| 1 |
wandering.womble@×××××.com wrote: |
| 2 |
> Hi there- |
| 3 |
> |
| 4 |
> I'd like to set up a hobby web-server, and I'd appreciate any |
| 5 |
> thoughts/feedback from this community on what I'm planning- below. |
| 6 |
> |
| 7 |
> The server will be for two domains. I'd like them to be as |
| 8 |
> independant of each other as possible, running on the same machine. |
| 9 |
> I'd like the maintainance to be as straight-forward as possible. |
| 10 |
> There's also a small chance one of the domains may end up on it's own |
| 11 |
> hardware one day. The machine will be on the end of a cable modem, in |
| 12 |
> a DMZ, running it's own secondary firewall- probably using shorewall. |
| 13 |
> |
| 14 |
> I've looked at chroots, jails, vserver patches, bsd, solaris- with |
| 15 |
> only the later having any support for managing software installed |
| 16 |
> inside the 'jail'. But I couldn't find an answer to if solaris zones |
| 17 |
> can also manage manually installed software- I'm guessing not (there |
| 18 |
> are no solaris packages for lots of web apps.) |
| 19 |
> |
| 20 |
> Then I read about Xen- and thought that could be reasonable; |
| 21 |
> virtualize the machine, install two instances of the OS; disk is |
| 22 |
> cheap, and although everything will have to be down twice (updates |
| 23 |
> etc), at least I can use the standard package management tools. |
| 24 |
> |
| 25 |
> My thinking is that up-to-date SELinux + hardened gcc + apache + |
| 26 |
> mod_security is enough of a headache that the majority of script |
| 27 |
> kiddies/crackers won't be bothered. |
| 28 |
|
| 29 |
AFAIK the grsecurity patch can't be applied to the current xen-sources, |
| 30 |
so you'll lose quite some of the protection of the hardened gcc without |
| 31 |
pax (grsecurity). |
| 32 |
|
| 33 |
> Anyone who can get through that |
| 34 |
> I'm never going to notice- I know I won't make time to run something |
| 35 |
> like tripwire often enough to be that useful, and even if I did, if |
| 36 |
> someone gets through the above, they're very likely to be smart enough |
| 37 |
> to hide the evidence so I don't notice for a long time (if ever.) |
| 38 |
> Again, this is for a hobby server- one domain for family pics, etc, |
| 39 |
> the other for something like trac for me and some friends to have fun |
| 40 |
> with with some hobby development. |
| 41 |
> |
| 42 |
> First question- does the above sound reasonable? |
| 43 |
> |
| 44 |
|
| 45 |
Te me it does. Have you thought about using mod_deflate or mod_gzip it |
| 46 |
will save some of your precious upstream bandwidth. |
| 47 |
|
| 48 |
Now I have to hurry to work, maybe more answers in the evening. |
| 49 |
|
| 50 |
-- |
| 51 |
Ewald Wasscher |
| 52 |
|
| 53 |
|
| 54 |
PGP Key Fingerprint: D3FE ED15 03B0 8385 DD5D 95CE F866 9E37 28E8 1D69 |
| 55 |
|
| 56 |
-- |
| 57 |
gentoo-hardened@g.o mailing list |
Archives