Hi Viktors, Thanks for all your answers. You mentioned some things I wasn't thinking about at all. My solution would only work if I or the other admin (who is the owner) would notice increased use in bandwith, and it would only work to the point that they can't harm the installation on the server a lot.
You've quite convinced me of your solution, but should I expect a lot more work to build and maintain gentoo installs with grsec and hardened? For me it won't be much of a problem, but the other admin is still learning gentoo (he never used linux before) but he should be able to maintain the server without me so it shouldn't be to hard for him either... Security is more important of course, but the easier the better (or the more automation the better). Should I expect to be able to install grsec and hardened and have it work just like a normal gentoo install? Greetings, Michael Op maandag 15-01-2007 om 19:32 uur [tijdzone +0200], schreef Viktors Rotanovs: > Hi Michael, > > Michael wrote: > > I co-admin 2 servers running x86_64 gentoo installs. Due to not updating > > the servers for a longer period, there were several major security > > issues which at least allowed for someone to run a ftp server on it > > without me knowing about it. > > > > Because a lot of stuff is still outdated and this was the first install > > for the servers I want to reinstall them, again using gentoo. My own > > idea was to isolate the web and mail-server in Xen virtual machines, so > > that if someone's ever able to get in they can only bring down a small > > part, which can easily be restored. > > > > Now my question is, would this be a good way to at least partly secure > > the machine? Or should I use something from the hardened depot to > > increase the security levels on these servers? The problem now was that > > one program had a bug in it which could even give remote users root > > access to the entire machine, which could've also caused loss of data > > the program was not related to. By isolating in Xen domains this problem > > is partly solved, but it does also bring a few other problems along. > > Chroot hardening using grsecurity (with TPE enabled) IMHO provides even > better protection (but your opinion may differ), because it prevents > several common types of attacks. > Xen = protection against mythical attacks > GRsecurity+PAX = protection against real-world script kiddies (99% of cases) > > GRSecurity makes hacking extremely inconvenient even if you have shell > account in chroot, and unusual files are easily detectable via simple > file monitoring tools running outside that chroot. You can also enable > netconsole logging to secure loghost to catch hacking attempts/IPs in > realtime. > > Regarding Xen, hacked website inside a Xen VM still can collect user > data, credit card numbers, etc., as well as serve as a place to scan > internal networks if they exist. > > If you use PHP, keep in mind that history tells that PHP is very > insecure. You can: > - improve your php.ini (disable allow_url_fopen, etc.) > - check http://www.hardened-php.org/ > - check http://www.modsecurity.org/ > > > I hope someone that has had or is avoiding these same problems can shed > > some light on it... > > I'm very happy with grsec+hardened gentoo for several years, on >50 > servers (athlon xp, amd64, some intels). > > > Greetings, > > > > Michael > > Best Wishes, > Viktors | http://rotanovs.com -- [email protected] mailing list
