Thanks Ewald-

and thanks for the reminders re mod_deflate/mod_gzip :-)

Look forward to seeing some more comments from you- if you have time.

Regards
Julian

On 11/28/05, Ewald Wasscher <ewald@××××××××.net> wrote:
> wandering.womble@×××××.com wrote:
> > Hi there-
> >
> > I'd like to set up a hobby web-server, and I'd appreciate any
> > thoughts/feedback from this community on what I'm planning- below.
> >
> > The server will be for two domains. I'd like them to be as
> > independent of each other as possible, running on the same machine.
> > I'd like the maintenance to be as straightforward as possible.
> > There's also a small chance one of the domains may end up on its own
> > hardware one day. The machine will be on the end of a cable modem, in
> > a DMZ, running its own secondary firewall- probably using shorewall.
> >
> > I've looked at chroots, jails, vserver patches, bsd, solaris- with
> > only the latter having any support for managing software installed
> > inside the 'jail'. But I couldn't find an answer to whether solaris zones
> > can also manage manually installed software- I'm guessing not (there
> > are no solaris packages for lots of web apps.)
> >
> > Then I read about Xen- and thought that could be reasonable;
> > virtualize the machine, install two instances of the OS; disk is
> > cheap, and although everything will have to be down twice (updates
> > etc), at least I can use the standard package management tools.
> >
> > My thinking is that up-to-date SELinux + hardened gcc + apache +
> > mod_security is enough of a headache that the majority of script
> > kiddies/crackers won't be bothered.
>
> AFAIK the grsecurity patch can't be applied to the current xen-sources,
> so you'll lose quite some of the protection of the hardened gcc without
> pax (grsecurity).
>
> > Anyone who can get through that
> > I'm never going to notice- I know I won't make time to run something
> > like tripwire often enough to be that useful, and even if I did, if
> > someone gets through the above, they're very likely to be smart enough
> > to hide the evidence so I don't notice for a long time (if ever.)
> > Again, this is for a hobby server- one domain for family pics, etc,
> > the other for something like trac for me and some friends to have fun
> > with some hobby development.
> >
> > First question- does the above sound reasonable?
> >
>
> To me it does. Have you thought about using mod_deflate or mod_gzip? It
> will save some of your precious upstream bandwidth.
>
> Now I have to hurry to work, maybe more answers in the evening.
>
> --
> Ewald Wasscher
>
>
> PGP Key Fingerprint: D3FE ED15 03B0 8385 DD5D 95CE F866 9E37 28E8 1D69
>
> --
> gentoo-hardened@g.o mailing list
>
>

--
gentoo-hardened@g.o mailing list
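The original poster's worry above is not that tripwire does not work, but that he will never remember to run it. The usual answer is to let cron run a baseline-and-compare check and mail only when something differs, so a clean night is silent. The script below is an added example written for this thread; it is not code from the list, from tripwire, or from any of the participants. The paths in BASELINE and WATCH_DIRS are placeholder assumptions to be replaced with the directories of the real server.

```sh
#!/bin/sh
# Added example, not from the thread: a cron-friendly baseline-and-compare
# file integrity check in the spirit of tripwire. It runs on a schedule and
# prints output only when something changed, so cron mails only on change
# and the check does not depend on the admin remembering to run it.
# BASELINE and WATCH_DIRS are placeholder paths (assumptions); override via env.

BASELINE="${BASELINE:-/var/lib/integrity/baseline.sha256}"
# Space-separated list; intentionally left unquoted below so it word-splits.
WATCH_DIRS="${WATCH_DIRS:-/etc /usr/local/bin /var/www}"

# Emit "sha256  path" for every regular file under the watched directories.
make_manifest() {
    # shellcheck disable=SC2086  (word-splitting WATCH_DIRS is intended)
    find $WATCH_DIRS -type f -print0 2>/dev/null | sort -z | xargs -0 -r sha256sum
}

# Record the current tree as the trusted baseline. Run once after a clean
# install and again after each intentional update (emerge, config edits).
init_baseline() {
    mkdir -p "$(dirname "$BASELINE")"
    make_manifest > "$BASELINE"
}

# Compare the current tree with the baseline. Prints one line per ADDED,
# CHANGED or REMOVED file. Returns 0 when clean, 1 when anything differs,
# 2 on setup errors. Nothing is printed on a clean run.
check_baseline() {
    if [ ! -r "$BASELINE" ]; then
        echo "no baseline at $BASELINE; run init_baseline first" >&2
        return 2
    fi
    tmp=$(mktemp) || return 2
    make_manifest > "$tmp"
    # The path is everything after the hash and two spaces, so paths that
    # contain spaces survive. The first file (baseline) fills old[], the
    # second file is the current manifest.
    report=$(awk '
        { p = substr($0, length($1) + 3) }
        FILENAME == ARGV[1] { old[p] = $1; next }
        !(p in old)   { print "ADDED   " p; seen[p] = 1; next }
        old[p] != $1  { print "CHANGED " p }
        { seen[p] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$BASELINE" "$tmp")
    rm -f "$tmp"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Example crontab line (placeholder path for the script): nightly check,
# any output is mailed by cron.
#   15 3 * * * root /usr/local/sbin/integrity-check.sh check
case "${1:-}" in
    init)  init_baseline ;;
    check) check_baseline ;;
esac
```

Two caveats worth keeping in mind, both of which the original poster already anticipated: the baseline file and the script itself must live somewhere the web server's user cannot write (otherwise an intruder simply re-baselines), and a check that runs from the possibly compromised host can be defeated by a sufficiently careful intruder. Storing a copy of the baseline off-box, or comparing against it from another machine, closes the first gap; the second is exactly why tripwire-style tools are a detection aid and not a substitute for the SELinux/PaX hardening discussed above.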