[arch-general] how many virtual machines
Hello, I currently host my personal webpage from a virtual machine at my house. I am looking to add a mail server as well as an IRC server. However, I don't know if I should be using a separate virtual machine for each service. I am more concerned about security than resource use. However, the publicly reachable IP I have is through an external VPN provider (I believe it is Strong VPN). Any ideas or suggestions would be appreciated.
Take a look at XenCenter. It will make it easier to divide services on a per-machine basis. On 3 April 2012 at 17:56, Nicholas MIller <nick.kyky@gmail.com> wrote:
Hello,
I currently host my personal webpage from a virtual machine at my house. I am looking to add a mail server as well as an IRC server. However, I don't know if I should be using a separate virtual machine for each service. I am more concerned about security than resource use. However, the publicly reachable IP I have is through an external VPN provider (I believe it is Strong VPN). Any ideas or suggestions would be appreciated.
On Tue, Apr 3, 2012 at 4:56 PM, Nicholas MIller <nick.kyky@gmail.com> wrote:
Hello,
I currently host my personal webpage from a virtual machine at my house. I am looking to add a mail server as well as an IRC server. However, I don't know if I should be using a separate virtual machine for each service. I am more concerned about security than resource use. However, the publicly reachable IP I have is through an external VPN provider (I believe it is Strong VPN). Any ideas or suggestions would be appreciated.
There's really no reason you need another VM for each of those services. Make sure you have proper privilege separation and you should be fine. --Kaiting.
-- Kiwis and Limes: http://kaitocracy.blogspot.com/
On Apr 3, 2012 3:59 PM, "Kaiting Chen" <kaitocracy@gmail.com> wrote:
On Tue, Apr 3, 2012 at 4:56 PM, Nicholas MIller <nick.kyky@gmail.com> wrote:
Hello,
I currently host my personal webpage from a virtual machine at my house. I am looking to add a mail server as well as an IRC server. However, I don't know if I should be using a separate virtual machine for each service. I am more concerned about security than resource use. However, the publicly reachable IP I have is through an external VPN provider (I believe it is Strong VPN). Any ideas or suggestions would be appreciated.
There's really no reason you need another VM for each of those services. Make sure you have proper privilege separation and you should be fine. --Kaiting.
-- Kiwis and Limes: http://kaitocracy.blogspot.com/
Please correct me if I'm wrong, but running each service as its own user, without access to anything it doesn't need, is what you mean? And this might be a stupid question, but do you still agree with your statement if I need to use NFS reachable from outside my home network?
On Tue, 3 Apr 2012 16:07:55 -0500 Nicholas MIller wrote:
Please correct me if I'm wrong, but running each service as its own user, without access to anything it doesn't need, is what you mean? And this might be a stupid question, but do you still agree with your statement if I need to use NFS reachable from outside my home network?
Using VMs for security isn't good practice. It's a fair enough compromise if you're trying to share resources and save energy, but it would be better to use a few low-power machines if possible. The server security is more important. If an attacker can get root, there's a good chance they can escape or spy on the other VMs.
On Tue, Apr 3, 2012 at 5:07 PM, Nicholas MIller <nick.kyky@gmail.com> wrote:
On Apr 3, 2012 3:59 PM, "Kaiting Chen" <kaitocracy@gmail.com> wrote:
On Tue, Apr 3, 2012 at 4:56 PM, Nicholas MIller <nick.kyky@gmail.com> wrote:
Hello,
I currently host my personal webpage from a virtual machine at my house. I am looking to add a mail server as well as an IRC server. However, I don't know if I should be using a separate virtual machine for each service. I am more concerned about security than resource use. However, the publicly reachable IP I have is through an external VPN provider (I believe it is Strong VPN). Any ideas or suggestions would be appreciated.
There's really no reason you need another VM for each of those services. Make sure you have proper privilege separation and you should be fine. --Kaiting.
-- Kiwis and Limes: http://kaitocracy.blogspot.com/
Please correct me if I'm wrong, but running each service as its own user, without access to anything it doesn't need, is what you mean? And this might be a stupid question, but do you still agree with your statement if I need to use NFS reachable from outside my home network?
Yeah, run each service as an unprivileged user and you should be fine. If security is very critical, then run something like SELinux or a similar RBAC system. If you're doing NFS over the internet, the best method is to use Kerberos + GSSAPI for authentication and IPsec to secure the channel. --Kaiting.
-- Kiwis and Limes: http://kaitocracy.blogspot.com/
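A quick way to verify the "run each service as an unprivileged user" advice on a box like the one described is to list what is actually listening and who owns each listener. The script below is an added example, not something from this thread or from any of the posters; it joins the process ids that `ss -tlnp` reports for each listening socket with the owning users from `ps -eo pid,user,comm`, and flags listeners still owned by root. Both sample inputs are constructed text in those tools' output formats (the process names, pids and ports are made up), and the `PRIVSEP_BY_DESIGN` allow-list is an assumption for daemons such as postfix's `master`, which keeps a root-owned listener and hands each connection to an unprivileged child.

```python
"""Audit which listening TCP services run as root.

Added example (not from the original thread).  It joins the pids
reported by `ss -tlnp` with the users from `ps -eo pid,user,comm`.
Both samples below are constructed, not captured from a real host.
"""
import re

# Constructed sample in `ss -tlnp` output format.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*         users:(("master",pid=1340,fd=13))
LISTEN 0      128    0.0.0.0:6667       0.0.0.0:*         users:(("ircd",pid=1422,fd=4))
LISTEN 0      128    127.0.0.1:6697     127.0.0.1:*       users:(("ircd",pid=1422,fd=5))
"""

# Constructed sample in `ps -eo pid,user,comm` output format.
PS_SAMPLE = """\
  PID USER     COMMAND
    1 root     systemd
 1201 http     nginx
 1340 root     master
 1422 root     ircd
"""

# Daemons that deliberately keep a root-owned listener and delegate
# each connection to an unprivileged child (postfix's master is the
# usual case).  Assumed allow-list; extend it for your own setup.
PRIVSEP_BY_DESIGN = {"master"}

# Matches one ("comm",pid=N,fd=N) entry in ss's Process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_ps(text):
    """Map pid -> user from `ps -eo pid,user,comm` output."""
    users = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3:
            users[int(parts[0])] = parts[1]
    return users


def parse_ss(text):
    """Return (local_address, comm, pid) for every LISTEN socket."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue
        local = cols[3]
        for comm, pid in PROC_RE.findall(line):
            listeners.append((local, comm, int(pid)))
    return listeners


def audit(ss_text, ps_text):
    """Return one finding per listener owned by root that is not
    on the privilege-separation allow-list."""
    users = parse_ps(ps_text)
    findings = []
    for local, comm, pid in parse_ss(ss_text):
        user = users.get(pid, "?")
        if user == "root" and comm not in PRIVSEP_BY_DESIGN:
            findings.append(f"{local} {comm}[{pid}] runs as root")
    return findings


if __name__ == "__main__":
    for finding in audit(SS_SAMPLE, PS_SAMPLE):
        print(finding)
```

On a live system the two inputs come from `ss -tlnp` and `ps -eo pid,user,comm` (run as root so `ss` can resolve the owning processes). A finding is a prompt to check whether the daemon drops privileges after binding, not a verdict; in the constructed sample the IRC daemon is the one that should be moved to its own user.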
On Tue, 3 Apr 2012 18:10:12 -0400 Kaiting Chen wrote:
Yeah, run each service as an unprivileged user and you should be fine. If security is very critical, then run something like SELinux or a similar RBAC system.
If you don't mind compiling a kernel, grsecurity and its accompanying RBAC, or using RSBAC instead, are even better than SELinux. RSBAC will cost you the most time. grsecurity's RBAC has a learning mode but won't let you apply it selectively, as the author sees that as a false sense of security. OpenBSD is my favourite option for servers, but not for NFSv4. Do you need file locking, or can you use something like SFTP (SSH file transfer)?
On Wed, Apr 4, 2012 at 7:36 AM, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:
On Tue, 3 Apr 2012 18:10:12 -0400 Kaiting Chen wrote:
Yeah, run each service as an unprivileged user and you should be fine. If security is very critical, then run something like SELinux or a similar RBAC system.
If you don't mind compiling a kernel, grsecurity and its accompanying RBAC, or using RSBAC instead, are even better than SELinux.
RSBAC will cost you the most time. grsecurity's RBAC has a learning mode but won't let you apply it selectively, as the author sees that as a false sense of security.
OpenBSD is my favourite option for servers, but not for NFSv4. Do you need file locking, or can you use something like SFTP (SSH file transfer)?
Why don't you like OpenBSD for NFS? And I am fairly sure NFS is better suited to most of my needs right now, since the system has much more storage than my laptop, which helps as always-mountable extra space.
On Apr 4, 2012 5:17 PM, "Nicholas MIller" <nick.kyky@gmail.com> wrote:
On Wed, Apr 4, 2012 at 7:36 AM, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:
On Tue, 3 Apr 2012 18:10:12 -0400 Kaiting Chen wrote:
Yeah, run each service as an unprivileged user and you should be fine. If security is very critical, then run something like SELinux or a similar RBAC system.
If you don't mind compiling a kernel, grsecurity and its accompanying RBAC, or using RSBAC instead, are even better than SELinux.
RSBAC will cost you the most time. grsecurity's RBAC has a learning mode but won't let you apply it selectively, as the author sees that as a false sense of security.
OpenBSD is my favourite option for servers, but not for NFSv4. Do you need file locking, or can you use something like SFTP (SSH file transfer)?
Why don't you like OpenBSD for NFS? And I am fairly sure NFS is better suited to most of my needs right now, since the system has much more storage than my laptop, which helps as always-mountable extra space.
And I forgot to mention: thanks for all the input, everyone...
On Wed, 4 Apr 2012 17:17:08 -0500 Nicholas MIller wrote:
OpenBSD is my favourite option for servers, but not for NFSv4. Do you need file locking, or can you use something like SFTP (SSH file transfer)?
Why don't you like OpenBSD for NFS?
OpenBSD only supports NFSv3. I don't think NFS is highly regarded security-wise, so that hasn't helped it get a great deal of attention.
And I am fairly sure NFS is better suited to most of my needs right now, since the system has much more storage than my laptop, which helps as always-mountable extra space.
If you want multi-user access and file locking etc., then cool; otherwise I'd personally definitely use SFTP/SSH. Check out sshfs. Then you can use a public key, with top-class security and no password. Chroot and multi-level privilege separation take a second too (about three short config lines). It's also super slick.
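The "three short config lines" for a chrooted, key-only SFTP account live in `sshd_config`, and it is easy to get one of them wrong or to leave a global `PasswordAuthentication yes` in effect for that user. Below is an added example, written for this thread rather than taken from it or from OpenSSH, that parses an `sshd_config` with a simplified model of sshd's rules (global directives are first-obtained-value-wins, a `Match` block runs to the next `Match` line, and a matching block overrides the global values) and reports which directives are missing or wrong for a given SFTP-only user. The two configs are constructed; the directives themselves (`Match User`, `ChrootDirectory`, `ForceCommand internal-sftp`, `PasswordAuthentication`, `AllowTcpForwarding`, `X11Forwarding`, `Subsystem sftp internal-sftp`) are real OpenSSH keywords. Only `Match User` criteria and whitespace-separated `Keyword value` syntax are handled, which is an assumption of this checker.

```python
"""Check an sshd_config for the chrooted, key-only SFTP pattern.

Added example, not part of the original thread and not OpenSSH code.
Simplified parsing model: global directives are first-obtained-value-
wins, `Match User ...` blocks run to the next `Match` line, and a
matching block's directives override the global ones.  Only `Match
User` criteria and `Keyword value` syntax are handled.
"""

# Constructed sshd_config fragments (not from any real host).
WEAK_CONFIG = """\
PasswordAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
Match User backup
    ChrootDirectory /srv/sftp/backup
"""

# internal-sftp is required inside a chroot: there is no sftp-server
# binary (or libc) for sshd to exec below the chroot directory.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
Subsystem sftp internal-sftp
Match User backup
    ChrootDirectory /srv/sftp/backup
    ForceCommand internal-sftp
    PasswordAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
"""

# Directive -> required value for an SFTP-only account (None = any
# value, but the directive must be present).  Keywords and these
# values are compared case-insensitively.
REQUIRED = {
    "chrootdirectory": None,
    "forcecommand": "internal-sftp",
    "passwordauthentication": "no",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return (global_directives, [(users, block_directives), ...])."""
    global_d, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()
            users = set()
            # Criteria come in "Type value" pairs; keep only User here.
            for i in range(0, len(crit) - 1, 2):
                if crit[i].lower() == "user":
                    users.update(crit[i + 1].split(","))
            current = {}
            matches.append((users, current))
            continue
        target = global_d if current is None else current
        target.setdefault(key, value)           # first obtained value wins
    return global_d, matches


def effective_config(text, user):
    """Directives in effect for `user` after Match blocks are applied."""
    global_d, matches = parse_sshd_config(text)
    eff = dict(global_d)
    for users, block in matches:
        if user in users:
            eff.update(block)
    return eff


def audit_sftp_user(text, user):
    """List the directives that are missing or wrong for `user`."""
    eff = effective_config(text, user)
    problems = []
    for key, want in REQUIRED.items():
        got = eff.get(key)
        if got is None:
            problems.append(f"{key} not set")
        elif want is not None and got.lower() != want:
            problems.append(f"{key} is '{got}', want '{want}'")
    return problems


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sftp_user(cfg, "backup") or "ok")
```

Two things the checker cannot see from the file alone: sshd refuses the chroot at login unless every component of `ChrootDirectory` is owned by root and not group- or world-writable, and `sshd -t` should be run after any edit to catch syntax errors before the running daemon is restarted. Place a writable subdirectory (owned by the user) under the root-owned chroot for uploads.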
On Tue, 3 Apr 2012 16:59:29 -0400 Kaiting Chen wrote:
There's really no reason you need another VM for each of those services. Make sure you have proper privilege separation and you should be fine. --Kaiting.
It would be best to use chroot, or use an RBAC too, to prevent privilege escalation, so maybe a VM would be easier for you??
participants (4)
- Kaiting Chen
- Kevin Chadwick
- Nicholas MIller
- Victor Silva