("for i in $(vzlist) do vzctl professional apt-get upgrade done")

The files from the different containers are saved within the hardware node and for that reason you are able to very easily access them by SFTPing in to the hardware node. Aside from that you simply could give a public Ip with a of the containers, install SSH there after which access them from the container. I have even been told by SSH proxies, therefore the extra public Ip may be unnecessary even for the reason that situation.

Create a virtual machine. try something similar to vmware or qemu