[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security question concerning jail or virtualization




On Thu, Mar 13, 2014 at 11:39 PM, shawn wilson <ag4ve.us@gmail.com> wrote:

Well Linux has LXC which is supposed to be equivalent to jails (also see docker). But use whatever suits you.

As are the older-school OpenVZ and Linux VServer technologies. 

Idk what's current for breaking out of VMs is. It might be good to pay attention to who is using the most entropy and make sure you don't run out. Most VMs use processor VT to isolate things (I don't think any 'jail' does this).

The main difference between the jail/container technology and "real" VMs is that containers share the host node's kernel, while a full virtualization involves representing, to some degree, everything about a physical machine, e.g. BIOS, kernel, etc.

I think most providers use OpenStack (a suite of technologies). YMMV

On Mar 13, 2014 11:06 PM, "Martin Braun" <yellowgoldmine@gmail.com> wrote:
Hi

I have recently experienced a server being "hacked" due to a security problem with a PHP application that made it possible for the "hacker" to gain a web shell.

It sounds like perhaps you should investigate a web application test suite. Whether this was running on a physical machine, a VM, or a container, it would not have changed the result of your php app getting hacked.
 
Due to this experience I would like to know what the best way to limit such problems is, especially when hosting web servers for users who may or may not installed unsecure applications on the web server.

Auditing your security is probably your best bet. As I said above, maybe some web app testing tools, run scans against your server regularly with Nessus or OpenVAS, plus the security best practices...Good password hygene, bastion hosts (only one type of app on a machine), turning off/uninstalling unneeded apps, especially those with a network presence, etc.
 
What does the big hosters do? What do they use?

They hire staffs of sysadmins and security folks. :)
 
The solution can't be too complecated to maintain and I would prefer each user being completely seperated from the main OS and from other users.

Depends on what you are trying to protect and what you are trying to defend against.
 
--b
Reply to: