Gentoo Forums
[solved] Status of securityhandbook and hardening gentoo
Elleni
Veteran


Joined: 23 May 2006
Posts: 1270

Posted: Thu Nov 14, 2019 9:55 pm    Post subject: [solved] Status of securityhandbook and hardening gentoo

I am not sure what the status of the security-related projects is. Looking at the security handbook, there is a warning that it has not been modified since 2010. Then on the Project:Hardened page three contributors are mentioned, who all had a role in the SELinux project and are all marked as not active. I also became aware long ago that hardened-sources were dropped because the grsecurity developers had decided to limit access to their patches.

So my question is: for a small private server serving web, mail, cloud and VPN services, is it worth trying to implement some sort of hardening, and if so, which projects are well supported, maintained and suitable?


Last edited by Elleni on Fri Nov 22, 2019 3:54 pm; edited 1 time in total
Elleni
Veteran


Joined: 23 May 2006
Posts: 1270

Posted: Mon Nov 18, 2019 2:34 am

I would really appreciate some thoughts about my questions.

I am thinking of installing and configuring fail2ban for the services of my server, but other than that, I am wondering if it's worth the effort to try to harden the system even further, or if a sane setup of services and firewall rules might be sufficient?
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 6920

Posted: Mon Nov 18, 2019 4:28 am

The best cure is usually prevention. Minimise potential attack surface, don't run unnecessary non-TLS services (and consider not having ssh on a low port); that should cut down a lot of log noise. Make sure the user ID your web services run as doesn't have write permission to their own code. Run separate things as separate subdomains and fastcgi processes (especially PHP) if possible. If practical, you might want to add a basic Content-Security-Policy header on your webserver so it can only make internal requests; in the event something does inject bad stuff onto a page, it won't be able to phone home via the browser.

If you can make any services accessible only behind the VPN, that's good too - I have my IMAP set up that way.
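Two of the checks in the post above, as an added example that is not part of Ant P.'s post and not any project's own code: a POSIX shell function that reports every file under a document root which the web server's uid (as owner), its gid (as group) or anyone (world) can write, so "the web user cannot modify its own code" becomes something you verify rather than assume. The document root, uid and gid are caller-supplied assumptions, and the demo tree is constructed inline.

```shell
#!/bin/sh
# Added example (not from Ant P.'s post): list the files under a web document
# root that the web server's own uid or gid, or anyone, can write. The uid/gid
# and paths are caller-supplied assumptions; the demo tree is constructed.

# audit_docroot_writable DOCROOT UID GID
# Prints each regular file under DOCROOT that is owner-writable and owned by
# UID, group-writable and in group GID, or world-writable. Returns 1 if any
# such file exists, 0 if the tree is clean, 2 if DOCROOT is missing.
# Only mode bits are examined (not the caller's own access), so it can be run
# as root against the apache uid without switching user.
audit_docroot_writable() {
    docroot=$1; uid=$2; gid=$3
    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 2; }
    hits=$(find "$docroot" -type f \( \
               \( -uid "$uid" -perm -u+w \) -o \
               \( -gid "$gid" -perm -g+w \) -o \
               -perm -o+w \) | sort)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# demo: build a temporary tree with one read-only script, one script its
# owner can modify and one world-writable upload, using our own uid/gid to
# stand in for the web user, then audit it. Paths print relative to the tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/uploads"
    printf '<?php echo 1;' > "$tmp/htdocs/index.php";    chmod 0444 "$tmp/htdocs/index.php"
    printf '<?php echo 2;' > "$tmp/htdocs/admin.php";    chmod 0644 "$tmp/htdocs/admin.php"
    printf 'x'            > "$tmp/htdocs/uploads/a.txt"; chmod 0666 "$tmp/htdocs/uploads/a.txt"
    rc=0
    ( cd "$tmp" && audit_docroot_writable htdocs "$(id -u)" "$(id -g)" ) || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh docroot-audit.sh demo
#        sh docroot-audit.sh /var/www/localhost/htdocs "$(id -u apache)" "$(id -g apache)"
case "${1:-}" in
    "")   ;;
    demo) demo ;;
    *)    audit_docroot_writable "$1" "$2" "$3" ;;
esac
```

On a Gentoo host Apache runs as the apache user by default, so the real call is the second usage line; the clean result is no output and exit status 0, and the only hits worth tolerating are upload or cache directories that the fastcgi handler is never asked to execute. For the CSP point, mod_headers (headers appears in the APACHE2_MODULES list later in this thread) lets a vhost send a minimal policy with Header always set Content-Security-Policy "default-src 'self'", which can be confirmed from outside with curl -sI https://host/ | grep -i content-security-policy.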
Goverp
Advocate


Joined: 07 Mar 2007
Posts: 2004

Posted: Mon Nov 18, 2019 9:20 am

I know nothing about hardening, but note that kernel 5.x (~amd64, not AFAIK the current stable series) contains a growing number of grsecurity-inspired security settings.
That said, I found little about grsecurity in a quick glance at the security handbook.
_________________
Greybeard
forrestfunk81
Guru


Joined: 07 Feb 2006
Posts: 565
Location: münchen.de

Posted: Thu Nov 21, 2019 3:00 pm

I run hardened profiles on all my 24/7 installations. And like Goverp said, since the removal of hardened-sources many similar features have been merged into the mainline kernel. I also prefer having separate LXC containers on separate partitions for each service, but that's less security-related than preventing one service going crazy and tearing down the whole system.
_________________
# cd /pub/
# more beer
Elleni
Veteran


Joined: 23 May 2006
Posts: 1270

Posted: Fri Nov 22, 2019 1:33 pm

Thanks a lot guys. Some of your suggestions I had already implemented, like no HTTP, only SSL access on sites, ssh on a non-standard high port and separate subdomains and CGI processes for separate services. Additionally I added a CSP header in the Apache configuration. I will probably try to switch to the hardened no-multilib profile.

Switching from
Code:
default/linux/amd64/17.1/no-multilib (stable) *

to
Code:
default/linux/amd64/17.1/no-multilib/hardened (stable)


would mean adding the cli USE flag to php, and the following changed USE flags:
Code:
emerge world -uDNav --with-bdeps=y
These are the packages that would be merged, in order:

Calculating dependencies                          ... done! 
[ebuild   R    ] dev-libs/libpcre-8.42:3::gentoo  USE="bzip2 cxx readline recursion-limit (split-usr) (unicode) zlib -jit* -libedit -pcre16 -pcre32 -static-libs" 0 KiB
[ebuild   R    ] dev-libs/libpcre2-10.33-r1::gentoo  USE="bzip2 readline recursion-limit (split-usr) unicode zlib -jit* -libedit -pcre16 -pcre32 -static-libs" 0 KiB
[ebuild   R    ] sys-devel/gcc-9.2.0-r2:9.2.0::gentoo  USE="(cxx) hardened* nls nptl openmp (pie) sanitize (ssp) vtv (-altivec) -d -debug -doc (-fixed-point) -fortran* -go -graphite (-jit) (-libssp) -lto (-multilib) -objc -objc++ -objc-gc (-pch*) -pgo -systemtap -test -vanilla" 0 KiB
[ebuild   R    ] dev-lang/perl-5.28.2-r1:0/5.28::gentoo  USE="-berkdb* -debug -doc -gdbm* -ithreads" 0 KiB
[ebuild   R    ] dev-libs/jemalloc-5.2.1:0/2::gentoo  USE="hardened* -debug -lazy-lock -prof -static-libs -stats -xmalloc" 0 KiB
[ebuild   R    ] sys-apps/man-db-2.7.6.1-r2::gentoo  USE="manpager nls zlib -berkdb* -gdbm* (-selinux) -static-libs" 0 KiB
[ebuild   R    ] dev-lang/python-3.6.9:3.6/3.6m::gentoo  USE="gdbm hardened* ncurses readline sqlite ssl (threads) xml -bluetooth -build -examples -ipv6 -libressl -test -tk -wininst" 0 KiB
[ebuild   R    ] dev-lang/python-2.7.16:2.7::gentoo  USE="gdbm hardened* ncurses readline sqlite ssl (threads) (wide-unicode) xml (-berkdb) -bluetooth -build -doc -examples -ipv6 -libressl -tk -wininst" 0 KiB
[ebuild  N     ] dev-python/pypax-0.9.5::gentoo  USE="xtpax -ptpax" PYTHON_TARGETS="python2_7 python3_6 (-pypy) -python3_5 (-python3_7)" 393 KiB
[ebuild  N     ] sys-apps/elfix-0.9.5::gentoo  USE="xtpax -ptpax" 0 KiB
[ebuild   R    ] dev-libs/apr-util-1.6.1-r3:1::gentoo  USE="mysql sqlite -berkdb* -doc -gdbm* -ldap -libressl -nss -odbc -openssl -postgres -static-libs" 0 KiB
[ebuild   R    ] dev-libs/redland-1.0.17-r2::gentoo  USE="mysql sqlite -berkdb* -iodbc -odbc -postgres -static-libs" 0 KiB
[ebuild   R    ] www-servers/apache-2.4.41:2::gentoo  USE="(split-usr) ssl suexec-caps -debug -doc -gdbm* -ldap -libressl (-selinux) -static -suexec -suexec-syslog -threads" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation proxy proxy_http proxy_wstunnel rewrite setenvif socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias -access_compat -asis -auth_digest -auth_form -authn_dbd -authn_socache -authz_dbd -brotli -cache_disk -cache_socache -cern_meta -charset_lite -dbd -dumpio -http2 -ident -imagemap -lbmethod_bybusyness -lbmethod_byrequests -lbmethod_bytraffic -lbmethod_heartbeat -log_forensic -macro -md -proxy_ajp -proxy_balancer -proxy_connect -proxy_fcgi -proxy_ftp -proxy_html -proxy_http2 -proxy_scgi -ratelimit -remoteip -reqtimeout -session -session_cookie -session_crypto -session_dbd -slotmem_shm -substitute -version -watchdog -xml2enc" APACHE2_MPMS="-event -prefork -worker" 0 KiB
[ebuild   R   ~] mail-filter/rspamd-2.1::gentoo  USE="-blas -jemalloc -jit* -libressl -pcre2" CPU_FLAGS_X86="ssse3" 0 KiB
[ebuild   R    ] sys-apps/iproute2-5.2.0-r1::gentoo  USE="caps iptables -atm -berkdb* -elf -ipv6 -minimal (-selinux)" 0 KiB
[ebuild   R    ] app-admin/syslog-ng-3.22.1::gentoo  USE="caps geoip -amqp -dbi -geoip2 -http -ipv6 -json -kafka -libressl -mongodb -pacct -python -redis -smtp -snmp -spoof-source -systemd -tcpd*" PYTHON_SINGLE_TARGET="python3_6 -python2_7 -python3_5 (-python3_7)" PYTHON_TARGETS="python2_7 python3_6 -python3_5 (-python3_7)" 0 KiB
[ebuild   R    ] dev-vcs/git-2.23.0-r1::gentoo  USE="blksha1 cgi curl gpg iconv nls pcre perl threads webdav -cvs -doc -emacs -gnome-keyring -highlight -libressl -mediawiki -mediawiki-experimental (-pcre-jit*) -perforce (-ppcsha1) -subversion -test -tk -xinetd" PYTHON_SINGLE_TARGET="python3_6 -python2_7 -python3_5 (-python3_7)" PYTHON_TARGETS="python2_7 python3_6 -python3_5 (-python3_7)" 0 KiB
[ebuild   R    ] sys-libs/pam-1.3.0-r2::gentoo  USE="cracklib filecaps nls (pie) (split-usr) -audit -berkdb* -debug -nis (-selinux) -test -vim-syntax" 0 KiB
[ebuild   R    ] mail-mta/postfix-3.4.5-r1::gentoo  USE="dovecot-sasl eai hardened* mysql pam sqlite ssl -berkdb* -cdb -ldap -ldap-bind -libressl -lmdb -mbox -memcached -nis -postgres -sasl (-selinux)" 0 KiB
[ebuild   R    ] net-mail/dovecot-2.3.7.2::gentoo  USE="bzip2 caps managesieve mysql pam sieve sqlite zlib -argon2 -doc -ipv6 -kerberos -ldap -libressl -lua -lucene -lz4 -lzma -postgres (-selinux) -solr -static-libs -suid -tcpd* -textcat -vpopmail" 0 KiB
[ebuild   R    ] net-mail/mailutils-3.4-r3::gentoo  USE="clients mysql nls pam (split-usr) ssl threads -berkdb* -bidi -emacs -gdbm* -guile -ipv6 -kerberos -kyotocabinet -ldap -postgres -python -sasl -servers -static-libs -tcpd* -tokyocabinet" PYTHON_TARGETS="python2_7" 0 KiB

Total: 21 packages (2 new, 19 reinstalls), Size of downloads: 393 KiB

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

dev-lang/php:7.3

  (dev-lang/php-7.3.11:7.3/7.3::gentoo, ebuild scheduled for merge) conflicts with
    dev-lang/php:*[cli,xml,zlib] required by (dev-php/PEAR-PEAR-1.10.6:0/0::gentoo, installed)
                   ^^^         
    dev-lang/php[cli,ctype,json,simplexml] required by (app-admin/drush-6.7.0-r1:0/0::gentoo, installed)
                 ^^^                     


Would you like to merge these packages? [Yes/No]


Maybe I should just try that and see if everything still works.

I will use demerge in order to easily revert back, if needed.

As for emerging ~amd64 gentoo-sources: will the mentioned grsecurity-inspired security settings be enabled by default? Otherwise, I'll look around and see if I can find a tutorial with the recommended kernel options with security in mind.

Finally I will check tools like logcheck and fail2ban to see if it's worth implementing them.

Thanks again for your thoughts. :)
Goverp
Advocate


Joined: 07 Mar 2007
Posts: 2004

Posted: Sat Nov 23, 2019 11:53 am

You might like the Kernel Self Protection Project's checklist
_________________
Greybeard
Elleni
Veteran


Joined: 23 May 2006
Posts: 1270

Posted: Sat Nov 23, 2019 12:40 pm

Very nice. I'll have a look thank you.

Btw, I re-enabled the gdbm and berkdb USE flags in make.conf after finding out that postfix was not able to query some of its configured databases anymore. (And I am wondering if it was a good idea to put those two flags in make.conf, or if it would have been sufficient to only add them for postfix, or to reconfigure postfix to not need them, which I don't know exactly how to do.)

Without them I could not retrieve emails anymore, and I had the following errors in mail.err:
Code:
postfix/tlsmgr[16175]: error: unsupported dictionary type: btree
postfix/smtpd[16267]: error: unsupported dictionary type: hash
I hope this does not weaken my hardened setup too much.

Edit: A comparison of USE flags for the hardened vs. non-hardened profile shows the following differences.

Apart from the USE flags mentioned above (berkdb and gdbm), I now have packages compiled
Code:
without:
-jit
-fortran
-pcre-jit
-tcpd


Code:
with:
+hardened


Everything still seems to work fine, but I am wondering about jit for rspamd and tcpd for dovecot, whether they would still be needed, especially the latter, because I have found the following in postfix's master.cf:
Code:
smtps     inet  n       -       n       -       -       smtpd
      ....
     -o smtpd_tls_wrappermode=yes
      ....
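The two mail.err lines above come from Postfix lookup tables of type btree: (the TLS session cache that tlsmgr opens) and hash: (tables smtpd consults), and both types are Berkeley DB, hence the dependency on berkdb. As an added example, not Elleni's configuration and not Postfix's own tooling, here is a shell script that lists such references in a constructed main.cf fragment and rewrites them to lmdb:, a table type Postfix supports when it is built with the lmdb USE flag (shown disabled as -lmdb in the emerge output earlier in the thread). The file names and the main.cf contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not Postfix's own tooling): locate the
# Berkeley DB lookup tables (hash:, btree:) a Postfix config refers to and
# rewrite them to lmdb:, which does not need berkdb. Demo file names are
# constructed; on a real host the files are /etc/postfix/main.cf and master.cf.

# postfix_db_refs FILE...
# Print every non-comment line that names a hash: or btree: table.
postfix_db_refs() {
    grep -n -E '^[^#]*(^|[^[:alnum:]_])(hash|btree):' "$@"
}

# postfix_db_convert FILE FROM TO
# Rewrite "FROM:" table prefixes to "TO:" in place (comment lines untouched),
# keeping the original as FILE.bak so the change can be reverted.
postfix_db_convert() {
    file=$1; from=$2; to=$3
    cp "$file" "$file.bak"
    sed -E "/^[[:space:]]*#/!s/(^|[^[:alnum:]_])${from}:/\\1${to}:/g" "$file.bak" > "$file"
}

# demo: run both functions on a constructed main.cf fragment, print the
# rewritten file and the number of berkdb references before and after.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/main.cf" <<'EOF'
# constructed main.cf fragment for the demo
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# old: transport_maps = hash:/etc/postfix/transport
EOF
    before=$(postfix_db_refs "$tmp/main.cf" | grep -c . || true)
    postfix_db_convert "$tmp/main.cf" hash lmdb
    postfix_db_convert "$tmp/main.cf" btree lmdb
    after=$(postfix_db_refs "$tmp/main.cf" | grep -c . || true)
    cat "$tmp/main.cf"
    echo "berkdb references before=$before after=$after"
    rm -rf "$tmp"
}

# Usage: sh postfix-maps.sh demo
#        sh postfix-maps.sh /etc/postfix/main.cf /etc/postfix/master.cf   (list only)
case "${1:-}" in
    "")   ;;
    demo) demo ;;
    *)    postfix_db_refs "$@" ;;
esac
```

Before rewriting a real main.cf, confirm with postconf -m that lmdb is among the supported table types; if it is not, the choices are USE="lmdb" for mail-mta/postfix or keeping berkdb. Either flag can be limited to the packages that actually need it with an entry in /etc/portage/package.use (for example mail-mta/postfix berkdb) instead of a global setting in make.conf. After the rewrite the existing .db files are useless, so regenerate each converted table with postmap lmdb:/etc/postfix/<table> (and newaliases for alias_maps) before postfix reload; the session cache files are recreated by tlsmgr on its own.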
Elleni
Veteran


Joined: 23 May 2006
Posts: 1270

Posted: Sat Nov 23, 2019 4:16 pm

Going through the kernel self-protection settings and adapting where needed, there was one thing that was not clear to me.
Quote:
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.

How can I check, if this is active for my server?

Apart from that, everything else worked like a charm: I changed a few options that were not yet set as recommended, added kernel boot parameters in /etc/default/grub (GRUB_CMDLINE_LINUX), recompiled the kernel, and it still boots and everything is up and running, so I am fine :)
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21619

Posted: Sat Nov 23, 2019 5:18 pm

Elleni wrote:
Quote:
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
How can I check, if this is active for my server?
Check whether the Kconfig symbol presented on the next lines is set to =y in your server configuration. Quoting from that page, in case it changes later:
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#Configs:
# Prior to v4.18, these are:
#  CONFIG_CC_STACKPROTECTOR=y
#  CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
For any recent kernel, you want the uncommented forms.
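The check Hu describes, as an added example that is not part of the thread and not the KSPP project's code: a POSIX shell script that compares a kernel .config against a handful of the KSPP-recommended symbols. The WANT_ON and WANT_OFF lists are a subset written from memory for illustration; the KSPP page linked above is the authoritative list and changes over time. The script accepts both spellings of the stack protector symbols quoted above. Two facts worth adding for the follow-up question about gcc: the kernel build does not read Portage's CFLAGS from make.conf, it adds -fstack-protector-strong itself when CONFIG_STACKPROTECTOR_STRONG=y, so the kernel side needs no make.conf change; and it is the hardened profile's gcc (USE=hardened in the emerge output earlier in the thread) that applies the stack protector and PIE to userspace packages by default.

```shell
#!/bin/sh
# Added example (not from the thread or the KSPP project): compare a kernel
# .config against a subset of the Kernel Self Protection Project's recommended
# settings. WANT_ON/WANT_OFF are a subset written from memory for illustration;
# the KSPP page is the authoritative list.

# Symbols that must be =y. Alternatives separated by "|" are accepted either
# way (the CC_ prefix on the stack protector symbols was dropped in v4.18).
WANT_ON="STACKPROTECTOR|CC_STACKPROTECTOR
STACKPROTECTOR_STRONG|CC_STACKPROTECTOR_STRONG
STRICT_KERNEL_RWX
STRICT_MODULE_RWX
HARDENED_USERCOPY
FORTIFY_SOURCE
RANDOMIZE_BASE
SLAB_FREELIST_RANDOM
SLAB_FREELIST_HARDENED"

# Symbols that must be absent or "is not set"; =y or =m is a finding.
WANT_OFF="DEVKMEM
COMPAT_BRK
PROC_KCORE"

# kconfig_check FILE
# Prints "missing CONFIG_X=y" or "enabled CONFIG_X" for each finding.
# Returns 0 when the config satisfies every entry, 1 otherwise.
kconfig_check() {
    cfg=$1; findings=0
    for spec in $WANT_ON; do
        found=0
        for name in $(echo "$spec" | tr '|' ' '); do
            grep -q "^CONFIG_${name}=y\$" "$cfg" && found=1
        done
        [ "$found" -eq 1 ] || { echo "missing CONFIG_${spec%%|*}=y"; findings=1; }
    done
    for name in $WANT_OFF; do
        if grep -q "^CONFIG_${name}=[ym]\$" "$cfg"; then
            echo "enabled CONFIG_${name}"; findings=1
        fi
    done
    return $findings
}

# demo: run the check on a constructed .config fragment that has one
# recommended option unset and one discouraged option enabled.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed .config fragment for the demo (not a real server's config)
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_FORTIFY_SOURCE=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# CONFIG_DEVKMEM is not set
CONFIG_COMPAT_BRK=y
# CONFIG_PROC_KCORE is not set
EOF
    rc=0
    kconfig_check "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh kspp-check.sh demo
#        sh kspp-check.sh /usr/src/linux/.config
#        zcat /proc/config.gz > /tmp/running.config && sh kspp-check.sh /tmp/running.config
case "${1:-}" in
    "")   ;;
    demo) demo ;;
    *)    kconfig_check "$1" ;;
esac
```

The second usage line checks the source tree's config; the third checks the kernel actually running, which requires CONFIG_IKCONFIG_PROC=y. The boot parameters from the same checklist are verified separately by reading /proc/cmdline, since they are not part of the .config.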
Elleni
Veteran


Joined: 23 May 2006
Posts: 1270

Posted: Sat Nov 23, 2019 5:37 pm

I have those in my kernel config
Quote:
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y


Is that enough, no gcc configuration needed in make.conf or elsewhere? Then I am fine :D
freke
l33t


Joined: 23 Jan 2003
Posts: 977
Location: Somewhere in Denmark

Posted: Sat Nov 23, 2019 8:34 pm

Elleni wrote:
Everything still seems to work fine, but I am wondering about jit for rspamd and tcpd for dovecot, whether they would still be needed, especially the latter, because I have found the following in postfix's master.cf:
Code:
smtps     inet  n       -       n       -       -       smtpd
      ....
     -o smtpd_tls_wrappermode=yes
      ....


I'm running a hardened profile and enabled jit for rspamd but not tcpd for dovecot; it doesn't seem to be needed. My smtps service is set up with -o smtpd_tls_wrappermode=yes, too.
Elleni
Veteran


Joined: 23 May 2006
Posts: 1270

Posted: Sat Nov 23, 2019 10:41 pm

Great, that's what I have now too. Thanks for the confirmation :D
gengreen
Apprentice


Joined: 23 Dec 2017
Posts: 150

Posted: Fri Dec 13, 2019 5:36 am

You may also apply the following patch to the kernel:

https://github.com/anthraxx/linux-hardened

And better than hardened: hardened musl:

https://wiki.gentoo.org/wiki/Project:Hardened_musl

I
Terry_Davis
n00b


Joined: 20 Dec 2019
Posts: 35

Posted: Sat Jan 11, 2020 12:18 am

Any thoughts on the quality of different distros' hardened kernels? Let's take Arch & Gentoo, for example... It takes a lot of work for a user to determine how many of which patches they might want got into their hardened kernel. So it is definitely a huge time saver to be on a distro with the most thought & care put into its hardened kernel fork (or "branch"?).
Elleni
Veteran


Joined: 23 May 2006
Posts: 1270

Posted: Sat Jan 11, 2020 9:53 pm

gengreen thanks for your links. I'll have a look as soon as I find some time.

Terry_Davis, I only know Gentoo, as it's the only distro I am using and the one I started with many years ago; it taught me everything I know about Linux and I feel comfortable using it. I personally enjoy the opportunity to learn, as for me Linux is a hobby and unfortunately I am not in a position to use it professionally yet. Which other distro would you consider a good choice as an alternative? Lately, noticing how big players manipulate distributions to restrict freedom of choice and push init systems to de facto standards to pursue their own interests of user lock-in to make money, my trust in them has decreased even more, and I feel very comfortable in this incredibly helpful and knowledgeable community, which is also willing to share its know-how. I especially feel very comfortable having all these guys here who are not willing to swallow this systemd thing but continue to support OpenRC; not many other distros out there did resist, and I hope Poettering and his followers will not succeed in forcing Gentoo to its knees in the future. Heck, having guys like dantrell here, who put so much energy into providing GNOME without systemd even though upstream decided to make systemd mandatory, just feels good, not to forget all the others around being so patient with all these users asking for help, and helping them by teaching them, not just giving solutions but opportunities to learn.

You're probably right that relying on a distribution or branch to take care of security and make these decisions for you might be a time saver, but on the other hand, for me one of the biggest advantages of gentoo is that you don't have to let others decide, you decide for yourself how your system should be. Not to mention that from my point of view it is pointless to worry about security of your system as long as you use systemd, especially watching the attitude of their main developer.

If I could use Linux professionally in production, I would probably still choose Red Hat, but only because my boss would probably want to have the theoretical/imaginary possibility to blame someone if something goes south, or he would believe that this would increase the chance of getting (so-called professional, rather meaning paid) help.
Terry_Davis
n00b


Joined: 20 Dec 2019
Posts: 35

Posted: Sun Jan 12, 2020 2:13 pm

Elleni wrote:
gengreen thanks for your links. I'll have a look as soon as I find some time.

Terry_Davis, I only know Gentoo, as it's the only distro I am using and the one I started with many years ago; it taught me everything I know about Linux and I feel comfortable using it. I personally enjoy the opportunity to learn, as for me Linux is a hobby and unfortunately I am not in a position to use it professionally yet. Which other distro would you consider a good choice as an alternative? Lately, noticing how big players manipulate distributions to restrict freedom of choice and push init systems to de facto standards to pursue their own interests of user lock-in to make money, my trust in them has decreased even more, and I feel very comfortable in this incredibly helpful and knowledgeable community, which is also willing to share its know-how. I especially feel very comfortable having all these guys here who are not willing to swallow this systemd thing but continue to support OpenRC; not many other distros out there did resist, and I hope Poettering and his followers will not succeed in forcing Gentoo to its knees in the future. Heck, having guys like dantrell here, who put so much energy into providing GNOME without systemd even though upstream decided to make systemd mandatory, just feels good, not to forget all the others around being so patient with all these users asking for help, and helping them by teaching them, not just giving solutions but opportunities to learn.

You're probably right that relying on a distribution or branch to take care of security and make these decisions for you might be a time saver, but on the other hand, for me one of the biggest advantages of gentoo is that you don't have to let others decide, you decide for yourself how your system should be. Not to mention that from my point of view it is pointless to worry about security of your system as long as you use systemd, especially watching the attitude of their main developer.

If I could use Linux professionally in production, I would probably still choose Red Hat, but only because my boss would probably want to have the theoretical/imaginary possibility to blame someone if something goes south, or he would believe that this would increase the chance of getting (so-called professional, rather meaning paid) help.


I'm on the same page about systemd - and personally wouldn't care if I couldn't use gnome on my systems. I actually use Arch in production. I used to run Gentoo primarily, and my interest has been piqued again to see how much compiling from source can take advantage of the latest hardware.

I just posted in this thread to gain clarity on the various "hardened" kernels out there - as they are hard to compare without doing a deep dive.
Vulgar
n00b


Joined: 15 Sep 2004
Posts: 63

Posted: Mon Jan 13, 2020 6:13 pm

Void Linux uses runit, no systemd. https://voidlinux.org/