Gentoo Archives: gentoo-user

From: Mark Knecht <markknecht@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]
Date: Fri, 13 Aug 2010 17:05:50
Message-Id: AANLkTimT-fUKEohbn4M+rp9yd-5FfAzCGiGG4-BCmEAP@mail.gmail.com
In Reply to: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?] by Enrico Weigelt
On Fri, Aug 13, 2010 at 8:25 AM, Enrico Weigelt <weigelt@×××××.de> wrote:
> * Paul Hartman <paul.hartman+gentoo@×××××.com> wrote:
>
> <snip>
>
> Apropos cracked machines:
>
> In recent years I often got trouble w/ cracked customer's boxes
> (one e.g. was abused for SIP-calling people around the world and
> asking them for their debit card codes ;-o). So thought about
> protection against those scenarios. The solution:
>
> Put all remotely available services into containers and make the
> host system only accessible via special channels (e.g. serial console).
> You can run automatic sanity tests and security alerts from the host
> system, which cannot be hijacked (as long as there's no kernel
> bug which allows escaping a container ;-o).
>
> This also brings several other benefits, e.g. easier backups, quick
> migration to other machines, etc.
>
>
> cu

Hi Enrico,
Since I'm not an IT guy could you please explain this just a bit
more? What is 'a container'? Is it a chroot running on the same
machine? A different machine? Something completely different?

In the OP's case (I believe) he thought a personal machine at home
was compromised. If that's the case then without doubling my
electrical bill (2 computers) how would I implement your containers?

Thanks,
Mark
