From: <wandering.womble@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Hardened SELinux Gentoo + Xen & Apache: workable?
Date: Tue, 29 Nov 2005 01:29:18 -0800
Message-ID: <dbf855d00511290129q3ef381feh46b0456cae9257db@mail.gmail.com>
In-Reply-To: <438BF8A1.7050506@wasscher.net>
Thanks Ewald-
and thanks for the reminders re mod_deflate/mod_gzip :-)
Look forward to seeing some more comments from you- if you have time.
Regards
Julian
On 11/28/05, Ewald Wasscher <ewald@wasscher.net> wrote:
> wandering.womble@gmail.com wrote:
> > Hi there-
> >
> > I'd like to set up a hobby web-server, and I'd appreciate any
> > thoughts/feedback from this community on what I'm planning- below.
> >
> > The server will be for two domains. I'd like them to be as
> > independent of each other as possible, running on the same machine.
> > I'd like the maintenance to be as straight-forward as possible.
> > There's also a small chance one of the domains may end up on its own
> > hardware one day. The machine will be on the end of a cable modem, in
> > a DMZ, running its own secondary firewall- probably using shorewall.
> >
> > I've looked at chroots, jails, vserver patches, BSD, Solaris- with
> > only the latter having any support for managing software installed
> > inside the 'jail'. But I couldn't find an answer to whether Solaris zones
> > can also manage manually installed software- I'm guessing not (there
> > are no Solaris packages for lots of web apps.)
> >
> > Then I read about Xen- and thought that could be reasonable;
> > virtualize the machine, install two instances of the OS; disk is
> > cheap, and although everything will have to be down twice (updates
> > etc), at least I can use the standard package management tools.
> >
> > My thinking is that up-to-date SELinux + hardened gcc + apache +
> > mod_security is enough of a headache that the majority of script
> > kiddies/crackers won't be bothered.
>
> AFAIK the grsecurity patch can't be applied to the current xen-sources,
> so you'll lose quite a bit of the protection of the hardened gcc without
> PaX (grsecurity).
>
> > Anyone who can get through that
> > I'm never going to notice- I know I won't make time to run something
> > like tripwire often enough to be that useful, and even if I did, if
> > someone gets through the above, they're very likely to be smart enough
> > to hide the evidence so I don't notice for a long time (if ever.)
> > Again, this is for a hobby server- one domain for family pics, etc,
> > the other for something like trac for me and some friends to have fun
> > with some hobby development.
> >
> > First question- does the above sound reasonable?
> >
>
> To me it does. Have you thought about using mod_deflate or mod_gzip? It
> will save some of your precious upstream bandwidth.
>
> Now I have to hurry to work, maybe more answers in the evening.
>
> --
> Ewald Wasscher
>
>
> PGP Key Fingerprint: D3FE ED15 03B0 8385 DD5D 95CE F866 9E37 28E8 1D69
--
gentoo-hardened@gentoo.org mailing list
Thread overview (3 messages):
2005-11-29 1:16 [gentoo-hardened] Hardened SELinux Gentoo + Xen & Apache: workable? wandering.womble
2005-11-29 6:43 ` Ewald Wasscher
2005-11-29 9:29 ` wandering.womble [this message]