Apache, ftp, samba, etc....

Francisco Reyes lists
Sun Oct 2 10:11:08 EDT 2005

On Sun, 2 Oct 2005, Marc Spitzer wrote:

>> To protect in case someone breaks into apache/ftp?
> yes.  With a script you can rebuild a jail, including saving all the
> data (web site etc.), and recover from an incident automatically.

Sounds like a good idea.

> you are running apps that give you root you only get root in the jail

I have actually used jails, just have never set one up. Now I will have a 
machine where I think it may make sense.

> and your tripwire (or mtree if you want to be BSDish (and who does
> not)) should be running out of the main box that has not been
> compromised.

I like that idea. Especially for files one does not expect to change.
I already have a little script to use mtree to compare directories.

How about CPU overhead?
I like the concept of a jail, but in the past I always wondered if the 
extra complexity and CPU overhead were necessary for my needs. I think a 
current box I am setting up is the first time I think it makes sense.

I will have both confidential services/data AND at the same time need to 
serve an app through http to the public. In an ideal world I would like 
two machines, but given how little load I expect to have on the machine 
it's hard to justify.
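A host-side integrity checker in the spirit of the mtree comparison discussed above, as an added example that is not part of this thread; it assumes the jail's tree is visible from the main box under a path such as /jails/www/usr/local/www and that the baseline is kept outside the jail.

```python
"""Check a jail's files from the main box (added example, not from the thread).

Run from the host over the jail's directory tree, never from inside the jail,
so a compromised jail cannot alter the baseline or the checker itself.
"""
import hashlib
import json
import os
import stat
import sys


def build_manifest(root):
    """Record sha256, mode, uid, gid and size of every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, like an mtree spec
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are skipped in this example
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = {
                "sha256": h.hexdigest(),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return manifest


def compare(baseline, current):
    """Return (added, removed, changed) paths, the three classes mtree reports."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


if __name__ == "__main__":
    # Usage (paths are assumptions): check.py /jails/www/usr/local/www /root/www.json
    root, spec = sys.argv[1], sys.argv[2]
    if not os.path.exists(spec):  # first run on a known-good tree: write the baseline
        json.dump(build_manifest(root), open(spec, "w"), indent=1, sort_keys=True)
    else:
        for label, items in zip(("added", "removed", "changed"),
                                compare(json.load(open(spec)), build_manifest(root))):
            for p in items:
                print(label, p)
```

Point it at the directories that should not change (binaries, configuration, the static web tree) rather than at log or upload directories, or the report will be all noise.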

