| 1 |
* Jarry <mr.jarry@×××××.com> wrote: |
| 2 |
|
| 3 |
> The only service running on my "host" (main system) is sshd, |
| 4 |
> which I secured as much as I could. |
| 5 |
|
| 6 |
If you have some physical access (eg. serial console), you |
| 7 |
could even drop sshd (or only bind it to some local interface) |
| 8 |
to get around possible ssh attacks. That's what I'm doing on |
| 9 |
several machines. |
| 10 |
|
| 11 |
> Everything else (web, mail, dns, ftp, syslog, X, and plenty of |
| 12 |
> users' services) runs on its own guest-system, chrooted in |
| 13 |
> addition (where it was possible). |
| 14 |
|
| 15 |
Yes, that's also my approach. |
| 16 |
|
| 17 |
BTW: I'm currently trying to convice one of my customers - an |
| 18 |
major German ISP - to provide a generic solution for such kind |
| 19 |
of environments: customers can allocate and configure containers |
| 20 |
at will (also via robot interfaces), and the ISP takes care of |
| 21 |
the cluster of host machines ... maybe I get the leading product |
| 22 |
managers convinced some day ;-) |
| 23 |
|
| 24 |
|
| 25 |
cu |
| 26 |
-- |
| 27 |
---------------------------------------------------------------------- |
| 28 |
Enrico Weigelt, metux IT service -- http://www.metux.de/ |
| 29 |
|
| 30 |
phone: +49 36207 519931 email: weigelt@×××××.de |
| 31 |
mobile: +49 151 27565287 icq: 210169427 skype: nekrad666 |
| 32 |
---------------------------------------------------------------------- |
| 33 |
Embedded-Linux / Portierung / Opensource-QM / Verteilte Systeme |
| 34 |
---------------------------------------------------------------------- |
Archives