[CLUE-Tech] Hack information

Eric Jorgensen jorgy at yahoo.com
Fri Jul 30 16:10:56 MDT 2004


Hi,

I would like to add to the discussion my favorite way
to deal with the "crack one service, crack my whole
box" problem:  vservers

http://www.linux-vserver.org/

With this patched kernel, you can instantiate multiple
virtual linux machines inside your single physical
linux box.  This makes it nice to set up a firewall,
with ftp in a vserver, smtp and pop in a vserver,
httpd in a vserver, all isolated from the others.  It
is a "chroot jail on steroids".  The one problem that
I've found is that the releases always seem to lag
behind kernel releases substantially.

I don't know if it would have helped in this case, but
I've been using it for a while now and I'm very happy
with it.

Eric




--- David Anselmi <anselmi at anselmi.us> wrote:

> Angelo Bertolli wrote:
> [...]
> > I think it's more risky to run a "personal box" also as a server (if
> > that's what you're doing).  I've decided the safest way to go is to have
> > a separate box for each service you want to provide, if possible, and
> > then just strip down or firewall off everything else (removing those
> > packages is safer).
> 
> I wouldn't necessarily use a separate box for each service, but I would
> definitely separate a machine that supports user logins, or desktop
> environments ("personal box") from other services.  And think about
> trust that may exist between the boxes.
> 
> IMO Debian is much easier to strip down than Red Hat.  I think it pays
> off too.  My response to most Debian security advisories is "I don't
> have that".  (I also run testing, so my access to security patches a) is
> delayed while they go from upstream through unstable, and b) isn't
> dependent on upgrading to a new release when it might not be convenient.)
> 
> Haven't you been hacked before?  Maybe a security class, or consultant,
> is in order?
> 
> Dave
> 
> 
> 
> 
> _______________________________________________
> CLUE-Tech mailing list
> Post messages to: CLUE-Tech at clue.denver.co.us
> Unsubscribe or manage your options:
> http://clue.denver.co.us/mailman/listinfo/clue-tech
> 