On 04/12/2017 06:18 PM, John R Pierce wrote:
> On 4/12/2017 3:11 PM, Nicolas Kovacs wrote:
>> On my public servers, I usually run BIND for DNS. I see CentOS offers a
>> preconfigured (sort of) bind-chroot package. I wonder what's the
>> effective benefit of this vs. a "normal" BIND setup without chroot. On
>> my Slackware servers, I have a rather Keep-It-Simple approach to all
>> things security, e. g. run no unneeded services, open only needed ports
>> etc. but I don't run the extra mile (and haven't been bitten so far).
>>
>> Any suggestions? (No flamefest please.)
>
> bind went through a rocky stage where there were a LOT of security
> holes in it. by running it in a chroot, you limit its ability to be
> used as a hacking point of entry. recent versions of bind
> (basically, 9 and newer) are much more secure, so this is less of a
> concern.

But make sure to have SELinux enabled if you do not run it chrooted.

I have mine running that way.
On 13/04/2017 at 04:27, Robert Moskowitz wrote:
> But make sure to have SELinux enabled if you do not run it chrooted.
>
> I have mine running that way.

I bluntly admit not using SELinux, because until now, I mainly used more
bone-headed systems that didn't implement it. Maybe this is the right
time to get started.

I understand there's a wealth of information about SELinux. Any
recommendations for a newbie-friendly primer? I don't mind to RTFM, even
extensive documentation, but I prefer stuff that's well-written.

Cheers,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
On 04/13/2017 01:05 AM, Nicolas Kovacs wrote:
> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>> But make sure to have SELinux enabled if you do not run it chrooted.
>>
>> I have mine running that way.
>
> I bluntly admit not using SELinux, because until now, I mainly used more
> bone-headed systems that didn't implement it. Maybe this is the right
> time to get started.
>
> I understand there's a wealth of information about SELinux. Any
> recommendations for a newbie-friendly primer? I don't mind to RTFM, even
> extensive documentation, but I prefer stuff that's well-written.
>
> Cheers,
>
> Niki
>

I don't use SELinux because it gets in my way far more than it ever
actually protects me from anything. I'm sure there are systems where it
absolutely is necessary, but I don't like to have stuff fail because I
used mv instead of cp to install a certificate, for example.

For authoritative DNS I also do not use chroot, but authoritative DNS is
all those servers do, and I use zones signed externally via DNSSEC (no
private keys on the server).
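The "mv instead of cp" failure above is a labelling problem: mv keeps the file's original SELinux context, cp creates a new inode that inherits the directory's default context, so named (confined as named_t) is denied access to a key that still carries, say, user_home_t. The following is an added triage script, not code from this thread or from the BIND/CentOS projects. It takes the text an admin would capture on the box (`getenforce` output, `ps -eZ` output, AVC lines from /var/log/audit/audit.log) and reports whether enforcement is on, which domain named runs in, and which denials look like mislabelled files rather than genuine policy decisions. All inputs embedded below are constructed samples; the named_* type names are the ones the targeted policy uses for named's own files.

```python
"""Triage SELinux state and AVC denials for a BIND (named) server.

Added example (not from the thread). Inputs are plain text captured on the
server; the SAMPLE_* values at the bottom are constructed for illustration.
"""
import re
from collections import Counter

# Types that named_t legitimately deals with. A denial whose target already
# carries one of these is a policy/boolean question, not a labelling mistake.
NAMED_TYPES = {"named_conf_t", "named_zone_t", "named_cache_t", "named_log_t",
               "named_var_run_t", "named_tmp_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ctx_type(ctx):
    """user:role:type:level -> type (returns the input unchanged if not a context)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": f.get("comm", "?"),
        "name": f.get("name", "?"),
        "source": _ctx_type(f.get("scontext", "?")),
        "target": _ctx_type(f.get("tcontext", "?")),
        "tclass": f.get("tclass", "?"),
        "enforced": f.get("permissive", "0") == "0",   # permissive=1 means logged only
    }


def classify(denial):
    """'relabel' = named hit a file with a foreign label (the mv-instead-of-cp case),
    'policy'  = target already has a named_* type, so look at booleans/config,
    'other'   = not named, or not a filesystem object."""
    if denial["source"] != "named_t":
        return "other"
    if denial["target"] in NAMED_TYPES:
        return "policy"
    if denial["tclass"] in ("file", "dir", "lnk_file"):
        return "relabel"
    return "other"


def named_domain(ps_ez_output):
    """Return the SELinux type the named process runs under (from `ps -eZ`), or None."""
    for line in ps_ez_output.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[-1] == "named":
            return _ctx_type(cols[0])
    return None   # named not running, or not confined at all


def assess(getenforce_output, ps_ez_output, audit_lines):
    """Combine the three captures into one verdict dict."""
    denials = [d for d in map(parse_avc, audit_lines) if d]
    kinds = Counter(classify(d) for d in denials)
    relabel = sorted({d["name"] for d in denials if classify(d) == "relabel"})
    return {
        "enforcing": getenforce_output.strip() == "Enforcing",
        "named_domain": named_domain(ps_ez_output),
        "denials": len(denials),
        "by_kind": dict(kinds),
        "relabel_candidates": relabel,   # files to fix with restorecon
    }


# --- constructed sample captures (not real server output) -------------------
SAMPLE_GETENFORCE = "Enforcing\n"
SAMPLE_PS_EZ = """LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
system_u:system_r:named_t:s0     1234 ?        00:00:00 named
"""
SAMPLE_AUDIT = [
    # a key mv'ed in from a home directory still carries user_home_t
    'type=AVC msg=audit(1492060000.123:456): avc:  denied  { read } for  pid=1234 comm="named" name="example.com.key" dev="dm-0" ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1492060000.124:457): avc:  denied  { open } for  pid=1234 comm="named" name="example.com.key" dev="dm-0" ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    # correctly labelled zone file, but named tried to write it: a policy decision
    'type=AVC msg=audit(1492060100.200:470): avc:  denied  { write } for  pid=1234 comm="named" name="example.com.zone" dev="dm-0" ino=5678 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=0',
    # non-AVC record that must be ignored
    'type=SYSCALL msg=audit(1492060000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="named"',
]

if __name__ == "__main__":
    for k, v in assess(SAMPLE_GETENFORCE, SAMPLE_PS_EZ, SAMPLE_AUDIT).items():
        print(f"{k:20} {v}")
```

On a real server the three inputs come from `getenforce`, `ps -eZ`, and `ausearch -m avc -c named` (or a grep of audit.log). For anything in `relabel_candidates`, `restorecon -v /path/to/file` resets the label to the policy default, which is what `cp` into /var/named would have produced in the first place; for `policy` denials the target is already named's own type, so the question is a boolean or a configuration choice rather than a mislabelled file.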
On 04/13/2017 04:05 AM, Nicolas Kovacs wrote:
> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>> But make sure to have SELinux enabled if you do not run it chrooted.
>>
>> I have mine running that way.
> I bluntly admit not using SELinux, because until now, I mainly used more
> bone-headed systems that didn't implement it. Maybe this is the right
> time to get started.
>
> I understand there's a wealth of information about SELinux. Any
> recommendations for a newbie-friendly primer? I don't mind to RTFM, even
> extensive documentation, but I prefer stuff that's well-written.

For a basic authoritative server, I have the one magic setting needed in
your configuration. Otherwise it is working 'out of the box'.
On Thu, April 13, 2017 3:05 am, Nicolas Kovacs wrote:
> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>> But make sure to have SELinux enabled if you do not run it chrooted.
>>
>> I have mine running that way.
>
> I bluntly admit not using SELinux, because until now, I mainly used more
> bone-headed systems that didn't implement it. Maybe this is the right
> time to get started.

Another alternative with at least the same level of security, though not
giving me any of the trouble I hear people sometimes have with SELinux, is
to run services in separate jails (or other containers) - with the base
system mounted inside the jail read-only (I use FreeBSD jails - apologies
for mentioning, but Linux experts here can suggest a fair Linux
equivalent).

Valeri

>
> I understand there's a wealth of information about SELinux. Any
> recommendations for a newbie-friendly primer? I don't mind to RTFM, even
> extensive documentation, but I prefer stuff that's well-written.
>
> Cheers,
>
> Niki
>
> --
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Web  : http://www.microlinux.fr
> Mail : info at microlinux.fr
> Tél. : 04 66 63 10 32
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++