List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Anders Bruun Olsen <anders@...>
Subject: Re: Advice about security solution
Date: Wed, 9 Nov 2005 09:16:38 +0100
On Tue, Nov 08, 2005 at 04:47:49PM -0600, Nathanael Hoyle wrote:
> grsecurity does offer several things that I would look into here,
> notably the things dealing with restricting users to only see their own
> processes and the like.  In general though, you need to be careful about
> the security basics:

Ahh yes, I remember that from playing around with grsecurity some years
back. That would be very nice to have on my server.

> 1) Don't run *anything* setuid root that you don't trust 100%.  Even
> then, avoid it if possible.

I am fairly certain I don't run anything at all setuid.

> 2) Don't use a global 'nobody' account for daemons (as this allows one
> daemon running as nobody to compromise another one if compromised).  Use
> separate uids/gids for each daemon process and make sure they have
> minimal privileges to run.

I use the default Gentoo accounts for daemons - fairly certain none of
them use "nobody". I may be wrong?

> 3) Chroot jail daemon processes wherever possible.

Hmm.. any good guides or pointers to get Apache, MySQL, Postfix,
Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in
jails?

> 4) Consider a shell for use with ssh which allows for restricting users
> to their home dirs (a la jail-shell).

That's a very good idea, only they still need to be able to start their
programs as they are used to. I can't seem to find jail-shell anywhere.
Is it just a concept for configuring i.e. Bash or is it actually
available somewhere?

> 5) Log everything possible about user logins and commands.  Consider
> moving logs to a second system on a regular basis to avoid potential log
> compromises.

Unfortunately I don't have a second system to move logs to, but I can
see why it would be a very good idea.

> 6) Deny remote root login via ssh.  Further consider using
> public/private key pair authentication for ssh.

All Linux installations with sshd running I have ever set up (quite a
few) have had root login via ssh blocked :).

> How secure you want to be is up to you in the end.  vservers, while
> nice, are usually not required if you are diligent about the basics.

I see your point - if I get grsecurity up and running, do sensible
configurations and jail as many processes as possible I should be fine.
And anyway, this isn't exactly Pentagon or NASA - my server does not
hold any secrets worth breaking into, so the biggest threat is likely to
be script kiddies who should be easily thwarted by sensible configuration,
grsec, jails and up-to-date program versions.

Thanks!

-- 
Anders
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V
PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y?
------END GEEK CODE BLOCK------
PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0
-- 
gentoo-security@g.o mailing list
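The basics quoted in the message above (no untrusted setuid binaries, no shared "nobody" account for daemons, no remote root login over ssh) are things one can check from a shell rather than take on faith. The script below is an added example written for this archive page; it is not code from either poster or from any Gentoo tool. The function names are my own, and the setuid directory, process listing and sshd_config it inspects are constructed samples so that it runs offline. On a real host you would point `list_setuid` at `/` and `commands_as_user` at live `ps -eo user,pid,comm` output.

```shell
#!/bin/sh
# Added example: audit helpers for three of the "security basics" in the thread.
# All inputs below are constructed samples, not data from a real system.

# 1) setuid root binaries: list regular files with the setuid bit set under a
#    directory tree. -xdev keeps find on one filesystem; pass / on a real host.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# 2) shared daemon account: given saved `ps -eo user,pid,comm` output, print
#    the distinct commands running as one user. More than one line for
#    "nobody" means several daemons share that account and can reach each
#    other's processes if one of them is compromised.
commands_as_user() {
    user=$1; psfile=$2
    awk -v u="$user" 'NR > 1 && $1 == u { print $3 }' "$psfile" | sort -u
}

# 6) remote root login: report the effective PermitRootLogin value from an
#    sshd_config. sshd honours the first occurrence of a keyword, so the first
#    non-comment match wins. If the keyword is absent the OpenSSH default of
#    the era was "yes" (OpenSSH 7.0 and later default to "prohibit-password").
#    Simplification (assumption): Match blocks are not handled.
permit_root_login() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'yes\n'; fi
}

# ---- constructed sample inputs ----
demo_dir=$(mktemp -d)
: > "$demo_dir/ping"; chmod 4755 "$demo_dir/ping"     # setuid bit set
: > "$demo_dir/ls";   chmod 0755 "$demo_dir/ls"       # ordinary binary

cat > "$demo_dir/ps.txt" <<'EOF'
USER     PID COMMAND
root       1 init
nobody   412 rsyncd
nobody   517 ventrilo
mysql    620 mysqld
postfix  701 master
EOF

cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sshd_config sample
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF

echo "setuid files under $demo_dir:";  list_setuid "$demo_dir"
echo "daemons running as nobody:";     commands_as_user nobody "$demo_dir/ps.txt"
echo "PermitRootLogin:";               permit_root_login "$demo_dir/sshd_config"
# Remove "$demo_dir" yourself when finished experimenting.
```

In the sample listing `rsyncd` and `ventrilo` both show up under `nobody`, which is exactly the situation point 2 warns about; the fix is one dedicated uid/gid per daemon. The setuid check is only a first pass: every file it prints should be either known and needed or have its setuid bit removed.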


Replies:
Re: Advice about security solution
-- Shane Hickey
Re: Advice about security solution
-- Nathanael Hoyle
Re: Advice about security solution
-- unaos
Re: Advice about security solution
-- Leonid Chaichenets
Re: Advice about security solution
-- Anthony Metcalf
References:
Advice about security solution
-- Anders Bruun Olsen
Re: Advice about security solution
-- Nathanael Hoyle
Updated Jun 17, 2009