tlug.jp Mailing List Archive
Re: [tlug] Dealing with software with wide attack surface
- Date: Sun, 29 Aug 2021 10:48:05 +0200
- From: Christian Horn <chorn@example.com>
- Subject: Re: [tlug] Dealing with software with wide attack surface
- References: <YSoy60UpAmmK5fyo@fluxcoil.net> <YSqPWwgCXPdJ6zaU@cobalt>
Thanks a lot for the great content in this thread, all.

On Sat, Aug 28, 2021 at 09:32:43PM +0200, Jens John wrote:
> [..]
> - you should be using systemd and its containment features even with nginx,
>   apache etc provided by the main OS. When you use systemd properly and its
>   capabilities to contain and restrain processes, separate container runtimes
>   are obsolete and KVM level isolation almost overkill (for maximum security,
>   by all means, add micro VMs on top).

The system is already a KVM guest, and while nested KVM might be possible and would give nice (not perfect, there are issues every now and then) separation, I won't do it here.

This is a Debian system; the kernels are compiled with CONFIG_SECURITY_SELINUX, but I think the packages are not written with it in mind / there are no policies. Debian makes upgrades between releases easier than Fedora/CentOS/RHEL, which come with SELinux policies for most services.

> Install nginx, configure it to serve your webstuff, then enter
> systemctl edit nginx.service
> and add settings like (demonstration ONLY):
> [..]

The Debian Bullseye nginx systemd service file is leaner; I will have a look at whether it can be extended.

> Of course, in the end, you will have a persistence layer somewhere, a database
> server or a directory hierarchy with user-generated content. This type of stuff
> needs to be shipped off of the online system to a backup location that is
> write-only excluding overwrites from the source system or completely
> disconnected, like offline backups. Because in the end, no security is 100%.

All the comments opened up a new perspective on this.

So actually, as of today with fgallery, I am
- on my local desktop running fgallery over the image dirs
- rsyncing that to the webserver
- having it just statically delivered

Lychee is not static, but runs PHP, keeping data in the filesystem + SQLite3 or a database like PostgreSQL.

I should try to
- just host Lychee here locally in a Debian Bullseye KVM guest, which I have anyway for playing around
- upload pictures to that instance
- then transfer the instance to the actual webserver, and host it there as far as possible read-only.

Christian
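As an added example (not code from the thread or from Debian's nginx package), the following POSIX shell script does the "have a look at whether it can be extended" step from the message above: it lists which systemd sandboxing directives a given unit file and its drop-ins do not set, and emits a drop-in of the kind `systemctl edit nginx.service` would create. The directive names are real systemd `[Service]` options; the `ReadWritePaths` and `CapabilityBoundingSet` values are assumptions for a stock Debian nginx (master as root, workers as www-data, logs and cache under /var) and must be checked against the actual installation, as must the path of the shipped unit file.

```shell
#!/bin/sh
# Added example: audit a systemd unit for sandboxing directives and generate a
# hardening drop-in for nginx. Paths and capabilities below are assumptions
# for a Debian nginx install; verify them before use.

# Sandboxing directives worth having on an internet-facing service.
HARDENING_KEYS="NoNewPrivileges ProtectSystem ProtectHome PrivateTmp PrivateDevices \
ProtectKernelTunables ProtectKernelModules ProtectControlGroups \
RestrictAddressFamilies RestrictNamespaces LockPersonality MemoryDenyWriteExecute \
RestrictRealtime RestrictSUIDSGID SystemCallFilter SystemCallArchitectures \
CapabilityBoundingSet"

# missing_hardening FILE...: print, one per line, each directive from
# HARDENING_KEYS that none of the given unit files or drop-ins sets.
missing_hardening() {
  for key in $HARDENING_KEYS; do
    if ! cat "$@" 2>/dev/null | grep -q "^[[:space:]]*$key="; then
      echo "$key"
    fi
  done
}

# nginx_dropin: emit drop-in contents for 'systemctl edit nginx.service'.
nginx_dropin() {
  cat <<'EOF'
[Service]
# Whole filesystem read-only; only these paths stay writable (assumed paths for Debian's nginx).
ProtectSystem=strict
ReadWritePaths=/var/log/nginx /var/lib/nginx /run
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
# Drop MemoryDenyWriteExecute if pcre_jit is turned on; the JIT needs writable+executable memory.
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# The master process starts as root and drops to www-data; keep only what that needs.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
EOF
}

# install_dropin [DIR]: write the drop-in where systemd looks for it, reload,
# and print systemd's own exposure score for the resulting unit.
install_dropin() {
  dir="${1:-/etc/systemd/system/nginx.service.d}"
  mkdir -p "$dir"
  nginx_dropin > "$dir/hardening.conf"
  if command -v systemctl >/dev/null 2>&1; then
    systemctl daemon-reload
    systemd-analyze security nginx.service
  fi
}
```

Usage on the server: source the script, run `missing_hardening /lib/systemd/system/nginx.service` to see what the shipped unit leaves open, then `install_dropin` as root and compare `systemd-analyze security nginx.service` before and after. ProtectSystem=strict is the setting most likely to break something, so watch the nginx error log for EROFS failures and add any legitimately written path to ReadWritePaths rather than relaxing the whole directive.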