On Mon, 20 Jan 2003 15:15, Andrius Adomaitis wrote:
> > The FTP server and IMP cause me the most concerns....
> >
> > Any ideas? Anyone used UML and changed back?
>
> UML is not a solution here. For security use capabilities system along with
> chroot environments.
> Check out http://www.grsecurity.org/papers.php ,
> http://www.openwall.com/linux , man chroot. Of course dedicated machines for
> smtp/pop3/imap, web/ftp, sql, dns are better, but still consider using some
> system wide security system.

Grsec and similar kernel patches are good. However one problem that they face is that you don't have a single system image any more. If you have separate chroots for mail delivery, POP, DNS, FTP, and Apache then you have 5 different environments to keep up to date with security patches etc.

If you use SE Linux then you get more isolation between processes than you get in a chroot on a non-patched kernel, and you get a single system image so that dselect can be used once to update things.

Also it should be noted that if you use separate hardware for the separate services then you need to have different passwords on the different machines...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

