From: Mark Knecht
To: gentoo-user@lists.gentoo.org
Date: Fri, 13 Aug 2010 09:25:49 -0700
Subject: Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]
In-Reply-To: <20100813152553.GB21326@nibiru.local>

On Fri, Aug 13, 2010 at 8:25 AM, Enrico Weigelt wrote:
> * Paul Hartman wrote:
> >
>
> Apropos cracked machines:
>
> In recent years I often got trouble w/ cracked customers' boxes
> (one e.g. was abused for SIP-calling people around the world and
> asking them for their debit card codes ;-o). So I thought about
> protection against those scenarios. The solution:
>
> Put all remotely available services into containers and make the
> host system only accessible via special channels (e.g. serial console).
> You can run automatic sanity tests and security alerts from the host
> system, which cannot be hijacked (as long as there's no kernel
> bug which allows escaping a container ;-o).
>
> This also brings several other benefits, e.g. easier backups, quick
> migration to other machines, etc.
>
> cu

Hi Enrico,

Since I'm not an IT guy, could you please explain this just a bit more? What is 'a container'? Is it a chroot running on the same machine? A different machine? Something completely different?

In the OP's case (I believe) he thought a personal machine at home was compromised. If that's the case, then without doubling my electrical bill (2 computers), how would I implement your containers?

Thanks,
Mark
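Enrico's design has the host run its checks over the containers from outside, where a compromised service cannot tamper with them. The following is an added example of such a host-side sanity test, not code from this thread or from any Gentoo tool: it hashes the static directories of a container's root filesystem as seen from the host, keeps the baseline on the host, and reports files that were added, removed or modified. The directory list in STATIC_DIRS, the function names, and the tiny constructed rootfs built by demo() are this example's own assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Container directories that should stay static between package updates;
# /var, /tmp and similar churn constantly and are left out of the check.
STATIC_DIRS = ("bin", "sbin", "lib", "usr", "etc")

def hash_tree(root, subdirs=STATIC_DIRS):
    """Return {relative_path: sha256} for regular files under root/<subdir>.
    Symlinks are skipped and never followed, so nothing inside the container
    can point the check at a file outside it or hide behind a link."""
    root, digests = Path(root), {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(root / sub):  # followlinks=False
            for name in files:
                path = Path(dirpath) / name
                if path.is_symlink() or not path.is_file():
                    continue
                h = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        h.update(chunk)
                digests[str(path.relative_to(root))] = h.hexdigest()
    return digests

def check_container(root, baseline):
    """Diff the container's current files against a baseline taken with
    hash_tree() at a trusted moment and stored on the host, never inside
    the container. Returns sorted lists of added, removed and modified paths."""
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed sample: a tiny fake container rootfs, baselined, then tampered with."""
    rootfs = Path(tempfile.mkdtemp())
    (rootfs / "bin").mkdir()
    (rootfs / "bin" / "ls").write_bytes(b"original ls")
    (rootfs / "bin" / "cat").write_bytes(b"original cat")
    baseline = hash_tree(rootfs)                                # trusted state
    (rootfs / "bin" / "ls").write_bytes(b"trojaned ls")         # modified
    (rootfs / "bin" / "cat").unlink()                           # removed
    (rootfs / "bin" / "sipd").write_bytes(b"planted binary")    # added
    (rootfs / "bin" / "shadow").symlink_to("/etc/shadow")       # link: ignored
    return check_container(rootfs, baseline)
```

Calling demo() returns the three lists for the constructed sample; on a real host you would point hash_tree() at the container's root directory and run check_container() from cron, alerting on any non-empty list outside a known update window.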