Language Selection

English French German Italian Portuguese Spanish

User Mode Linux: Maximizing performance, jailing attackers

Filed under
Interviews

User Mode Linux (UML)has ideal security features for controlling and jailing hackers once they've taken the sweetened bait of a 'honeypot,' says User Mode Linuxauthor and project architect Jeff Dike. UML can log all terminal traffic to the host in a way that's invisible and impossible to interfere with from inside the UML unlike Xen and VMware.

Take a tour of UML with Dike as he offers best practices, explains how to boot from an empty jail, talks about jailing attackers and more.

What are some unique issues of server consolidation with User Mode Linux?

Jeff Dike: From my point of view, server consolidation doesn't differ greatly from any other virtualization workload. So, the advantages of UML apply here the same as in other areas.

One aspect of server consolidation that may distinguish it from other virtualization workloads is that the host administrator may not trust the UML administrators. In this case, the UML administrators won't have shell access on the host, and the host administrator will need to decide how they will be allowed to access their UMLs.

The easy solution is to allow only network access. But this will increase the support burden when UML owners make their UMLs inaccessible by misconfiguring their networks. In this case, allowing the equivalent of logging in on a hardwired terminal would be nice, so that the UML admins still have access to their UMLs and can fix the network themselves.

So how should host administrators determine access criteria for UML?

Full Story.

More in Tux Machines

today's leftovers

  • 6 Excellent Console Linux File Managers
    A console application is computer software which can be used with a text-only computer interface, the command line interface, or a text-based interface included within a graphical user interface operating system, such as a terminal emulator (such as GNOME Terminal or the aforementioned Terminator). Whereas a graphical user interface application generally involves using the mouse and keyboard (or touch control), with a console application the primary (and often only) input method is the keyboard. Many console applications are command line tools, but there is a wealth of software that has a text-based user interface making use of ncurses, a library which allow programmers to write text-based user interfaces.
  • PHP Tour 2016 Clermont-Ferrand
  • Enlightenment's EFL Getting New DRM Library
    Chris Michael of Samsung has been working on a new DRM library for the Enlightenment Foundation Libraries (EFL) with a number of improvements. The initial implementation of this new library, Ecore_Drm2, has been added to EFL Git.
  • Antergos 2016.05.28 Screenshot Tour
  • Gentoo Linux 20160514 Screenshot Tour
  • First coding week with openSUSE, Google Summer of Code
    Embedded below is the blog of Google Summer of Code student Martin Garcia Monterde. Martin detailed his first week coding with openSUSE and the Google Summer of Code.
  • OpenPHT 1.5.2 for Debian/sid
    I have updated the openpht repository with builds of OpenPHT 1.5.2 for Debian/sid for both amd64 and i386 architecture. For those who have forgotten it, OpenPHT is the open source fork of Plex Home Theater that is used on RasPlex, see my last post concerning OpenPHT for details.
  • vcswatch is now looking for tags
    About a week ago, I extended vcswatch to also look at tags in git repositories. Previously, it was solely paying attention to the version number in the top paragraph in debian/changelog, and would alert if that version didn't match the package version in Debian unstable or experimental. The idea is that "UNRELEASED" versions will keep nagging the maintainer (via DDPO) not to forget that some day this package needs an upload. This works for git, svn, bzr, hg, cvs, mtn, and darcs repositories (in decreasing order of actual usage numbers in Debian. I had actually tried to add arch support as well, but that VCS is so weird that it wasn't worth the trouble).

Google and Oracle

Leftovers: OSS

Security Leftovers (Parrot Security OS 3.0 “Lithium”, Regulation)

  • Parrot Security OS 3.0 “Lithium” — Best Kali Linux Alternative Coming With New Features
    The Release Candidate of Parrot Security OS 3.0 ‘Lithium’ is now available for download. The much-anticipated final release will come in six different editions with the addition of Libre, LXDE, and Studio editions. The version 3.0 of this Kali Linux alternative is based on Debian Jessie and powered by custom hardened Linux 4.5 kernel.
  • Regulation can fix security, except you can't regulate security
    Every time I start a discussion about how we can solve some of our security problems it seems like the topics of professional organizations and regulation are where things end up. I think regulations and professional organizations can fix a lot of problems in an industry, I'm not sure they work for security. First let's talk about why regulation usually works, then, why it won't work for security.