From: Enrico Weigelt
To: gentoo-user@lists.gentoo.org
Date: Fri, 13 Aug 2010 17:25:53 +0200
Subject: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]
Message-ID: <20100813152553.GB21326@nibiru.local>
User-Agent: Mutt/1.4.1i

* Paul Hartman wrote:

Apropos cracked machines:

In recent years I often got trouble with cracked customers' boxes (one, e.g., was abused for SIP-calling people around the world and asking them for their debit card codes ;-o). So I thought about protection against those scenarios.

The solution: put all remotely available services into containers and make the host system only accessible via special channels (e.g. serial console). You can run automatic sanity tests and security alerts from the host system, which cannot be hijacked (as long as there's no kernel bug which allows escaping a container ;-o).

This also brings several other benefits, e.g. easier backups, quick migration to other machines, etc.

cu
-- 
----------------------------------------------------------------------
 Enrico Weigelt, metux IT service -- http://www.metux.de/

 phone:  +49 36207 519931  email: weigelt@metux.de
 mobile: +49 151 27565287  icq:   210169427         skype: nekrad666
----------------------------------------------------------------------
 Embedded Linux / Porting / Open-source QM / Distributed Systems
----------------------------------------------------------------------
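One concrete form of the "automatic sanity tests from the host system" the post proposes, as an added example that is not part of the original message or of any Gentoo tooling: a host-side script that records a hash manifest of a container's root filesystem and later reports files that were added, removed or modified inside it. The baseline and the checker live on the host, so a compromised service in the container cannot tamper with them. The rootfs path `ROOTFS_DIR` and the container name are assumptions for illustration; the demo runs against a constructed throw-away directory instead.

```python
"""Host-side integrity check of a container's root filesystem.

Added example, not code from the mailing-list post: the post suggests keeping
exposed services in containers and running sanity tests from the host, which
the services cannot reach. This script takes a baseline of file hashes under a
container's rootfs and later reports added, removed and modified files. The
rootfs location is an assumption; a real deployment would point ROOTFS_DIR at
the container's root directory as seen from the host.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed location; not taken from the post.
ROOTFS_DIR = "/var/lib/containers/sip-proxy/rootfs"


def hash_tree(root: str) -> dict:
    """Return {relative path: sha256 hex} for every regular file under root.

    Symlinks are skipped and never followed, so a link planted inside the
    container cannot redirect the checker to files outside the rootfs.
    """
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root_path, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root_path).as_posix()] = digest.hexdigest()
    return manifest


def save_baseline(root: str, baseline_file: str) -> dict:
    """Hash the tree and store the manifest on the host, outside the container."""
    manifest = hash_tree(root)
    with open(baseline_file, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests into sorted added / removed / modified path lists."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def check(root: str, baseline_file: str) -> dict:
    """Re-hash the tree and compare it against the stored baseline."""
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    return compare(baseline, hash_tree(root))


def demo() -> dict:
    """Run the whole cycle against a constructed, throw-away rootfs."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = os.path.join(tmp, "rootfs")
        baseline_file = os.path.join(tmp, "baseline.json")  # on the host, not in rootfs
        # Constructed sample contents standing in for a small service container
        for rel, content in {
            "bin/sip-proxy": b"original service binary\n",
            "etc/motd": b"welcome\n",
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        }.items():
            full = Path(rootfs) / rel
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(content)
        save_baseline(rootfs, baseline_file)
        # Constructed changes of the kind an intruder inside the container leaves behind
        (Path(rootfs) / "bin/sip-proxy").write_bytes(b"replaced service binary\n")
        (Path(rootfs) / "etc/motd").unlink()
        hidden = Path(rootfs) / "usr/bin/.hidden"
        hidden.parent.mkdir(parents=True)
        hidden.write_bytes(b"dropped tool\n")
        # A symlink pointing out of the rootfs must be ignored, not followed
        os.symlink("/etc/shadow", Path(rootfs) / "etc/shadow-link")
        return check(rootfs, baseline_file)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

In real use, `save_baseline(ROOTFS_DIR, "/root/baselines/sip-proxy.json")` would be run once after the container is provisioned and `check(...)` from a host cron job, with any non-empty result raised as an alert; the manifest and the script stay on the host so the check holds as long as the container boundary does, which is exactly the caveat the post makes about kernel escape bugs.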