What Are You Doing Right Now
-
Here's a great "tutorial" by howtoforge. "The Perfect Server" that has Apache, PHP, MySQL, BIND, Postfix, Dovecot, FTP, and ISPConfig 3 all on the same box. The article also instructs you to disable AppArmor because "you don't need it to configure a secure system."
-
What is their logic for why AppArmor is unnecessary?
-
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Not to mention the fact that all of this is installed along with Bind.
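Added example, not part of the thread or of the HowtoForge article: instead of disabling AppArmor when a service misbehaves, check the kernel audit lines to see whether a profile is actually blocking it, and on which path. The log lines, hostname, paths and pids below are constructed for illustration; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value audit format AppArmor writes to
# the kernel log (hostname, paths and pids are made up for this example).
SAMPLE_LOG = """\
Jan 10 09:14:02 web1 kernel: audit: type=1400 audit(1704878042.101:211): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/srv/dns/zones/example.test.db" pid=812 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
Jan 10 09:14:02 web1 kernel: audit: type=1400 audit(1704878042.105:212): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/srv/dns/zones/example.test.db" pid=812 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
Jan 10 09:15:40 web1 kernel: audit: type=1400 audit(1704878140.330:213): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/data/mysql/ib_tmp" pid=901 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
Jan 10 09:16:11 web1 kernel: audit: type=1400 audit(1704878171.002:214): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/etc/ssl/private/mail.key" pid=955 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 09:16:30 web1 kernel: audit: type=1400 audit(1704878190.500:215): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=960 comm="apparmor_parser"
Jan 10 09:17:00 web1 postfix/smtpd[1002]: connect from unknown[192.0.2.10]
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    fields = {k: (q if q else u) for k, q, u in FIELD.findall(line)}
    return fields if "apparmor" in fields else None


def denials(log_text):
    """Count enforced denials per (profile, operation, path, denied_mask).

    ALLOWED (complain-mode) and STATUS events are skipped: they did not
    block anything, so they cannot explain a broken service.
    """
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["apparmor"] == "DENIED":
            counts[(ev.get("profile"), ev.get("operation"),
                    ev.get("name"), ev.get("denied_mask"))] += 1
    return counts


def profiles_blocking(log_text):
    """Profiles with at least one enforced denial, sorted by name."""
    return sorted({key[0] for key in denials(log_text)})


if __name__ == "__main__":
    for (profile, op, path, mask), n in denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {profile}  {op} {path} (denied: {mask})")
```

A profile that shows up here can be switched to complain mode with `aa-complain` or amended with `aa-logprof`, which keeps every other service on the box confined.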
-
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
-
@scottalanmiller said:
Long passwords aren't always worth it either
Sure they are... That is why I use KeePass, lol.
-
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services and disable SELinux.
-
@johnhooks said:
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services
FTFY
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services and disable SELinux.
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
-
@coliver said:
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services and disable SELinux.
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
No, not really. I can understand LAMP and postfix to send out emails from a small site, but I can't imagine DNS with all of that other stuff.
-
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
-
@johnhooks said:
@coliver said:
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services and disable SELinux.
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
No, not really. I can understand LAMP and postfix to send out emails from a small site, but I can't imagine DNS with all of that other stuff.
I've never understood why they do that at all. I wouldn't host DNS myself no matter what. Lumping it all into a single server is extra nuts.
-
@dafyre said:
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
Sure but aren't those "independent" servers at that point? They are sandboxed to not interact with one another.
-
@dafyre said:
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
That's separated out, though, not lumped together. The issue here is that the "Perfect Server" goal from HowToForge is to throw as many services onto a single image as possible. It's not a good design at all for nearly any purpose. If you are running a web host, you would not want your LAMP on a single box even, let alone extra stuff.
-
@coliver said:
@dafyre said:
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
Sure but aren't those "independent" servers at that point? They are sandboxed to not interact with one another.
Yes, those are considered individual containers, essentially the same as VMs.
-
@coliver said:
@dafyre said:
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
Sure but aren't those "independent" servers at that point? They are sandboxed to not interact with one another.
By default, yes.... Throw up an Apache + PHP container.... and a separate MySQL container... Then point your Apache / PHP apps to the MySQL container for the database... No different than if you put Apache + PHP on a VM and MySQL on a separate VM.
-
Methinks I might be getting to grips with Docker. Kind of.
-
@hobbit666 Good... once you get to grips with Docker, write up a how-to for the rest of us, lol.
-
How useful are containers to the average IT person, excluding DevOps? It seems like they are designed for deploying hundreds of identical applications, not the one-off apps that SMB IT generally uses. The learning curve seems to be much higher than a similar technology like virtualization, which is pretty much set it and forget it.
-
@coliver said:
How useful are containers to the average IT person, excluding DevOps? It seems like they are designed for deploying hundreds of identical applications, not the one-off apps that SMB IT generally uses. The learning curve seems to be much higher than a similar technology like virtualization, which is pretty much set it and forget it.
Not very. Containers, especially Docker style ones, are very much not for standard IT and definitely not for the SMB world in general. VMs do more of what is needed.
-
@coliver said:
How useful are containers to the average IT person, excluding DevOps? It seems like they are designed for deploying hundreds of identical applications, not the one-off apps that SMB IT generally uses. The learning curve seems to be much higher than a similar technology like virtualization, which is pretty much set it and forget it.
I have my website in an LXC container. I mostly did it for practice, but if someone were able to gain access, they can't really do anything. It's run by a standard non-sudo user, so they could affect the container and that user's home dir but nothing else. Plus they are easy to back up and move around.