Re: Securing Debian Manual: 3.2.1 Choose an intelligent partition scheme
Hi Stayvoid, how are you?

If you install grub in MBR, there is no need for primary partitions since grub can nicely boot logical partitions.

Regards,

Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
"No one can be a slave to their identity; when a possibility for change arises, one must change." (Elliot Gould)

On Mon, Mar 5, 2012 at 8:59 PM, Stayvoid wrote:
> Hello.
>
> It's possible to create 4 primary partitions.
>
> How to allocate these:
> /home
> /tmp
> /var/tmp/
> /var
> /opt
> /var/mail
> Should I use extended partitions?
>
> http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html
>
> Cheers
Securing Debian Manual: 3.2.1.1 Selecting the appropriate file systems
Hello.

"During the system partitioning you also have to decide which file system you want to use. The default file system selected in the Debian installation for Linux partitions is ext3, a journaling file system."

This manual covers only ext-related features.
Should I use ext4 instead of ext3 for all partitions?

http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html

Cheers
Securing Debian Manual: 3.2.1 Choose an intelligent partition scheme
Hello.

It's possible to create 4 primary partitions.

How to allocate these:
/home
/tmp
/var/tmp/
/var
/opt
/var/mail
Should I use extended partitions?

http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html

Cheers
Securing Debian Manual: 3.1 Choose a BIOS password
Hello.

"Before you install any operating system on your computer, set up a BIOS password. After installation (once you have enabled bootup from the hard disk) you should go back to the BIOS and change the boot sequence to disable booting from floppy, CD-ROM and other devices that shouldn't boot. Otherwise a cracker only needs physical access and a boot disk to access your entire system." [1]

Is there a way to prevent such actions while using a VPS?

[1] http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html

Cheers
Re: Dedicated server vs. VPS
I thought this wasn't a matter for the security mailing list. Would you mind taking this to a 1:1 discussion?

On 05.03.12 20:19, Stayvoid wrote:
>> Why? Where is the connection between "no encryption" and the use as a MTA
>> and web server?
> I don't know really. I've thought that data should be available.
> Tell me more about it.

--
Best regards,
Patrick Geschke

Osna-Solution UG (haftungsbeschränkt)
Am Pappelgraben 56
49080 Osnabrück
Germany
Phone: +49 (0) 800 1 655 565
Fax: +49 (0) 541 34 74 5 73
E-Mail: patrick.gesc...@osna-solution.de
Web: www.osna-solution.de

Registered office/place of jurisdiction: Osnabrück
Commercial register court: Osnabrück, HRB 202745
Managing directors: Patrick Geschke, Jan Steenhusen
Re: Dedicated server vs. VPS
> Why? Where is the connection between "no encryption" and the use as a MTA
> and web server?

I don't know really. I've thought that data should be available.
Tell me more about it.
Re: Dedicated server vs. VPS
> I don't think that I can encrypt it. I want to use that machine for
> MTA and a web server.

Why? Where is the connection between "no encryption" and the use as a MTA and web server?
Re: Dedicated server vs. VPS
> I think that a dedicated server is far more secure than a VPS if you
> encrypt the drive.

I don't think that I can encrypt it. I want to use that machine for MTA and a web server.
Re: Dedicated server vs. VPS
On 05/03/12 10:30, Bedwell, Jordon wrote:
> This is not true in any case, including a dedicated server. It takes
> but a minute and your drive to get access to your server, root
> password or not, adjusted grub bootloader or not. Saved in a control
> panel or not. This is a quite talked about subject when it comes to
> Linux, but it's not really a security problem for the most part unless
> you plan to get a laptop stolen or something, but there are clear ways
> to fix that problem. Unless that entire drive is encrypted and
> requires the password to even boot they can get into it anytime they
> want. Dedicated servers are no more secure than VMs when it comes to
> this. It does however make them harder to manage and recover in user
> error since they don't attach a TTY.

I think that a dedicated server is far more secure than a VPS if you encrypt the drive.

In a dedicated server you can encrypt the whole hard drive [1] and nobody would be able to access it. A successful cold boot attack would require physical access to the server.

On a VPS it doesn't matter if you encrypt the disk, since the master has access to the guest's RAM and therefore an attacker that has compromised the master can extract the key easily from there.

Regards!

[1] http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/

--
Carlos Alberto Lopez Perez    http://neutrino.es
Igalia - Free Software Engineering    http://www.igalia.com
Re: Dedicated server vs. VPS
On Mon, Mar 5, 2012 at 2:59 AM, Timh B wrote:
> Hi,
>
> This should probably be discussed off-list, anyway - the one that has the
> most dedicated resources and has the best security policy. Generally when
> it comes to keeping the kernel/system tools updated it's all about your
> own OS since it's usually "independent" from the hostnode. Except kernel
> in the openvz-case where the provider is responsible for keeping the kernel
> up to date. There will always be undiscovered holes in the kernel and/or
> toolchain but a hoster that does not put their hardware nodes on the
> internet is one step closer to good security.

OpenVZ has nothing to do with it, all of them have that ability so specifically mentioning OpenVZ when Xen is like that and so is VMWare (to an extent I guess) is absolutely pointless. It's up to the provider to decide what type of VM you have, and the fact is that most of them chose not to give you access to the kernel because most of them know how many unknown exploits there are, and keeping the Kernel out of the VM space prevents kernel exploits (to a certain extent) but good providers give you the ability to select your kernel or kick it into a mode that allows you to use your own kernel.

> There is no way you can "restrict" a hoster's access to your VPS, that's
> basically true for DS as well if you have the root-password in some sort
> of control-panel or if the support has it for some reason.

This is not true in any case, including a dedicated server. It takes but a minute and your drive to get access to your server, root password or not, adjusted grub bootloader or not. Saved in a control panel or not. This is a quite talked about subject when it comes to Linux, but it's not really a security problem for the most part unless you plan to get a laptop stolen or something, but there are clear ways to fix that problem. Unless that entire drive is encrypted and requires the password to even boot they can get into it anytime they want.

Dedicated servers are no more secure than VMs when it comes to this. It does however make them harder to manage and recover in user error since they don't attach a TTY.
Re: Dedicated server vs. VPS
Hi,

This should probably be discussed off-list, anyway - the one that has the most dedicated resources and has the best security policy. Generally when it comes to keeping the kernel/system tools updated it's all about your own OS since it's usually "independent" from the hostnode. Except kernel in the openvz-case where the provider is responsible for keeping the kernel up to date. There will always be undiscovered holes in the kernel and/or toolchain but a hoster that does not put their hardware nodes on the internet is one step closer to good security.

There is no way you can "restrict" a hoster's access to your VPS, that's basically true for DS as well if you have the root-password in some sort of control-panel or if the support has it for some reason.

Basically, depending on what type of security you really want, both are as secure as you make them - or as the provider makes it. There will always be a risk of getting "owned".

//T

On Mon, March 5, 2012 00:28, Stayvoid wrote:
> Hello!
>
> Which one is more secure?
> VPS is usually cheaper than DS so I don't really want to pay extra
> money for nothing.
>
> I also want to restrict hoster's access to my machine. Is it possible with
> VPS?
> There was an accident with Linode. [1] An intruder accessed one of
> Linode's services and customers machines as well.
>
> [1] http://status.linode.com/2012/03/manager-security-incident.html
>
> Cheers

--
Timh