From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from )
	id 1Ojxkp-0004pI-AB
	for garchives@archives.gentoo.org; Fri, 13 Aug 2010 17:09:15 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id E100AE0B5D
	for ; Fri, 13 Aug 2010 17:09:14 +0000 (UTC)
Received: from mail-pv0-f181.google.com (mail-pv0-f181.google.com [74.125.83.181])
	by pigeon.gentoo.org (Postfix) with ESMTP id 1FC46E096C
	for ; Fri, 13 Aug 2010 17:07:25 +0000 (UTC)
Received: by pvg16 with SMTP id 16so1187366pvg.40
	for ; Fri, 13 Aug 2010 10:07:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from
	 :user-agent:mime-version:to:subject:references:in-reply-to
	 :x-enigmail-version:content-type:content-transfer-encoding;
	bh=HWTTIOGbxRWDS88FZAfFiY4jq3fZxd6eRxV66jNhjKM=;
	b=cfNyOWojz3Vse0V/2Gybgd3HoElPwB91q/hP95dzRR1aXX6ksAv0FAI6FH/M8X7H1E
	 oj6fj1oHUmDCHdjHfK+3mLoNy1YMncEQA5Kidj2ZiDLmyNa7bX8izLJxaACSQSgH2axN
	 aXMKWV9FCQvAKx9gTWXx8dyE+CIxyihks6JTo=
DomainKey-Signature: a=rsa-sha1; c=nofws;
	d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:subject:references
	 :in-reply-to:x-enigmail-version:content-type
	 :content-transfer-encoding;
	b=PcmNihRpeFsykWXn0PG64zrzg3Cm3b5PX13Yb1nMkMZP422ReAmEeWK0QNMWc8PINR
	 SgbK8Iaziark2oDQeSzizjBUW5g+NcSu/5laK1k/TvldmSimrMgZ9OvSSsPxpqhu6N98
	 dO0/lwOIQZvZ/TnYevEGg897LJQo3m4ZnsQmU=
Received: by 10.114.126.2 with SMTP id y2mr2067379wac.57.1281719244067;
	Fri, 13 Aug 2010 10:07:24 -0700 (PDT)
Received: from [192.168.0.12] ([209.20.133.224])
	by mx.google.com with ESMTPS id g4sm4940574wae.2.2010.08.13.10.07.22
	(version=SSLv3 cipher=RC4-MD5);
	Fri, 13 Aug 2010 10:07:23 -0700 (PDT)
Message-ID: <4C657BCA.9000703@gmail.com>
Date: Fri, 13 Aug 2010 10:07:22 -0700
From: Bill Longman
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100727 Thunderbird/3.1.1
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]
References: <20100813152553.GB21326@nibiru.local>
In-Reply-To:
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 3a51bce2-b0a5-48b5-a005-e4776e934866
X-Archives-Hash: 40d9f29e391952ba2ca708604fe65f21

On 08/13/2010 09:25 AM, Mark Knecht wrote:
> On Fri, Aug 13, 2010 at 8:25 AM, Enrico Weigelt wrote:
>> * Paul Hartman wrote:
>>
>>
>>
>> Apropos cracked machines:
>>
>> In recent years I often got trouble w/ cracked customers' boxes
>> (one eg. was abused for SIP-calling people around the world and
>> asking them for their debit card codes ;-o). So I thought about
>> protection against those scenarios. The solution:
>>
>> Put all remotely available services into containers and make the
>> host system only accessible via special channels (eg. serial console).
>> You can run automatic sanity tests and security alerts from the host
>> system, which cannot be hijacked (as long as there's no kernel
>> bug which allows escaping a container ;-o).
>>
>> This also brings several other benefits, eg. easier backups, quick
>> migration to other machines, etc.
>>
>>
>> cu
>
> Hi Enrico,
>    Since I'm not an IT guy could you please explain this just a bit
> more? What is 'a container'? Is it a chroot running on the same
> machine? A different machine? Something completely different?
>
> In the OP's case (I believe) he thought a personal machine at home
> was compromised. If that's the case then without doubling my
> electrical bill (2 computers) how would I implement your containers?

Basically just run VMware/VirtualBox etc. and put the services in there.
That's why I force my kids to use IE in a VM....

No, chroots are NOT the same. They run on the same system.
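Enrico's point about running "automatic sanity tests and security alerts from the host system" is the part of this thread that a practitioner would want to see concretely. The script below is an added example, not code from the thread or from any of its participants: it records a baseline manifest of SHA-256 digests for every regular file under a container's root filesystem (assumed here to be a directory visible from the host, such as a chroot or a bind-mounted guest root; the `build_manifest`, `verify_manifest` and `changed_files` function names and the manifest location are this example's own), then re-walks the tree later and reports which files were modified, added or removed. Because the check runs from the host and the baseline lives outside the container, a compromised service inside the container cannot quietly edit the reference it is being compared against, which is exactly the separation Enrico describes (and, as he notes, it holds only as long as the host itself is not reachable from the container).

```shell
#!/bin/sh
# Added example: host-side file-integrity check of a container rootfs.
# ROOTFS is a directory on the host holding the container's root
# filesystem (assumption for this example); MANIFEST is a file kept on
# the host, outside the container, with one "<sha256>  <relative path>"
# line per regular file. Requires find, sort, sha256sum, diff, sed.

# build_manifest ROOTFS MANIFEST
# Walk ROOTFS and write a sorted digest manifest to MANIFEST.
build_manifest() {
    rootfs=$1
    manifest=$2
    (
        cd "$rootfs" || exit 1
        # Sort with a fixed locale so two runs produce byte-identical
        # manifests and a plain diff is meaningful.
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    ) > "$manifest"
}

# changed_files ROOTFS MANIFEST
# Print the relative path of every file whose digest differs from the
# baseline, plus files present in only one of the two manifests
# (added or removed). One path per line, sorted, no duplicates.
changed_files() {
    current=$(mktemp)
    build_manifest "$1" "$current"
    # diff marks baseline-only lines with "< " and current-only lines with
    # "> "; drop the marker and the digest so only the path remains.
    diff "$2" "$current" | sed -n 's/^[<>] [0-9a-f]*  //p' | LC_ALL=C sort -u
    rm -f "$current"
}

# verify_manifest ROOTFS MANIFEST
# Exit status 0 when ROOTFS still matches MANIFEST, 1 when anything
# drifted; the drifted paths go to stderr so a cron job or alerting
# hook can pick them up.
verify_manifest() {
    drift=$(changed_files "$1" "$2")
    if [ -z "$drift" ]; then
        return 0
    fi
    printf 'INTEGRITY ALERT: %s differs from baseline %s\n' "$1" "$2" >&2
    printf '%s\n' "$drift" >&2
    return 1
}

# demo
# Constructed walkthrough on a throwaway directory standing in for a
# container rootfs: take a baseline, verify it is clean, alter one file
# and add another, then show what the check reports.
demo() {
    root=$(mktemp -d)
    baseline=$(mktemp)
    mkdir -p "$root/etc" "$root/usr/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
    printf '#!/bin/sh\necho hello\n' > "$root/usr/bin/hello"

    build_manifest "$root" "$baseline"
    verify_manifest "$root" "$baseline" && echo "baseline verified clean"

    # Simulated drift inside the "container": one file edited, one added.
    printf 'extra line\n' >> "$root/etc/passwd"
    printf '#!/bin/sh\n' > "$root/usr/bin/unexpected"

    verify_manifest "$root" "$baseline" || echo "drift detected, see stderr"
    rm -rf "$root" "$baseline"
}

# Run the walkthrough only when invoked as: sh integrity.sh demo
if [ "${1-}" = demo ]; then
    demo
fi
```

In practice the baseline would be regenerated right after each legitimate update of the container (a package upgrade changes many digests) and `verify_manifest` would run from the host's cron, with its stderr routed to whatever alerting the host already has. The manifest format is the same one `sha256sum -c` understands, so the baseline can also be checked with that tool directly if the per-path report is not needed.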