by z3t4 2679 days ago
I think the most useful for sysadmins is the network namespace, which lets you put an app into its own network, so it cannot see the rest of the network. Container technology makes use of namespaces to create lightweight VM/containers. See man namespaces, lxc

nmap is a popular tool for network scanning. I've also found tcpdump to be useful for looking at network traffic.

setuid and chroot are useful for programmers, so once the app is up and running, it can chroot into a data-dir and drop root privileges using setuid to an unprivileged user. As a sysadmin you can also start the app from within a chroot and run it as an unprivileged user, which is preferable. Most (free)BSD tutorials go through setting up a chroot jail; it's not as common in Linux.

Containers, VMs, and chroot will not stop a very determined attacker, but the more restrictions the harder it will get.

Security is applied in layers: First you want to prevent people from the outside. Access is most often gained through exploiting some service/daemon/app running on the server. So the app should have as few privileges as possible. System access is often then gained by exploiting another app (so you want all apps to be locked down, not just the network-facing ones), like getting Apache to run curl, that sends an internal request to another app that has a known vulnerability and happens to run as root. (Nobody thought that app, not accessible from the outside, needed to get patched.) Once the attacker is inside the server, you also want to prevent access to other computers in the network.

1 comments

Got it. Thank you!
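
The chroot-then-setuid startup sequence described in z3t4's comment, as an added example that is not part of the original thread. The function name `confine_and_drop`, the jail path `/var/empty` and uid/gid 65534 are assumptions chosen for illustration; the process is assumed to start as root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE           /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_TARGET_IS_ROOT = -1, DROP_NOT_ROOT = -2,
       DROP_CHROOT_FAILED = -3, DROP_IDS_FAILED = -4, DROP_REVERSIBLE = -5 };

/* Confine the process to jail_dir, then give up root for good.
 * Order matters: chroot() needs root, and groups must go before the uid,
 * because after setuid() the process can no longer change its groups. */
int confine_and_drop(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return DROP_TARGET_IS_ROOT;   /* "dropping" to root confines nothing */
    if (geteuid() != 0)
        return DROP_NOT_ROOT;         /* this example must be started as root */

    /* chdir first so no working directory outside the jail is left behind. */
    if (chdir(jail_dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return DROP_CHROOT_FAILED;

    /* Clear supplementary groups inherited from root, then gid, then uid. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return DROP_IDS_FAILED;

    /* Verify the drop is permanent: regaining root must now fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return DROP_REVERSIBLE;
    return DROP_OK;
}

int main(void)
{
    /* Constructed values: /var/empty and uid/gid 65534 are placeholders. */
    int rc = confine_and_drop("/var/empty", 65534, 65534);
    if (rc != DROP_OK) {
        fprintf(stderr, "refusing to continue, privilege drop failed (%d)\n", rc);
        return 1;
    }
    /* ... serve requests here, confined and unprivileged ... */
    return 0;
}
```

Every return value is checked because a silently failed `setuid()` leaves the service running as root inside a jail that root can leave.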