Comments
Do you have to rebuild that each time the kernel is updated?
Dedicated server + FDE (unlock at boot with dropbear listening - many tutorials on the internets) + grsec + iptables + snort would be better than any container as using a KVM or XEN VPS you have no way to know if the host is compromised or not.
If there is a single KVM instance, and you have all the resources for yourself, then there is no real difference with a dedicated server (and KVM is useless).
It's not really more complicated to set up the software you need using the ports or package system & PF (or whatever you like) than say using apt-get & setting up iptables. And well, portaudit is quite great, isn't it?
;-)
After well over 15 years with BSDs I would find it unfair to say "BSD is as simple to configure as linux"; sure, for me it is but I'm sometimes swearing when I find myself in a bad spot with linux (not because it's bad but because I don't know it as well), so I assume the same is true from the other side.
Yes, probably my ubuntu/debian example wasn't the best. I originally wanted to say ubuntu/slack but thought that debian is much wider used and better known. The point was: ubuntu is a desktop clicky clicky system while many debian (and certainly alpine) linux users rarely see a desktop.
It also came into my head because it was here that a while ago I helped someone and was completely stunned that he rdp managed a server (of course with full X).
But again: My point wasn't BSD vs linux or "ubuntu is evil, use debian", certainly not. My point was "Think well which OS (and distro) and software you use and be sure to properly configure both the system and the software!" plus "Know against what to defend".
I had some discussions with a company I'm sure you've heard of, that was in the process of colo'ing a bunch of servers in various data centers, some of them overseas. They were specifically concerned about personnel at the data centers themselves trying to tamper with the servers and get at the data. The concern seemed plausible to me given what the company does. But I don't think of it as an extreme situation, just wise practice.
I also went to a talk by a security person from a much bigger company (think Google size) who said they don't colo anything in other companies' DC's. If they want to install servers in country X, they build out or buy the physical data center, and own and operate it themselves. This again was partly because of such security concerns (as well as being the economic way of doing a big installation). That wasn't a realistic option for the first company I mentioned since their remote stuff was just a few racks of equipment per DC.
The small company where I used to work had a few racks in a DC cage, though I don't think we had cameras in the cage or anything like that. I'm not sure why we did it that way.
Yes, the initramfs is kernel-specific. It's not really a problem though because the build script is included in the system hook directory. So if Debian releases a kernel update then the keyserver functionality should automatically get rebuilt as well.
I haven't tried the setup on non-Debian distros but I assume they have something functionally equivalent to the /etc/initramfs-tools/hooks directory.
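An added example (not code from the thread or from any poster) of the hook mechanism the post above describes: a POSIX shell script that installs an initramfs-tools hook under /etc/initramfs-tools/hooks, so that whenever Debian's update-initramfs runs after a kernel update the unlock helper is rebuilt into the new initramfs. The helper path /usr/local/sbin/fetch-unlock-key, its config file, and the prerequisite hook name dropbear are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Installs an initramfs-tools hook that
# copies a (hypothetical) key-fetch helper into every initramfs that gets built.
# update-initramfs runs each executable in the hooks directory on every kernel
# update, which is why the helper does not need to be re-added by hand.

HOOK_DIR="${HOOK_DIR:-/etc/initramfs-tools/hooks}"   # Debian's system hook directory

# write_keyserver_hook DIR: write the hook into DIR, mark it executable, print its path.
write_keyserver_hook() {
    dir="$1"
    hook="$dir/keyserver-unlock"
    cat > "$hook" <<'EOF'
#!/bin/sh
# initramfs-tools hook: include the key-fetch helper and its config in the initramfs.
PREREQ="dropbear"   # assumed name of the dropbear-initramfs hook; run after it
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
# copy_exec also resolves and copies the binary's shared-library dependencies.
copy_exec /usr/local/sbin/fetch-unlock-key /sbin     # placeholder helper path
mkdir -p "$DESTDIR/etc"
cp /etc/fetch-unlock-key.conf "$DESTDIR/etc/"        # placeholder config path
exit 0
EOF
    chmod 0755 "$hook"
    printf '%s\n' "$hook"
}

# hook_is_sane FILE: returns 0 if the hook parses, is executable, and answers
# the prereqs query the way update-initramfs expects (ordering without side effects).
hook_is_sane() {
    sh -n "$1" || return 1
    [ -x "$1" ] || return 1
    [ "$(sh "$1" prereqs)" = "dropbear" ]
}

# Typical use on the real system (not run here):
#   write_keyserver_hook "$HOOK_DIR" && update-initramfs -u
```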