On 21/7/24 07:28, Nicholas Geovanis wrote:
> Again lacking data center experience? Every server in your data center
> that is outward-facing will be contacted by intruders on its open ports.
> That includes your Debian servers. If your apache server or application
> server running on Debian is vulnerable and open to outside, they will
> knock on your door. What happens _after_ that determines how vulnerable
> you are.
A plug for SELinux. It's been around for a long time. It was invented by
the NSA for use by Government agencies but they kindly open sourced it
and it's available on many Distros including Debian.
SELinux is a real pain to get right but when it finally works it's a
tremendous security boost for internet facing systems.
It assumes, correctly, that your internet facing service will be
compromised and the baddy will try to further the exploit. It's
Permissive Action in that unless you specifically permit something to
happen it won't. A web server trying to read any directories that aren't
specified as valid by SELinux will be blocked. A web service trying to
do any system calls not permitted by the policy will be blocked. A web
server trying to send an email will be blocked. etc. etc.
Even better it logs every attempted breach so log monitors can identify
anomalous behaviour in seconds if not milliseconds.
The philosophy of SELinux seems quite different to CrowdStrike:
SELinux: "If I don't permit it, it won't happen"
CrowdStrike: "I permit everything until I get an update to block
something or I suspect something is dodgy"