[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [seul-edu] Slowest Computers and security risks
On Thursday 31 October 2002 09:16 am, Ken Barber wrote:
> In fact, for any server to which the world is allowed access, I
> strongly recommend that each service resides on its own separate
> server. Web, mail, DNS etc. -- each needs to have its own dedicated
> server. Same reason as above: when (not if) one gets compromised,
> that is ALL the 'hacker' has gotten, instead of unfettered access to
> your entire Crown Jewels.
Chrooting, capabilities, and even the lowly Immute bit can save you a lot of
heartache if you don't have enough spondoolies for all of theose servers. I
also make free use of mount attributes like ro, nosuid and noexec.
For servers that have no removable storage devices (ie no need to mount stuff
after startup) you can also do cute things like running 100% journalled
and/or readonly, then mounting a small (maybe loopback) partition over your
only copy of key utilities like chattr, mount and unmount -or compiling a
kernel that doesn't klnow how to unmount. Poor man's capabilities: shutdown
consists of sync; sync; pull-the-plug.
Linux harbours no end of cute tricks like that.
> Ken Barber
Two letters away from an unforgettable name. (-:
Cheers; Leon