[gentoo-user] New Server, considering hardened, need pointers to tfm...

[gentoo-user] New Server, considering hardened, need pointers to tfm...

[Tanstaafl]

Hello all,

I'm considering rolling out a new server with gentoo, but wanted to base 
it on the hardened profile, but the docs I've read so far all seem to be 
a bit vague about all the details.

I've been using gentoo for a while on my hobby server, but I installed 
it about 8 years ago, and chose the 'server' profile, and I must say it 
has been a real pleasure to maintain, and the only real hiccup I ever 
experienced was the mailman update that moved the directories for the 
lists without telling me what to do about it (the fix was simple, and 
the devs swiftly fixed the lack of post-install docs).

Does anyone know of a good How-To that covers *all* of the bases? Ie, 
which model is best - grsecurity, PAX, SeLinux - and how best to 
implement it?

Thanks...

Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...

[Matthew Finkel]

[-- Attachment #1: Type: text/plain, Size: 1759 bytes --]

On Sat, Dec 10, 2011 at 12:45 PM, Tanstaafl <tanstaafl@libertytrek.org>wrote:

> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to base
> it on the hardened profile, but the docs I've read so far all seem to be a
> bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I installed it
> about 8 years ago, and chose the 'server' profile, and I must say it has
> been a real pleasure to maintain, and the only real hiccup I ever
> experienced was the mailman update that moved the directories for the lists
> without telling me what to do about it (the fix was simple, and the devs
> swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? Ie,
> which model is best - grsecurity, PAX, SeLinux - and how best to implement
> it?
>
> Thanks...
>
>
You may be able to get a better response from the -hardened list, but I
built a hardened server a few months ago without much difficulty. As far as
I know, the correct model to use depends on what you want to do with the
server/what security you are looking to implement. When I went hardened, I
used PaX and grsec [1] because it offered the security I was looking for
but didn't restrict userland usability on a server on which I was the only
user. My understanding is that this restriction would be a consequence of
using SeLinux.

[1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml

As for a solid comparison of the different models and tutorials for them, I
don't know of any. I just used [1] as well as the PaX page to install and
configure them and I didn't run into any problems.

hope that helps a bit (and I hopefully didn't describe anything
incorrectly).

- Matt

[-- Attachment #2: Type: text/html, Size: 2235 bytes --]

Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...

[Tanstaafl]

On 2011-12-10 3:07 PM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
>
> You may be able to get a better response from the -hardened list,

Dang, I had forgotten gentoo has a bunch of other lists... thanks, just 
subscribed...

> but I built a hardened server a few months ago without much
> difficulty. As far as I know, the correct model to use depends on
> what you want to do with the server/what security you are looking to
> implement. When I went hardened, I used PaX and grsec [1] because it
> offered the security I was looking for but didn't restrict userland
> usability on a server on which I was the only user. My understanding
> is that this restriction would be a consequence of using SeLinux.

Yeah, I was leaning toward avoiding SeLinux already from what I've been 
reading, thanks...

> [1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml
>
> As for a solid comparison of the different models and tutorials for
> them, I don't know of any. I just used [1] as well as the PaX page to
> install and configure them and I didn't run into any problems.

Good to know, and thanks again...

Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...

[Pandu Poluan]

[-- Attachment #1: Type: text/plain, Size: 1633 bytes --]

On Dec 11, 2011 3:17 AM, "Tanstaafl" <tanstaafl@libertytrek.org> wrote:
>
> On 2011-12-10 3:07 PM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
>>
>>
>> You may be able to get a better response from the -hardened list,
>
>
> Dang, I had forgotten gentoo has a bunch of other lists... thanks, just
subscribed...
>

Don't forget gentoo-server! It's full of people who deploy and manage
servers daily :-)

>> but I built a hardened server a few months ago without much
>> difficulty. As far as I know, the correct model to use depends on
>> what you want to do with the server/what security you are looking to
>> implement. When I went hardened, I used PaX and grsec [1] because it
>> offered the security I was looking for but didn't restrict userland
>> usability on a server on which I was the only user. My understanding
>> is that this restriction would be a consequence of using SeLinux.
>
>
> Yeah, I was leaning toward avoiding SeLinux already from what I've been
reading, thanks...
>

Nothing beats the security of SELinux. But along with that, there will be a
HUGE learning curve and management complexity.

GrSec + PaX are enough for me.

>> [1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml
>>
>> As for a solid comparison of the different models and tutorials for
>> them, I don't know of any. I just used [1] as well as the PaX page to
>> install and configure them and I didn't run into any problems.
>
>
> Good to know, and thanks again...
>

If you decide to deploy PaX, do read the help pages for PaX options; there
are settings that might be severely detrimental for certain hardware
combinations.

Rgds,

[-- Attachment #2: Type: text/html, Size: 2139 bytes --]

Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...

[Pandu Poluan]

[-- Attachment #1: Type: text/plain, Size: 1704 bytes --]

On Dec 11, 2011 12:48 AM, "Tanstaafl" <tanstaafl@libertytrek.org> wrote:
>
> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to base
it on the hardened profile, but the docs I've read so far all seem to be a
bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I installed it
about 8 years ago, and chose the 'server' profile, and I must say it has
been a real pleasure to maintain, and the only real hiccup I ever
experienced was the mailman update that moved the directories for the lists
without telling me what to do about it (the fix was simple, and the devs
swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? Ie,
which model is best - grsecurity, PAX, SeLinux - and how best to implement
it?
>
> Thanks...
>

Oh, one more thing:

If you don't need to milk your hardware for every last bit of performance,
consider running the server inside a VM like XenServer. You gain the
benefit of branchable snapshots, ease of migrating to a different physical
box (as long as you don't use -march=native), and simpler menuconfig. Plus,
if somehow your VM lost all connectivity, you don't need to visit the
server; you can still manage it through XenServer's virtual console.

I have been deploying my servers on top of XenServers, including one
gateway/firewall that used to oversee 5 internet links + 1 LAN with an
aggregate Internet bandwidth of 35 Mbps. Albeit running on an elderly
Pentium 4 box, I have no performance problems at all, even when the
gatewall does some very exotic iptables magic (my list of iptables rules is
already longer than 100 lines).

Rgds,

[-- Attachment #2: Type: text/html, Size: 1945 bytes --]