Hello,
We're migrating a webserver from RedHat 7.x to CentOS 4.2. In the process, we'd like to improve security.
We're currently planning on making sure SELinux is enabled, mounting the /tmp partition noexec, and running PHP in safe mode, hide_errors on, register_globals off by default.
vsftpd is set to chroot logins.
I've seen Apache run inside a chroot jail, but that was always very hassle-prone, and ironically, when security updates came out, they weren't applied within the chroot jail (e.g., installed via yum), making it more likely to get compromised! Is there an easier/better way to do this? Can you mix/match chroot'ed websites with those that aren't, without running a wholly separate webserver daemon?
What other actions would the knowledgeable crowd here suggest?
-Ben
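As an added example (not from Ben's post or any reply to it), here is a small POSIX sh audit that checks the three PHP settings the post lists and the noexec mount option on /tmp. Two things it assumes: the directive behind "hide_errors" is PHP's display_errors (set to Off), and the sample php.ini and /proc/mounts text embedded below is constructed for the example, not taken from any real host. A caveat a defender would want: PHP's safe_mode was never a real security boundary and was removed in PHP 5.4, so the other controls (SELinux, noexec /tmp, register_globals off) carry the weight.

```shell
#!/bin/sh
# Added example, not from the original post. Audits php.ini text and
# /proc/mounts text for the hardening settings discussed in the thread.
# Input is passed as text so the checks run offline; see usage at the end.

# Return 0 if the php.ini text sets directive $2 to value $3 (both lowercase).
# Comments (";...") are stripped and the text is lowercased before matching.
php_ini_is() {
  printf '%s\n' "$1" \
    | sed 's/;.*//' \
    | tr '[:upper:]' '[:lower:]' \
    | grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$"
}

# Print one WARN line per directive that is not at its hardened value and
# return the number of findings. An absent directive counts as a finding,
# because the compiled-in default may not be the one you expect.
audit_php_ini() {
  fails=0
  for pair in 'register_globals=off' 'safe_mode=on' 'display_errors=off'; do
    d=${pair%%=*}; v=${pair#*=}
    if ! php_ini_is "$1" "$d" "$v"; then
      echo "WARN: $d is not $v"
      fails=$((fails + 1))
    fi
  done
  return $fails
}

# Return 0 if mount point $2 in the /proc/mounts text $1 carries option $3.
# Field 4 of /proc/mounts is the comma-separated option list.
mount_has_opt() {
  printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
    $2 == mp { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == opt) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample inputs (not from any real server).
WEAK_INI='; typical distribution defaults of that era (constructed)
safe_mode = Off
display_errors = On
register_globals = On'

HARDENED_INI='; the settings the post plans to use (constructed)
safe_mode = On
display_errors = Off
register_globals = Off'

MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0'

# Stand-alone run against the constructed data. On a real host replace the
# variables with "$(cat /etc/php.ini)" and "$(cat /proc/mounts)".
audit_php_ini "$WEAK_INI" || echo "weak config: $? finding(s)"
audit_php_ini "$HARDENED_INI" && echo "hardened config: no findings"
mount_has_opt "$MOUNTS" /tmp noexec && echo "/tmp is mounted noexec"
```

The audit reports, rather than fixes, so it can run from cron after each yum update to catch a php.ini that a package upgrade quietly replaced; the mount check reads /proc/mounts rather than /etc/fstab because only the former reflects what is actually in effect.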