Discuss mailing list

[Brian Koontz <brian AT opennicproject.org>]

On Mon, May 07, 2012 at 11:14:16AM +1000, Tully Gray wrote:
> I was wondering what types of non-network related security measures
> people are using to secure their servers?  For instance I use hardened
> Gentoo which offers some great features like SELinux, RBAC, and the
> GRsecurity and PaX patches for the Linux kernel.  These features can
> be considered to be a second line of defense after network security
> features.  For instance; if an attacker does manage to hack into a server
> and gain control of a user or service account, SELinux/RBAC rules can
> provide fine-grained access permissions which should stop further
> privilege escalation.  The PaX team is responsible for pioneering ASLR
> (Address Space Layout Randomization) and other counter-measures
> which stop most forms of kernel hacking and return-to-libc type attacks.

To be truthful, the first thing I do is disable selinux...because it
seems like a never-ending battle to create the acls necessary that
every application seems to need.  I do run *all* my outward-facing
services under chroot. 

  --Brian

-- 
OpenNIC (the sequel) co-founder and wikimaster
IRC: Freenode.net channel #opennic

Attachment: pgpNW0AaqpAEc.pgp
Description: PGP signature