1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice

security how too

Discussion in 'Plesk for Linux - 8.x and Older' started by nos4, Dec 23, 2004.

  1. nos4

    nos4 Guest

    0
     
    i would like to offer an attempt to have a sticky security forum here on sw soft . possibly a whole top level thread.
    i feel that no control panel is worth its weight if we cannot secure it . what is the use in supporting a cp if we lose control of our server our livelyhood and our forrn of income and to continue to support any form of net application - business - society. this is in no way is sw-softs responsibility but i feel it is highly needed and should be stuck up top right in front for every novice to superuser to see. security issues shouldnt be looked for . especially for thoes ever so frequant hacks we all miss . i can enforce this arguement by saying "where is the spell checker on this thing" . nuff said were not all that . please support this thread and move it up to the front for thoes who want to participate.
     
  2. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    960
    Likes Received:
    28
    Location:
    Romania
  3. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    I cant recommend the grsecurity.net kernel patch enough, its the closest thing to a silver bullet out there.
     
  4. faris

    faris Guest

    0
     
    I don't know about anybody else, but I'm extremely scared about fiddling with the kernel on a machine I don't have console access to in case of serious kernel screw ups. But I'm desparate to try the grsecurity patch.

    The .pdf manual for it is very clear -- but ..well, I could really do with a howto written by someone who has actually done this and knows of the pitfalls associated with doing this on a hosting server (plesk in particular).

    And, just for example, although I can't find it right now, I'm sure I read something about restricting the ability of applications changing to the root user. Now isn't bash effectly an application (or is it?)? If so, and you have sensibly disabled direct root logins, there could be trouble ahead if you enable this (but like I said, I can't find this reference now. Maybe I misread it, or misunderstood it).

    Faris.
     
  5. Griffith

    Griffith Guest

    0
     
    atomic: can you make a rpm of the grsecurity.net kernel?
     
  6. faris

    faris Guest

    0
     
    From a personal point of view I'm not sure I'd like an RPM. This is something you need a lot of control over -- specifically including the version of the kernel being patched. Having said that, I'm sure Scott mentioned something about it being quite easy to plug things into FC2 on his forum. Shame I'm on rh9/rhe3 :)

    Faris.
     
  7. Cranky

    Cranky Guest

    0
     
    I don't necessarily think an RPM of a grsecurity kernel is a bad thing ... but some sort of donation to encourage development would be nice.
     
  8. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    A kernel rpm for grsec is something Ive wanted to do for a long long time (was the 2nd project I started on ART!). You're right it is difficult to do, however lately Ive been doing some kernel rpms internally for FC3, and they've gone a long long way to streamlining kernel production. Im trying to take that design and apply it backwards to rh9 (currently the largest userbase). But its a lot of work, and like faris said, not the kind of thing people are comfortable with doing without a lot of testing and console access (btw, serial consoles are fantastic for this.)

    The good news is that Ive done grsec kernels at just about every hosting company out there, and aside from 1&1, they're all the same process.
     
  9. faris

    faris Guest

    0
     
    I think I've changed my mind regarding a kernel rpm.

    I've just tried to do the grsecurity thing - three times. Nothing goes wrong during the (3 hour!) compilation nor the installation, but I get a kernel panic when booting from it -- it can't find the file system :)

    This is on the same test system that has occasionally thrown up unusual errors that I can't (thankfully) duplicate on my live servers. but..

    And having done it all and understood a bit better about how things work and what the patching does etc etc, an rpm that just installs a pre-compiled kernel, completele with a sensible set of security settings, but DOES NOT, set the new kernel as the default boot option would actually be very handy.

    Anyway, I'd better be off the visit the grsecurity forums to make a newbie fool of myself by asking some dumb questions about smp kernels and this error I'm getting :-(

    Faris.
     
  10. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    I just finished the first shot at the i386 grsec kernel rpm, and Im working on the i686 version now. Probably should have both in the atomic-testing channel sometime today. Stay tuned
     
  11. nos4

    nos4 Guest

    0
     
    atomicturtle can this kernel rpm be made ethtoo and via-rhine ethernet compat i have a few peoples servers on 11 and cant even explain what a pain it is to get a custom kernel on their servers . old tricks dont seem to work anymore . modules.conf eth0 via-rhine . it really escapes me why they dont support/offer standard kernel rpm's . i will also try to either post all comments on security to the top msg asap, one i format them .
     
  12. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    sure, no problem. Should be working in the rpm already
     
  13. nos4

    nos4 Guest

    0
     
    so just to confirm the kernels in your atomic-testing are 1&1 compatable or more-so compiled with the eth driver and xfs .
    thanks again for the reply.
     
Loading...