* Jarry <mr.ja...@gmail.com> wrote: > The only service running on my "host" (main system) is sshd, > which I secured as much as I could.
If you have some physical access (eg. serial console), you could even drop sshd (or only bind it to some local interface) to get around possible ssh attacks. That's what I'm doing on several machines. > Everything else (web, mail, dns, ftp, syslog, X, and plenty of > users' services) runs on its own guest-system, chrooted in > addition (where it was possible). Yes, that's also my approach. BTW: I'm currently trying to convice one of my customers - an major German ISP - to provide a generic solution for such kind of environments: customers can allocate and configure containers at will (also via robot interfaces), and the ISP takes care of the cluster of host machines ... maybe I get the leading product managers convinced some day ;-) cu -- ---------------------------------------------------------------------- Enrico Weigelt, metux IT service -- http://www.metux.de/ phone: +49 36207 519931 email: weig...@metux.de mobile: +49 151 27565287 icq: 210169427 skype: nekrad666 ---------------------------------------------------------------------- Embedded-Linux / Portierung / Opensource-QM / Verteilte Systeme ----------------------------------------------------------------------
