LFS Paper on Secure Servers

Bruce Dubbs bdubbs at swbell.net
Sat May 1 14:16:39 PDT 2004


EC wrote:

>Great job. Very interesting and useful. I will probably test it in a few
>weeks for my own environment. I am no security expert, though.
>  
>
Thanks for the feedback.

>I do have small comments/questions/suggestions..
>1) The use of sendmail as an MTA .. since it is secure oriented, isn't it
>more interesting to put postfix or qmail instead ?
>

Possibly.  I'm more familiar with sendmail and I wanted to use the same 
MTA as our other systems. 

>2) Going to nALFS for the build will be great. I am a newbie to LFS, but have
>already built dozens of LFS with it. It works great, profiles are quick to
>write, easy to maintain/change.
>

I'm not sure that nALFS is appropriate for this because I make several 
changes to the 'stock' LFS.  It may be possible to do that and go back 
and modify the nALFS build.  I'll look at that when I get the chance.

>3) isn't it interesting to use grsecurity in such environment ? Again, I'm
>no expert, but building such a security oriented system with grsecurity and
>a well designed ACL seems useful.
>

This is a possibility too.  However the paper was written from a 
relatively mainstream perspective.  As I said in the risk analysis, not 
every possible security component is needed for the threat.  Also, since 
it is a dedicated system with no normal users, ACLs seem to be overkill 
for this specific server.  They may be appropriate for other types of 
servers.

You bring up some great points for me to consider.  Thanks again.

  -- Bruce



