[Question] Secure a Virtual System

Don´t be shy, Linux is fun! =)
Post Reply
User avatar
ayu
Staff
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00
18
Contact:

[Question] Secure a Virtual System

Post by ayu »

I have been thinking about this a lot now, and I see a great danger with having a virtual system on my server that might not be as secure as the core system (parent system).

I found an example here:

Code: Select all

http://www.ditii.com/2008/02/25/vmware-exploit-lets-attackers-zap-real-windows/
Although this is an issue that has been fixed, it's still proof that issues like this exist, and I want to avoid it at all costs (because my servers different virtual systems contain a lot of sensitive data).

So I was thinking, is there anyway that you could chroot a virtual system? Like a system run under VMware? I mean, wouldn't that be hard? Seeing that VMware needs a lot of libraries, and access to the kernel headers as well as access to the different hardware on the comp so that the guest operating systems can use optical devices, network interfaces and such.

Would it be possible, easy, hard, and does anyone have any kind of experience doing it?

Thanks for any answer in advance :)

EDIT: I moved it from hacking to Linux, because I just realized that it's Linux I'm talking about and not VMware in general ^^
"The best place to hide a tree, is in a forest"

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

Well I just wanted to ask a similar question. Would it be safer to run certain cervices in a virutal environment than on the host if you are already on the lan?
We will either find a way, or make one.
- Hannibal

User avatar
ayu
Staff
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00
18
Contact:

Post by ayu »

Lyecdevf wrote:Well I just wanted to ask a similar question. Would it be safer to run certain cervices in a virutal environment than on the host if you are already on the lan?
Well, it wouldn't be much safer, the only difference would be that it would be harder to gain access to the host system maybe, and since it's on a LAN it wouldn't be a problem. But then again, if the virtual system is more vulnerable then the host, then that would be a big hole.

There's a lot you have to think about =/
"The best place to hide a tree, is in a forest"

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
18
Location: In your eye floaters.
Contact:

Post by bad_brain »

@cats
well, chrooting would not be enough to be real safe, you would also need to get rid of the root user so that no process in the chroot environment runs with root privileges that may allow an intruder to tamper with paths outside the chroot environment.
this would need a lot of configuration, but it's possible...

@Lyec
imo there is no real security gain, a well configured and up to date Linux system IS safe...ok, you can do a total-paranoia-config to make it "super-safe", but if an attacker already made it into the chroot environment there must have been something wrong with the general config already.
the "dangerous" services (dangerous because public to anyone) like Apache or ftp usually run with limited user permissions already, not as root. Apache for example as user www-data, ftp as user nobody (on Debian, might be different on other distros).... :wink:

Post Reply