LFS Paper on Secure Servers
bdubbs at swbell.net
Sat May 1 14:16:39 PDT 2004
>Great job. Very interesting and useful. I will probably test it in a few
>weeks for my own environment. I am no security expert, though.
Thanks for the feedback.
>I do have small comments/questions/suggestions..
>1) The use of sendmail as an MTA .. since it is secure oriented, isn't it
>more interesting to put postfix or qmail instead ?
Possibly. I'm more familiar with sendmail and I wanted to use the same
MTA as our other systems.
>2) Going to nALFS for the build will be great. I am a newbie to LFS, but have
>already built dozens of LFS with it. It works great, profiles are quick to
>write, easy to maintain/change.
I'm not sure that nALFS is appropriate for this because I make several
changes to the 'stock' LFS. It may be possible to do that and go back
and modify the nALFS build. I'll look at that when I get the chance.
>3) isn't it interesting to use grsecurity in such an environment? Again, I'm
>no expert, but building such a security oriented system with grsecurity and
>a well designed ACL seems useful.
This is a possibility too. However the paper was written from a
relatively mainstream perspective. As I said in the risk analysis, not
every possible security component is needed for the threat. Also, since
it is a dedicated system with no normal users, ACLs seem to be overkill
for this specific server. They may be appropriate for other types of
You bring up some great points for me to consider. Thanks again.