From: Enrico Weigelt
To: gentoo-user@lists.gentoo.org
Date: Fri, 10 Sep 2010 03:06:24 +0200
Subject: Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]
Message-ID: <20100910010624.GF8209@nibiru.local>
In-Reply-To: <4C66EF53.3050701@gmail.com>

* Jarry wrote:

> The only service running on my "host" (main system) is sshd,
> which I secured as much as I could.

If you have some physical access (e.g. a serial console), you could even drop sshd (or bind it only to some local interface) to get around possible ssh attacks. That's what I'm doing on several machines.

> Everything else (web, mail, dns, ftp, syslog, X, and plenty of
> users' services) runs on its own guest-system, chrooted in
> addition (where it was possible).

Yes, that's also my approach.

BTW: I'm currently trying to convince one of my customers - a major German ISP - to provide a generic solution for such environments: customers can allocate and configure containers at will (also via robot interfaces), and the ISP takes care of the cluster of host machines ...
Maybe I'll get the leading product managers convinced some day ;-)

cu
-- 
----------------------------------------------------------------------
Enrico Weigelt, metux IT service -- http://www.metux.de/
phone: +49 36207 519931   email: weigelt@metux.de   mobile: +49 151 27565287
icq: 210169427   skype: nekrad666
----------------------------------------------------------------------
Embedded Linux / porting / open-source QM / distributed systems
----------------------------------------------------------------------
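The advice above to bind sshd only to a local (management) interface is easy to state and easy to get wrong, because an sshd_config with no ListenAddress directive at all silently listens on every address. The following audit script is an added example, not code from Enrico or from the thread: it reads an sshd_config, reports the effective listen addresses using the sshd_config(5) rules (no ListenAddress means 0.0.0.0 and ::; a ListenAddress of 0.0.0.0 or :: is still a wildcard bind), and returns non-zero if the daemon would be reachable on all interfaces. The config file paths and the sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original mail): audit how an sshd_config
# will bind, so "sshd only listens on the management interface" can be
# verified instead of assumed.
#
# Rules modelled from sshd_config(5):
#   - no ListenAddress directive      -> sshd listens on all addresses (0.0.0.0 and ::)
#   - ListenAddress 0.0.0.0 or ::     -> wildcard bind, reachable from every interface
#   - anything else                   -> specific address; may carry a :port suffix
#                                        (10.0.0.5:2222, [fd00::5]:2222) or "rdomain N"
# ListenAddress is not valid inside Match blocks, so those need no special handling.

# Print the effective listen addresses, one per line.
sshd_listen_addresses() {
    cfg="$1"
    # drop comments, match the keyword case-insensitively, keep only the address field
    addrs=$(sed -e 's/#.*//' "$cfg" | awk 'tolower($1)=="listenaddress" {print $2}')
    if [ -z "$addrs" ]; then
        printf '%s\n' '0.0.0.0' '::'
    else
        printf '%s\n' "$addrs"
    fi
}

# Return 0 when every listen address is a specific (non-wildcard) address,
# 1 when sshd would bind to all interfaces on at least one entry.
sshd_bound_to_specific_addresses() {
    cfg="$1"
    rc=0
    for a in $(sshd_listen_addresses "$cfg"); do
        host="$a"
        case "$a" in
            \[*\]:*)   host=$(printf '%s' "$a" | sed -e 's/^\[\(.*\)\]:.*/\1/') ;;  # [v6]:port
            \[*\])     host=$(printf '%s' "$a" | sed -e 's/^\[\(.*\)\]$/\1/') ;;    # [v6]
            *.*.*.*:*) host=${a%:*} ;;                                             # v4:port
        esac
        case "$host" in
            0.0.0.0|::) printf 'WILDCARD bind: %s\n' "$a"; rc=1 ;;
            *)          printf 'specific bind: %s\n' "$a" ;;
        esac
    done
    return $rc
}

# Stand-alone use: ./sshd_bind_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    sshd_bound_to_specific_addresses "$1"
fi
```

The exit status makes the check usable from a configuration-management run or a post-install test: a default sshd_config fails it, a config that lists only the management address passes, and a mixed config (one specific address plus 0.0.0.0) fails, since the wildcard entry undoes the restriction.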