What Are You Doing Right Now
-
If I set an alarm I end up not being able to sleep because I spend my time thinking about the alarm going off. If I don't set one, I tend to get more and better sleep and get up earlier than the alarm would have gone off anyway.
-
On coffee number two. Dominica just woke up.
-
Playing with HAProxy. I can't get it to display the proxied webpage, just tries to download an application/octet file.
-
Here's a great "tutorial" by howtoforge. "The Perfect Server" that has Apache, PHP, MySQL, BIND, Postfix, Dovecot, FTP, and ISPConfig 3 all on the same box. The article also instructs you to disable AppArmor because "you don't need it to configure a secure system."
-
What is their logic for why AppArmor is unnecessary?
-
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Not to mention the fact that all of this is installed along with Bind.
-
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
-
@scottalanmiller said:
Long passwords aren't always worth it either.
Sure they are... That is why I use KeePass, lol.
-
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services and disable SELinux.
-
@johnhooks said:
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services
FTFY
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services and disable SELinux.
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
-
@coliver said:
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services and disable SELinux.
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
No, not really. I can understand LAMP and postfix to send out emails from a small site, but I can't imagine DNS with all of that other stuff.
-
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
-
@johnhooks said:
@coliver said:
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
What is their logic for why AppArmor is unnecessary?
"AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem)."
Seems like sound logic /sarcasm
Yeah, he doesn't say why he feels it doesn't aid security, only that the advantages aren't enough. That the advantages aren't enough might be valid, but that's not the same as not being important for security. Long passwords aren't always worth it either.
I don't know anything about how AppArmor works, but I would be concerned to have Bind on a server with those other services and disable SELinux.
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
No, not really. I can understand LAMP and postfix to send out emails from a small site, but I can't imagine DNS with all of that other stuff.
I've never understood why they do that at all. I wouldn't host DNS myself no matter what. Lumping it all into a single server is extra nuts.
-
@dafyre said:
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
Sure but aren't those "independent" servers at that point? They are sandboxed to not interact with one another.
-
@dafyre said:
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
That's separated out, though, not lumped together. The issue here is that the "Perfect Server" goal from HowToForge is to throw as many services onto a single image as possible. It's not a good design at all for nearly any purpose. If you are running a web host, you would not want your LAMP on a single box even, let alone extra stuff.
-
@coliver said:
@dafyre said:
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
Sure but aren't those "independent" servers at that point? They are sandboxed to not interact with one another.
Yes, those are considered individual containers, essentially the same as VMs.
-
@coliver said:
@dafyre said:
@coliver said:
In this day and age does it make sense to have multiple services on a server? That just seems like asking for trouble...
Depends on what kind of server you are on, lol. If you are on one that will let you run docker, then why not use docker to separate them out?
Sure but aren't those "independent" servers at that point? They are sandboxed to not interact with one another.
By default, yes.... Throw up an Apache + PHP container.... and a separate MySQL Container... Then point your Apache / PHP Apps to the MySQL Container for the database... No different than if you put Apache + PHP on a VM and MySQL on a separate VM.
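
Added example, not part of the original post or thread: the layout described above (Apache + PHP in one container, MySQL in another) written as a Docker Compose file, with the database reachable only from the web container. The image tags, service and network names, `DB_*` variables and secret file paths are assumptions chosen for illustration.

```yaml
# Added example, not from the thread. Image tags, service/network names,
# DB_* variables and secret file paths are assumptions for illustration.
services:
  web:
    image: php:8.2-apache        # app needs a MySQL driver (e.g. pdo_mysql) built in
    ports:
      - "8080:80"                # only the web tier is published on the host
    volumes:
      - ./site:/var/www/html:ro  # site content mounted read-only
    environment:
      DB_HOST: db                # service name resolves on the shared network
      DB_NAME: appdb
      DB_USER: app
      DB_PASSWORD_FILE: /run/secrets/db_app_password  # read by the app (hypothetical)
    secrets: [db_app_password]
    networks: [frontend, backend]
    depends_on: [db]

  db:
    image: mysql:8.0
    environment:
      MYSQL_DATABASE: appdb
      MYSQL_USER: app
      MYSQL_PASSWORD_FILE: /run/secrets/db_app_password
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
    secrets: [db_app_password, db_root_password]
    volumes:
      - db_data:/var/lib/mysql
    networks: [backend]          # no "ports:" entry, so nothing is exposed on the host

networks:
  frontend: {}
  backend:
    internal: true               # no route out of this network; web <-> db only

volumes:
  db_data: {}

secrets:
  db_app_password:
    file: ./secrets/db_app_password.txt
  db_root_password:
    file: ./secrets/db_root_password.txt
```

The web container gets only the application account's password, not the root one, so a compromise of the PHP tier does not hand over database administration.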
-
Methinks I might be getting to grips with Docker. Kind of.
-
@hobbit666 Good... once you get to grips with Docker, write up a how-to for the rest of us, lol.