Hi Viktors,

Thanks for all your answers. You mentioned some things I wasn't thinking
about at all. My solution would only work if I or the other admin (who
is the owner) would notice increased use in bandwidth, and it would only
work to the point that they can't harm the installation on the server a
lot.

You've quite convinced me of your solution, but should I expect a lot
more work to build and maintain gentoo installs with grsec and hardened?

For me it won't be much of a problem, but the other admin is still
learning gentoo (he never used Linux before) but he should be able to
maintain the server without me so it shouldn't be too hard for him
either... Security is more important of course, but the easier the
better (or the more automation the better).

Should I expect to be able to install grsec and hardened and have it
work just like a normal gentoo install?

Greetings,

Michael

On Monday 15-01-2007 at 19:32 [timezone +0200], Viktors Rotanovs wrote:
> Hi Michael,
>
> Michael wrote:
> > I co-admin 2 servers running x86_64 gentoo installs. Due to not updating
> > the servers for a longer period, there were several major security
> > issues which at least allowed for someone to run an ftp server on it
> > without me knowing about it.
> >
> > Because a lot of stuff is still outdated and this was the first install
> > for the servers I want to reinstall them, again using gentoo. My own
> > idea was to isolate the web and mail-server in Xen virtual machines, so
> > that if someone's ever able to get in they can only bring down a small
> > part, which can easily be restored.
> >
> > Now my question is, would this be a good way to at least partly secure
> > the machine? Or should I use something from the hardened depot to
> > increase the security levels on these servers? The problem now was that
> > one program had a bug in it which could even give remote users root
> > access to the entire machine, which could've also caused loss of data
> > the program was not related to. By isolating in Xen domains this problem
> > is partly solved, but it does also bring a few other problems along.
>
> Chroot hardening using grsecurity (with TPE enabled) IMHO provides even
> better protection (but your opinion may differ), because it prevents
> several common types of attacks.
> Xen = protection against mythical attacks
> GRsecurity+PAX = protection against real-world script kiddies (99% of cases)
>
> GRSecurity makes hacking extremely inconvenient even if you have a shell
> account in the chroot, and unusual files are easily detectable via simple
> file monitoring tools running outside that chroot. You can also enable
> netconsole logging to a secure loghost to catch hacking attempts/IPs in
> realtime.
>
> Regarding Xen, a hacked website inside a Xen VM can still collect user
> data, credit card numbers, etc., as well as serve as a place to scan
> internal networks if they exist.
>
> If you use PHP, keep in mind that history tells that PHP is very
> insecure. You can:
> - improve your php.ini (disable allow_url_fopen, etc.)
> - check http://www.hardened-php.org/
> - check http://www.modsecurity.org/
>
> > I hope someone that has had or is avoiding these same problems can shed
> > some light on it...
>
> I'm very happy with grsec+hardened gentoo for several years, on >50
> servers (athlon xp, amd64, some intels).
>
> > Greetings,
> >
> > Michael
>
> Best Wishes,
> Viktors | http://rotanovs.com

--
gentoo-hardened@g.o mailing list
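The "simple file monitoring tools running outside that chroot" Viktors mentions can be as little as a baseline-and-compare script like the one below. This is an added example written for this page, not code from either poster; it assumes a POSIX shell with find, cksum, sort, awk and mktemp, and that the baseline file lives outside the chroot tree it describes (the paths in the usage comment are placeholders).

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-compare file monitor for
# a chroot tree, run from OUTSIDE the chroot. Assumes POSIX sh with find,
# cksum, sort, awk and mktemp. Keep the baseline file outside the chroot so
# an intruder inside it cannot rewrite the reference copy.

# Print one "crc size ./path" line per regular file under $1, sorted by path.
snapshot_tree() {
    (cd "$1" && find . -type f -exec cksum {} + | LC_ALL=C sort -k 3)
}

# Record the trusted state of chroot $1 into baseline file $2.
baseline_chroot() {
    snapshot_tree "$1" > "$2"
}

# Compare chroot $1 against baseline $2. Prints sorted ADDED/CHANGED/REMOVED
# lines and returns 1 when anything differs, 0 when the tree matches.
check_chroot() {
    cur=$(mktemp) || return 2
    snapshot_tree "$1" > "$cur"
    # The path is everything after the two numeric fields, so file names
    # containing spaces are compared correctly. The first awk input file is
    # the baseline (ARGV[1]); the second is the fresh snapshot.
    report=$(awk '
        { p = substr($0, length($1) + length($2) + 3) }
        FILENAME == ARGV[1] { base[p] = $1 " " $2; next }
        { seen[p] = 1
          if (!(p in base))              print "ADDED " p
          else if (base[p] != $1 " " $2) print "CHANGED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (placeholder paths): take the baseline once after a clean install,
# then run the check from cron or a loghost-side job, e.g.
#   baseline_chroot /srv/chroot/www /var/lib/chroot-baseline/www.cksum
#   check_chroot    /srv/chroot/www /var/lib/chroot-baseline/www.cksum
```

A non-zero exit from check_chroot is what to alert on; the printed lines name the files that appeared, changed or vanished since the baseline.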