# Pimp My Gentoo Server Box!

## YEL

Hello everyone,

I'm interested, and I guess plenty of you out there are also interested in what Gentoo gurus use as tricks to pimp their boxes.

I'm especially interested in:

*Quote:*

> how do you Pimp the Security of your SERVER (apache/mysql / php/java/mod_jk/tomcat/...) system?
>
> how do you Pimp the Backup of your SERVER (apache/mysql/php/java/mod_jk/tomcat/...) system?
>
> ...

 

Tips and tricks are all welcome too; don't hesitate to share your know-how!

Thanks in Advance

YEL

----------

## exklusve

must we sink to the level of using such 'mtv' 'ghetto speak' terms? 

jesus christ, i thought at LEAST a linux software forum would be free of that s%#$

----------

## YEL

 *exklusve wrote:*   

> must we sink to the level of using such 'mtv' 'ghetto speak' terms? 
> 
> jesus christ, i thought at LEAST a linux software forum would be free of that s%#$

 

Dear exklusve, the main goal of this thread was to get useful tips and tricks for server optimisation and useful scenarios on how Gentoo veterans configure their systems, not to sink to x level.

To be honest I don't even have a TV and I've only heard of that series.

The main message is much more important than such a comment. Thanks for your add.

----------

## DNAspark99

I've been daydreaming about an impressive piece of hardware for a machine, raid array, opteron dual core, obscene amount of ram, the full 9, running a hardened gentoo 'parent' system, with multiple 'children' usermode instances doing the 'real' work (apache/mysql/mail etc), the parent as 'invisible' as possible to the outside world, and having enough resources for the children so that they are indistinguishable from a 'normal' box under heavy load...  

Can you harden usermode-sources? Are the patchsets compatible?

(I dunno, not on a gentoo box right now)

edit: now that would be pimpizzle, fo shizzle, ma nizzel!

----------

## groovin

I've used UML before, but not usermode-sources. I patched the kernel manually (at that time I didn't check to see if there was a usermode-sources, otherwise I would have used that). UML with the SKAS patch (separate kernel address space?) creates a pretty effective isolation of the UML children. From what I understand, if you're going to use UML to isolate dangerous services, then the SKAS patch is a must. But with Xen now hitting the scene in a big way, that might be the way to go.

I might have to build a web server soon that runs some type of LAMP stack... the P will either be Perl or PHP, probably the latter. So, my first quickie idea was to isolate the file, db, and apache components from each other using Xen. I haven't read any security papers on Xen, but I've heard it has great isolation, so I'll go upon that assumption (for now).

*I am by no means a security guru, so I hope that if someone spots a glaring problem in my setup, they'll please let me know!*

The file server will share with the other Xens via NFS read-only and have tight access control. NFS will not be accessible from the outside. Apache will mount its html and other files from the file server and grab the database from the db Xen. The parent, db, and file servers will not be directly accessible from the outside... the parent might be via ssh, but that'll be locked down and port knocked up. Apache will also be chrooted.

I will have a staging server that I can build packages on and distribute to the production machine. Of course chkrootkit and the pig will be snorting around there someplace.

I'll operate the 'fantastic 4' as if it was going to be breached... all good policies should include a breach plan. I guess I'll need to figure out:

- how to know I've been h4x0r3d
- how to contain the h4x0rz
- how to recover

This is of course just a quickie idea... what this basically does is multiply the number of machines I need to admin by 4... maybe it'll be easier to just use OpenBSD?

----------

## DNAspark99

Actually, now that Red Hat is pushing to put Xen into the kernel, I think this is perhaps a better line of thinking, so it's something I'd like to see make its way to Gentoo (as it should, if it gets included in the mainline kernel). In the meantime, I think I'll emerge and play with it standalone.

time will tell

----------

