opc0de.fr n00b
Joined: 20 Apr 2013 Posts: 9
Posted: Sat Apr 20, 2013 10:33 pm Post subject: [solved] [hardened] about gentoo hardened
Hello,
I have a server and it's my first. I already use Gentoo for my desktop. I would like to know if Gentoo Hardened is really secure and stable? Is it a good idea to install it on my server?
Thank you for developing and explaining your answer.
Last edited by opc0de.fr on Mon Apr 22, 2013 11:03 am; edited 1 time in total

chithanh Developer
Joined: 05 Aug 2006 Posts: 2158 Location: Berlin, Germany
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54220 Location: 56N 3W
Posted: Sat Apr 20, 2013 11:27 pm Post subject:
opc0de.fr,
Welcome to Gentoo.
What is security and what do you want to secure against?
If you consider security in layers, rather like an onion, then hardened adds more layers to make remote attacks and local privilege escalation attacks harder to execute successfully.
It does nothing to prevent someone with physical access to your system doing what they will. For that, you need to encrypt your data. You can do that anyway but it's not a part of hardened.
Yes, it's a good thing on servers because it makes attacks harder. That will make random attackers go away and find an easier target.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

opc0de.fr n00b
Joined: 20 Apr 2013 Posts: 9
Posted: Sun Apr 21, 2013 12:13 pm Post subject:
Thank you both,
It's not to prevent someone with physical access to my system.
When I mention "security" I mean: a Gentoo that will be hard to hack.
On my server, there will be apache/php/mysql for one website, two WordPress, two repositories, one GitLab or something like it (hm, what is the best in your opinion?) for several projects in C, C++, ASM, ...
There will also be a DNS server (bind), a mail server and a media server (Deezer-like; here also, what is your opinion on the best one?)
What do you think about chrooting / jailing services?
Do you have URLs of websites about hardening Gentoo, for more information and tutorials?
For the hardened kernel, what are the essential / inevitable modules?
I await your answers impatiently, thank you very much.

chithanh Developer
Joined: 05 Aug 2006 Posts: 2158 Location: Berlin, Germany
Posted: Sun Apr 21, 2013 12:31 pm Post subject:
The various components of a hardened system protect against a very specific list of threats. Mostly they are related to making it difficult to exploit buffer overflow vulnerabilities, or limiting the options an attacker has after gaining control of the execution flow of a process.
Hardened does not help against SQL injections / directory traversal / XSS / CSRF style attacks. Look into Apache mod_security for that. It also does not help against weak passwords (look at pam_cracklib) or detecting whether someone has already compromised your system (look at aide, chkrootkit) or network (look at snort).
Virtualization can be used to isolate services from each other, so that - barring exploitable conditions in the hypervisor - a vulnerability in one service does not put the others in danger.
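
Added example (not part of the thread, and not Gentoo project code): one way to see which buffer-overflow mitigations of the kind described in the post above a compiled binary actually carries, by reading its ELF headers. The properties checked (PIE, non-executable stack, RELRO) and the names `elf_hardening` and `make_elf` are assumptions of this example; the two sample images are constructed inline.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header


def elf_hardening(data: bytes) -> dict:
    """Report mitigation-related properties of an ELF64 little-endian image."""
    if len(data) < EHDR.size or data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    segs = {}
    try:
        for i in range(e_phnum):
            p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
            segs[p_type] = p_flags
    except struct.error as exc:
        raise ValueError("truncated program header table") from exc
    return {
        # ET_DYN means position-independent; shared libraries are ET_DYN too.
        "pie": e_type == ET_DYN,
        # The stack is non-executable only if PT_GNU_STACK exists without PF_X.
        "nx_stack": PT_GNU_STACK in segs and not segs[PT_GNU_STACK] & PF_X,
        # PT_GNU_RELRO marks relocation data remapped read-only after startup.
        "relro": PT_GNU_RELRO in segs,
    }


def make_elf(e_type, segments):
    """Build a constructed header-only ELF64 image for demonstration."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 16) for t, f in segments)


# Constructed samples: one with the mitigations present, one without.
HARDENED = make_elf(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
LEGACY = make_elf(ET_EXEC, [(PT_GNU_STACK, 7)])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, elf_hardening(image))
```

To check a real file, pass `open(path, "rb").read()` to `elf_hardening`.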
Sven Vermeulen Retired Dev
Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
Posted: Sun Apr 21, 2013 1:59 pm Post subject:
Gentoo Hardened has a number of subprojects, including SELinux and integrity. Securing a box can be done using several methods, but imo the most important one is to have educated administrators.
That being said, if you want to run multiple services on the same system, using virtualization and/or a mandatory access control system like SELinux makes sense imo. It reduces the risk that an exploit against one system affects the others.
_________________
Please add "[solved]" to the initial topic title when it is solved.