Mailing List Archive



Re: [tlug] Dealing with software with wide attack surface



Thanks a lot for the great content in this thread, all.

On Sat, Aug 28, 2021 at 09:32:43PM +0200, Jens John wrote:
> [..]
>   - you should be using systemd and its containment features even with nginx,
>     apache etc provided by the main OS. When you use systemd properly and its
>     capabilities to contain and restrain processes, separate container runtimes
>     are obsolete and KVM level isolation almost overkill (for maximum security,
>     by all means, add micro VMs on top).

The system is already a KVM guest, and while nested KVM might be possible,
and would be nice (not perfect, there are issues every now and then)
separation, I won't do it here.
This is a Debian system, kernels are compiled with CONFIG_SECURITY_SELINUX,
but I think the packages are not written with it in mind/no policies.
Debian makes upgrades between releases easier than Fedora/CentOS/RHEL,
which come with SELinux policies for most services.


>     Install nginx, configure it to serve your webstuff, then enter
>       systemctl edit nginx.service
>     and add settings like (demonstration ONLY):
>     [..]

The Debian Bullseye nginx systemd service file is more lean,
I will have a look at whether it can be extended.

> Of course, in the end, you will have a persistence layer somewhere, a database
> server or a directory hierarchy with user-generated content. This type of stuff
> needs to be shipped off of the online system to a backup location that is
> write-only excluding overwrites from the source system or completely
> disconnected, like offline backups. Because in the end, no security is 100%.

All the comments opened up a new perspective on this.
So actually, as of today with fgallery, I am
- on my local desktop running fgallery over the imagedirs
- rsync that to the webserver
- have it just statically delivered

Lychee is not static, but running PHP, keeping data in
filesystem + SQLite3 or a database like PostgreSQL.
I should try to
- just host Lychee here locally in a Debian Bullseye KVM guest,
  which I have anyway for playing around
- upload pictures to that instance
- transfer the instance then to the actual webserver, and
  host it there - as far as possible readonly.

Christian
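
An added example, not part of the original thread and not the settings elided from the quoted message: a hardening drop-in of the kind `systemctl edit nginx.service` creates, for nginx delivering a gallery read-only. The paths are assumed Debian package defaults and the capability list assumes a root master process with www-data workers; both need checking against the local install.

```ini
# /etc/systemd/system/nginx.service.d/override.conf
# (the file "systemctl edit nginx.service" writes)
[Service]
# Mount the whole file system read-only for nginx, web root included.
ProtectSystem=strict
# Exceptions nginx must write to: PID file in /run, logs, temp/cache dirs.
# Assumed Debian defaults.
ReadWritePaths=/run /var/log/nginx /var/lib/nginx

# Hide home directories, give the service its own /tmp and a minimal /dev.
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

# Kernel interfaces a web server has no reason to change.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# No privilege gain through setuid/setgid binaries.
NoNewPrivileges=true

# Capabilities left to the root master process:
#   CAP_NET_BIND_SERVICE    bind ports 80/443
#   CAP_SETUID, CAP_SETGID  switch workers to the unprivileged user
#   CAP_DAC_OVERRIDE        open log files owned by another user
#   CAP_CHOWN               hand temp directories to the worker user
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_CHOWN

# Only IP and local sockets; no new namespaces; native syscall ABI only.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
LockPersonality=true
SystemCallArchitectures=native
```

After `systemctl restart nginx`, `systemd-analyze security nginx.service` lists which sandboxing options are in effect and which remain open. A PHP application such as Lychee runs under its own service unit (for example php-fpm), which this drop-in does not cover.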

