Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-09-09 Thread Enrico Weigelt
* Jarry  wrote:

> The only service running on my "host" (main system) is sshd,
> which I secured as much as I could.

If you have some physical access (eg. serial console), you 
could even drop sshd (or only bind it to some local interface)
to get around possible ssh attacks. That's what I'm doing on
several machines.

> Everything else (web, mail, dns, ftp, syslog, X, and plenty of
> users' services) runs on its own guest-system, chrooted in
> addition (where it was possible).

Yes, that's also my approach. 

BTW: I'm currently trying to convince one of my customers - a
major German ISP - to provide a generic solution for such kinds
of environments: customers can allocate and configure containers 
at will (also via robot interfaces), and the ISP takes care of
the cluster of host machines ... maybe I'll get the leading product
managers convinced some day ;-)


cu
-- 
--
 Enrico Weigelt, metux IT service -- http://www.metux.de/

 phone:  +49 36207 519931  email: weig...@metux.de
 mobile: +49 151 27565287  icq:   210169427 skype: nekrad666
--
 Embedded-Linux / Portierung / Opensource-QM / Verteilte Systeme
--
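The setup described above (nothing but sshd on the host, and that bound to a local interface) is something the host can check for itself. The following is an added example, not code from the thread or from Linux-VServer: it parses the text of `ss -ltn` (iproute2) and reports every listening TCP socket that is not on the allow-list. The `ss` output below is constructed, not captured from a real machine.

```python
"""Host-side listener audit: the host should expose nothing but sshd,
and that only on a local interface. Input is the text of `ss -ltn`."""

# Policy for the host: sshd on loopback only. Anything else belongs in a guest.
ALLOWED = {("127.0.0.1", 22), ("::1", 22)}

# Constructed `ss -ltn` output, not captured from a real machine.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128      127.0.0.1:22         0.0.0.0:*
LISTEN  0       128      [::1]:22             [::]:*
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       10       [::]:53              [::]:*
"""


def parse_local(addr_port: str) -> tuple[str, int]:
    """Split ss's "Local Address:Port" field into (address, port).

    Handles bracketed IPv6 ("[::1]:22"), the older unbracketed form
    (":::22"), the bare wildcard ("*:22") and a link-local scope suffix
    ("[fe80::1%eth0]:22"). Splitting on the last colon is what lets IPv6
    addresses, which contain colons themselves, parse correctly."""
    addr, _, port = addr_port.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    if addr == "*":
        addr = "0.0.0.0"  # ss prints the IPv4 wildcard as "*" or "0.0.0.0"
    return addr, int(port)


def audit(ss_output: str, allowed=ALLOWED) -> list[tuple[str, int]]:
    """Return every LISTEN socket that is not on the allow-list."""
    violations = []
    for line in ss_output.splitlines()[1:]:  # line 0 is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = parse_local(fields[3])
        if local not in allowed:
            violations.append(local)
    return violations


if __name__ == "__main__":
    # On a real host feed it subprocess.run(["ss", "-ltn"], capture_output=True,
    # text=True).stdout; here it runs over the constructed sample.
    for addr, port in audit(SAMPLE_SS):
        print(f"unexpected listener on host: {addr}:{port}")
```

On the sample this flags sshd also bound to 0.0.0.0 and a DNS listener on the host, both of which the thread's layout would put in a guest instead.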



Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-16 Thread Bill Longman
On 08/16/2010 09:07 AM, Jarry wrote:
> On 16. 8. 2010 17:29, Mark Knecht wrote:
>> On Mon, Aug 16, 2010 at 7:16 AM, Bill Longman:

>>>> That is why I picked up Linux-VServer (actually, first I tried
>>>> OpenVZ but could not make it run). It is a kind of compromise,
>>>> where all guests share the same kernel. This brings certain
>>>> security implications, but on the other side, I can run dozens
>>>> of guests on a moderate machine, with 4-cores and 8GB memory
>>>> (i.e. a guest running bind takes just about 20MB of memory)...
>>>
>>> This looks rather interesting, Jarry. Is it simply a matter of compiling
>>> the vserver-sources and util-vserver? Did it take much time to set up
>>> the kernel for your box? Or is it pretty much a typical kernel setup?
>>> Any good tools in the util-vserver package?
> 
> vserver-sources and util-vserver were all I needed. Kernel is
> pretty much like common, with ~10 additional options. util-vserver
> contains handy tools, like "v*" (* being emerge, esync, kill,
> limit, mount, ps, sched, etc.). Updating all gentoo-guests can be
> done with one command executed in host...
> 
>>> Sounds very efficient.
> 
> Really is. Now I'm running 27 guests, mostly gentoo but also
> some ubuntu and opensuse. Actually, it is possible to run any
> linux-based system (as I said all systems share the same kernel).
> There is also pretty good control over resources allocated
> to individual guests (disk, memory, cpu).
> 
> Administration is very comfortable. Tasks like cloning,
> backup/restore, moving, migration, etc, are very easy to...
> 
>> I guess the baselayout-vserver package is somehow for setting up each
>> of the guests?
> 
> Guests are installed using customised stage3 (baselayout2-based).
> After that, you work with them as with normal gentoo-system.

The Gentoo version of Solaris Zones! w00t!



Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-16 Thread Jarry

On 16. 8. 2010 17:29, Mark Knecht wrote:
> On Mon, Aug 16, 2010 at 7:16 AM, Bill Longman:
>
>>> That is why I picked up Linux-VServer (actually, first I tried
>>> OpenVZ but could not make it run). It is a kind of compromise,
>>> where all guests share the same kernel. This brings certain
>>> security implications, but on the other side, I can run dozens
>>> of guests on a moderate machine, with 4-cores and 8GB memory
>>> (i.e. a guest running bind takes just about 20MB of memory)...
>>
>> This looks rather interesting, Jarry. Is it simply a matter of compiling
>> the vserver-sources and util-vserver? Did it take much time to set up
>> the kernel for your box? Or is it pretty much a typical kernel setup?
>> Any good tools in the util-vserver package?

vserver-sources and util-vserver were all I needed. Kernel is
pretty much like the common one, with ~10 additional options. util-vserver
contains handy tools, like "v*" (* being emerge, esync, kill,
limit, mount, ps, sched, etc.). Updating all gentoo-guests can be
done with one command executed in the host...

>> Sounds very efficient.

Really is. Now I'm running 27 guests, mostly gentoo but also
some ubuntu and opensuse. Actually, it is possible to run any
linux-based system (as I said all systems share the same kernel).
There is also pretty good control over resources allocated
to individual guests (disk, memory, cpu).

Administration is very comfortable. Tasks like cloning,
backup/restore, moving, migration, etc, are very easy to...

> I guess the baselayout-vserver package is somehow for setting up each
> of the guests?

Guests are installed using customised stage3 (baselayout2-based).
After that, you work with them as with normal gentoo-system.

> QUESTION: Where does X run? In the host or separate copies in each guest?

If you need X, you can create a special guest for it, and run X
there. The only thing which must run in the host are kernel-modules
(i.e. nvidia driver). I tested this only as an experiment, but
it works. I've heard of someone running X+Wine in vserver-guest.
It is also possible to run X+VMware+Windows in vserver-guest...

> For a long time I've wanted to set up a single piece of hardware for
> my parents, but with two screens, two keyboards, two mice. Each user
> would have what they expect in front of them physically but it's
> really a single computer. Can that be done using this software?

Frankly, I do not know. But for each guest you can set up different
tty and IP, so maybe it would be possible. Though I think maybe
some kind of terminal server would be more suitable...

Jarry

--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-16 Thread Mark Knecht
On Mon, Aug 16, 2010 at 7:16 AM, Bill Longman  wrote:
> On 08/14/2010 12:32 PM, Jarry wrote:
>> On 13. 8. 2010 21:05, Enrico Weigelt wrote:
>>> * Bill Longman  wrote:
>>>
>>>> Basically just run VMWare/Virtualbox etc and put the services in there.
>>>
>>> well, these solutions are way "bigger" (iow: more resource
>>> intensive), since they run a complete operating system instance
>>> within the virtual machine.
>>
>> That is why I picked up Linux-VServer (actually, first I tried
>> OpenVZ but could not make it run). It is a kind of compromise,
>> where all guests share the same kernel. This brings certain
>> security implications, but on the other side, I can run dozens
>> of guests on a moderate machine, with 4-cores and 8GB memory
>> (i.e. a guest running bind takes just about 20MB of memory)...
>
> This looks rather interesting, Jarry. Is it simply a matter of compiling
> the vserver-sources and util-vserver? Did it take much time to set up
> the kernel for your box? Or is it pretty much a typical kernel setup?
> Any good tools in the util-vserver package?
>
>> The only service running on my "host" (main system) is sshd,
>> which I secured as much as I could. Everything else (web, mail,
>> dns, ftp, syslog, X, and plenty of users' services) runs on its
>> own guest-system, chrooted in addition (where it was possible).
>
> Sounds very efficient.
>
> TIA,
>
> Bill

Certainly looks interesting.

I guess the baselayout-vserver package is somehow for setting up each
of the guests?

QUESTION: Where does X run? In the host or separate copies in each guest?

For a long time I've wanted to set up a single piece of hardware for
my parents, but with two screens, two keyboards, two mice. Each user
would have what they expect in front of them physically but it's
really a single computer. Can that be done using this software?

Thanks,
Mark



Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-16 Thread Bill Longman
On 08/14/2010 12:32 PM, Jarry wrote:
> On 13. 8. 2010 21:05, Enrico Weigelt wrote:
>> * Bill Longman  wrote:
>>
>>> Basically just run VMWare/Virtualbox etc and put the services in there.
>>
>> well, these solutions are way "bigger" (iow: more resource
>> intensive), since they run a complete operating system instance
>> within the virtual machine.
> 
> That is why I picked up Linux-VServer (actually, first I tried
> OpenVZ but could not make it run). It is a kind of compromise,
> where all guests share the same kernel. This brings certain
> security implications, but on the other side, I can run dozens
> of guests on a moderate machine, with 4-cores and 8GB memory
> (i.e. a guest running bind takes just about 20MB of memory)...

This looks rather interesting, Jarry. Is it simply a matter of compiling
the vserver-sources and util-vserver? Did it take much time to set up
the kernel for your box? Or is it pretty much a typical kernel setup?
Any good tools in the util-vserver package?

> The only service running on my "host" (main system) is sshd,
> which I secured as much as I could. Everything else (web, mail,
> dns, ftp, syslog, X, and plenty of users' services) runs on its
> own guest-system, chrooted in addition (where it was possible).

Sounds very efficient.

TIA,

Bill



Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-14 Thread Jarry

On 13. 8. 2010 21:05, Enrico Weigelt wrote:
> * Bill Longman  wrote:
>
>> Basically just run VMWare/Virtualbox etc and put the services in there.
>
> well, these solutions are way "bigger" (iow: more resource
> intensive), since they run a complete operating system instance
> within the virtual machine.

That is why I picked up Linux-VServer (actually, first I tried
OpenVZ but could not make it run). It is a kind of compromise,
where all guests share the same kernel. This brings certain
security implications, but on the other side, I can run dozens
of guests on a moderate machine, with 4-cores and 8GB memory
(i.e. a guest running bind takes just about 20MB of memory)...

The only service running on my "host" (main system) is sshd,
which I secured as much as I could. Everything else (web, mail,
dns, ftp, syslog, X, and plenty of users' services) runs on its
own guest-system, chrooted in addition (where it was possible).

Jarry




Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-13 Thread Mark Knecht
On Fri, Aug 13, 2010 at 11:58 AM, Enrico Weigelt  wrote:
> * Mark Knecht  wrote:
>
> Hi,
>
>>    Since I'm not an IT guy could you please explain this just a bit
>> more? What is 'a container'? Is it a chroot running on the same
>> machine? A different machine? Something completely different?
>
> http://lxc.sourceforge.net/
> http://wiki.openvz.org/Main_Page
>
> Unlike VM solutions like kvm, vmware, etc, these (OS-side)
> container implementations split off the operating system
> resources (filesystem, network interfaces, process-IDs, ...)
> into namespaces, so each container only sees its own resources,
> not those of the host system or other containers.
>
> That's essentially what's behind the "virtual private server"
> solutions offered by various ISPs.
>
>>    In the OP's case (I believe) he thought a personal machine at home
>> was compromised. If that's the case then without doubling my
>> electrical bill (2 computers) how would I implement your containers?
>
> He would have several virtual servers running on just one metal.
> If the host system is not accessible from the outside world, just
> the virtual servers - an attacker could probably hijack what's
> inside the virtual servers, but can't get to the host system.
>
>
> cu

Thank you Enrico. I'll have to learn about this.

Cheers,
Mark



Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-13 Thread Enrico Weigelt
* Bill Longman  wrote:

> Basically just run VMWare/Virtualbox etc and put the services in there.

well, these solutions are way "bigger" (iow: more resource
intensive), since they run a complete operating system instance
within the virtual machine.

> No, chroots are NOT the same. They run on the same system.

well, chroots have not much to do with containers (even if containers
could be said to include chroot as a building block) - they just
run certain processes with a different root directory (iow: these
processes just see a subdirectory as if it were the whole
filesystem). that's nice for testing purposes or to isolate
different kinds of programs/libraries (eg. use different
libc's, ABIs or calling conventions, 32bit subsystems on a 
native 64bit host, etc, etc), but they don't really add security.


cu



Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-13 Thread Enrico Weigelt
* Mark Knecht  wrote:

Hi,

>Since I'm not an IT guy could you please explain this just a bit
> more? What is 'a container'? Is it a chroot running on the same
> machine? A different machine? Something completely different?

http://lxc.sourceforge.net/
http://wiki.openvz.org/Main_Page

Unlike VM solutions like kvm, vmware, etc, these (OS-side) 
container implementations split off the operating system 
resources (filesystem, network interfaces, process-IDs, ...)
into namespaces, so each container only sees its own resources,
not those of the host system or other containers.

That's essentially what's behind the "virtual private server"
solutions offered by various ISPs.

>In the OP's case (I believe) he thought a personal machine at home
> was compromised. If that's the case then without doubling my
> electrical bill (2 computers) how would I implement your containers?

He would have several virtual servers running on just one metal.
If the host system is not accessible from the outside world, just
the virtual servers - an attacker could probably hijack what's
inside the virtual servers, but can't get to the host system.


cu



Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-13 Thread Bill Longman
On 08/13/2010 09:25 AM, Mark Knecht wrote:
> On Fri, Aug 13, 2010 at 8:25 AM, Enrico Weigelt  wrote:
>> * Paul Hartman  wrote:
>>
>> 
>>
>> Apropos cracked machines:
>>
>> In recent years I often got trouble w/ cracked customers' boxes
>> (one eg. was abused for SIP-calling people around the world and
>> asking them for their debit card codes ;-o). So I thought about
>> protection against those scenarios. The solution:
>>
>> Put all remotely available services into containers and make the
>> host system only accessible via special channels (eg. serial console).
>> You can run automatic sanity tests and security alerts from the host
>> system, which cannot be hijacked (as long as there's no kernel
>> bug which allows escaping a container ;-o).
>>
>> This also brings several other benefits, eg. easier backups, quick
>> migration to other machines, etc.
>>
>>
>> cu
> 
> Hi Enrico,
>Since I'm not an IT guy could you please explain this just a bit
> more? What is 'a container'? Is it a chroot running on the same
> machine? A different machine? Something completely different?
> 
>In the OP's case (I believe) he thought a personal machine at home
> was compromised. If that's the case then without doubling my
> electrical bill (2 computers) how would I implement your containers?

Basically just run VMWare/Virtualbox etc and put the services in there.

That's why I force my kids to use IE in a VM

No, chroots are NOT the same. They run on the same system.



Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-13 Thread Mark Knecht
On Fri, Aug 13, 2010 at 8:25 AM, Enrico Weigelt  wrote:
> * Paul Hartman  wrote:
>
> 
>
> Apropos cracked machines:
>
> In recent years I often got trouble w/ cracked customers' boxes
> (one eg. was abused for SIP-calling people around the world and
> asking them for their debit card codes ;-o). So I thought about
> protection against those scenarios. The solution:
>
> Put all remotely available services into containers and make the
> host system only accessible via special channels (eg. serial console).
> You can run automatic sanity tests and security alerts from the host
> system, which cannot be hijacked (as long as there's no kernel
> bug which allows escaping a container ;-o).
>
> This also brings several other benefits, eg. easier backups, quick
> migration to other machines, etc.
>
>
> cu

Hi Enrico,
   Since I'm not an IT guy could you please explain this just a bit
more? What is 'a container'? Is it a chroot running on the same
machine? A different machine? Something completely different?

   In the OP's case (I believe) he thought a personal machine at home
was compromised. If that's the case then without doubling my
electrical bill (2 computers) how would I implement your containers?

Thanks,
Mark



[gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]

2010-08-13 Thread Enrico Weigelt
* Paul Hartman  wrote:



Apropos cracked machines:

In recent years I often got trouble w/ cracked customers' boxes
(one eg. was abused for SIP-calling people around the world and
asking them for their debit card codes ;-o). So I thought about
protection against those scenarios. The solution:

Put all remotely available services into containers and make the 
host system only accessible via special channels (eg. serial console). 
You can run automatic sanity tests and security alerts from the host
system, which cannot be hijacked (as long as there's no kernel
bug which allows escaping a container ;-o).

This also brings several other benefits, eg. easier backups, quick
migration to other machines, etc.


cu
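One concrete form of the "sanity tests run from the host" idea in the post above, as an added example that is not from the thread or from any container project: a baseline of file hashes over a guest's root tree, taken and compared from the host, so that nothing inside the guest can alter the reference copy. The guest tree here is constructed in a temporary directory; `/vservers/<name>` as a real guest root is an assumed path, not one the thread gives.

```python
"""Host-side integrity check over a guest's root, as the thread suggests:
the baseline is taken and kept on the host, out of reach of a compromised
guest. The guest tree below is constructed in a temp directory; on a real
host point snapshot() at the guest root (/vservers/<name> is an assumed path)."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative path) to its SHA-256 and
    each symlink to its target. Links are never followed, so a guest cannot
    point one at a host file and make the check read outside the guest."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                snap[rel] = "symlink:" + os.readlink(path)
            elif path.is_file():  # skips devices, sockets and fifos
                snap[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """List paths that appeared, vanished or changed since the baseline."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed guest tree: baseline it, change it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/sbin").mkdir(parents=True)
        (root / "etc/cron.d").mkdir(parents=True)
        (root / "usr/sbin/named").write_bytes(b"constructed bind binary")
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)
        # Changes made "inside the guest" after the baseline was taken.
        (root / "usr/sbin/named").write_bytes(b"replaced binary")
        (root / "etc/cron.d/unexpected").write_text("# constructed\n")
        (root / "etc/hosts").unlink()
        return compare(baseline, snapshot(root))
```

Calling `demo()` reports the replaced binary under "changed", the new cron fragment under "added" and the deleted hosts file under "removed"; on a real host you would store `snapshot()` output outside every guest and run `compare()` from cron.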