
Re: [seul-edu] Slowest Computers and security risks



On Thursday 31 October 2002 09:16 am, Ken Barber wrote:
> In fact, for any server to which the world is allowed access, I
> strongly recommend that each service resides on its own separate
> server.  Web, mail, DNS etc. -- each needs to have its own dedicated
> server.  Same reason as above:  when (not if) one gets compromised,
> that is ALL the 'hacker' has gotten, instead of unfettered access to
> your entire Crown Jewels.

Chrooting, capabilities, and even the lowly Immute bit can save you a lot of 
heartache if you don't have enough spondoolies for all of those servers. I 
also make free use of mount attributes like ro, nosuid and noexec.

For servers that have no removable storage devices (i.e. no need to mount stuff 
after startup) you can also do cute things like running 100% journalled 
and/or readonly, then mounting a small (maybe loopback) partition over your 
only copy of key utilities like chattr, mount and unmount - or compiling a 
kernel that doesn't know how to unmount. Poor man's capabilities: shutdown 
consists of sync; sync; pull-the-plug.

Linux harbours no end of cute tricks like that.

> Ken Barber

Two letters away from an unforgettable name. (-:

Cheers; Leon
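
The mount attributes mentioned in the message above (ro, nosuid, noexec) can be checked against a written policy. This is an added example, not part of the original post; the policy in `POLICY`, the function names `audit_mounts` and `sample_report`, and the sample mount table are all assumptions made for illustration.

```sh
#!/bin/sh
# POLICY is an assumed site policy: mountpoint=required,options
POLICY='/tmp=nosuid,noexec /home=nosuid /usr=ro /boot=ro,nosuid,noexec'

# audit_mounts reads /proc/mounts-format lines on stdin and prints one
# line per policy violation:
#   "<mountpoint> missing <opt,opt>"   required options are absent
#   "<mountpoint> not-separate"        path is not its own mount, so the
#                                      options cannot be applied to it alone
audit_mounts() {
    awk -v policy="$POLICY" '
    BEGIN {
        n = split(policy, rule, " ")
        for (i = 1; i <= n; i++) {
            split(rule[i], kv, "=")
            path[i] = kv[1]; want[i] = kv[2]
        }
    }
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # A later line for the same mountpoint shadows the earlier one.
    { opts[$2] = $4 }
    END {
        for (i = 1; i <= n; i++) {
            if (!(path[i] in opts)) { print path[i] " not-separate"; continue }
            split("", have)                      # clear the set (POSIX idiom)
            m = split(opts[path[i]], o, ",")
            for (j = 1; j <= m; j++) have[o[j]] = 1
            missing = ""
            m = split(want[i], w, ",")
            for (j = 1; j <= m; j++)
                if (!(w[j] in have))
                    missing = missing (missing == "" ? "" : ",") w[j]
            if (missing != "") print path[i] " missing " missing
        }
    }'
}

# Constructed sample in /proc/mounts format (not from a real host).
SAMPLE='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 ro 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
/dev/sda5 /boot ext2 rw,noexec 0 0'

sample_report() { printf '%s\n' "$SAMPLE" | audit_mounts; }
sample_report
```

On a live system the same check is `audit_mounts < /proc/mounts`.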