Hi there-

I'd like to set up a hobby web-server, and I'd appreciate any
thoughts/feedback from this community on what I'm planning- below.

The server will be for two domains. I'd like them to be as
independent of each other as possible, running on the same machine.
I'd like the maintenance to be as straight-forward as possible.
There's also a small chance one of the domains may end up on its own
hardware one day. The machine will be on the end of a cable modem, in
a DMZ, running its own secondary firewall- probably using shorewall.

I've looked at chroots, jails, vserver patches, bsd, solaris- with
only the latter having any support for managing software installed
inside the 'jail'. But I couldn't find an answer to if solaris zones
can also manage manually installed software- I'm guessing not (there
are no solaris packages for lots of web apps.)

Then I read about Xen- and thought that could be reasonable;
virtualize the machine, install two instances of the OS; disk is
cheap, and although everything will have to be done twice (updates
etc), at least I can use the standard package management tools.

My thinking is that up-to-date SELinux + hardened gcc + apache +
mod_security is enough of a headache that the majority of script
kiddies/crackers won't be bothered. Anyone who can get through that
I'm never going to notice- I know I won't make time to run something
like tripwire often enough to be that useful, and even if I did, if
someone gets through the above, they're very likely to be smart enough
to hide the evidence so I don't notice for a long time (if ever.)
Again, this is for a hobby server- one domain for family pics, etc,
the other for something like trac for me and some friends to have fun
with some hobby development.

First question- does the above sound reasonable?

So my next decision will be a distribution. I see two choices:
1. fedora core
2. Gentoo hardened (SELinux variant)

I prefer 2- RedHat is very good, but rpm gave me so many headaches I
switched to Debian, then to gentoo (as I learnt more.) On the other
hand, I get the impression that RedHat is actively integrating both
Xen and SELinux into their mainline releases, and I believe they also
use a hardened gcc (not 100% sure about that), and I'm sure things
have improved since last I used RedHat. There are also quite a few
documents on the web describing how to make Xen work on fedora-
although so far it looks like most people are turning off SELinux in
the guest domains(!)

Second question: does anyone have a SELinux hardened gentoo Xen host
domain successfully running SELinux hardened gentoo guests? I'm
assuming if you get that working, getting apache running is relatively
simple ;-)

(I want a hardened OS in both places as at the moment I think the host
domain will have to forward packets to the right guest; I'll probably
differentiate the domains by port numbers- the joy of only having a
single public IP address.)

Final questions:
Is the following a reasonable summary of the steps required?
1. downloading the 2005.1 hardened liveCD
2. follow the guidebook, install using a stage three tarball
3. rsync emerge update to the equivalent of a stage 2 installation
4. emerge Xen, build the Xen host kernel
5. reboot to hardened SELinux + Xen - check things are running
6. reboot into permissive mode, so I can chroot and create a guest domain OS
7. repeat steps 2 & 3 in chroot
8. compile Xen hardened SELinux guest kernel
9. reboot into normal secure mode
10. configure Xen and start the first guest domain with the image and
kernel created in steps 6-8
11. start the guest domain- test to ensure it boots/works
12. stop the guest domain
13. duplicate & backup the guest domain image.
14. configure the second guest domain
15. start both guest domains, and then do the normal work of
configuring the three environments

What steps/issues am I missing? (e.g. I think I saw something about
having to use the non-hardened gcc to compile Xen- is that correct?)

Or are there a lot of steps missing in the above- would I be better to
use RedHat for the moment?

And if anyone is interested, I'm happy to document it all/work with
others to make a sort of recipe- assuming this type of configuration
is of interest to anyone else.

Thanks in advance,

Julian

--
gentoo-hardened@g.o mailing list