Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[solved] Status of securityhandbook and hardening gentoo
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Elleni
Veteran
Veteran


Joined: 23 May 2006
Posts: 1044

PostPosted: Thu Nov 14, 2019 9:55 pm    Post subject: [solved] Status of securityhandbook and hardening gentoo Reply with quote

I am a not sure, what the status of security related projects are. Looking at the security handbook, there is a warning, that it hast not been modified since 2010. Then on the project: Hardened there are mentioned three contributors who all had a role in SELinux project and are all marked as not active. I also got aware long ago that the hardened sources where dropped because grsecurity developers had decided to limit access to their patches.

So my question is for a small private server serving web, mail, cloud and vpn services is it worth trying to implement some sort of hardening, and if so - which projects are well supported, maintained and suitable?


Last edited by Elleni on Fri Nov 22, 2019 3:54 pm; edited 1 time in total
Back to top
View user's profile Send private message
Elleni
Veteran
Veteran


Joined: 23 May 2006
Posts: 1044

PostPosted: Mon Nov 18, 2019 2:34 am    Post subject: Reply with quote

I would really appreciate some thoughts about my questions.

I am thinking of installing and configuring fail2ban for the services of my server, but other than that, I am wondering if its worth the effort to try to harden the system even further or if sane setup of services and firewall rules might be sufficient?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6356

PostPosted: Mon Nov 18, 2019 4:28 am    Post subject: Reply with quote

The best cure is usually prevention. Minimise potential attack surface, don't run unnecessary non-TLS services (and consider not having ssh on a low port) - that should cut down a lot of log noise. Make sure the userid your web services runs as doesn't have write permissions to their own code. Run separate things as separate subdomains and fastcgi processes (especially PHP) if possible. If practical, you might want to add a basic Content-Security-Policy header on your webserver so it can only make internal requests; in the attempt something does inject bad stuff onto a page, it won't be able to phone home via the browser.

If you can make any services accessible only behind the VPN, that's good too - I have my IMAP set up that way.
Back to top
View user's profile Send private message
Goverp
l33t
l33t


Joined: 07 Mar 2007
Posts: 806

PostPosted: Mon Nov 18, 2019 9:20 am    Post subject: Reply with quote

I know nothing about hardening, but note that kernel 5.x (~amd64, not AFAIK the current stable series) contain a growing number of grsecurity-inspired security settings.
That said, I found little about grsecurity in a quick glance at the security handbook.
_________________
Greybeard
Back to top
View user's profile Send private message
forrestfunk81
Guru
Guru


Joined: 07 Feb 2006
Posts: 504
Location: münchen.de

PostPosted: Thu Nov 21, 2019 3:00 pm    Post subject: Reply with quote

I run hardened profiles on all my 24/7 installations. And like Goverp said, since the removal of hardened-sources many similar features have been merged to the main kernel line. I also prefer having separate LXC containers on separate partitions for each service but that's less security related than preventing one service going crazy and tear down the whole system.
_________________
# cd /pub/
# more beer
Back to top
View user's profile Send private message
Elleni
Veteran
Veteran


Joined: 23 May 2006
Posts: 1044

PostPosted: Fri Nov 22, 2019 1:33 pm    Post subject: Reply with quote

Thanks a lot guys. Part of your suggestions I head already implemented, like no http only ssl access on sites, ssh on non standard high port and separate subdomains and cgiprocesses for separate services. Additionally I added csp header in apache configuration. I probably will try to switch to hardened no-multilib profile.

Switching from
Code:
default/linux/amd64/17.1/no-multilib (stable) *

to
Code:
default/linux/amd64/17.1/no-multilib/hardened (stable)


would mean adding +cli use to php. And the following changed uses.
Code:
emerge world -uDNav --with-bdeps=y
These are the packages that would be merged, in order:

Calculating dependencies                          ... done! 
[ebuild   R    ] dev-libs/libpcre-8.42:3::gentoo  USE="bzip2 cxx readline recursion-limit (split-usr) (unicode) zlib -jit* -libedit -pcre16 -pcre32 -static-libs" 0 KiB
[ebuild   R    ] dev-libs/libpcre2-10.33-r1::gentoo  USE="bzip2 readline recursion-limit (split-usr) unicode zlib -jit* -libedit -pcre16 -pcre32 -static-libs" 0 KiB
[ebuild   R    ] sys-devel/gcc-9.2.0-r2:9.2.0::gentoo  USE="(cxx) hardened* nls nptl openmp (pie) sanitize (ssp) vtv (-altivec) -d -debug -doc (-fixed-point) -fortran* -go -graphite (-jit) (-libssp) -lto (-multilib) -objc -objc++ -objc-gc (-pch*) -pgo -systemtap -test -vanilla" 0 KiB
[ebuild   R    ] dev-lang/perl-5.28.2-r1:0/5.28::gentoo  USE="-berkdb* -debug -doc -gdbm* -ithreads" 0 KiB
[ebuild   R    ] dev-libs/jemalloc-5.2.1:0/2::gentoo  USE="hardened* -debug -lazy-lock -prof -static-libs -stats -xmalloc" 0 KiB
[ebuild   R    ] sys-apps/man-db-2.7.6.1-r2::gentoo  USE="manpager nls zlib -berkdb* -gdbm* (-selinux) -static-libs" 0 KiB
[ebuild   R    ] dev-lang/python-3.6.9:3.6/3.6m::gentoo  USE="gdbm hardened* ncurses readline sqlite ssl (threads) xml -bluetooth -build -examples -ipv6 -libressl -test -tk -wininst" 0 KiB
[ebuild   R    ] dev-lang/python-2.7.16:2.7::gentoo  USE="gdbm hardened* ncurses readline sqlite ssl (threads) (wide-unicode) xml (-berkdb) -bluetooth -build -doc -examples -ipv6 -libressl -tk -wininst" 0 KiB
[ebuild  N     ] dev-python/pypax-0.9.5::gentoo  USE="xtpax -ptpax" PYTHON_TARGETS="python2_7 python3_6 (-pypy) -python3_5 (-python3_7)" 393 KiB
[ebuild  N     ] sys-apps/elfix-0.9.5::gentoo  USE="xtpax -ptpax" 0 KiB
[ebuild   R    ] dev-libs/apr-util-1.6.1-r3:1::gentoo  USE="mysql sqlite -berkdb* -doc -gdbm* -ldap -libressl -nss -odbc -openssl -postgres -static-libs" 0 KiB
[ebuild   R    ] dev-libs/redland-1.0.17-r2::gentoo  USE="mysql sqlite -berkdb* -iodbc -odbc -postgres -static-libs" 0 KiB
[ebuild   R    ] www-servers/apache-2.4.41:2::gentoo  USE="(split-usr) ssl suexec-caps -debug -doc -gdbm* -ldap -libressl (-selinux) -static -suexec -suexec-syslog -threads" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation proxy proxy_http proxy_wstunnel rewrite setenvif socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias -access_compat -asis -auth_digest -auth_form -authn_dbd -authn_socache -authz_dbd -brotli -cache_disk -cache_socache -cern_meta -charset_lite -dbd -dumpio -http2 -ident -imagemap -lbmethod_bybusyness -lbmethod_byrequests -lbmethod_bytraffic -lbmethod_heartbeat -log_forensic -macro -md -proxy_ajp -proxy_balancer -proxy_connect -proxy_fcgi -proxy_ftp -proxy_html -proxy_http2 -proxy_scgi -ratelimit -remoteip -reqtimeout -session -session_cookie -session_crypto -session_dbd -slotmem_shm -substitute -version -watchdog -xml2enc" APACHE2_MPMS="-event -prefork -worker" 0 KiB
[ebuild   R   ~] mail-filter/rspamd-2.1::gentoo  USE="-blas -jemalloc -jit* -libressl -pcre2" CPU_FLAGS_X86="ssse3" 0 KiB
[ebuild   R    ] sys-apps/iproute2-5.2.0-r1::gentoo  USE="caps iptables -atm -berkdb* -elf -ipv6 -minimal (-selinux)" 0 KiB
[ebuild   R    ] app-admin/syslog-ng-3.22.1::gentoo  USE="caps geoip -amqp -dbi -geoip2 -http -ipv6 -json -kafka -libressl -mongodb -pacct -python -redis -smtp -snmp -spoof-source -systemd -tcpd*" PYTHON_SINGLE_TARGET="python3_6 -python2_7 -python3_5 (-python3_7)" PYTHON_TARGETS="python2_7 python3_6 -python3_5 (-python3_7)" 0 KiB
[ebuild   R    ] dev-vcs/git-2.23.0-r1::gentoo  USE="blksha1 cgi curl gpg iconv nls pcre perl threads webdav -cvs -doc -emacs -gnome-keyring -highlight -libressl -mediawiki -mediawiki-experimental (-pcre-jit*) -perforce (-ppcsha1) -subversion -test -tk -xinetd" PYTHON_SINGLE_TARGET="python3_6 -python2_7 -python3_5 (-python3_7)" PYTHON_TARGETS="python2_7 python3_6 -python3_5 (-python3_7)" 0 KiB
[ebuild   R    ] sys-libs/pam-1.3.0-r2::gentoo  USE="cracklib filecaps nls (pie) (split-usr) -audit -berkdb* -debug -nis (-selinux) -test -vim-syntax" 0 KiB
[ebuild   R    ] mail-mta/postfix-3.4.5-r1::gentoo  USE="dovecot-sasl eai hardened* mysql pam sqlite ssl -berkdb* -cdb -ldap -ldap-bind -libressl -lmdb -mbox -memcached -nis -postgres -sasl (-selinux)" 0 KiB
[ebuild   R    ] net-mail/dovecot-2.3.7.2::gentoo  USE="bzip2 caps managesieve mysql pam sieve sqlite zlib -argon2 -doc -ipv6 -kerberos -ldap -libressl -lua -lucene -lz4 -lzma -postgres (-selinux) -solr -static-libs -suid -tcpd* -textcat -vpopmail" 0 KiB
[ebuild   R    ] net-mail/mailutils-3.4-r3::gentoo  USE="clients mysql nls pam (split-usr) ssl threads -berkdb* -bidi -emacs -gdbm* -guile -ipv6 -kerberos -kyotocabinet -ldap -postgres -python -sasl -servers -static-libs -tcpd* -tokyocabinet" PYTHON_TARGETS="python2_7" 0 KiB

Total: 21 packages (2 new, 19 reinstalls), Size of downloads: 393 KiB

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

dev-lang/php:7.3

  (dev-lang/php-7.3.11:7.3/7.3::gentoo, ebuild scheduled for merge) conflicts with
    dev-lang/php:*[cli,xml,zlib] required by (dev-php/PEAR-PEAR-1.10.6:0/0::gentoo, installed)
                   ^^^         
    dev-lang/php[cli,ctype,json,simplexml] required by (app-admin/drush-6.7.0-r1:0/0::gentoo, installed)
                 ^^^                     


Would you like to merge these packages? [Yes/No]


Maybe I should just try that and see if everything still works.

I will use demerge in order to easily revert back, if needed.

As for emerging ~amd64 gentoo-sources. Will the mentioned grsecurity-inspired security settings be enabled by default? Otherwise, I'll look around and see if I can find a tutorial with the recommended kernel options with security in mind.

Finally I wil check tools like logcheck and fail2ban to see if it's worth implementing.

Thanks again for your thoughts. :)
Back to top
View user's profile Send private message
Goverp
l33t
l33t


Joined: 07 Mar 2007
Posts: 806

PostPosted: Sat Nov 23, 2019 11:53 am    Post subject: Reply with quote

You might like the Kernel Self Protection Project's checklist
_________________
Greybeard
Back to top
View user's profile Send private message
Elleni
Veteran
Veteran


Joined: 23 May 2006
Posts: 1044

PostPosted: Sat Nov 23, 2019 12:40 pm    Post subject: Reply with quote

Very nice. I'll have a look thank you.

Btw. I re-enabled gdbm and berkdb useflags in make.conf after finding out, that postfix was not able to query some of its configured databases anymore. (And I am wondering, if it was a good idea to put those two flags in make.conf or if it would have been sufficient to only add them for postfix or reconfigure postfix to not need them - which I don't know exactly how to do)

Without them I could not retrieve emails anymore and I had the following errors in mail.err without:
Code:
postfix/tlsmgr[16175]: error: unsupported dictionary type: btree
postfix/smtpd[16267]: error: unsupported dictionary type: hash
I hope this does not weaken my hardened setup too much.

Edit: Comparison of useflags for hardened vs. non hardened profile is showing following differences.

Apart from the mentioned above (berkdb and gdbm) use flags I now have packages compiled
Code:
without:
-jit
-fortran
-pcre-jittcpd
-tcpcd


Code:
with:
+hardened


Everything seems still to work fine, but I am wondering on jit for rspamd and on tcpcd for dovecot if they would still be needed. Especially the ladder because I have found the following in postfix' master.cf:
Code:
smtps     inet  n       -       n       -       -       smtpd
      ....
     -o smtpd_tls_wrappermode=yes
      ....
Back to top
View user's profile Send private message
Elleni
Veteran
Veteran


Joined: 23 May 2006
Posts: 1044

PostPosted: Sat Nov 23, 2019 4:16 pm    Post subject: Reply with quote

Going through the kernel selfprotection settings and adapting where needed, there was one thing that was not clear to me.
Quote:
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.

How can I check, if this is active for my server?

Apart from that - everything else worked like a charm, changed few options that were not yet set like recommended, added kernel boot parameters in/etc/default/grub GRUB_CMDLINE_LINUX, recompiled kernel and it still boots and everything is up and running, so I am fine :)
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14973

PostPosted: Sat Nov 23, 2019 5:18 pm    Post subject: Reply with quote

Elleni wrote:
Quote:
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
How can I check, if this is active for my server?
Check whether the Kconfig symbol presented on the next lines is set to =y in your server configuration. Quoting from that page, in case it changes later:
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#Configs:
# Prior to v4.18, these are:
#  CONFIG_CC_STACKPROTECTOR=y
#  CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
For any recent kernel, you want the uncommented forms.
Back to top
View user's profile Send private message
Elleni
Veteran
Veteran


Joined: 23 May 2006
Posts: 1044

PostPosted: Sat Nov 23, 2019 5:37 pm    Post subject: Reply with quote

I have those in my kernel config
Quote:
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y


Is that enough, no gcc configuration needed in make.conf or elsewhere? Then I am fine :D
Back to top
View user's profile Send private message
freke
Guru
Guru


Joined: 23 Jan 2003
Posts: 567
Location: Somewhere in Denmark

PostPosted: Sat Nov 23, 2019 8:34 pm    Post subject: Reply with quote

Elleni wrote:
Everything seems still to work fine, but I am wondering on jit for rspamd and on tcpcd for dovecot if they would still be needed. Especially the ladder because I have found the following in postfix' master.cf:
Code:
smtps     inet  n       -       n       -       -       smtpd
      ....
     -o smtpd_tls_wrappermode=yes
      ....


I'm running a hardened profile and enabled jit for rspamd but not tcpd for dovecot, it doesn't seem to be needed. My smtps service is with -o smtpd_tls_wrappermode=yes, too
Back to top
View user's profile Send private message
Elleni
Veteran
Veteran


Joined: 23 May 2006
Posts: 1044

PostPosted: Sat Nov 23, 2019 10:41 pm    Post subject: Reply with quote

Great, thats what I have now too. Thanks for confirmation :D
Back to top
View user's profile Send private message
gengreen
Tux's lil' helper
Tux's lil' helper


Joined: 23 Dec 2017
Posts: 123

PostPosted: Fri Dec 13, 2019 5:36 am    Post subject: Reply with quote

You may apply as well the following patch to the kernel :

https://github.com/anthraxx/linux-hardened

And better than hardened, hardened musl :

https://wiki.gentoo.org/wiki/Project:Hardened_musl

I
Back to top
View user's profile Send private message
Terry_Davis
n00b
n00b


Joined: 20 Dec 2019
Posts: 27

PostPosted: Sat Jan 11, 2020 12:18 am    Post subject: Reply with quote

Any thoughts on the quality of different distro's hardened kernel's? Let's take Arch & Gentoo, for example... It takes a lot of work for a user to determine how many of which patches they might want got into their hardened kernel. So it is definitely a huge time saver to be on a distro with the most thought & care put into its hardened kernel fork (or "branch"?).
Back to top
View user's profile Send private message
Elleni
Veteran
Veteran


Joined: 23 May 2006
Posts: 1044

PostPosted: Sat Jan 11, 2020 9:53 pm    Post subject: Reply with quote

gengreen thanks for your links. I'll have a look as soon as I find some time.

Terry_Davis, I only know gentoo as its the only distro I am using and the one I started with many years ago, it tought me everything I know about linux and I feel comfortable using it. I personally enjoy the opportunity to learn, as for me linux is a hobby and unfortunatelly I am not in a position to use it professionally yet. Which other distro would you consider a good choice as an alternative? Lately noticing how big players manipulate distributions to restrict freedom of choice and push init systems to de facto standards to pursue their own interests of user lockin to make money, my trust in them has decreased even more, and I feel very comfortable in this incredibly helpful and knowledgeable community, which is also willing to share its know-how, and I especially feel very comfortable to have all these guys here, not willing to swallow this systemd thing but continue to support openrc, not many other distros out there did resist, and I hope Poettering and his followers will not succeed to force gentoo to its knees in the future, heck - having guys like dantrell here, who put so much energy in providing gnome without systemd even though upstream decided to make systemd mandatory just feels good, not to forget all the others around being so patient with all these users asking for help, and help them by teaching them, not just giving solutions but opportunities to learn.

You're probably right that relying on a distribution or branch to take care of security and make these decisions for you might be a time saver, but on the other hand, for me one of the biggest advantages of gentoo is that you don't have to let others decide, you decide for yourself how your system should be. Not to mention that from my point of view it is pointless to worry about security of your system as long as you use systemd, especially watching the attitude of their main developer.

If I could use Linux professionally in production, I would probably still choose redhat, but only because my boss would probably want to have the theoretical/imaginary possibility to blame someone if something goes south, or he would believe that this would increase the chance of getting (so called professional, rather meaning payed) help.
Back to top
View user's profile Send private message
Terry_Davis
n00b
n00b


Joined: 20 Dec 2019
Posts: 27

PostPosted: Sun Jan 12, 2020 2:13 pm    Post subject: Reply with quote

Elleni wrote:
gengreen thanks for your links. I'll have a look as soon as I find some time.

Terry_Davis, I only know gentoo as its the only distro I am using and the one I started with many years ago, it tought me everything I know about linux and I feel comfortable using it. I personally enjoy the opportunity to learn, as for me linux is a hobby and unfortunatelly I am not in a position to use it professionally yet. Which other distro would you consider a good choice as an alternative? Lately noticing how big players manipulate distributions to restrict freedom of choice and push init systems to de facto standards to pursue their own interests of user lockin to make money, my trust in them has decreased even more, and I feel very comfortable in this incredibly helpful and knowledgeable community, which is also willing to share its know-how, and I especially feel very comfortable to have all these guys here, not willing to swallow this systemd thing but continue to support openrc, not many other distros out there did resist, and I hope Poettering and his followers will not succeed to force gentoo to its knees in the future, heck - having guys like dantrell here, who put so much energy in providing gnome without systemd even though upstream decided to make systemd mandatory just feels good, not to forget all the others around being so patient with all these users asking for help, and help them by teaching them, not just giving solutions but opportunities to learn.

You're probably right that relying on a distribution or branch to take care of security and make these decisions for you might be a time saver, but on the other hand, for me one of the biggest advantages of gentoo is that you don't have to let others decide, you decide for yourself how your system should be. Not to mention that from my point of view it is pointless to worry about security of your system as long as you use systemd, especially watching the attitude of their main developer.

If I could use Linux professionally in production, I would probably still choose redhat, but only because my boss would probably want to have the theoretical/imaginary possibility to blame someone if something goes south, or he would believe that this would increase the chance of getting (so called professional, rather meaning payed) help.


I'm on the same page about systemd - and personally wouldn't care if I couldn't use gnome on my systems. I actually use Arch in production. I used to run Gentoo primarily, and my interest has been piqued again to see how much compiling from source can take advantage of the latest hardware.

I just posted in this thread to gain clarity on the various "hardened" kernels out there - as they are hard to compare without doing a deep dive.
Back to top
View user's profile Send private message
Vulgar
n00b
n00b


Joined: 15 Sep 2004
Posts: 42

PostPosted: Mon Jan 13, 2020 6:13 pm    Post subject: Reply with quote

Void Linux uses runit, no systemd. https://voidlinux.org/
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum