
Re: webhosting



Sven Hoexter <sven@telelev.net> writes:

[snip]
>> I'm still under the impression that it's quite possible to do a
>> reasonably secure bind install. Bind9 has some nice security-related
>> features, and a completely rewritten codebase (as opposed to bind8). I'm
>> not sure what insecurities you'd impose upon yourself by installing it..
>
> You forgot to mention that you can chroot bind since an 8.x release. The
> chroot is not the non plus ultra solution but it throws a few more stones
> in the way of the script kiddies.

Heck, it's possible to run something listening on port 21 in a secure
fashion... all it means is that you've got to be awake!

> Anyway it looks like the normal flamewars like sendmail vs. *your
> alternative MTA here* :)

Oh, definitely. Saying "just use <foo> instead" never got anyone anywhere.

It's perfectly possible to run services in a secure manner - tighten Bind
just like you would anything else - run in a virtual machine and/or
chrooted, as a non-root user, statically linked, 53/tcp restricted to
listed secondary NS boxes, use crypto sig things for updates, come back
tomorrow and keep it up to date, ...

~Tim
-- 
<http://spodzone.org.uk/>
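
The checklist in the message above, turned into a small audit, as an added example that is not part of the original post. It assumes "53/tcp restricted to listed secondary NS boxes" maps to `allow-transfer` lists and "crypto sig things for updates" to TSIG `key` entries in `allow-update`; the function names, command lines and config samples are constructed for illustration, and static linking and patch level are not checked.

```python
import re
import shlex

# Constructed sample inputs (not from the original post).
WEAK_CMD = '/usr/sbin/named -f'
HARD_CMD = '/usr/sbin/named -f -u bind -t /var/lib/named'
WEAK_CONF = '''
options { directory "/var/cache/bind"; allow-transfer { any; }; };
zone "example.org" { type master; allow-update { 192.0.2.0/24; }; };
'''
HARD_CONF = '''
key "ddns-key" { algorithm hmac-sha256; secret "PLACEHOLDER=="; };
options { allow-transfer { 192.0.2.53; 198.51.100.53; }; };
zone "example.org" { type master; allow-update { key "ddns-key"; }; };
'''

def _strip_comments(text):
    # Drop /* */, // and # comments, leaving quoted strings untouched.
    pat = r'"[^"]*"|/\*.*?\*/|(?://|#)[^\n]*'
    keep = lambda m: m.group(0) if m.group(0)[0] == '"' else ' '
    return re.sub(pat, keep, text, flags=re.S)

def _acl_elements(conf, statement):
    # Elements of every flat `statement { a; b; };` list (nested lists are skipped).
    bodies = re.findall(r'\b%s\s*\{([^{}]*)\}' % re.escape(statement), conf)
    return [[e.strip().strip('"') for e in b.split(';') if e.strip()] for b in bodies]

def audit(named_cmdline, named_conf):
    """Return a list of hardening gaps found in named's arguments and config."""
    findings = []
    argv = shlex.split(named_cmdline)
    opts = {argv[i]: argv[i + 1] for i in range(len(argv) - 1) if argv[i] in ('-u', '-t')}
    if opts.get('-u', 'root') == 'root':
        findings.append('runs as root (no -u <unprivileged user>)')
    if '-t' not in opts:
        findings.append('not chrooted (no -t <directory>)')
    conf = _strip_comments(named_conf)
    transfers = _acl_elements(conf, 'allow-transfer')
    if not transfers:
        findings.append('no explicit allow-transfer list')
    elif any('any' in acl for acl in transfers):
        findings.append('allow-transfer includes "any"')
    for acl in _acl_elements(conf, 'allow-update'):
        if any(e != 'none' and not e.startswith('key ') for e in acl):
            findings.append('allow-update not restricted to TSIG keys: ' + '; '.join(acl))
    return findings

if __name__ == '__main__':
    for name, cmd, conf in (('weak', WEAK_CMD, WEAK_CONF), ('hardened', HARD_CMD, HARD_CONF)):
        print(name, audit(cmd, conf))
```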


