On Tue, Nov 08, 2005 at 04:47:49PM -0600, Nathanael Hoyle wrote:
> grsecurity does offer several things that I would look into here,
> notably the things dealing with restricting users to only see their own
> processes and the like. In general though, you need to be careful about
> the security basics:
Ahh yes, I remember that from playing around with grsecurity some years
back. That would be very nice to have on my server.
> 1) Don't run *anything* setuid root that you don't trust 100%. Even
> then, avoid it if possible.
I am fairly certain I don't run anything at all setuid.
> 2) Don't use a global 'nobody' account for daemons (as this allows one
> daemon running as nobody to compromise another one if compromised). Use
> separate uids/gids for each daemon process and make sure they have
> minimal privileges to run.
I use the default Gentoo accounts for daemons - fairly certain none of
them use "nobody". I may be wrong?
> 3) Chroot jail daemon processes wherever possible.
Hmm.. any good guides or pointers to get Apache, MySQL, Postfix,
Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in
jails?
> 4) Consider a shell for use with ssh which allows for restricting users
> to their home dirs (a la jail-shell).
That's a very good idea, only they still need to be able to start their
programs as they are used to. I can't seem to find jail-shell anywhere.
Is it just a concept for configuring i.e. Bash or is it actually
available somewhere?
> 5) Log everything possible about user logins and commands. Consider
> moving logs to a second system on a regular basis to avoid potential log
> compromises.
Unfortunately I don't have a second system to move logs to, but I can
see why it would be a very good idea.
> 6) Deny remote root login via ssh. Further consider using
> public/private key pair authentication for ssh.
All Linux installations with sshd running I have ever setup (quite a
few) have had root-login via ssh blocked :).
> How secure you want to be is up to you in the end. vservers, while
> nice, are usually not required if you are diligent about the basics.
I see your point - if I get grsecurity up and running, do sensible
configurations and jail as many processes as possible I should be fine.
And anyway, this isn't exactly Pentagon or NASA - my server does not
hold any secrets worth breaking into, so the biggest threat is likely to
be scriptkiddies who should be easily thwarted by sensible configuration,
grsec, jails and up-to-date program versions.
Thanks!
--
Anders
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V
PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y?
------END GEEK CODE BLOCK------
PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0
--
gentoo-security@g.o mailing list
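Added example for the thread above, not code from either poster: a small POSIX sh audit that checks three of the basics in Nathanael's list, setuid/setgid binaries (point 1), daemons sharing the 'nobody' account (point 2), and the sshd root-login and key-only settings (point 6). It assumes `find`, `ps` and `awk` are available; the function names are mine; and the sshd_config parser handles only the whitespace-separated `Keyword value` form and stops at the first `Match` block rather than evaluating it. One detail worth knowing for point 6: sshd takes the first occurrence of a keyword, so a `PermitRootLogin no` added at the bottom of a file does nothing if a `PermitRootLogin yes` appears above it.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes POSIX sh, find, ps, awk.

# Point 1: list setuid/setgid regular files under one directory tree, staying
# on one filesystem. Everything printed is a candidate for "chmod u-s,g-s"
# unless you can say exactly why it needs the bit.
list_setuid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Point 2: read "user command" lines on stdin (the shape `ps -eo user=,comm=`
# prints) and report each distinct command running as the shared 'nobody'
# account. Two different daemons here can compromise each other.
daemons_as_nobody() {
    awk '$1 == "nobody" && !seen[$2]++ { print $2 }'
}

# Point 6: return the effective value of one sshd_config keyword, lowercased.
# sshd uses the FIRST occurrence of a keyword, so we stop at the first match.
# Keywords are case-insensitive. Assumption: whitespace-separated form only,
# and a Match block (whose settings are conditional) ends the global section.
sshd_setting() {
    file=$1
    key=$2
    awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        tolower($1) == "match" { exit }                # global section is over
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$file"
}

# Succeeds (exit 0) only when root cannot log in at all and password
# authentication is off, i.e. key pairs are the only way in. A keyword that
# is absent falls back to OpenSSH's compiled-in default, which varies by
# version (PermitRootLogin was "yes" in 2005-era releases), so "unset" is
# treated as not hardened here.
sshd_is_hardened() {
    file=$1
    prl=$(sshd_setting "$file" PermitRootLogin)
    pa=$(sshd_setting "$file" PasswordAuthentication)
    printf 'PermitRootLogin=%s PasswordAuthentication=%s\n' \
        "${prl:-unset}" "${pa:-unset}"
    [ "$prl" = "no" ] && [ "$pa" = "no" ]
}

# Live usage:  sh audit.sh /etc/ssh/sshd_config
# (nothing runs without an argument, so the file can also be sourced.)
if [ $# -ge 1 ]; then
    echo "== setuid/setgid files under / =="
    list_setuid /
    echo "== distinct daemons running as nobody =="
    ps -eo user=,comm= | daemons_as_nobody
    echo "== sshd =="
    sshd_is_hardened "$1" || echo "sshd is NOT hardened (root login or passwords still allowed)"
fi
```

On a Gentoo box of that era the `nobody` check is the quick way to answer Anders' "I may be wrong?": if the second section prints anything beyond a single name, those daemons share one uid and the chroot/separate-uid advice applies to them first.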