On 08/13/2010 09:25 AM, Mark Knecht wrote:
> On Fri, Aug 13, 2010 at 8:25 AM, Enrico Weigelt <weigelt@×××××.de> wrote:
>> * Paul Hartman <paul.hartman+gentoo@×××××.com> wrote:
>>
>> <snip>
>>
>> Apropos cracked machines:
>>
>> In recent years I often got trouble w/ cracked customers' boxes
>> (one e.g. was abused for SIP-calling people around the world and
>> asking them for their debit card codes ;-o). So I thought about
>> protection against those scenarios. The solution:
>>
>> Put all remotely available services into containers and make the
>> host system only accessible via special channels (e.g. serial console).
>> You can run automatic sanity tests and security alerts from the host
>> system, which cannot be hijacked (as long as there's no kernel
>> bug which allows escaping a container ;-o).
>>
>> This also brings several other benefits, e.g. easier backups, quick
>> migration to other machines, etc.
>>
>>
>> cu
>
> Hi Enrico,
> Since I'm not an IT guy could you please explain this just a bit
> more? What is 'a container'? Is it a chroot running on the same
> machine? A different machine? Something completely different?
>
> In the OP's case (I believe) he thought a personal machine at home
> was compromised. If that's the case then without doubling my
> electrical bill (2 computers) how would I implement your containers?

Basically just run VMware/VirtualBox etc. and put the services in there.

That's why I force my kids to use IE in a VM....

No, chroots are NOT the same. They run on the same system.
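An added example, not from any poster in this thread: a POSIX shell script doing the kind of host-side sanity test Enrico describes, hashing a container's root filesystem from the host and reporting any added, removed or modified binaries and config files against a baseline kept outside the container. The container root path, the list of watched directories and the syslog call in the usage comment are assumptions, not something the thread specifies.

```sh
#!/bin/sh
# Host-side integrity check of a container's root filesystem (added example).
# Assumptions: the container's rootfs is a directory the host can read, and the
# baseline manifest is stored on the host, outside the container, so a
# compromised service inside it cannot rewrite the manifest. Needs sha256sum.

# Directories a break-in most often alters: binaries, libraries and config.
WATCH_DIRS="bin sbin usr/bin usr/sbin usr/lib etc"

# hash_tree ROOTFS: print "sha256  path" for every regular file under
# WATCH_DIRS, sorted so two runs over identical trees give identical output.
hash_tree() {
    ( cd "$1" || exit 1
      for d in $WATCH_DIRS; do [ -d "$d" ] && find "$d" -type f; done \
        | LC_ALL=C sort | xargs -r sha256sum )
}

# build_baseline ROOTFS MANIFEST: record the trusted state (run once, right
# after the container has been set up and before it is exposed to the network).
build_baseline() {
    hash_tree "$1" > "$2"
}

# check_baseline ROOTFS MANIFEST: compare the live tree against the baseline.
# Prints one line per removed (-) or added (+) entry; a modified file shows up
# as one of each. Returns 0 if nothing changed, 1 if anything differs.
check_baseline() {
    current=$(mktemp) || return 2
    hash_tree "$1" > "$current"
    if diff "$2" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    diff "$2" "$current" | sed -n 's/^< /- /p; s/^> /+ /p'
    rm -f "$current"
    return 1
}

# Usage from the host (e.g. from cron), with the alert going to syslog;
# /srv/ct/web/rootfs and /root/baselines are placeholder paths:
#   build_baseline /srv/ct/web/rootfs /root/baselines/web.sha256   # once
#   check_baseline /srv/ct/web/rootfs /root/baselines/web.sha256 \
#     || logger -p auth.alert -t ct-check "container web: filesystem changed"
```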