gyptazy

@gyptazy@gyptazy.ch

Believer in the power of open-source & community-driven innovation.

Former AS20621 NetOp that loves FreeBSD & illumos. Currently mostly in DevOps & developing (Python, Rust). Contributes to & . Evaluating and production usage of hardware/software.

Projects:
* BoxyBSD.com - A free VM hosting service to provide some value back to the community.
* ProxLB - (Re)Balance your CTs/VMs across your nodes in your Proxmox cluster. ProxLB is a dynamic resource scheduler for Proxmox which rebalances objects to other nodes in cluster based on CPU, memory or disk resources.
* manpageblog.org - A static blog generator in manpage design.
* QualvoSec - A security patch management tool.
X: https://twitter.com/gyptazy
GitHub: https://github.com/gyptazy
Blog: https://gyptazy.ch

gyptazy »
@gyptazy@gyptazy.ch

@al1r4d@pegelinux.top I'd use UFS instead of ZFS unless you really have a reason for using ZFS (like snapshotting or send/receive functions). Next to it, for additional security you may set the following in the sysctl.conf:

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1

Besides this, running services in jails and keeping software up to date. All of this is already a pretty good way. You may also want to check pf (firewall) since your system is probably directly reachable from the internet. So, scrubbing the traffic and firewalling may also be an improvement.
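
An added example, not part of gyptazy's post: a small shell check that compares a sysctl.conf-style file against the six settings listed above and reports any that are missing or set differently. The function name `check_sysctl_conf` and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file against the post's settings.
# check_sysctl_conf is a hypothetical helper name, not an existing tool.

# Settings and values exactly as listed in the post.
WANTED='security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1'

# Prints "MISSING key" or "MISMATCH key: have X, want Y" per deviation.
# Returns 0 if all settings match, 1 on any deviation, 2 if unreadable.
check_sysctl_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    printf '%s\n' "$WANTED" | awk -F= -v conf="$conf" '
        BEGIN {
            # Load the file: drop comments and whitespace; a later line overrides an earlier one.
            while ((getline line < conf) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t\r]/, "", line)
                eq = index(line, "=")
                if (eq > 1) have[substr(line, 1, eq - 1)] = substr(line, eq + 1)
            }
        }
        !($1 in have)  { print "MISSING " $1; bad = 1; next }
        have[$1] != $2 { print "MISMATCH " $1 ": have " have[$1] ", want " $2; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample config (not from the post): one line commented out, one wrong value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
#security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=1
kern.randompid=1
EOF
check_sysctl_conf "$sample" || echo "deviations found in $sample"
```

On a FreeBSD host, pass `/etc/sysctl.conf` as the argument; the check covers the file only, not the values currently active in the running kernel.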
