| 1 |
Thanks Ewald- |
| 2 |
and thanks for the reminders re mod_deflate/mod_gzip :-) |
| 3 |
|
| 4 |
Look forward to seeing some more comments from you- if you have time. |
| 5 |
|
| 6 |
Regards |
| 7 |
Julian |
| 8 |
|
| 9 |
On 11/28/05, Ewald Wasscher <ewald@××××××××.net> wrote: |
| 10 |
> wandering.womble@×××××.com wrote: |
| 11 |
> > Hi there- |
| 12 |
> > |
| 13 |
> > I'd like to set up a hobby web-server, and I'd appreciate any |
| 14 |
> > thoughts/feedback from this community on what I'm planning- below. |
| 15 |
> > |
| 16 |
> > The server will be for two domains. I'd like them to be as |
| 17 |
> > independant of each other as possible, running on the same machine. |
| 18 |
> > I'd like the maintainance to be as straight-forward as possible. |
| 19 |
> > There's also a small chance one of the domains may end up on it's own |
| 20 |
> > hardware one day. The machine will be on the end of a cable modem, in |
| 21 |
> > a DMZ, running it's own secondary firewall- probably using shorewall. |
| 22 |
> > |
| 23 |
> > I've looked at chroots, jails, vserver patches, bsd, solaris- with |
| 24 |
> > only the later having any support for managing software installed |
| 25 |
> > inside the 'jail'. But I couldn't find an answer to if solaris zones |
| 26 |
> > can also manage manually installed software- I'm guessing not (there |
| 27 |
> > are no solaris packages for lots of web apps.) |
| 28 |
> > |
| 29 |
> > Then I read about Xen- and thought that could be reasonable; |
| 30 |
> > virtualize the machine, install two instances of the OS; disk is |
| 31 |
> > cheap, and although everything will have to be down twice (updates |
| 32 |
> > etc), at least I can use the standard package management tools. |
| 33 |
> > |
| 34 |
> > My thinking is that up-to-date SELinux + hardened gcc + apache + |
| 35 |
> > mod_security is enough of a headache that the majority of script |
| 36 |
> > kiddies/crackers won't be bothered. |
| 37 |
> |
| 38 |
> AFAIK the grsecurity patch can't be applied to the current xen-sources, |
| 39 |
> so you'll lose quite some of the protection of the hardened gcc without |
| 40 |
> pax (grsecurity). |
| 41 |
> |
| 42 |
> > Anyone who can get through that |
| 43 |
> > I'm never going to notice- I know I won't make time to run something |
| 44 |
> > like tripwire often enough to be that useful, and even if I did, if |
| 45 |
> > someone gets through the above, they're very likely to be smart enough |
| 46 |
> > to hide the evidence so I don't notice for a long time (if ever.) |
| 47 |
> > Again, this is for a hobby server- one domain for family pics, etc, |
| 48 |
> > the other for something like trac for me and some friends to have fun |
| 49 |
> > with with some hobby development. |
| 50 |
> > |
| 51 |
> > First question- does the above sound reasonable? |
| 52 |
> > |
| 53 |
> |
| 54 |
> Te me it does. Have you thought about using mod_deflate or mod_gzip it |
| 55 |
> will save some of your precious upstream bandwidth. |
| 56 |
> |
| 57 |
> Now I have to hurry to work, maybe more answers in the evening. |
| 58 |
> |
| 59 |
> -- |
| 60 |
> Ewald Wasscher |
| 61 |
> |
| 62 |
> |
| 63 |
> PGP Key Fingerprint: D3FE ED15 03B0 8385 DD5D 95CE F866 9E37 28E8 1D69 |
| 64 |
> |
| 65 |
> -- |
| 66 |
> gentoo-hardened@g.o mailing list |
| 67 |
> |
| 68 |
> |
| 69 |
|
| 70 |
-- |
| 71 |
gentoo-hardened@g.o mailing list |
Archives