Because tinkering and building things are fun, I've been looking at the wonderful world of COW file systems and have talked about containerization before.
But I am wondering, on a server that will never be outside a firewall, would I really need to put Samba, CUPS, ISC DHCP, etc. in a Firejail/LXC container?
Am I just completely overbuilding this? I'm starting to second-guess myself.
Last edited by geekosupremo (2017-02-15 20:14:20)
Containers don't really offer any increased security.
This article is a little old but it gives some idea of the problems:
http://www.itworld.com/article/2920349/ … lem-1.html
The CONFIG_USER_NS kernel option used to create unprivileged containers is *not* secure in any way:
There are still multiple vulnerabilities every month.
https://bugs.archlinux.org/task/36969
Unfortunately, there is a lot of marketing drive & hyperbole behind the new wave of containerisation.
If you are concerned about securing your server then consult this excellent guide:
https://www.debian.org/doc/manuals/secu … ian-howto/
Or switch to OpenBSD, ofc ]:D
Last edited by Head_on_a_Stick (2017-02-15 20:27:18)
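A defender-side check for the CONFIG_USER_NS point raised in the reply above, added here as an example and not part of either post: it reports whether unprivileged users on a host can create user namespaces. The function name `userns_status` is hypothetical, the config path `/boot/config-$(uname -r)` is an assumption about where the distribution ships its kernel config, and `kernel.unprivileged_userns_clone` is a Debian/Ubuntu kernel patch that is absent on mainline kernels.

```shell
#!/bin/sh
# Added example (not from the thread): classify a host's user-namespace exposure.
# Arguments are file paths so the logic can be run against constructed files;
# the defaults point at the live system.
userns_status() {
    uns_cfg=${1:-/boot/config-$(uname -r)}                      # assumed config location
    uns_max=${2:-/proc/sys/user/max_user_namespaces}            # mainline sysctl (4.9+)
    uns_clone=${3:-/proc/sys/kernel/unprivileged_userns_clone}  # Debian/Ubuntu patch

    # Without a readable kernel config we cannot tell whether the feature is built in.
    if [ ! -r "$uns_cfg" ]; then
        echo unknown
        return 0
    fi

    # Kernel built without CONFIG_USER_NS: no user namespaces for anyone.
    if ! grep -q '^CONFIG_USER_NS=y' "$uns_cfg"; then
        echo not-compiled
        return 0
    fi

    # user.max_user_namespaces=0 blocks creation of new user namespaces entirely.
    if [ -r "$uns_max" ] && [ "$(cat "$uns_max")" = 0 ]; then
        echo disabled
        return 0
    fi

    # On patched kernels, 0 here restricts creation to privileged processes.
    if [ -r "$uns_clone" ] && [ "$(cat "$uns_clone")" = 0 ]; then
        echo privileged-only
        return 0
    fi

    # Compiled in and no restricting sysctl found: any local user can create one.
    echo unprivileged-enabled
}

# Report for the current host when run directly.
userns_status "$@"
```

A result of `unprivileged-enabled` on a server that runs no unprivileged containers means the kernel interface the reply warns about is reachable by every local account; setting `user.max_user_namespaces=0` via sysctl moves the host to `disabled`.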