* [gentoo-user] New Server, considering hardened, need pointers to tfm...
@ 2011-12-10 17:45 Tanstaafl
From: Tanstaafl @ 2011-12-10 17:45 UTC
To: gentoo-user
Hello all,
I'm considering rolling out a new server with gentoo, but wanted to base
it on the hardened profile, but the docs I've read so far all seem to be
a bit vague about all the details.
I've been using gentoo for a while on my hobby server, but I installed
it about 8 years ago, and chose the 'server' profile, and I must say it
has been a real pleasure to maintain, and the only real hiccup I ever
experienced was the mailman update that moved the directories for the
lists without telling me what to do about it (the fix was simple, and
the devs swiftly fixed the lack of post-install docs).
Does anyone know of a good How-To that covers *all* of the bases? I.e.,
which model is best - grsecurity, PaX, SELinux - and how best to
implement it?
Thanks...
* Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...
From: Matthew Finkel @ 2011-12-10 20:07 UTC
To: gentoo-user
On Sat, Dec 10, 2011 at 12:45 PM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to base
> it on the hardened profile, but the docs I've read so far all seem to be a
> bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I installed it
> about 8 years ago, and chose the 'server' profile, and I must say it has
> been a real pleasure to maintain, and the only real hiccup I ever
> experienced was the mailman update that moved the directories for the lists
> without telling me what to do about it (the fix was simple, and the devs
> swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? I.e.,
> which model is best - grsecurity, PaX, SELinux - and how best to implement
> it?
>
> Thanks...
>
>
You may be able to get a better response from the -hardened list, but I
built a hardened server a few months ago without much difficulty. As far as
I know, the correct model to use depends on what you want to do with the
server/what security you are looking to implement. When I went hardened, I
used PaX and grsec [1] because it offered the security I was looking for
but didn't restrict userland usability on a server on which I was the only
user. My understanding is that this restriction would be a consequence of
using SELinux.
[1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml
As for a solid comparison of the different models and tutorials for them, I
don't know of any. I just used [1] as well as the PaX page to install and
configure them and I didn't run into any problems.
Hope that helps a bit (and I hopefully didn't describe anything
incorrectly).
- Matt
* Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...
From: Tanstaafl @ 2011-12-10 20:14 UTC
To: gentoo-user
On 2011-12-10 3:07 PM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
>
> You may be able to get a better response from the -hardened list,
Dang, I had forgotten gentoo has a bunch of other lists... thanks, just
subscribed...
> but I built a hardened server a few months ago without much
> difficulty. As far as I know, the correct model to use depends on
> what you want to do with the server/what security you are looking to
> implement. When I went hardened, I used PaX and grsec [1] because it
> offered the security I was looking for but didn't restrict userland
> usability on a server on which I was the only user. My understanding
> is that this restriction would be a consequence of using SELinux.
Yeah, I was leaning toward avoiding SELinux already from what I've been
reading, thanks...
> [1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml
>
> As for a solid comparison of the different models and tutorials for
> them, I don't know of any. I just used [1] as well as the PaX page to
> install and configure them and I didn't run into any problems.
Good to know, and thanks again...
* Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...
From: Pandu Poluan @ 2011-12-11 0:16 UTC
To: gentoo-user
On Dec 11, 2011 3:17 AM, "Tanstaafl" <tanstaafl@libertytrek.org> wrote:
>
> On 2011-12-10 3:07 PM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
>>
>>
>> You may be able to get a better response from the -hardened list,
>
>
> Dang, I had forgotten gentoo has a bunch of other lists... thanks, just
> subscribed...
>
Don't forget gentoo-server! It's full of people who deploy and manage
servers daily :-)
>> but I built a hardened server a few months ago without much
>> difficulty. As far as I know, the correct model to use depends on
>> what you want to do with the server/what security you are looking to
>> implement. When I went hardened, I used PaX and grsec [1] because it
>> offered the security I was looking for but didn't restrict userland
>> usability on a server on which I was the only user. My understanding
>> is that this restriction would be a consequence of using SELinux.
>
>
> Yeah, I was leaning toward avoiding SELinux already from what I've been
> reading, thanks...
>
Nothing beats the security of SELinux. But along with that, there will be a
HUGE learning curve and management complexity.
GrSec + PaX are enough for me.
>> [1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml
>>
>> As for a solid comparison of the different models and tutorials for
>> them, I don't know of any. I just used [1] as well as the PaX page to
>> install and configure them and I didn't run into any problems.
>
>
> Good to know, and thanks again...
>
If you decide to deploy PaX, do read the help pages for PaX options; there
are settings that might be severely detrimental for certain hardware
combinations.
Rgds,
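Added example, not code from the thread or from the Gentoo hardened project: a small POSIX shell audit that lists which PaX and grsecurity options a kernel .config enables or leaves unset, and singles out the ones on a watch list you fill from the Kconfig help texts Pandu refers to, so each can be reviewed before the kernel is booted on a particular machine. The CONFIG_PAX_* and CONFIG_GRKERNSEC symbol names are those used by the grsecurity/PaX patch set; the sample config fragment and the two-entry watch list are constructed placeholders, not settings recommended for any hardware.

```shell
#!/bin/sh
# Added example, not code from the thread or the Gentoo hardened project.
# Lists the PaX / grsecurity symbols a kernel .config enables or leaves
# unset so each can be checked against its Kconfig help text before the
# kernel is booted on a given machine. Symbol names (CONFIG_PAX_*,
# CONFIG_GRKERNSEC) are those used by the grsecurity/PaX patch set.

# Constructed sample .config fragment (not taken from a real server).
SAMPLE_CONFIG='# Automatically generated file; DO NOT EDIT.
CONFIG_X86_64=y
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_USERCOPY=y
CONFIG_PRINTK=y'

# Constructed watch list (placeholder): fill it with the options whose help
# text flags a caveat for your CPU, virtualisation setup or toolchain.
WATCHLIST='CONFIG_PAX_KERNEXEC CONFIG_PAX_MEMORY_UDEREF'

# Read a .config on stdin; print enabled PaX/grsec symbols, one per line.
pax_enabled() {
    grep -E '^CONFIG_(PAX|GRKERNSEC)[A-Z0-9_]*=y$' | sed 's/=y$//' | sort
}

# Read a .config on stdin; print PaX/grsec symbols explicitly left unset.
pax_disabled() {
    sed -E -n 's/^# (CONFIG_(PAX|GRKERNSEC)[A-Z0-9_]*) is not set$/\1/p' | sort
}

# Read a .config on stdin; print how many PaX/grsec symbols are enabled.
pax_count_enabled() {
    grep -c -E '^CONFIG_(PAX|GRKERNSEC)[A-Z0-9_]*=y$'
}

# $1: space-separated watch list; .config on stdin. Prints the watch-list
# symbols the config enables, i.e. the ones whose help text to re-read.
pax_flagged() {
    enabled=$(pax_enabled)
    for sym in $1; do
        printf '%s\n' "$enabled" | grep -qx "$sym" && printf '%s\n' "$sym"
    done
    return 0
}

# Report on the constructed sample. On a box whose kernel was built with
# CONFIG_IKCONFIG_PROC, the running config can be fed in the same way:
#   zcat /proc/config.gz | pax_enabled
printf 'Enabled (%s):\n' "$(printf '%s\n' "$SAMPLE_CONFIG" | pax_count_enabled)"
printf '%s\n' "$SAMPLE_CONFIG" | pax_enabled | sed 's/^/  /'
printf 'Explicitly disabled:\n'
printf '%s\n' "$SAMPLE_CONFIG" | pax_disabled | sed 's/^/  /'
printf 'On the watch list and enabled, re-read the help text first:\n'
printf '%s\n' "$SAMPLE_CONFIG" | pax_flagged "$WATCHLIST" | sed 's/^/  /'
```

The watch list is deliberately the admin's own input: the thread only says that some PaX settings interact badly with certain hardware combinations, so the script reports which of the options you chose to watch are actually switched on rather than deciding for you which ones are safe.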
* Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...
From: Pandu Poluan @ 2011-12-11 0:41 UTC
To: gentoo-user
On Dec 11, 2011 12:48 AM, "Tanstaafl" <tanstaafl@libertytrek.org> wrote:
>
> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to base
> it on the hardened profile, but the docs I've read so far all seem to be a
> bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I installed it
> about 8 years ago, and chose the 'server' profile, and I must say it has
> been a real pleasure to maintain, and the only real hiccup I ever
> experienced was the mailman update that moved the directories for the lists
> without telling me what to do about it (the fix was simple, and the devs
> swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? I.e.,
> which model is best - grsecurity, PaX, SELinux - and how best to implement
> it?
>
> Thanks...
>
Oh, one more thing:
If you don't need to milk your hardware for every last bit of performance,
consider running the server inside a VM like XenServer. You gain the
benefit of branchable snapshots, ease of migrating to a different physical
box (as long as you don't use -march=native), and simpler menuconfig. Plus,
if somehow your VM lost all connectivity, you don't need to visit the
server; you can still manage it through XenServer's virtual console.
I have been deploying my servers on top of XenServers, including one
gateway/firewall that used to oversee 5 internet links + 1 LAN with an
aggregate Internet bandwidth of 35 Mbps. Albeit running on an elderly
Pentium 4 box, I have no performance problems at all, even when the
gatewall does some very exotic iptables magic (my list of iptables rules is
already longer than 100 lines).
Rgds,