* Jarry <mr.jarry@×××××.com> wrote:

> The only service running on my "host" (main system) is sshd,
> which I secured as much as I could.

If you have some physical access (e.g. serial console), you
could even drop sshd (or only bind it to some local interface)
to get around possible ssh attacks. That's what I'm doing on
several machines.

> Everything else (web, mail, dns, ftp, syslog, X, and plenty of
> users' services) runs on its own guest-system, chrooted in
> addition (where it was possible).

Yes, that's also my approach.

BTW: I'm currently trying to convince one of my customers - a
major German ISP - to provide a generic solution for such kinds
of environments: customers can allocate and configure containers
at will (also via robot interfaces), and the ISP takes care of
the cluster of host machines ... maybe I get the leading product
managers convinced some day ;-)

cu
--
----------------------------------------------------------------------
Enrico Weigelt, metux IT service -- http://www.metux.de/

phone: +49 36207 519931 email: weigelt@×××××.de
mobile: +49 151 27565287 icq: 210169427 skype: nekrad666
----------------------------------------------------------------------
Embedded Linux / Porting / Open-source QM / Distributed Systems
----------------------------------------------------------------------
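The "bind sshd only to some local interface" advice above, as an added example that is not part of the original post or the author's own setup: a hypothetical sshd_config fragment that pins sshd to one management address (10.0.0.1 is an assumed address), plus a small POSIX shell check that reads a socket table in the layout of `ss -ltnp` (the table here is constructed) and reports any listener of a given process that is still bound to a wildcard address.

```shell
#!/bin/sh
# Added example (not code from the mailing-list post): pin sshd to one
# management address, then check a socket table for anything still bound to
# a wildcard address. The address 10.0.0.1 and the socket table below are
# constructed for illustration.

# Hypothetical sshd_config fragment. Without ListenAddress, sshd binds the
# wildcard (0.0.0.0 and ::); with it, only the listed addresses are used.
sshd_config_fragment() {
    cat <<'EOF'
Port 22
AddressFamily inet
ListenAddress 10.0.0.1
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Constructed sample in the layout of `ss -ltnp`: sshd already bound to the
# management address, a mail daemon still on the wildcard (v4 and v6).
sample_socket_table() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    10.0.0.1:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:25         0.0.0.0:*         users:(("master",pid=901,fd=13))
LISTEN 0      128    [::]:25            [::]:*            users:(("master",pid=901,fd=14))
EOF
}

# Read a socket table on stdin and print each LISTEN entry of process $1
# whose local address is a wildcard (0.0.0.0, * or [::]).
# Exit 0 if none were found, 1 otherwise.
wildcard_listeners() {
    proc="$1"
    found=$(awk -v p="$proc" '
        $1 == "LISTEN" && index($0, "\"" p "\"") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)        # strip the port
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") print $4
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone run: sshd is clean in the constructed table (prints nothing,
# exits 0); the mail daemon is reported on 0.0.0.0:25 and [::]:25.
sample_socket_table | wildcard_listeners sshd
sample_socket_table | wildcard_listeners master || echo "still on wildcard"
```

On a real host the check is `ss -ltnp | wildcard_listeners sshd` after restarting sshd. Two caveats worth remembering: the address named in ListenAddress must be configured on an interface when sshd starts, or sshd will fail to bind and exit; and if IPv6 is enabled, either keep `AddressFamily inet` or add a matching IPv6 ListenAddress, otherwise the v6 side quietly stays on the wildcard.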