[Wolves] Linux Security

Thu Oct 2 08:30:21 UTC 2008

On Thu, 2008-10-02 at 09:23 +0100, Simon C. Burke wrote:
> On Thu, 2 Oct 2008, David Goodwin wrote:
> 
> > Simon C. Burke wrote:
> >> Hi all,
> >>
> >> I recently acquired a Compaq CL380 that I'm currently upgrading and
> >> making to a couple of servers, (I think two people may know from where I
> >> acquired this server *looks at Chris and Dave*).
> >
> > Is that me [Dave] ?
> > If Chris is involved, I can guess where it's from.
> >
> >>
> >> Are things like SELinux worthwhile? Or can the same effect be achieved
> >> by hand per process? (would take an eon I know)
> >>
> >
> > My minimal experiences with SELinux (RHEL5 on a LAMP server) are that it
> > can be a right pain in the bum and caused me enough grief to disable it.
> > The theory behind it is great - but in my case, it seemed that it
> > convienantly forgot the custom modifications I'd made to the SELinux
> > policy after a random amount of time - causing the app to stop working.
> >
> > You might also want to look at AppArmo[u]r
> >
> > If you're really paranoid about security, I think using Gentoo with a
> > kernel with the various PaX stuff enabled it probably the way to go -
> > but this may cause other issues (i.e. if $customer expects to get
> > support from someone like RedHat)
> >
> > David.
> >
> Yeah, it is yourself, I should of mentioned which Chris and Dave to be 
> honest. Though, you would of known if it was you or not regardsless (I 
> would of hoped anyway).
> 
> Luckily the server will serve nothing but mail and web (to replace my 
> current server) with a userbase of 3 users currently.
> 
> Support is not really an issue as it's effectivly my play server, though 
> has some production servers (if you can call it that).
> 
> I'm currently looking at apparmour now as well as fwsnort and psad to 
> secure it up a little. Thanks for the suggestion.
> 
> Regards,
> Simon.
> 
Apparmor is the default in Ubuntu anyway which means you won't have to
fight to get rid of it to install selinux :)

UFW has some great firewall tricks to it and again is installed by
default.

Apparmor like selinux is a bitch but apparently once your used to it,
it's a, I use the term loosely the people telling me work with it all
day, doddle to use
-- 
Seek That Thy Might Know

www.davmor2.co.uk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mailman.lug.org.uk/pipermail/wolves/attachments/20081002/5ced830a/attachment.pgp 