Hi Michael,

Michael wrote:
> I co-admin 2 servers running x86_64 gentoo installs. Due to not updating
> the servers for a longer period, there were several major security
> issues which at least allowed for someone to run an ftp server on it
> without me knowing about it.
>
> Because a lot of stuff is still outdated and this was the first install
> for the servers, I want to reinstall them, again using gentoo. My own
> idea was to isolate the web and mail servers in Xen virtual machines, so
> that if someone's ever able to get in they can only bring down a small
> part, which can easily be restored.
>
> Now my question is, would this be a good way to at least partly secure
> the machine? Or should I use something from the hardened depot to
> increase the security levels on these servers? The problem now was that
> one program had a bug in it which could even give remote users root
> access to the entire machine, which could've also caused loss of data
> the program was not related to. By isolating in Xen domains this problem
> is partly solved, but it does also bring a few other problems along.

Chroot hardening using grsecurity (with TPE enabled) IMHO provides even
better protection (but your opinion may differ), because it prevents
several common types of attacks.
Xen = protection against mythical attacks
grsecurity+PaX = protection against real-world script kiddies (99% of cases)

grsecurity makes hacking extremely inconvenient even if you have a shell
account in the chroot, and unusual files are easily detectable via simple
file monitoring tools running outside that chroot. You can also enable
netconsole logging to a secure loghost to catch hacking attempts/IPs in
realtime.

Regarding Xen, a hacked website inside a Xen VM can still collect user
data, credit card numbers, etc., as well as serve as a place to scan
internal networks if they exist.

If you use PHP, keep in mind that history shows that PHP is very
insecure. You can:
- improve your php.ini (disable allow_url_fopen, etc.)
- check http://www.hardened-php.org/
- check http://www.modsecurity.org/

> I hope someone that has had or is avoiding these same problems can shed
> some light on it...

I've been very happy with grsec + hardened Gentoo for several years, on >50
servers (athlon xp, amd64, some intels).

> Greetings,
>
> Michael

Best Wishes,
Viktors | http://rotanovs.com
--
gentoo-hardened@g.o mailing list
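The "simple file monitoring tools running outside that chroot" that Viktors mentions, as an added example that is not part of the original mail and not a grsecurity or Gentoo tool: a host-side script that snapshots a chroot tree, diffs later scans against the snapshot, and lists files that have no business in a service chroot (setuid/setgid binaries, executables under tmp/). The throw-away "chroot" and the intrusion it simulates are constructed inline; sha256sum, find, diff and awk are assumed to be the GNU/Linux versions, and file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the original mail: a small file-integrity monitor
# that runs on the host, outside the chroot, so an intruder who owns the
# chroot can neither edit the baseline nor replace the checker.
# Assumptions: GNU coreutils (sha256sum, find, diff, awk); the baseline file
# lives on the host at a path the chroot cannot reach; file names contain no
# whitespace (awk splits on it below).
set -u

# Write one "sha256  ./relative/path" line per regular file under the chroot
# root $1, sorted by path so two baselines can be diffed directly.
chroot_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare baseline file $1 against the current state of chroot root $2.
# Prints "ADDED", "MODIFIED" or "REMOVED" followed by the path; prints
# nothing when the tree is unchanged.
chroot_compare() {
    baseline=$1
    root=$2
    current=$(mktemp)
    chroot_baseline "$root" > "$current"
    # In diff's normal output "<" lines exist only in the baseline and ">"
    # lines only in the current scan: a path present on both sides changed
    # content (its hash differs), a path on one side only was added/removed.
    diff "$baseline" "$current" | awk '
        /^</ { old[$3] = 1 }
        /^>/ { new[$3] = 1 }
        END {
            for (p in new) print ((p in old) ? "MODIFIED " : "ADDED ") p
            for (p in old) if (!(p in new)) print "REMOVED " p
        }' | LC_ALL=C sort
    rm -f "$current"
}

# List files that should not exist in a service chroot at all: setuid or
# setgid binaries, and anything executable under tmp/ or var/tmp/ (a
# favourite drop point for rogue daemons such as the ftp server in the
# original mail).
chroot_unusual() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \
        -o \( \( -path './tmp/*' -o -path './var/tmp/*' \) -perm -100 \) \) \
        -print | LC_ALL=C sort )
}

# Demo on a constructed throw-away "chroot": take a baseline, then simulate
# an intrusion (modified passwd, dropped executable in tmp/, deleted binary).
demo_chroot_monitor() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/bin" "$root/tmp"
    printf 'root:x:0:0\n' > "$root/etc/passwd"
    printf 'fake httpd\n' > "$root/bin/httpd"
    base=$(mktemp)
    chroot_baseline "$root" > "$base"

    printf 'root:x:0:0\nbackdoor:x:0:0\n' > "$root/etc/passwd"
    printf 'fake ftpd\n' > "$root/tmp/.ftpd" && chmod 755 "$root/tmp/.ftpd"
    rm "$root/bin/httpd"

    echo "== changes since baseline =="
    chroot_compare "$base" "$root"
    echo "== unusual files =="
    chroot_unusual "$root"
    rm -rf "$root" "$base"
}

demo_chroot_monitor
```

In production the baseline would be written once after the chroot is built (`chroot_baseline /srv/chroot/www > /var/lib/chroot-baselines/www`), stored read-only on the host, and `chroot_compare` run from cron with its output mailed off-box or sent to the loghost; the point of running it outside the chroot is that nothing the intruder can reach from inside affects the checker or its baseline.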
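The php.ini advice ("disable allow_url_fopen, etc."), as an added example that is not part of the original mail and not a Hardened-PHP or mod_security tool: a shell/awk audit that reads any php.ini and reports directives still in their permissive state, showing the weak configuration beside the hardened one. The two php.ini fragments are constructed inline; the built-in defaults assumed for absent directives are PHP 5's (allow_url_fopen, display_errors, expose_php and enable_dl default to On when unset), and awk is assumed to support POSIX character classes (gawk, mawk, busybox).

```shell
#!/bin/sh
# Added example, not from the original mail: audit a php.ini for the weak
# settings the reply warns about (allow_url_fopen and friends). It runs
# offline against any php.ini and prints one "WEAK ..." line per finding;
# no output means every checked directive is in its hardened state.
# Assumptions: awk with POSIX character classes (gawk/mawk/busybox); the
# built-in defaults used for absent directives are those of PHP 5
# (allow_url_fopen, display_errors, expose_php and enable_dl default to On).
set -u

php_ini_audit() {
    awk '
    # Lower-case and strip surrounding blanks and quotes.
    function norm(v) { v = tolower(v); gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", v); return v }
    # PHP accepts On/1/True/Yes for a boolean directive.
    function is_on(v) { v = norm(v); return (v == "on" || v == "1" || v == "true" || v == "yes") }
    {
        sub(/;.*/, "")                         # drop ; comments
        if ($0 !~ /=/) next                    # skip [sections] and blank lines
        key = $0; sub(/=.*/, "", key); key = norm(key)
        val = $0; sub(/^[^=]*=/, "", val); val = norm(val)
        seen[key] = val                        # last assignment wins, as in PHP
    }
    END {
        # Directives that must be Off; absent ones fall back to the built-in default.
        def["allow_url_fopen"] = "on";   def["allow_url_include"] = "off"
        def["register_globals"] = "off"; def["display_errors"] = "on"
        def["expose_php"] = "on";        def["enable_dl"] = "on"
        n = split("allow_url_fopen allow_url_include register_globals display_errors expose_php enable_dl", want_off, " ")
        for (i = 1; i <= n; i++) {
            k = want_off[i]
            if (k in seen) { if (is_on(seen[k])) print "WEAK " k "=" seen[k] " (want Off)" }
            else if (def[k] == "on") print "WEAK " k " unset (default On, want Off)"
        }
        # open_basedir confines the PHP process to the listed directories.
        if (!("open_basedir" in seen) || seen["open_basedir"] == "")
            print "WEAK open_basedir is unset (want a directory list)"
        # Command-execution functions a web application rarely needs.
        m = split("exec system shell_exec passthru popen proc_open", req, " ")
        c = split((("disable_functions" in seen) ? seen["disable_functions"] : ""), have, ",")
        for (j = 1; j <= c; j++) present[norm(have[j])] = 1
        missing = ""
        for (i = 1; i <= m; i++) if (!(req[i] in present)) missing = missing " " req[i]
        if (missing != "") print "WEAK disable_functions lacks:" missing
    }' "$1"
}

# Demo on two constructed php.ini fragments: the permissive one beside the
# hardened one the reply recommends.
demo_php_ini_audit() {
    weak=$(mktemp); hard=$(mktemp)
    printf '%s\n' '[PHP]' 'allow_url_fopen = On' 'register_globals = On' \
        'display_errors = On' 'expose_php = On' > "$weak"
    printf '%s\n' '[PHP]' 'allow_url_fopen = Off' 'allow_url_include = Off' \
        'register_globals = Off' 'display_errors = Off' 'expose_php = Off' \
        'enable_dl = Off' 'open_basedir = "/var/www/htdocs:/tmp"' \
        'disable_functions = exec,system,shell_exec,passthru,popen,proc_open' > "$hard"
    echo "== weak php.ini =="; php_ini_audit "$weak"
    echo "== hardened php.ini =="; php_ini_audit "$hard"
    rm -f "$weak" "$hard"
}

demo_php_ini_audit
```

The absent-directive handling is the part worth copying: a php.ini that simply omits allow_url_fopen is still weak, because PHP's built-in default is On, so an audit that only greps for "allow_url_fopen = On" misses it. Run it as `php_ini_audit /etc/php/apache2-php5/php.ini` (or whatever path the Gentoo PHP slot uses) and treat any output as a finding.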