Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[solved] [hardened] about gentoo hardened
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
opc0de.fr
n00b
n00b


Joined: 20 Apr 2013
Posts: 9

PostPosted: Sat Apr 20, 2013 10:33 pm    Post subject: [solved] [hardened] about gentoo hardened Reply with quote

Hello,
I have a server and it's my first. I already use gentoo for my desktop. I would like to know if gentoo hardened is really secure and stable ? If it is a good idea to install it on my server ?
Thank you to develop and explain your answer.


Last edited by opc0de.fr on Mon Apr 22, 2013 11:03 am; edited 1 time in total
Back to top
View user's profile Send private message
chithanh
Developer
Developer


Joined: 05 Aug 2006
Posts: 1656
Location: Berlin, Germany

PostPosted: Sat Apr 20, 2013 11:20 pm    Post subject: Reply with quote

Hardened is as secure as it gets in most measurable ways.
http://labs.mwrinfosecurity.com/blog/2010/06/29/assessing-the-tux-strength-part-1---userspace-memory-protection/
http://labs.mwrinfosecurity.com/blog/2010/09/02/assessing-the-tux-strength-part-2---into-the-kernel/

However, the security comes at the cost of functionality and convenience (and to a lesser extent, performance). A number of packages do not work properly or need extra attention. To get an idea, have a look at the various package.mask and package.use.mask files under /usr/portage/profiles/hardened/.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 31710
Location: 56N 3W

PostPosted: Sat Apr 20, 2013 11:27 pm    Post subject: Reply with quote

opc0de.fr,

Welcome to Gentoo.

What is security and what do you want to secure against?

If you consider security in layers, rather like an onion, then hardened adds more layers to make remote attacks and local priviledge escalation attacks harder to execute successfully.
It does nothing to prevent someone with physical access to your system doing what they will. For that, you need to encrypt your data. You can do that anyway but its not a part of hardened.

Yes its a good thing on servers because it makes attacks harder. That will make random attackers go away and find an easier target.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
opc0de.fr
n00b
n00b


Joined: 20 Apr 2013
Posts: 9

PostPosted: Sun Apr 21, 2013 12:13 pm    Post subject: Reply with quote

Thank you both,

It's not for prevent someone with physical access to my system.

When i mention "security" i want say : a gentoo that will hardly hackable.

In my server, there will be apache/php/mysql for one website, two wordpress, two repository, one gitlab or something like it (hm, what is the best in your opinion ?) for several projects in C, C++, ASM, ...

There will also be a dns server (bind), a mail server and a media server (deezer-like, here also, what is your opinion on the more better ?)

What do you think about chrooting / jailing services ?

Have you urls website telling about hardening gentoo for more informations and tutorials ?

For the hardened kernel, what are essential / inevitable modules ?

I wait your answers impatiently, thank you verry much. :)
Back to top
View user's profile Send private message
chithanh
Developer
Developer


Joined: 05 Aug 2006
Posts: 1656
Location: Berlin, Germany

PostPosted: Sun Apr 21, 2013 12:31 pm    Post subject: Reply with quote

The various components of a hardened system protect against a very specific list of threats. Mostly they are related to making it difficult to exploit buffer overflow vulnerabilities, or limiting the options an attacker has after gaining control of the execution flow of a process.

Hardened does not help against SQL injections / directory traversal / XSS / CSRF style attacks. Look into Apache mod_security for that. It also does not help against weak passwords (look at pam_cracklib) or detecting whether someone has already compromised your system (look at aide, chkrootkit) or network (look at snort).

Virtualization can be used to isolate services from each other, so that - barring exploitable conditions in the hypervisor - a vulnerability in one service does not put the others in danger.
Back to top
View user's profile Send private message
Sven Vermeulen
Developer
Developer


Joined: 29 Aug 2002
Posts: 1342
Location: Mechelen, Belgium

PostPosted: Sun Apr 21, 2013 1:59 pm    Post subject: Reply with quote

Gentoo Hardened has a number of subprojects, including SELinux and integrity. Securing a box can be done using several methods, but imo the most important one is to have educated administrators ;-)

That being said, if you want to run multiple services on the same system, using virtualization and/or a mandatory access control system like SELinux makes sense imo. It reduces the risk that an exploit against one system affects the others.
_________________
Please add "[solved]" to the initial topic title when it is solved. TIA.
Linux Sea (PDF), an online e-book on Gentoo Linux
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum