On 08/13/2010 09:25 AM, Mark Knecht wrote:
> On Fri, Aug 13, 2010 at 8:25 AM, Enrico Weigelt <[email protected]> wrote:
>> * Paul Hartman <[email protected]> wrote:
>>
>> <snip>
>>
>> Apropos cracked machines:
>>
>> In recent years I often got trouble w/ cracked customers' boxes
>> (one e.g. was abused for SIP-calling people around the world and
>> asking them for their debit card codes ;-o). So I thought about
>> protection against those scenarios. The solution:
>>
>> Put all remotely available services into containers and make the
>> host system only accessible via special channels (e.g. serial console).
>> You can run automatic sanity tests and security alerts from the host
>> system, which cannot be hijacked (as long as there's no kernel
>> bug which allows escaping a container ;-o).
>>
>> This also brings several other benefits, e.g. easier backups, quick
>> migration to other machines, etc.
>>
>>
>> cu
>
> Hi Enrico,
> Since I'm not an IT guy could you please explain this just a bit
> more? What is 'a container'? Is it a chroot running on the same
> machine? A different machine? Something completely different?
>
> In the OP's case (I believe) he thought a personal machine at home
> was compromised. If that's the case then without doubling my
> electrical bill (2 computers) how would I implement your containers?
Basically just run VMware/VirtualBox etc. and put the services in there. That's why I force my kids to use IE in a VM.... No, chroots are NOT the same. They run on the same system.
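The host-side "sanity tests and security alerts" Enrico describes, as an added example that is not part of this thread: the host keeps a baseline of the guest's binaries and configuration and re-checks it from outside, so a hijacked guest cannot hide the change by trojaning its own tools. It assumes the guest's root filesystem is reachable from the host as an ordinary directory (a container rootfs, or a VM disk image mounted read-only on the host); the directory names, file contents and the tampering in demo() are constructed for illustration.

```python
"""Host-side integrity check of a guest's root filesystem (added example).

Assumes the guest rootfs is visible on the host as an ordinary directory
(a container rootfs, or a VM disk image mounted read-only). The baseline
lives on the host, outside the guest, so a hijacked guest cannot rewrite it.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile

# Subtrees worth watching: binaries, libraries and configuration (assumed layout).
DEFAULT_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "lib", "usr/lib", "etc")
SUID_BITS = stat.S_ISUID | stat.S_ISGID


def _sha256(path):
    # O_NOFOLLOW: never let a symlink planted in the guest redirect the read.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    h = hashlib.sha256()
    with os.fdopen(fd, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, watch_dirs=DEFAULT_DIRS):
    """Record hash, mode and owner of every regular file under the watched dirs."""
    baseline = {}
    for sub in watch_dirs:
        top = os.path.join(root, sub)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top):  # followlinks=False by default
            for name in files:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, sockets, devices are not hashed
                rel = os.path.relpath(full, root)
                baseline[rel] = {"sha256": _sha256(full), "mode": st.st_mode & 0o7777,
                                 "uid": st.st_uid, "gid": st.st_gid}
    return baseline


def save_baseline(baseline, path):
    """Store the baseline on the host (or read-only media), never inside the guest."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline, watch_dirs=DEFAULT_DIRS):
    """Compare the guest against the baseline; return alert lines (empty = clean)."""
    current = build_baseline(root, watch_dirs)
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            alerts.append("ADDED %s" % rel)
        elif new is None:
            alerts.append("REMOVED %s" % rel)
        elif old["sha256"] != new["sha256"]:
            alerts.append("MODIFIED %s" % rel)
        elif (old["mode"], old["uid"], old["gid"]) != (new["mode"], new["uid"], new["gid"]):
            alerts.append("META-CHANGED %s" % rel)
        # A setuid/setgid bit the baseline never had is a classic backdoor indicator.
        if new and new["mode"] & SUID_BITS and not (old and old["mode"] & SUID_BITS):
            alerts.append("NEW-SETUID %s" % rel)
    return alerts


def demo():
    """Constructed scenario: a fake guest rootfs in a temp dir, then tampering."""
    root = tempfile.mkdtemp(prefix="guestfs-")

    def put(rel, data, mode=0o755):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, mode)

    try:
        put("bin/ls", b"ELF original ls")
        put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o644)
        put("usr/sbin/sshd", b"ELF sshd")
        baseline = build_baseline(root)          # taken right after install
        # What a hijacked guest might do to itself (constructed):
        put("bin/ls", b"ELF trojaned ls")                              # replaced binary
        put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"
                          b"backdoor:x:0:0::/:/bin/sh\n", 0o644)       # extra uid-0 account
        put("usr/bin/.hidden", b"ELF setuid shell", 0o4755)            # new setuid binary
        os.unlink(os.path.join(root, "usr/sbin/sshd"))                 # service removed
        return verify(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice you take the baseline once, right after installing the guest, with save_baseline() to a path on the host, then run verify() from the host's cron and mail any non-empty result. Because the host reads the guest's files directly, a rootkit that hides from the guest's own ls/ps/md5sum cannot hide from this check; what it does not protect against is exactly the case Enrico notes, a kernel bug that lets the guest escape and reach the host.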

