[EMAIL PROTECTED] wrote:
> Hi there-
>
> I'd like to set up a hobby web-server, and I'd appreciate any
> thoughts/feedback from this community on what I'm planning- below.
>
> The server will be for two domains. I'd like them to be as
> independent of each other as possible, running on the same machine.
> I'd like the maintenance to be as straightforward as possible.
> There's also a small chance one of the domains may end up on its own
> hardware one day. The machine will be on the end of a cable modem, in
> a DMZ, running its own secondary firewall- probably using shorewall.
>
> I've looked at chroots, jails, vserver patches, bsd, solaris- with
> only the latter having any support for managing software installed
> inside the 'jail'. But I couldn't find an answer to whether solaris zones
> can also manage manually installed software- I'm guessing not (there
> are no solaris packages for lots of web apps.)
>
> Then I read about Xen- and thought that could be reasonable;
> virtualize the machine, install two instances of the OS; disk is
> cheap, and although everything will have to be down twice (updates
> etc), at least I can use the standard package management tools.
>
> My thinking is that up-to-date SELinux + hardened gcc + apache +
> mod_security is enough of a headache that the majority of script
> kiddies/crackers won't be bothered.
AFAIK the grsecurity patch can't be applied to the current xen-sources,
so you'll lose quite a bit of the protection of the hardened gcc without
PaX (grsecurity).

> Anyone who can get through that
> I'm never going to notice- I know I won't make time to run something
> like tripwire often enough to be that useful, and even if I did, if
> someone gets through the above, they're very likely to be smart enough
> to hide the evidence so I don't notice for a long time (if ever.)
> Again, this is for a hobby server- one domain for family pics, etc,
> the other for something like trac for me and some friends to have fun
> with some hobby development.
>
> First question- does the above sound reasonable?
>

To me it does. Have you thought about using mod_deflate or mod_gzip? It
will save some of your precious upstream bandwidth.

Now I have to hurry to work, maybe more answers in the evening.

--
Ewald Wasscher
PGP Key Fingerprint: D3FE ED15 03B0 8385 DD5D 95CE F866 9E37 28E8 1D69

--
[email protected] mailing list
