
security how to


nos4

Guest
i would like to offer an attempt to have a sticky security forum here on sw-soft, possibly a whole top level thread.
i feel that no control panel is worth its weight if we cannot secure it. what is the use in supporting a cp if we lose control of our server, our livelihood and our form of income, and of the ability to continue to support any form of net application - business - society. this is in no way sw-soft's responsibility, but i feel it is highly needed and should be stuck up top right in front for every novice to superuser to see. security issues shouldn't have to be looked for, especially those ever so frequent hacks we all miss. i can enforce this argument by saying "where is the spell checker on this thing". nuff said, we're not all that. please support this thread and move it up to the front for those who want to participate.
 
I don't know about anybody else, but I'm extremely scared about fiddling with the kernel on a machine I don't have console access to, in case of serious kernel screw ups. But I'm desperate to try the grsecurity patch.

The .pdf manual for it is very clear -- but... well, I could really do with a howto written by someone who has actually done this and knows of the pitfalls associated with doing this on a hosting server (Plesk in particular).

And, just for example, although I can't find it right now, I'm sure I read something about restricting the ability of applications to change to the root user. Now isn't bash effectively an application (or is it?)? If so, and you have sensibly disabled direct root logins, there could be trouble ahead if you enable this (but like I said, I can't find this reference now. Maybe I misread it, or misunderstood it).

Faris.
 
From a personal point of view I'm not sure I'd like an RPM. This is something you need a lot of control over -- specifically including the version of the kernel being patched. Having said that, I'm sure Scott mentioned something about it being quite easy to plug things into FC2 on his forum. Shame I'm on rh9/rhe3 :)

Faris.
 
I don't necessarily think an RPM of a grsecurity kernel is a bad thing ... but some sort of donation to encourage development would be nice.
 
A kernel rpm for grsec is something I've wanted to do for a long, long time (it was the 2nd project I started on ART!). You're right, it is difficult to do; however, lately I've been doing some kernel rpms internally for FC3, and they've gone a long, long way to streamlining kernel production. I'm trying to take that design and apply it backwards to rh9 (currently the largest userbase). But it's a lot of work, and like Faris said, not the kind of thing people are comfortable with doing without a lot of testing and console access (btw, serial consoles are fantastic for this).

The good news is that I've done grsec kernels at just about every hosting company out there, and aside from 1&1, they're all the same process.
 
I think I've changed my mind regarding a kernel rpm.

I've just tried to do the grsecurity thing - three times. Nothing goes wrong during the (3 hour!) compilation or the installation, but I get a kernel panic when booting from it -- it can't find the file system :)

This is on the same test system that has occasionally thrown up unusual errors that I can't (thankfully) duplicate on my live servers. But...

And having done it all and understood a bit better how things work and what the patching does etc. etc., an rpm that just installs a pre-compiled kernel, complete with a sensible set of security settings, but DOES NOT set the new kernel as the default boot option, would actually be very handy.

Anyway, I'd better be off to visit the grsecurity forums to make a newbie fool of myself by asking some dumb questions about smp kernels and this error I'm getting :-(

Faris.
 
I just finished the first shot at the i386 grsec kernel rpm, and I'm working on the i686 version now. Probably should have both in the atomic-testing channel sometime today. Stay tuned.
 
atomicturtle, can this kernel rpm be made ethtoo and via-rhine ethernet compatible? i have a few people's servers on 1&1 and can't even explain what a pain it is to get a custom kernel on their servers. old tricks don't seem to work anymore. modules.conf eth0 via-rhine. it really escapes me why they don't support/offer standard kernel rpms. i will also try to post all comments on security to the top msg asap, once i format them.
 
so just to confirm, the kernels in your atomic-testing are 1&1 compatible, or more so, compiled with the eth driver and xfs?
thanks again for the reply.
 