[CLUE-Tech] Hack information
Eric Jorgensen
jorgy at yahoo.com
Fri Jul 30 16:10:56 MDT 2004
Hi,
I would like to add to the discussion my favorite way
to deal with the "crack one service, crack my whole
box" problem: vservers
http://www.linux-vserver.org/
With this patched kernel, you can instantiate multiple
virtual Linux machines inside your single physical
Linux box. This makes it nice to set up a firewall,
with ftp in a vserver, smtp and pop in a vserver,
httpd in a vserver, all isolated from the others. It
is a "chroot jail on steroids". The one problem that
I've found is that the releases always seem to lag
behind kernel releases substantially.
I don't know if it would have helped in this case, but
I've been using it for a while now and I'm very happy
with it.
Eric
--- David Anselmi <anselmi at anselmi.us> wrote:
> Angelo Bertolli wrote:
> [...]
> > I think it's more risky to run a "personal box" also as a server (if
> > that's what you're doing). I've decided the safest way to go is to have
> > a separate box for each service you want to provide, if possible, and
> > then just strip down or firewall off everything else (removing those
> > packages is safer).
>
> I wouldn't necessarily use a separate box for each service, but I would
> definitely separate a machine that supports user logins, or desktop
> environments ("personal box") from other services. And think about
> trust that may exist between the boxes.
>
> IMO Debian is much easier to strip down than Red Hat. I think it pays
> off too. My response to most Debian security advisories is "I don't
> have that". (I also run testing, so my access to security patches a) is
> delayed while they go from upstream through unstable, and b) isn't
> dependent on upgrading to a new release when it might not be convenient.)
>
> Haven't you been hacked before? Maybe a security class, or consultant,
> is in order?
>
> Dave