[H-GEN] Fixes for excalibur's backup

Russell Stuart russell-humbug at stuart.id.au
Mon Jul 13 19:42:10 EDT 2009


On Mon, 2009-07-13 at 18:40 -0400, Robert Brockway wrote:
> Do we want to remount the filesystem noatime?  It offers a small 
> performance advantage.  A few apps dislike this however, but I don't think 
> it should matter to us.

Nah.  As I said, the backup should cope with this.  There are other
issues besides - like directory modification times.  These are things I
can fix easily enough now I am aware of it.

> This is standard for firewalls I set up so it got added by default when I 
> loaded the ruleset.  It's useful for diagnostics, tracking attacks, etc. 
> It isn't essential but my preference is to retain it if we can.

We are writing 2.4M of log files per hour.  Either it gets reduced, or
it isn't backed up.  I am not sure how useful backing up syslog and
friends is.  Anybody got some thoughts they would like to share?

My personal view is a small log file is a good log file.  No one is
going to look at the 50M of log files we produce per day.  That said, I
don't particularly care as I am not planning to look at them and the
machine seems to handle the load OK.  The only issue is it is too
expensive to back up.

> I'd rather not.  There are better ways to deal with ssh attacks.

I am curious.  How do these better ways make excalibur more secure?

> We can use fail2ban, which will raise a firewall in the face of an attack 
> against ssh.  In fact we _should_ use this anyway.  I'll add it unless I 
> hear howls of objection.

I don't particularly care one way or the other, although I am not a huge
fan of adding complexity for no good reason.  These dictionary attacks
on ssh aren't a security issue as we don't allow password
authentication.



