Security :: Running Services Securely - Chroot And Virtualization?
May 26, 2011
I'd like to run a Tor relay, but am trying to understand the security implications. For some time I've run my torrent client in a VirtualBox virtual machine, which is run as a very non-prived user, bridges directly to The Internets, and writes to one directory on the host. My belief is this is about as secure as it can be, but am open to suggestion. If I run a relay in the VM it wouldn't be associated with my use of Tor as a client, which is fine since there is no technical need for them to be connected and it's desirable for security. I read that chroot jails can be broken, particularly when run as root, so I don't really trust that. Also studied a vserver, but it must share the network setup which doesn't strike me as isolated enough.
To copy from production to standby over the internet I use a cron job doing rsync -avze 'ssh -p 8022' --exclude-from= ....
My question is: should the cron job run on the production or the standby system. Root access to the remote system is given by a pass phrase-less ssh key. Currently I run rsync on the production system. I guess that it is more secure because the standby needs no ssh login to production. Running rsync on the standby would use less resources on production. I am concerned that in this case there would be pass phrase-less access from standby to production.
I have a small network at my office (3 workstations, 1 ubuntu desktop that I'm using as a file server). I'm using a WRT54G2 router for networking and internet connectivity. Here's what I'm trying to accomplish: I want to be able to access my little file server from home, across town. I think ssh might be the best way to go now. What I don't know: How do I set up the ssh server on my machine/network without compromising my network security and the security of my server? Do I just set up port/ip forwarding on my router, install openssh, and that's it?
This one being Ubuntu 9.10 (yes, I know I really should upgrade). I keep a number of confidential files in a TrueCrypt container which is a standalone file in my Documents folder. I'd like to delete some of these, but I want to do it as securely as I can, but I believe if I simply hit 'Delete' with the file selected it'll move the file to the Deleted Items folder. This, I assume, means that the file is taken out of the encrypted volume and stored unencrypted in the Deleted folder.
I've been reading a little about the Shred command, and there seems to be some question about whether it works effectively with a journalled file system; and since I have no idea whether I'm using a journalled file system, or how to find out, I'm treating Shred and other over-writing secure deletion tools as ineffective for now.
With this in mind, can anyone advise me how I can protect the file stored in the TrueCrypt volume, and delete it in place, without taking it out of the encrypted area? And, further to that, can anyone tell me whether in fact the file is actually secured while it's in the encrypted volume? For all I know, just opening the volume may result in copies being made somewhere (apart from RAM).
My company needs to send sensitive data across to another company, 800gb of .dpx. The way I have thought of is: E-Sata/1TB WD black. True-encrypted/ hw accelerated aes (3x machines being built with 2600k) Sha1sum on each file.
The main goal is to make sure that 1. The files that were transferred off the server onto the drive, are exactly the same. 2. Secure. 3. Fast.
I'm installing a new server after this weekend, and it must have both Windows Server 2008 R2 and Linux (probably Ubuntu) running, but I'm wondering which one of them I should run virtual. Windows will be used mostly for rdp and for serving asp.net webpages, Linux will host some django-applications and a postgreSQL server etc.
I am trying to figure out how to get an almost bare metal virtualization running, and having a hard time getting it going. I tried the Virtual Machine manager, but it won't let me do full virtualization.
I was hoping to set up a Kubuntu 10.04 Chroot on a PC with no internet access (I only have dialup anyway, not Broadband). All the information I have been able to find refers to downloading debootstrap in order to do this. I purchased a set of DVDs with all of the Ubuntu packages on them and created a single repository of them on my harddrive. Is there some way that I can create the Chroot using the packages on my hard drive without having to access the internet to download stuff as I do it?
It's been over two days since my search started, but I didn't find an answer anywhere. I need to call chroot as a normal user, but to my surprise it can only be called by the superuser with CAP_SYS_CHROOT capabilities. I am not sure how to add this capability to my user.
I want to make a sandbox for my music streaming server (subsonic). I was going to make a directory and chroot to it. I don't really have any room on my HD for new partitions. For the sandbox/chroot jail to be proper does it need to be on a separate filesystem/mount point?
Recently we decided to make our own panel (like Plesk or cPanel) but for Ubuntu, and it will be licenced under GPL (like any other professional software). We want to make a panel that not only fits our needs but also the needs of other system administrators and domain owners. We researched other panels and found out that none of them has security/look/ease of use in one package. Bad coding is another problem found in other panels. I made a short overview of what I think we have to have in the beginning.
I Security:
1. Completely chroot environment where every single service is in chroot mode (bind, mysql, postfix, ...)
2. Easily managed IPtables through web-based interface.
3. Coding rules have to be strict.
II Software selection:
1. MTA - Postfix
2. POP - dovecot
I have one requirement, i.e. I want to call the java file from the php function using the shell_exec command. I am using the chroot jail concept; if I use this command I get an empty file because the java environment is outside the chroot jail, so how do I access the files that are outside the chroot jail?
I had just put the last touch on a snort, mysql, apache, barnyard, base install to CentOS 5.3. I noticed that ifconfig displayed an odd virtual nic, and I wanted as little running on this machine as possible. I don't remember specifying that I wanted XEN installed. And on the old lowend machine that is powering this server, Virtualization was the last thing I wanted running on it. I did a google, discovered that the way to remove XEN completely ('yum uninstall xen' only removed 'xen' but still, oddly, xen was running after a reboot). Talk about perplexing.
After the upgrade from 11.1 to 11.2 I noticed that none of the services that were started at boot in 11.1 are starting now in 11.2. I check run-level of services with
When I start services manually everything is OK, but on restart they do not start. Another weird thing is that my SuSEfirewall2 is filtering everything on input, nevertheless my previous configuration is still there, but ports are closed.
I know that there is already a command for it but it comes out with a lot of letters that makes it hard to find the services that are running. I'm talking about services like DNS, APACHE, DHCP, SAMBA, SSH etc. Is there a command that will list these services and related services that are running instead of showing a bunch of jumbled and lettered mess that's hard to comprehend?
I am trying to run two different copies of the vsFTPd service on the same server, one for IPv4 and the other one for IPv6. Because as far as I know you can't run one vsFTPd server for IPv4 and IPv6 at the same time.
I have installed release CentOS 5.5 w/ fetchmail services. I've already configured the /.fetchmailrc in the correct format that I've learned from topics and I've checked also the sendmail running status. When I invoke the #fetchmail command this often happens:
fetchmail: WARNING: : Running as root is discouraged. 2 messages for user1 at mx.mailserver.com.ca: (1 of 2) (4353 octets) .....flushed
I have configured two NICs, one for the public IP and another for the local network. I've tried to use the two IPs in the POP3 and SMTP settings of Mozilla Thunderbird but still user1 can't get messages.
I am baffled by Fedora's feeble attempts to work with Samba. I have run various versions of Fedora for the last few years, and sporadically, the Samba gui and samba itself have had such problems. My current problem in Fedora 11 (64bit) is that samba doesn't seem to be running correctly. It is allowing the hosting of shares, but it does not show that it is running in the services gui. It shows enabled, but when I attempt to change it by starting or stopping, nothing happens. The samba gui also shows that it launches but then never actually starts. I saw very similar problems with Fedora 9.
Last time I installed the ATI graphics driver on my PC, it wasn't working fine so I uninstalled that driver. I restarted the PC after uninstalling the driver but then, when the PC boots and starts running the services the screen just hangs and I don't get into the desktop.
I tried to run the xfs service using service xfs restart and also gdm service using service gdm restart, but in both the cases it shows that Unrecognized Service. So, I think it means that the package for xfs and gdm service is not available in my PC. Is that so?
I tried to get into the desktop by running startx but it gave the following error :-
Fatal Server Error: no screen found
consult the fedora project support at [URL] for help.
check the log file at "/var/log/Xorg.0.log" for additional information.
xinit: connection refused (errno 111): unable to connect to X server xinit: no such process (errno 3): server error.
I have a little bit of a problem, I run openSUSE as a server on a Dell PowerEdge T610. I use it for sharing files in a local network and as a web server accessible through the public IP (configured through router DMZ). Also, I use Teamviewer for remote control in order to avoid some compatibility and network problems. Generally the computer runs flawlessly but from time to time, about once in two weeks, all network related services except the Apache server, which runs just fine and is still accessible, crash. The Samba share can't be accessed anymore, the Teamviewer is also dead and the only way to put everything back in order is a restart. The thing is I don't know if an error occurs since the server hasn't got a monitor installed, and more than that I do most of my work remotely (as in miles and miles away from the location) and it takes me quite some time to actually get there and see what's happening.
So, any ideas what might be happening? I believe that there might be some information in some of the logs, but as I am not an expert in Unix like operating systems I don't exactly know where to start from.
I downloaded the latest 10.4 server CD with the intention of running a small Ubuntu Enterprise Cloud. I am following the directions here: [URL] I've got 2 laptops that are capable of the tasks assigned to them. Both have dual core Intel chips that are VT enabled, 4GB of RAM, 250GB hard drives. I'll use one ( "server" ) as the front end server running cc, clc, walrus and sc. The other one ( "node1" ) will be the only node controller on my little network. I've also got another laptop as a client, running euca commands to make instances and what not. These three laptops are connected to a switch. server is 192.168.1.100, node1 is going to be 192.168.1.110, the client laptop is 192.168.1.120.
The server seems to install fine, I select Install Ubuntu Enterprise Cloud, use it as the Cluster, give the cluster a name and 10 IPs to assign, 192.168.1.150-192.168.1.160. After the server is done installing and reboots, I boot the node machine off the CD and again select Ubuntu Enterprise Cloud. It's at this point the install craps out, because it does not recognize a cloud computer on the network.
Indeed, as I go to the server I run
ps -aux | grep euca
and see nothing running. So I start the eucalyptus service, and run
sudo euca_conf --list-clusters
and nothing shows up. I've done some googling, ran some more euca_conf commands, registering the cluster, enabling walrus, cloud and sc. I can access the web gui on the client laptop, then restart the node install on the node laptop. This time it does see the server as a cluster controller, but when it tries to fetch the preseed file, it seems to not know the cluster's IP, as the red box that complains about the lack of a preseed file lists the URL as [URL] ( or whatever the file is called, I don't have the error in front of me. )
In my server the iptables and ip6tables services are not running. But still I am getting some iptables and ip6tables related alerts in my /var/log/messages. My technical leader told me that there might be some mis-configuration in the iptables configuration file. But I didn't see anything wrong.
What does it mean "Jan 25 11:01:32 beteduibsrv3 avahi-daemon: Leaving mDNS multicast group on interface eth0.IPv6 with address fe80::226:b9ff:fefc:6ec4."
I'm trying to avoid having to migrate my machine to Fedora: it's either learn to clone some existing Puppet manifests from Fedora to Ubuntu, or move back to Fedora. I'm running into several problems, including parsing errors for rules that work for Fedora and fail for Ubuntu, presumably because the version of libaugeas-ruby is older for Ubuntu (0.3.0) than Fedora (0.4.0). For Ubuntu, these rules fail with "Could not evaluate: Could not retrieve information from source(s)". Another one is a failure of augeas to use the 'ins' command to insert a rule into krb5.conf. I can't think of any good reason for these other than the older versions of the libraries render Puppet unable to parse properly.
At any rate, I was wondering whether anyone has had experience and success controlling security services in Ubuntu (Natty), such as krb5, pam, screensaver locking, etc. I should be able to hack my way through these, but I keep hitting walls like the evaluation error above.
I was wondering if there is any way in Linux in general and Fedora 13 in particular to configure system so that any service that needs access to internet will have to ask for password/permission to do so. So that I can