Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: Anders Bruun Olsen <anders@...>
Subject: Advice about security solution
Date: Tue, 8 Nov 2005 23:21:20 +0100
Hi,

I have a server that's doing just about everything a server can do. It's
serving webpages with Apache, running mysql, handling mail for around 30
people with Postfix, running subversion for a couple of development
projects, running both a Ventrilo and a CounterStrike server as well as
having a bunch of local users via ssh which use it to run mutt,
centericq, irssi and stuff like that. In general a very active server.
I have been having my doubts about the security on this server lately
however, and have been looking into different solutions.
A quick analysis will show that the solution needs to take into account
both attacks from outside and local attacks since local users can't be
trusted 100%.
My first idea was to use linux-vserver, put everything into their own
vservers and have users log into a vserver with just the programs they
need there to minimize the threat from them. Unfortunately screen does
not work inside vservers so this solution is no good as most users have
their mailclient, irc client, icq client etc. running in a screen and
just reattach to it when they log in.
Now I could run everything in vservers and just let users login to the
host as they do now. That would certainly limit the threat from security
bugs in things like the CS server, and would limit the users ability to
mess with running processes. Not that they have rights to do that
anyway, but a layer of protection has been added. I would have liked
this solution to use SELinux or grsecurity to give me access control to
further boost security, but it seems that there aren't any current
vserver+grsec patches available and the don't apply cleanly on top of
each other. And SELinux is incompatible with vserver (I have read).
Yet another solution would be to drop vserver and just use grsecurity or
SELinux, but I am uncertain how good the protection against security
holes in i.e. CS-server would be in contrast with the vserver solution.
Yet another solution would of course be Xen, but since 3.0 is not yet in
stable, I don't really think that's a viable solution yet.

I might be missing some possible solution scenarios and would very much
appreciate advice. Both regarding my ideas so far, and anything I have
missed.

And no, buying a second server to isolate users on is not an option.
This is a private server and I am not a rich guy :)

Thanks in advance.

-- 
Anders
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V
PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y?
------END GEEK CODE BLOCK------
PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0
-- 
gentoo-security@g.o mailing list


Replies:
Re: Advice about security solution
-- Nathanael Hoyle
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Re: [gentoo-security] Snort alert with Squid ?
Next by thread:
Re: Advice about security solution
Previous by date:
Re: Snort alert with Squid ?
Next by date:
Re: Advice about security solution


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.