wandering.womble@×××××.com wrote:
> Hi there-
>
> I'd like to set up a hobby web-server, and I'd appreciate any
> thoughts/feedback from this community on what I'm planning- below.
>
> The server will be for two domains. I'd like them to be as
> independent of each other as possible, running on the same machine.
> I'd like the maintenance to be as straightforward as possible.
> There's also a small chance one of the domains may end up on its own
> hardware one day. The machine will be on the end of a cable modem, in
> a DMZ, running its own secondary firewall- probably using shorewall.
>
> I've looked at chroots, jails, vserver patches, bsd, solaris- with
> only the latter having any support for managing software installed
> inside the 'jail'. But I couldn't find an answer to whether solaris zones
> can also manage manually installed software- I'm guessing not (there
> are no solaris packages for lots of web apps.)
>
> Then I read about Xen- and thought that could be reasonable;
> virtualize the machine, install two instances of the OS; disk is
> cheap, and although everything will have to be down twice (updates
> etc), at least I can use the standard package management tools.
>
> My thinking is that up-to-date SELinux + hardened gcc + apache +
> mod_security is enough of a headache that the majority of script
> kiddies/crackers won't be bothered.

AFAIK the grsecurity patch can't be applied to the current xen-sources,
so you'll lose quite a bit of the protection of the hardened gcc without
pax (grsecurity).

> Anyone who can get through that
> I'm never going to notice- I know I won't make time to run something
> like tripwire often enough to be that useful, and even if I did, if
> someone gets through the above, they're very likely to be smart enough
> to hide the evidence so I don't notice for a long time (if ever.)
> Again, this is for a hobby server- one domain for family pics, etc,
> the other for something like trac for me and some friends to have fun
> with some hobby development.
>
> First question- does the above sound reasonable?
>

To me it does. Have you thought about using mod_deflate or mod_gzip? It
will save some of your precious upstream bandwidth.

Now I have to hurry to work, maybe more answers in the evening.

--
Ewald Wasscher


PGP Key Fingerprint: D3FE ED15 03B0 8385 DD5D 95CE F866 9E37 28E8 1D69

--
gentoo-hardened@g.o mailing list