Silly idea: Web server with a GUI as an every-day client

kgdrenefort

Hello,

Today I open this topic because I'll soon achieve a project of mine:

TL;DR: I make a server with a GUI to also use it as a main desktop, saving energy (no cheap anymore!) and I'm aware that is not the best move when it's about security, I did not set yet the Hardened profile and I'm seeking any good advice for such project.

Long story: I host a very few websites, running on Raspberry Pi OS (known as Raspbian in the ol' time), actually an old stable because of my current project, I do not want to waste time to upgrade an OS I won't use soon and still maintained.
I have to use another computer than my RPI4 which start to be too weak for my needs, specially: I'm hosting a french website association around neurodevelopmental disorder, and it start to be too small regarding our traffics and specially Matomo which is sweating hard with the database on such hardware.

So, I took my HP Elitebook 8560w, set Gentoo on it with SystemD and AwesomeWM as a GUI, to keep as much as possible CPU usage and memory to be eaten by """useless GUI""". Some tools would already cannibalize it as Firefox, I have to be very picky because the CPUs are weak, cores not numerous (8) and I only got 4Gb of RAM.

So far, I know this is mostly a bad idea: Each layers of code could bring bugs, waste of resources and worst of all is security. I laugh at Windows server for that matter. But here, this is no professional project, I think the worst we could had is (D)DoS. My bandwidth is crazy (5Gbs capped to 1 with my ethernet port / wire). But even a simple DoS could bring apocalypse on a such awfully weak device as Rasperry Pi 4 and it's SD card I/O of prehistoric age.

If I do this, it's simply because this laptop should be enough for both usage, if I manage to get a GUI as AwesomeWM and lightweight tool. Electricity price is huge in France, the RPI was about 5-10W, while my desktop is up to around 1000K… And the laptop 230W max. I think, even if this laptop will run all the time, I can save some energy and money if I stop using my desktop for anything that doesn't need such powerful hardware (as compilation, or game in my case).

To avoid even more wasting resource, my actual main desktop which is very powerful regarding this laptop is used as it's binhost.

I know Gentoo have a project: Gentoo Hardened, which for simplicity and ease of installation and settings is not sets yet. I'm not experienced in such things for now.

That is probably the first step: I have to get into regarding the security for server as desktop part.

I'm new to Gentoo, less than 9 months, but not to Linux (started around 2006). For security on a server, I usually do these steps:

- Close all ports that are not useful with iptables
- Make SSH awfully hard to get in for undesired scripts: fail2ban with strict rules, SSH keys with a passphrase with the longest recommended key and best cipher to use these days, remove root by settings the value AllowUsers without it as forcing key connection, etc.
- Removing undesired packages or services

Also, this laptop has obviously wifi, which was disabled by -wifi use flag, notably for networkmanager package, using only ethernet for obvious reasons. As the webcam would have to be disabled, just in case.

I do not attend to cipher the hard drive, it'll never move from it's place (my desk) and if I get robbed, honestly I do not really care at this point…

In this case, I see these very big risks of security:

- Firefox
- Discord (what an awful piece of software)
- Mail client (usually I use Thunderbird, but here it'll be Claws-mail)
- Spotify (non-free software)
- Skype (for a specific use case I can't get without, sadly)
- Whatsapp for family / friends client

I know you can run these software into a chroot and access them by typing your root password, with only missing a feature if Firefox's case: You can't open a link by clicking on it, you have to manually paste it. Who cares ! :)

But otherwise, I see a *lot* of unfree software that will be… Not the best to sets, on a server. The best workaround could be to use the web-client into firefox for Discord, Spotify and Whatsapp, but there is not for Skype, sadly.

I guess the safest way is to run these into firefox, which will be into a chroot/sandbox re-enforced, to mitigate any problem that would occurs.

Also, for better stability, Firefox will be kept to ESR, since last release are more likely to bring bugs or worst, security hole.

Virus: I'll add ClamAV and sets it to run a few times a day, or each day and report any problem. I'm also considering to use RKHunter or such tools.
Firefox: Will containerize this big piece of code, specially if it runs some weird stuff as Discord or Spotify. I also wants to remove any proprietary blobed stuff for DRM, despite I'll lose some functionality, I do not think I'll be much bothered.
Skype: I'll, maybe, use the Android version on my phone instead of installing that.
Graphic card and drivers: Not supported by the last NVidia and proprietary driver, anyway this computer will not be intended to play games, merely plays HTML video… So it's nouveau driver, which will also avoid to use the legacy and unmaintained driver, which will be stupid to use regarding security anyway !
Kernel: Will try to remove as most as possible anything that is not necessary, as wifi, bluetooth, webcam, any modules that is not in use. As said, less layers is the best in my case, for power usage as security and bugs avoiding. That will take some times to experience this I guess, but I also think it could be worth it. And maybe, anything unfree that is not needed or has a non-important features I could avoid to have.
Ciphering hard drive: I'll, despite what I says above, probably does that… As a last step, I think. My main concern is: If I'm not at home and have to ask someone to boot it for me because it crashed / turned down somehow, it'll be hell to ask someone to type a password to uncipher root partition if it's not my fiancée. Once a year I'm not at home for around 2 weeks, that is concerning to me. If I can't SSH it, well, it's down.
Firewall: I'm used to IPTables, blocking any incoming traffic and open only what is needed. It should be simple as usual.
Protecting from unwanted connection: Fail2Ban it is for SSH as HTTP auth, with very few allowed retry and 24h long bans. Or even more, I'll have physical access to it anyway 95% of the year.
Blocking unwanted country: Let's be honest, I'll not need to be reachable from China, Russia, and more. As far as I know. From my professional and personal experience, these IPs are 99,99% of the time unwanted traffic. I know you can block country-wide range of IP, but a true attack won't be bothered by such minor protection. It's merely to avoid useless power usage to really take care of such useless HTTP request, avoiding easy (D)DoS… Etc.
Mail client: Will use for now Claws-Mail, because it's very light. Maybe I'll consider moving on Mutt for even more resource saving. My main concern is security here: Clicking on a bad link, opening a bad file from an e-mail or get rekt by HTML code into an HTML e-mail… Wondering if it also needs to be containerized. As 'litehtml' USE flag disabled, so no HTML reading of a e-mail from my desktop. I can probably, maybe, not have to pay much attention to it. I do not know.
AppArmor VS SELinux: So far as I know, SELinux is better to enhance security, but is a pain if you compare it to AppArmor. I do not know which will be the best, but SELinux seems like a 'Seek&Destroy' for all weird behavior that could occur on your system. The only time I used it was on Fedora, ages ago, it was plain hell.

In the end, the server part will have to manage theses services: HTTP, Database and PHP/Python for interactivity. It is also a project to make it a mail server with Postfix, but that is for later.

This is merely a mind stub I post here, I also realize it starts to be heavy to read and not very well formated. I'll move from this subject for now, but I'll very happy to get any advice on such matter from you peoples.

Have a nice week-end.

Regards,
GASPARD DE RENEFORT Kévin
_________________
«Gentoo does not have problems, only learning opportunities.» - NeddySeagoon
«If your Gentoo installation isn't valuable to you, feel free to continue to ignore the instructions.» - figueroa

BurningMemory · n00b Joined: 17 Jan 2023 Posts: 28

Hello there.
Considering your tight hardware limits, this will be very difficult to achieve with the amount of ram
modern apps tend to consume. Though, I have an idea - virtualization server. You can set up the server
with the most minimal approach and run all your software in a VM via libvirt for example.
The way to do this would be to set up libvirt to use VNC as graphics and then optionally do SSH tunneling.
Another thing you can also take a look at is musl libc. It's very minimal as well.

As for your other points:
Running an antivirus will only bring overhead and honestly if you set everything up properly
it's not necessary to have it.

Using nouveau is pretty much fine since it will only be used to render the tty,
also if someone does manage to get into your server, for some reason,
you'll have a much bigger problem to worry about than nouveau.

Removing bloat from the kernel is a great idea. For the most part just enable the drivers your
hardware actually needs and disable anything you don't need. Of course, you probably won't get it
right from the start. So, just explore the configuration category by category, item by item, read the
description, etc.

Encryption on your drives may not be really needed, it depends on how and where you store
sensitive data (if you do). It's a good model to run the server on an SSD (optionally encrypted)
with encrypted hard drives added into the mix and to store sensitive data only on the hard drives.
And if you're concerned you won't be able to boot the server, then just don't encrypt the system drive
Also maybe either try to get it working with TPM (don't actually know if you can do that with luks)
or just set up an encrypted partition just for sensitive data.

Worrying about distributed DoS attacks isn't very useful in your case.
That kind of attacks usually hit big targets, they're not directed at single servers
but at whole networks.

SELinux is a great security module. The only downside it has is, perhaps, complexity.
And even though technically SELinux can be bypassed, it is worth looking into.
If you're going to try to set up virtualization as I suggested, SELinux with the strict policy
can be a nice touch. But again, in your case it might be overkill. You do you.

Or if you're planning to literally use the laptop both as a server and a daily driver machine,
then I don't know, I guess you could try to containerize some things.

You have a nice weekend too :)

kgdrenefort · Posted: Fri Apr 19, 2024 3:11 pm Post subject:

NeddySeagoon · Posted: Fri Apr 19, 2024 9:12 pm Post subject:

kgdrenefort,

I think you are putting the cart before the horse with your security ideas.
Just because you can do something does not mean that you should.

The first step is to define your threats. You need to do this in writing as the threats may change with time and the list will need to be updated.
With your threats listed, define the defences you will deploy. There is no point in defending against threads you don't have.
You are making a security/usability trade off here.

e.g. on a mobile device that you may leave on a bus, some degree of at rest data encryption may be a good idea. Consider the data content though. It may not be required.
On a physically secure server, the risk of at rest data falling into the wrong hands is much lower.

Assess your threats. Deploy your defences.

Always remember this too.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

pietinger

kgdrenefort

NeddySeagoon · Posted: Sat Apr 20, 2024 1:18 pm Post subject:

kgdrenefort,