| 1 |
On 08/13/2010 09:25 AM, Mark Knecht wrote: |
| 2 |
> On Fri, Aug 13, 2010 at 8:25 AM, Enrico Weigelt <weigelt@×××××.de> wrote: |
| 3 |
>> * Paul Hartman <paul.hartman+gentoo@×××××.com> wrote: |
| 4 |
>> |
| 5 |
>> <snip> |
| 6 |
>> |
| 7 |
>> Apropos cracked machines: |
| 8 |
>> |
| 9 |
>> In recent years I often got trouble w/ cracked customer's boxes |
| 10 |
>> (one eg. was abused for SIP-calling people around the world and |
| 11 |
>> asking them for their debit card codes ;-o). So thought about |
| 12 |
>> protection against those scenarios. The solution: |
| 13 |
>> |
| 14 |
>> Put all remotely available services into containers and make the |
| 15 |
>> host system only accessible via special channels (eg. serial console). |
| 16 |
>> You can run automatic sanity tests and security alerts from the hosts |
| 17 |
>> system, which cannot be highjacked (as long as there's no kernel |
| 18 |
>> bug which allows escaping a container ;-o). |
| 19 |
>> |
| 20 |
>> This also brings several other benefits, eg. easier backups, quick |
| 21 |
>> migration to other machines, etc. |
| 22 |
>> |
| 23 |
>> |
| 24 |
>> cu |
| 25 |
> |
| 26 |
> Hi Enrico, |
| 27 |
> Since I'm not an IT guy could you please explain this just a bit |
| 28 |
> more? What is 'a container'? Is it a chroot running on the same |
| 29 |
> machine? A different machine? Something completely different? |
| 30 |
> |
| 31 |
> In the OP's case (I believe) he thought a personal machine at home |
| 32 |
> was compromised. If that's the case then without doubling my |
| 33 |
> electrical bill (2 computers) how would I implement your containers? |
| 34 |
|
| 35 |
Basically just run VMWare/Virtualbox etc and put the services in there. |
| 36 |
|
| 37 |
That's why I force my kids to use IE in a VM.... |
| 38 |
|
| 39 |
No, chroots are NOT the same. They run on the same system. |
Archives