
Re: [Xen-users] Securing Xen-Base System



On Mon, 2006-10-30 at 16:14 +0100, Gerhard Wendebourg wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello all,
> 
> since I want to build up a Xen-system with servers in its guest-systems
> reliable running, the question about the securing of the base-system / Dom0.
> 
> What kind of measures can / should be taken for preventing attacks and
> corruption of the system or the hacking from some guest to the base-system?
> 

Xen brings some new challenges to the table. In particular you must now
deal with "trusted root" and "un-trusted root" .. meaning, do you know
and trust the people who have root access to guest systems?

> Is the network fully secured, if I set up a firewall on the
> eth0-Interface, while the (default-)Xen-bridge is running?
> 

Buttoning down ingress on dom-0 is a great start, as for egress, we go
back to how much do you trust the people who have root access to running
guests. 

I can say, no matter what .. if it malloc()'s or occupies a port and you
don't really need it, get rid of it on dom-0. Restrict root login via
ssh, force V2, don't host public sites, etc .. make dom-0 a vault. One
good brute force SSH attack could keep needed things on dom-0 from
forking if it's > 128 MB. Lock down ingress to Xend via iptables, deny
from all and only allow from your own machines. Common sense should tell
you the rest.

Typically I leave dom-0 accessible only via private lan, leaving public
access open on a non xen utility box that also has access to that lan. 

I've also been known to just use a null modem cable and minicom from
another box to manage dom-0.

A little more information about your setup would be helpful ..
suggestions would really depend on that.

I use Xen mostly in the web hosting industry where anyone with $10 and a
valid (or stolen) credit card gets root on a guest .. so my setups would
seem way over-paranoid to most.. an example being pinning IP->MAC for
every guest to prevent one guest from hijacking another's IP, ebtables
on the bridges for rate limiting and snort to help stop spam before it
leaves the box. 

I don't use Shorewall .... nothing against it, but I find with my needs
it's easier to write my own scripts.

Best,
-Tim
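
The IP->MAC pinning mentioned in the message above, sketched as an added example that is not part of the original post and not the poster's own scripts. It assumes bridged networking with statically addressed IPv4 guests; the guest inventory is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print ebtables rules that pin each guest vif to one MAC and one IPv4.
# Assumes bridged guests with static IPv4; rules are printed for review, not applied.

# Constructed sample inventory: vif name, guest MAC, guest IPv4 (documentation range).
GUESTS='vif1.0 00:16:3e:00:00:01 192.0.2.11
vif2.0 00:16:3e:00:00:02 192.0.2.12'

valid_vif() { printf '%s\n' "$1" | grep -Eq '^vif[0-9]+\.[0-9]+$'; }
valid_mac() { printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into four octets
    IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Reads "vif mac ip" lines on stdin, prints rules, returns 1 if any line was rejected.
pin_rules() {
    rc=0
    while read -r vif mac ip; do
        [ -n "$vif" ] || continue
        if ! valid_vif "$vif" || ! valid_mac "$mac" || ! valid_ip "$ip"; then
            echo "skipping invalid entry: $vif $mac $ip" >&2
            rc=1
            continue
        fi
        # Allow IPv4 and ARP only when both the MAC and the IP match the inventory.
        echo "ebtables -A FORWARD -i $vif -p IPv4 -s $mac --ip-src $ip -j ACCEPT"
        echo "ebtables -A FORWARD -i $vif -p ARP -s $mac --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT"
        # Everything else entering the bridge from this vif is dropped (IPv6, DHCP included).
        echo "ebtables -A FORWARD -i $vif -j DROP"
    done
    return $rc
}

# Dry run over the constructed inventory.
printf '%s\n' "$GUESTS" | pin_rules
```

The script only prints the rules; review the output and run it on dom-0 once it matches the real guest inventory.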


