Gentoo Forums
[solved] [hardened] about gentoo hardened
opc0de.fr
n00b
Joined: 20 Apr 2013
Posts: 9

Posted: Sat Apr 20, 2013 10:33 pm    Post subject: [solved] [hardened] about gentoo hardened

Hello,
I have a server and it's my first. I already use Gentoo for my desktop. I would like to know if Gentoo Hardened is really secure and stable? Is it a good idea to install it on my server?
Thank you for developing and explaining your answer.


Last edited by opc0de.fr on Mon Apr 22, 2013 11:03 am; edited 1 time in total
chithanh
Developer
Joined: 05 Aug 2006
Posts: 2158
Location: Berlin, Germany

Posted: Sat Apr 20, 2013 11:20 pm

Hardened is as secure as it gets in most measurable ways.
http://labs.mwrinfosecurity.com/blog/2010/06/29/assessing-the-tux-strength-part-1---userspace-memory-protection/
http://labs.mwrinfosecurity.com/blog/2010/09/02/assessing-the-tux-strength-part-2---into-the-kernel/

However, the security comes at the cost of functionality and convenience (and to a lesser extent, performance). A number of packages do not work properly or need extra attention. To get an idea, have a look at the various package.mask and package.use.mask files under /usr/portage/profiles/hardened/.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54220
Location: 56N 3W

Posted: Sat Apr 20, 2013 11:27 pm

opc0de.fr,

Welcome to Gentoo.

What is security and what do you want to secure against?

If you consider security in layers, rather like an onion, then hardened adds more layers to make remote attacks and local privilege escalation attacks harder to execute successfully.
It does nothing to prevent someone with physical access to your system doing what they will. For that, you need to encrypt your data. You can do that anyway but it's not a part of hardened.

Yes, it's a good thing on servers because it makes attacks harder. That will make random attackers go away and find an easier target.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
opc0de.fr
n00b
Joined: 20 Apr 2013
Posts: 9

Posted: Sun Apr 21, 2013 12:13 pm

Thank you both,

It's not to prevent someone with physical access to my system.

When I mention "security" I mean: a Gentoo that will be hard to hack.

On my server, there will be apache/php/mysql for one website, two WordPress, two repositories, one gitlab or something like it (hm, what is the best in your opinion?) for several projects in C, C++, ASM, ...

There will also be a DNS server (bind), a mail server and a media server (deezer-like; here also, which is the best in your opinion?)

What do you think about chrooting / jailing services?

Do you have URLs of websites about hardening Gentoo, for more information and tutorials?

For the hardened kernel, what are the essential / inevitable modules?

I await your answers impatiently, thank you very much. :)
chithanh
Developer
Joined: 05 Aug 2006
Posts: 2158
Location: Berlin, Germany

Posted: Sun Apr 21, 2013 12:31 pm

The various components of a hardened system protect against a very specific list of threats. Mostly they are related to making it difficult to exploit buffer overflow vulnerabilities, or limiting the options an attacker has after gaining control of the execution flow of a process.

Hardened does not help against SQL injections / directory traversal / XSS / CSRF style attacks. Look into Apache mod_security for that. It also does not help against weak passwords (look at pam_cracklib) or detecting whether someone has already compromised your system (look at aide, chkrootkit) or network (look at snort).

Virtualization can be used to isolate services from each other, so that - barring exploitable conditions in the hypervisor - a vulnerability in one service does not put the others in danger.
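
The build-time side of the protections described in the post above can be checked per binary. This is an added example, not part of the original thread or of Gentoo's own tooling: it reads a little-endian ELF64 file and reports three markers a hardened toolchain normally sets (position-independent executable, non-executable stack request, RELRO). The choice of these three markers and the names `elf_hardening`, `build_sample`, `HARDENED` and `LEGACY` are assumptions of the example.

```python
import struct
import sys

ET_DYN, PT_INTERP, PF_X = 3, 3, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes


def elf_hardening(data: bytes) -> dict:
    """Report PIE / non-executable stack / RELRO markers of an ELF64 LE image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    hdr = EHDR.unpack_from(data)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_phnum and (e_phentsize < PHDR.size
                    or e_phoff + e_phnum * e_phentsize > len(data)):
        raise ValueError("program header table is truncated or malformed")
    segs = {}  # p_type -> p_flags
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        segs[p_type] = p_flags
    stack = segs.get(PT_GNU_STACK)
    return {
        # ET_DYN with an interpreter request: a dynamically linked PIE
        "pie": e_type == ET_DYN and PT_INTERP in segs,
        # A missing PT_GNU_STACK counts as unprotected (no NX stack requested)
        "nx_stack": stack is not None and not stack & PF_X,
        "relro": PT_GNU_RELRO in segs,
    }


def build_sample(e_type: int, segments: list) -> bytes:
    """Constructed test input: ELF64 header plus bare program headers, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)

# Constructed samples (not real binaries): flags 4 = R, 6 = RW, 7 = RWX
HARDENED = build_sample(3, [(PT_INTERP, 4), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
LEGACY = build_sample(2, [(PT_INTERP, 4), (PT_GNU_STACK, 7)])

if __name__ == "__main__":
    for path in sys.argv[1:]:  # paths of binaries to audit
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```

The check covers program-header markers only; stack-protector canaries and immediate binding live elsewhere in the file and are not inspected here.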
Sven Vermeulen
Retired Dev
Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

Posted: Sun Apr 21, 2013 1:59 pm

Gentoo Hardened has a number of subprojects, including SELinux and integrity. Securing a box can be done using several methods, but imo the most important one is to have educated administrators ;-)

That being said, if you want to run multiple services on the same system, using virtualization and/or a mandatory access control system like SELinux makes sense imo. It reduces the risk that an exploit against one system affects the others.
_________________
Please add "[solved]" to the initial topic title when it is solved.