Gentoo Forums
Gentoo security tips for noob. Advice pls
NeverSloppy (n00b; Joined: 03 Nov 2022; Posts: 29)
Posted: Tue Nov 08, 2022 6:02 am    Post subject: Gentoo security tips for noob. Advice pls

How difficult will maintaining a secure Gentoo install be for a beginner?

Just recently, I stumbled on this blog post in which the person claims Gentoo is a security hazard: http://coldattic.info/post/105/

I don't believe it as Gentoo removes so much bloat that other Distros ship with. But then again I haven't used it for more than a
month some years ago. My hardware was too slow back then so I had to switch.

I've tried Arch, Debian, Fedora, FreeBSD.

I can set up a firewall in Debian and FreeBSD as I occasionally delve into web development.
My goto programming language is Go, but I'm now learning Rust and C.

My goal, switching to Gentoo, is gaining knowledge of the lower level stuff. Hardware and software.
I'm sick of the automagic in other Distros.

Should I just stick with a virtual machine until I'm decent with Gentoo?
Juippisi (Developer; Joined: 30 Sep 2005; Posts: 722; Location: /home)
Posted: Tue Nov 08, 2022 6:22 am    Post subject: Re: Gentoo security tips for noob. Advice pls

NeverSloppy wrote:

Just recently, I stumbled on this blog post in which the person claims Gentoo is a security hazard: http://coldattic.info/post/105/


Did you actually read the post before linking it? Let me quote the relevant part:
"A computer that hasn’t been updated for years, and is open to the network is a security risk."

It has nothing to do with Gentoo itself, but with the author neglecting to update their system.

To answer your question, keeping the above site in mind, it's "easy" if you invest the time to learn to use it.
Goverp (Veteran; Joined: 07 Mar 2007; Posts: 1972)
Posted: Tue Nov 08, 2022 8:58 am

The blogger was suffering dependency hell in 2017; at a guess the system was a hybrid of stable and leading-edge stuff - my experience is that if you stick to one or the other, you should avoid dependency issues nearly all the time.

One caveat - the blog mentions long compile times; there are some notorious packages that can be hard to avoid; worst are qtwebengine and rust (for the latter, if you need rust, use rust-bin unless you really need the latest versions), then libreoffice (also available as a -bin version). It's an unfortunate side-effect of Moore's Law; packages expand to consume the leading-edge hardware's capabilities - as cpu power doubles, so does the work needed to compile bloated packages... Of course, if you have a water-cooled Threadripper with 128GB memory and wall-to-wall NVMe storage, this isn't an issue.

Oh, and plan to "emerge --update --deep --changed-use @world" at least once a month, better every fortnight, best weekly. The more often, the less work to be done in one big chunk.
_________________
Greybeard
pietinger (Moderator; Joined: 17 Oct 2006; Posts: 4019; Location: Bavaria)
Posted: Tue Nov 08, 2022 10:19 am

You should never get a dependency hell if you update your Gentoo once in a month (better: once a week) with:
Code:
# emerge -uUDv @world


If you think you want to update only one or some specific packages with "emerge -u PACKAGE", then you should always do this with the parameter "-1":
Code:
# emerge -1uDv PACKAGE

Why ?

If you don't do it with "-1" (--oneshot), this package will be recorded in /var/lib/portage/world ... and this will lead to dependency hell over time.

See more here: https://forums.gentoo.org/viewtopic-t-1143543-highlight-.html

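As an added example of pietinger's point (mine, not from the thread): a POSIX shell script that compares /var/lib/portage/world against a hand-kept list of the packages you actually asked for and prints the emerge --deselect commands that drop the strays from @world. The world.intended file, the paths and the sample atoms are assumptions constructed for the demo, not anything Portage ships.

```shell
#!/bin/sh
# Added example, not from the thread: spot packages that crept into
# /var/lib/portage/world because they were emerged without --oneshot (-1).
# Assumption (mine): you keep a hand-written list of the packages you
# deliberately asked for; here it is called world.intended.

# world_extras WORLD INTENDED
# Print atoms present in WORLD but absent from INTENDED, sorted.
# Blank lines and "#" comments in either file are ignored. POSIX awk only.
world_extras() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                    # skip blanks and comments
        FILENAME == ARGV[1] { intended[$1] = 1; next }   # first file: the intended list
        !($1 in intended) { print $1 }                   # second file: the world file
    ' "$2" "$1" | sort
}

# deselect_commands WORLD INTENDED
# For each extra atom print the portage command that removes it from
# @world without uninstalling anything; a later "emerge --ask --depclean"
# then removes whatever nothing else depends on.
deselect_commands() {
    world_extras "$1" "$2" | while read -r atom; do
        printf 'emerge --deselect %s\n' "$atom"
    done
}

# Constructed sample data so the script runs offline.
DEMO=$(mktemp -d)
cat >"$DEMO/world" <<'EOF'
app-editors/vim
app-portage/gentoolkit
dev-libs/libxml2
net-misc/openssh
x11-libs/libX11
EOF
cat >"$DEMO/world.intended" <<'EOF'
# what I actually asked for
app-editors/vim
app-portage/gentoolkit
net-misc/openssh
EOF

deselect_commands "$DEMO/world" "$DEMO/world.intended"
# prints:
#   emerge --deselect dev-libs/libxml2
#   emerge --deselect x11-libs/libX11
```

--deselect only removes the world entry; nothing is uninstalled until you run emerge --ask --depclean, and that is also where a package you still want but forgot to list will show up, so read its list before confirming.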
NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 54099; Location: 56N 3W)
Posted: Tue Nov 08, 2022 10:52 am

NeverSloppy,

Gentoo is a toolkit. You use it to design and install your own distro. So, is your distro insecure?

Gentoo only gives you what you ask for and what you must have to support what you have asked for.
The corollary is that if you haven't asked for it, it's not installed.

This keeps things out that you don't use, which is good.
It's a case of the wider you open the window, the more dirt blows in.

Any neglected install will become insecure with the passage of time. The key here is neglect.
The install has not changed but security problems its always had have become public knowledge.

You can make your install insecure with the choices you make.
e.g. Disable password logins for ssh from the internet. Then all the bots trying to brute force you get nowhere.

Don't run insecure services, like telnet, ftp.

Do run a paranoid boundary firewall, to stop any evil that gets in from phoning home.

That's user space.

Then there is the Kernel Self Protection Project
gentoo-sources provides a patch to enable a choice selection of those settings.

Security and usability is a trade off. You could unplug the network cable.
That's secure but not very usable.

Security needs to be taken in context too.
We have to ask secure against what threats?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
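To make the ssh part of NeddySeagoon's advice checkable, here is an added example (mine, not from the thread) in POSIX shell: it reads an sshd_config and reports whether password and keyboard-interactive logins are really off globally, respecting two sshd parsing rules that a plain grep ignores. The two sample configs are constructed and the file paths are assumptions; the firewall point is separate and not covered here.

```shell
#!/bin/sh
# Added example, not from the thread: check that an sshd_config really
# disables password logins before the box faces the internet.
# Two things a bare grep gets wrong: sshd keeps the FIRST value it sees for
# a keyword and ignores later repeats, and every line after a "Match"
# directive is conditional, not global. On a live host "sshd -T" prints the
# effective configuration and is the authoritative check; this script is
# for reviewing a file offline.

# sshd_global_value FILE KEYWORD
# Print the effective global value of KEYWORD (case-insensitive), stopping
# at the first Match block; prints nothing if the keyword is unset.
sshd_global_value() {
    awk -v key="$2" '
        {
            line = $0
            sub(/#.*/, "", line)                  # drop comments
            sub(/^[ \t]+/, "", line)              # and leading blanks
            n = split(line, f, /[ \t=]+/)         # "Keyword value" or "Keyword=value"
            if (n < 2) next
            if (tolower(f[1]) == "match") exit    # rest of the file is conditional
            if (tolower(f[1]) == tolower(key)) { print f[2]; exit }   # first value wins
        }
    ' "$1"
}

# audit_sshd FILE
# One PASS/FAIL line per check, using OpenSSH defaults for unset keywords
# (PasswordAuthentication yes, KbdInteractiveAuthentication yes,
# PermitRootLogin prohibit-password). Returns 1 if any check fails.
# Older OpenSSH spells KbdInteractiveAuthentication as
# ChallengeResponseAuthentication; add a spec line if you run one.
audit_sshd() {
    rc=0
    for spec in \
        "PasswordAuthentication|yes|no" \
        "KbdInteractiveAuthentication|yes|no" \
        "PermitRootLogin|prohibit-password|no prohibit-password"
    do
        key=${spec%%|*}; rest=${spec#*|}
        default=${rest%%|*}; ok=${rest#*|}
        got=$(sshd_global_value "$1" "$key")
        got=$(printf '%s' "${got:-$default}" | tr 'A-Z' 'a-z')
        status=FAIL
        for v in $ok; do [ "$got" = "$v" ] && status=PASS; done
        printf '%s %s = %s\n' "$status" "$key" "$got"
        [ "$status" = PASS ] || rc=1
    done
    return $rc
}

# Constructed sample configs so the script runs offline.
DEMO=$(mktemp -d)
cat >"$DEMO/weak" <<'EOF'
# Looks hardened to "grep PasswordAuthentication", but is not.
PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
cat >"$DEMO/hardened" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF

audit_sshd "$DEMO/weak" || echo "weak: internet bots can still try passwords"
audit_sshd "$DEMO/hardened"
```

After editing the real /etc/ssh/sshd_config, run sshd -t to validate the syntax and sshd -T to see the values sshd will actually use, and only restart the service once both look right, from a session you can afford to lose.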
NeverSloppy (n00b; Joined: 03 Nov 2022; Posts: 29)
Posted: Tue Nov 08, 2022 2:45 pm

OK got it.. Thanks for the tips.

I do want to build the kernel myself and tweak it to harden it against memory corruption stuff.

Will be learning in a VM for the meantime to learn more about how everything works in Gentoo.
NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 54099; Location: 56N 3W)
Posted: Tue Nov 08, 2022 3:28 pm

NeverSloppy,

Memory corruption detection, as I know it, depends on hardware support in the form of ECC RAM.
The extra 8 bits provide single bit Hamming error detection and correction and detection but not correction of two bit errors.
pa4wdh (l33t; Joined: 16 Dec 2005; Posts: 806)
Posted: Tue Nov 08, 2022 3:44 pm

The main reason the blogger got a very insecure setup is that he didn't update because he was scared something would break. I remember having the same fear when I just started with Gentoo, but also experienced that with other distros.
New versions bring new bugs and they might just bite you. The solution is not to be scared and to have faith you can solve the problems you might run into.
One of the best things in Gentoo is that you can mask individual packages and roll back to a previous (known working) version when needed. I've never seen a binary distro giving that level of control.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
NeverSloppy (n00b; Joined: 03 Nov 2022; Posts: 29)
Posted: Tue Nov 08, 2022 7:42 pm

I was thinking more of using Hardened malloc in my Gentoo build. My PC does not have ECC :/ but that
seems to only be helpful against natural causes and not malicious programs. Could be wrong as I'm noob :D
pietinger (Moderator; Joined: 17 Oct 2006; Posts: 4019; Location: Bavaria)
Posted: Tue Nov 08, 2022 7:47 pm

NeverSloppy wrote:
I was thinking more of using Hardened malloc in my Gentoo build. [...]

=>
NeddySeagoon wrote:
Then there is the Kernel Self Protection Project
gentoo-sources provides a patch to enable a choice selection of those settings.


... here is an article for this:
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP

;-)
Hu (Moderator; Joined: 06 Mar 2007; Posts: 21498)
Posted: Wed Nov 09, 2022 1:36 am

Error Correction Code memory is intended to let your RAM return the value that ideal RAM would return, even if less than ideal conditions occur in practice. Ideal RAM always returns exactly the data that it was previously told to store. RAM has no way to determine whether the value stored in it is what the ideal software would have stored, so if a logic bug causes logically incorrect data to be stored to RAM, your RAM will remember and later return that incorrect data. ECC cannot help with the presence of logic bugs in the software, because ECC only seeks to return what data your program put there. If your program puts garbage data into RAM, ECC will faithfully return that garbage data on request.

Hardened malloc is intended to cause some types of software bugs to fail in a less dangerous way than non-hardened malloc would fail. As with ECC ram, it is a mitigation for non-ideal operating conditions. If all your software was free of logic bugs, hardened malloc would be unnecessary.
NeverSloppy (n00b; Joined: 03 Nov 2022; Posts: 29)
Posted: Wed Nov 09, 2022 3:50 am

So if all programs were written in a functional programming language such as Haskell or Lisp
there would be way way less of all these security bugs?

Not that I know a functional language. Just curious. This post makes me kinda want to
learn a functional language, but I'm assuming the learning curve is steep. I did want
to use Haskell as a web server some time back.
https://crypto.stanford.edu/~blynn/haskell/curry-howard.html
Hu (Moderator; Joined: 06 Mar 2007; Posts: 21498)
Posted: Wed Nov 09, 2022 12:36 pm

Functional programming languages take away the ability to write certain types of data processing bugs, but it's still very possible to write catastrophically bad security bugs in a functional language. A simple language-independent bug would be failing to validate that the requested action is permitted under the program's security model. For example, suppose someone patched the Linux kernel such that openat never checked mode bits, so any user could open any file read-write, even if the Linux security model says the caller cannot access the file at all. That would be a major security bug, but it can be done in any language because the bug is absence of code that should have been present.
NeverSloppy (n00b; Joined: 03 Nov 2022; Posts: 29)
Posted: Wed Nov 09, 2022 2:54 pm

So I should just run Gentoo inside of QubesOS because bugs will always exist?
Or am I insane?
Hu (Moderator; Joined: 06 Mar 2007; Posts: 21498)
Posted: Wed Nov 09, 2022 3:53 pm

This comes back to your threat model. Are you worried about someone specifically targeting you, or do you just want to avoid the bulk exploits that circulate on the Internet looking for easy prey? If you are being targeted, how competent is your hypothetical adversary? Describe what you want to stop, then you can determine how to stop it.
NeverSloppy (n00b; Joined: 03 Nov 2022; Posts: 29)
Posted: Wed Nov 09, 2022 4:37 pm

Just wanting to develop a thorough understanding of gentoo security options and procedures as I will soon be installing
it on my hardware. Sad that hardened-sources is no longer an option :/
alecStewart1 (Tux's lil' helper; Joined: 03 Jul 2022; Posts: 103)
Posted: Wed Nov 09, 2022 5:06 pm

NeverSloppy,

You don't necessarily need the hardened sources if you're on a hardened profile. If you use the sys-devel/gentoo-kernel you can have

Code:
sys-kernel/gentoo-kernel hardened

in your /etc/portage/package.use.

You can also have it in your make.conf in the USE variable:

Code:
USE="hardened"

Any package that can compile with hardening options will do so, then.

Gentoo does a decent job of enabling some secure hardening options for the kernel. You can add/take away things yourself, but be mindful of what you're adding/taking away in your kernel config.
See here for some other options you might want to enable, but again, be cautious of what you add/take away.

I can't remember who, but someone on the Gentoo wiki has a guide for further hardening.
NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 54099; Location: 56N 3W)
Posted: Wed Nov 09, 2022 10:08 pm

NeverSloppy

The aim of security is to make it difficult for attackers to get in and difficult for them to do anything useful when (not if) they have the determination to break in.
The idea is to convince them to find an easier target before they break into your system, not to keep a determined, well resourced attacker, like a government, out.

A government would just send the boys round anyway. They would not try to break your security.

Determine your threats, then deploy your defences.

e.g. You probably don't need an encrypted file system on a physically secure system.
pjp (Administrator; Joined: 16 Apr 2002; Posts: 20054)
Posted: Thu Nov 10, 2022 3:26 am

NeverSloppy wrote:
So I should just run Gentoo inside of QubesOS because bugs will always exist?
Or am I insane?
NeverSloppy wrote:
Just wanting to develop a thorough understanding of gentoo security options and procedures as I will soon be installing
it on my hardware. Sad that hardened-sources is no longer an option :/
It sounds like you are interested in learning rather than having a "real and present danger," so the upside is you don't have to do everything at once. Pick a starting point with one or a few goals, then go from there.

Have you ever used QubesOS? I haven't, but I'm curious about some of their methods. They have or had templates that might be useful for a Gentoo install (https://www.qubes-os.org/doc/templates/). My "some day" list is long.
_________________
Quis separabit? Quo animo?
NeverSloppy (n00b; Joined: 03 Nov 2022; Posts: 29)
Posted: Thu Nov 10, 2022 6:09 pm

My goal is to become a competent Linux user and to learn the ins and outs of hardening a system.

As a newb I began my journey in Gentoo by learning how to encrypt /root in a VM. This step seems important
as I will soon install on a laptop and laptops are prone to theft.

I have done this before on a raspberry pi in which I set up dropbear in initramfs to ssh into the pi and
decrypt the files. Next time I want to setup wpa_supplicant in initramfs so that I don't have to connect
the pi to ethernet before ssh'ing.

I didn't really understand UUID in my pi so I basically swapped one for the other until it booted. But now
that I've done it on Gentoo I do have a better understanding about how this works!

Also I found the Security Handbook .
https://wiki.gentoo.org/wiki/Security_Handbook/Full
NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 54099; Location: 56N 3W)
Posted: Thu Nov 10, 2022 7:09 pm

NeverSloppy,

There are lots of different UUIDs. They all mean something different, so it's important to distinguish which UUID you are talking about.

Partitioned whole disks have a Disk identifier. That's a UUID by another name.
Partitions have a UUID. The kernel calls that PARTUUID.
Filesystems have a UUID. That's normally just UUID.
mdadm raid sets have a UUID. It's common across all members of the set.
Logical Volume Manager Physical Volumes have a PV UUID.
Logical Volume Manager Logical Volumes have an LV UUID.

Some of those I've never used. :)
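An added example (mine, not from the thread) that puts NeddySeagoon's list to work for the encrypted-root setup NeverSloppy described: it reads saved `blkid -o export` output, tells for any UUID or PARTUUID whether it is visible before or only after the LUKS container is unlocked, and prints which identifier the initramfs and /etc/fstab each need. The device names and UUID values are constructed; the exact kernel parameter that names the container to the initramfs depends on the initramfs generator and is deliberately not given.

```shell
#!/bin/sh
# Added example, not from the thread: pull the different UUIDs out of
# "blkid -o export" output and show where each one belongs for an
# encrypted root.
# The LUKS container on the raw partition has its own UUID (TYPE=crypto_LUKS);
# the filesystem UUID only appears on the mapper device after the container
# is unlocked. So the initramfs must find the container by the container
# UUID (or the PARTUUID), and only /etc/fstab uses the filesystem UUID.
# Device names and UUID values below are constructed for the demo.

# blkid_field FILE DEVNAME KEY
# Print KEY (UUID, PARTUUID, TYPE, ...) for DEVNAME from saved
# "blkid -o export" output; prints nothing if absent.
blkid_field() {
    awk -F= -v dev="$2" -v key="$3" '
        $1 == "DEVNAME" { cur = $2 }              # each stanza starts with DEVNAME
        cur == dev && $1 == key { print $2; exit }
    ' "$1"
}

# uuid_stage FILE ID
# Say when an identifier can be resolved: "before-unlock" if it belongs to
# a raw block device, "after-unlock" if it belongs to a /dev/mapper device,
# "unknown" if blkid never reported it.
uuid_stage() {
    dev=$(awk -F= -v want="$2" '
        $1 == "DEVNAME" { cur = $2 }
        ($1 == "UUID" || $1 == "PARTUUID") && $2 == want { print cur; exit }
    ' "$1")
    case $dev in
        "")            echo unknown ;;
        /dev/mapper/*) echo after-unlock ;;
        *)             echo before-unlock ;;
    esac
}

# encrypted_root_lines FILE LUKS_PARTITION MAPPER_NAME MOUNTPOINT
# Print the identifier the initramfs needs and the fstab line for the
# filesystem inside, each using what is visible at that stage of boot.
encrypted_root_lines() {
    file=$1 part=$2 name=$3 mnt=$4
    [ "$(blkid_field "$file" "$part" TYPE)" = crypto_LUKS ] || {
        echo "error: $part is not a LUKS container" >&2; return 1; }
    luks=$(blkid_field "$file" "$part" UUID)
    partuuid=$(blkid_field "$file" "$part" PARTUUID)
    fs=$(blkid_field "$file" "/dev/mapper/$name" UUID)
    fstype=$(blkid_field "$file" "/dev/mapper/$name" TYPE)
    printf 'initramfs: unlock UUID=%s (or PARTUUID=%s) as /dev/mapper/%s\n' "$luks" "$partuuid" "$name"
    printf 'fstab:     UUID=%s %s %s noatime 0 1\n' "$fs" "$mnt" "$fstype"
}

# Constructed sample "blkid -o export" output.
DEMO=$(mktemp -d)
cat >"$DEMO/blkid.txt" <<'EOF'
DEVNAME=/dev/sda1
UUID=3A1B-5C7D
TYPE=vfat
PARTUUID=8f1c2a6e-01

DEVNAME=/dev/sda2
UUID=5e7a0c2c-9d2b-4a53-9e5a-1d2b6b1c7e01
TYPE=crypto_LUKS
PARTUUID=8f1c2a6e-02

DEVNAME=/dev/mapper/root
UUID=7d6e1f2a-3b4c-4d5e-8f90-0a1b2c3d4e5f
TYPE=ext4
EOF

encrypted_root_lines "$DEMO/blkid.txt" /dev/sda2 root /
uuid_stage "$DEMO/blkid.txt" 7d6e1f2a-3b4c-4d5e-8f90-0a1b2c3d4e5f   # after-unlock
```

The symptom of mixing these up is an initramfs that waits for a UUID that does not exist yet (the filesystem one) or an fstab entry that points at the raw LUKS partition; on a live machine blkid -o export is exactly what this script reads, run before and after unlocking to see the difference.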
pietinger (Moderator; Joined: 17 Oct 2006; Posts: 4019; Location: Bavaria)
Posted: Fri Nov 11, 2022 1:36 pm

NeverSloppy wrote:
My goal is to become a competent Linux user and to learn the ins and outs of hardening a system.

[...]

Also I found the Security Handbook .
https://wiki.gentoo.org/wiki/Security_Handbook/Full


NeverSloppy,

it is sad that our Security Handbook is a little bit outdated ... :-(

Maybe you want to read my (short) article about security at all: https://forums.gentoo.org/viewtopic-p-8754227.html#8754227
NeverSloppy (n00b; Joined: 03 Nov 2022; Posts: 29)
Posted: Sat Nov 12, 2022 12:16 am

Today, I discovered the distro Alpine Linux. :/

They seem to have what i am trying to implement in Gentoo. Small with only the bare minimum programs.
Hardened kernel. Gaming occasionally.

I am now torn between using Gentoo's Hardened Stage3 with musl and openrc or learning this other distro.

I do not feel confident that I will be able to edit the kernel with hardened features and have it work
with Steam for the occasional gaming.

Heck I'm currently struggling with getting wayland/sway up and running in a VM let alone trying this on my laptop. Sigh.
Spanik (l33t; Joined: 12 Dec 2003; Posts: 942; Location: Belgium)
Posted: Sat Nov 12, 2022 11:25 am

Interesting read, also the links. Keeping your pc updated is a start for security, but I feel that sometimes I'm missing out on a lot of other simple security things because I do know that they exist but I have no clue on how to implement them.

Like you always read "disable telnet". But I have no clue as to how to check if it is active on my pc, even less if it could be activated remotely and, when I find it is there, how to deactivate it.
_________________
Expert in non-working solutions
Leonardo.b (Apprentice; Joined: 10 Oct 2020; Posts: 294)
Posted: Sat Nov 12, 2022 2:54 pm

Spanik wrote:
Like you always read "disable telnet". But I have no clue as to how to check if it is active on my pc, even less if it could be activated remotely and wen I find it is there, how to deactivate it.

It depends on your init/service-manager.
Same as sshd, syslogd, or anything else.
Probably you don't have telnetd installed at all.

Also, you can check using ps.
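Added example (mine, not from the thread) for Spanik's question, in POSIX shell: it parses `ss -tlnp` output, lists what is listening, flags telnet and ftp, and says which services are reachable from the network rather than loopback only. The sample output is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the thread: find out what is actually listening,
# and whether a cleartext login service such as telnet or ftp is among it.
# On a live host run "ss -tlnp" as root; this script parses a saved copy
# so it runs offline. The sample below is constructed.

# listening_ports FILE
# From saved "ss -tlnp" output print: port  bind-address  process
listening_ports() {
    awk '
        $1 != "LISTEN" { next }                      # skip header and non-listeners
        {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)      # everything before it
            proc = "?"                               # ss shows nothing here without -p or root
            if (match($6, /\("[^"]*"/))
                proc = substr($6, RSTART + 2, RLENGTH - 3)
            print port, addr, proc
        }
    ' "$1"
}

# audit_listeners FILE
# RISK for telnet (23) and ftp (21), which send credentials in the clear;
# OK for loopback-only services; NOTE for anything else reachable from the network.
audit_listeners() {
    listening_ports "$1" | while read -r port addr proc; do
        case $port in
            21|23)
                printf 'RISK %s on port %s (%s): cleartext login service, disable it\n' "$proc" "$port" "$addr" ;;
            *)
                case $addr in
                    127.*|'[::1]')
                        printf 'OK   %s on port %s: loopback only\n' "$proc" "$port" ;;
                    *)
                        printf 'NOTE %s on port %s (%s): reachable from the network\n' "$proc" "$port" "$addr" ;;
                esac ;;
        esac
    done
}

# Constructed sample of "ss -tlnp" output.
DEMO=$(mktemp -d)
cat >"$DEMO/ss.txt" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("inetd",pid=1403,fd=5))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1510,fd=3))
LISTEN  0       32      127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
EOF

audit_listeners "$DEMO/ss.txt"
```

Once you know the process, rc-update show (OpenRC) lists the services enabled in each runlevel and rc-update del NAME removes one; telnetd is commonly started by an inetd/xinetd rather than as its own service, which is why the sample shows inetd on port 23, so check that configuration too. equery belongs (from app-portage/gentoolkit) tells you which package owns the daemon's binary, so you can unmerge it rather than only stopping it.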
Page 1 of 2