From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.50) id 1EZbzQ-0002f2-ML for garchives@archives.gentoo.org; Tue, 08 Nov 2005 22:30:53 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.5/8.13.5) with SMTP id jA8MRMV0009199; Tue, 8 Nov 2005 22:27:22 GMT Received: from elmer.skumleren.net ([130.226.232.146]) by robin.gentoo.org (8.13.5/8.13.5) with ESMTP id jA8MLOZu011531 for ; Tue, 8 Nov 2005 22:21:24 GMT Received: from localhost (localhost [127.0.0.1]) by elmer.skumleren.net (Postfix) with ESMTP id 300D31D8038 for ; Tue, 8 Nov 2005 23:21:24 +0100 (CET) Received: from elmer.skumleren.net ([127.0.0.1]) by localhost (elmer.skumleren.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 30209-05 for ; Tue, 8 Nov 2005 23:21:20 +0100 (CET) Received: by elmer.skumleren.net (Postfix, from userid 1000) id A68021D8037; Tue, 8 Nov 2005 23:21:20 +0100 (CET) Date: Tue, 8 Nov 2005 23:21:20 +0100 From: Anders Bruun Olsen To: gentoo-security@lists.gentoo.org Subject: [gentoo-security] Advice about security solution Message-ID: <20051108222120.GJ14230@elmer.skumleren.net> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-security@gentoo.org Reply-to: gentoo-security@lists.gentoo.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline "X-PGP-Key: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0" User-Agent: Mutt/1.5.8i X-Virus-Scanned: amavisd-new at skumleren.net X-Archives-Salt: 3d4c0e90-3690-41ef-88f3-7d031b35263b X-Archives-Hash: 6291c422e5522981a45d836dccc35e98 Hi, I have a server that's doing just about everything a server can do. It's serving webpages with Apache, running mysql, handling mail for around 30 people with Postfix, running subversion for a couple of development projects, running both a Ventrilo and a CounterStrike server as well as having a bunch of local users via ssh which use it to run mutt, centericq, irssi and stuff like that. In general a very active server. I have been having my doubts about the security on this server lately however, and have been looking into different solutions. A quick analysis will show that the solution needs to take into account both attacks from outside and local attacks since local users can't be trusted 100%. My first idea was to use linux-vserver, put everything into their own vservers and have users log into a vserver with just the programs they need there to minimize the threat from them. Unfortunately screen does not work inside vservers so this solution is no good as most users have their mailclient, irc client, icq client etc. running in a screen and just reattach to it when they log in. Now I could run everything in vservers and just let users login to the host as they do now. That would certainly limit the threat from security bugs in things like the CS server, and would limit the users ability to mess with running processes. Not that they have rights to do that anyway, but a layer of protection has been added. I would have liked this solution to use SELinux or grsecurity to give me access control to further boost security, but it seems that there aren't any current vserver+grsec patches available and the don't apply cleanly on top of each other. And SELinux is incompatible with vserver (I have read). Yet another solution would be to drop vserver and just use grsecurity or SELinux, but I am uncertain how good the protection against security holes in i.e. CS-server would be in contrast with the vserver solution. Yet another solution would of course be Xen, but since 3.0 is not yet in stable, I don't really think that's a viable solution yet. I might be missing some possible solution scenarios and would very much appreciate advice. Both regarding my ideas so far, and anything I have missed. And no, buying a second server to isolate users on is not an option. This is a private server and I am not a rich guy :) Thanks in advance. -- Anders -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y? ------END GEEK CODE BLOCK------ PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0 -- gentoo-security@gentoo.org mailing list