| 1 |
Hi there- |
| 2 |
|
| 3 |
I'd like to set up a hobby web-server, and I'd appreciate any |
| 4 |
thoughts/feedback from this community on what I'm planning- below. |
| 5 |
|
| 6 |
The server will be for two domains. I'd like them to be as |
| 7 |
independant of each other as possible, running on the same machine. |
| 8 |
I'd like the maintainance to be as straight-forward as possible. |
| 9 |
There's also a small chance one of the domains may end up on it's own |
| 10 |
hardware one day. The machine will be on the end of a cable modem, in |
| 11 |
a DMZ, running it's own secondary firewall- probably using shorewall. |
| 12 |
|
| 13 |
I've looked at chroots, jails, vserver patches, bsd, solaris- with |
| 14 |
only the later having any support for managing software installed |
| 15 |
inside the 'jail'. But I couldn't find an answer to if solaris zones |
| 16 |
can also manage manually installed software- I'm guessing not (there |
| 17 |
are no solaris packages for lots of web apps.) |
| 18 |
|
| 19 |
Then I read about Xen- and thought that could be reasonable; |
| 20 |
virtualize the machine, install two instances of the OS; disk is |
| 21 |
cheap, and although everything will have to be down twice (updates |
| 22 |
etc), at least I can use the standard package management tools. |
| 23 |
|
| 24 |
My thinking is that up-to-date SELinux + hardened gcc + apache + |
| 25 |
mod_security is enough of a headache that the majority of script |
| 26 |
kiddies/crackers won't be bothered. Anyone who can get through that |
| 27 |
I'm never going to notice- I know I won't make time to run something |
| 28 |
like tripwire often enough to be that useful, and even if I did, if |
| 29 |
someone gets through the above, they're very likely to be smart enough |
| 30 |
to hide the evidence so I don't notice for a long time (if ever.) |
| 31 |
Again, this is for a hobby server- one domain for family pics, etc, |
| 32 |
the other for something like trac for me and some friends to have fun |
| 33 |
with with some hobby development. |
| 34 |
|
| 35 |
First question- does the above sound reasonable? |
| 36 |
|
| 37 |
So my next decision will be a distribution. I see two choices: |
| 38 |
1. fedora core |
| 39 |
2. Gentoo hardened (SELinux variant) |
| 40 |
|
| 41 |
I prefer 2- RedHat is very good, but rpm gave me so many headaches I |
| 42 |
switched to Debian, then to gentoo (as I learnt more.) On the other |
| 43 |
hand, I get the impression that RedHat is actively integrating both |
| 44 |
Xen and SELinux into their mainline releases, and I believe they also |
| 45 |
use a hardened gcc (not 100% sure about that), and I'm sure things |
| 46 |
have improved since last I used RedHat. There are also quite a few |
| 47 |
documents on the web describing how to make Xen work on fedora- |
| 48 |
although so far it looks like most people are turning of SELinux in |
| 49 |
the guest domains(!) |
| 50 |
|
| 51 |
Second question: does anyone have a SELinux hardened gentoo Xen host |
| 52 |
domain successfully running SELinux hardened gentoo guests? I'm |
| 53 |
assuming if you get that working, getting apache running is relatively |
| 54 |
simple ;-) |
| 55 |
|
| 56 |
(I want a hardened OS in both places as at the moment I think the host |
| 57 |
domain will have to forward packets to the right guest; I'll probably |
| 58 |
differentiate the domains by port numbers- the joy of only having a |
| 59 |
single public IP address.) |
| 60 |
|
| 61 |
Final questions: |
| 62 |
Is the following a reasonable summary of the steps required? |
| 63 |
1. downloading the 2005.1 hardened liveCD |
| 64 |
2. follow the guidebook, install using a stage three tarball |
| 65 |
3. rsync emerge update to the equivalent of a stage 2 installation |
| 66 |
4. emerge Xen, build the Xen host kernel |
| 67 |
5. reboot to hardened SELinux + Xen - check things are running |
| 68 |
6. reboot into permissive mode, so I can chroot and create a guest domain OS |
| 69 |
7. repeat steps 2 & 3 in chroot |
| 70 |
8. compile Xen hardened SELinux guest kernel |
| 71 |
9. reboot into normal secure mode |
| 72 |
10. configure Xen and start the first guest domain with the image and |
| 73 |
kernel created in steps 6-8 |
| 74 |
11. start the guest domain- test to ensure it boots/works |
| 75 |
12. stop the guest domain |
| 76 |
13. duplicate & backup the guest domain image. |
| 77 |
14. configure the second guest domain |
| 78 |
15. start both guest domains, and then do the normal work of |
| 79 |
configuring the three environments |
| 80 |
|
| 81 |
What steps/issues am I missing? (e.g. I think I saw something about |
| 82 |
having to use the non-hardened gcc to compile Xen- is that correct?) |
| 83 |
|
| 84 |
Or are there a lot of steps missing in the above- would I better to |
| 85 |
use RedHat for the moment? |
| 86 |
|
| 87 |
And if anyone is interested, I'm happy to document it all/work with |
| 88 |
others to make a sort of recipe- assuming this type of configuration |
| 89 |
is of interest to anyone else. |
| 90 |
|
| 91 |
Thanks in advance, |
| 92 |
|
| 93 |
Julian |
| 94 |
|
| 95 |
-- |
| 96 |
gentoo-hardened@g.o mailing list |
Archives