Hi Michael,

Michael wrote:
I co-admin 2 servers running x86_64 gentoo installs. Due to not updating
the servers for a longer period, there were several major security
issues which at least allowed for someone to run a ftp server on it
without me knowing about it.

Because a lot of stuff is still outdated and this was the first install
for the servers I want to reinstall them, again using gentoo. My own
idea was to isolate the web and mail-server in Xen virtual machines, so
that if someone's ever able to get in they can only bring down a small
part, which can easily be restored.

Now my question is, would this be a good way to at least partly secure
the machine? Or should I use something from the hardened depot to
increase the security levels on these servers? The problem now was that
one program had a bug in it which could even give remote users root
access to the entire machine, which could've also caused loss of data
the program was not related to. By isolating in Xen domains this problem
is partly solved, but it does also bring a few other problems along.

Chroot hardening using grsecurity (with TPE enabled) IMHO provides even better protection (but your opinion may differ), because it prevents several common types of attacks.
Xen = protection against mythical attacks
GRsecurity+PAX = protection against real-world script kiddies (99% of cases)

GRSecurity makes hacking extremely inconvenient even if you have shell account in chroot, and unusual files are easily detectable via simple file monitoring tools running outside that chroot. You can also enable netconsole logging to secure loghost to catch hacking attempts/IPs in realtime.

Regarding Xen, hacked website inside a Xen VM still can collect user data, credit card numbers, etc., as well as serve as a place to scan internal networks if they exist.

If you use PHP, keep in mind that history tells that PHP is very insecure. You can:
 - improve your php.ini (disable allow_url_fopen, etc.)
 - check http://www.hardened-php.org/
 - check http://www.modsecurity.org/

I hope someone that has had or is avoiding these same problems can shed
some light on it...

I'm very happy with grsec+hardened gentoo for several years, on >50 servers (athlon xp, amd64, some intels).

Greetings,

Michael

Best Wishes,
Viktors | http://rotanovs.com
--
[email protected] mailing list

Reply via email to