Automatic server hardening framework (telekomlabs.github.io)
120 points by dewey on Jan 12, 2015 | 20 comments

Seems like a nice and comfortable way to set sane defaults for nginx, Apache, MySQL, PostgreSQL and some Unix stuff - but they really should have been set by each software in the first place.

I like the private touch the screencast and the developer-designed website give the project, even if it is part of a big company. This actually raises its credibility.

> they really should have been set by each software

Yes, and it seems to me that distros (at least those intended for "enterprise") should be hardened by default also. If I install RHEL or OEL and then have to run a Chef or Puppet config to "harden" it, something is wrong.

Well, that's been tried and rejected by the user base. If you harden too much it becomes a real PITA to do anything productive (SELinux running in strict mode).

RHEL aims to be secure, while also remaining fairly compatible with previous versions.

Red Hat do have documentation on how to harden, but most users don't use it and instead turn SELinux completely off as one of the first configuration steps.

Very cool, but seems like it would be nice to have the hardening steps documented outside of code too (for those of us with more exotic provisioning tastes).

I completely agree. I was looking for the SSH settings but I don't use Puppet or Chef. This is why I prefer shell scripts so I can see what's going on and run parts of it on my own.

You can check the references here in the lifecycle section: http://telekomlabs.github.io/docs/

Seems bad that it disables IPv6 "for security".

Disable anything you don't use. I wish it weren't so but IPv6 is probably a safe assumption there.

I don't really have a problem with that, to be honest--I certainly don't run an IPv6 network internally (and neither does anyone else on AWS) and IPv6 translation can happen at the edges.

Ansible support would be spiffy.

I was looking for the same thing; however I can't find any acknowledgement of Ansible's existence anywhere on the site or in the docs :(

or Salt for the cool kids.

tl;dr: it's a set of open source Puppet/Chef/other modules to harden the default configuration of common daemons.

The audio on the demo video is really choppy, is that just me?

The same is happening for me, didn't notice it when I watched it before I posted it though. Maybe Vimeo is having problems.

It's not Vimeo. Downloading the video and playing it locally with VLC yields the same problems.

Is this an arm of T-Mobile (the US carrier)? Their logos are strikingly similar, but their websites make no reference to each other.

Telekom Labs logo: http://www.laboratories.telekom.com/public/Deutsch/Pages/def...

T-Mobile logo: http://www.t-mobile.com/

T-Mobile is German. And yes, same company (http://en.wikipedia.org/wiki/T-Mobile).

T-Mobile is the US subsidiary of Deutsche Telekom.

Nitpicking: T-Mobile is the international mobile branch of Deutsche Telekom, not just in the US (though there is a US subsidiary).

Other branches include T-Online (private ISP, actually a former subsidiary), T-Systems (subsidiary providing services to the public sector and larger corporations) and T-Home (which I have trouble telling apart from T-Online). There may be other branches too, but in practice most people in Germany just lump them all together anyway.
