Gentoo Forums
Suggestions, please, for minimal, secure server installation
OctavioMasomenos
n00b


Joined: 15 Jan 2023
Posts: 1

Posted: Sun Jan 15, 2023 4:07 pm    Post subject: Suggestions, please, for minimal, secure server installation

Hello! I’m totally new to Gentoo and my knowledge of cybersecurity is very limited. For my homelab/self-hosting needs, I have thus far used a minimal Debian server install (with passwords disabled and public/private key authentication for SSH access) for hosting Docker containers which provide self-hosted websites and other services that I’m using. I’m at a critical juncture as I switch from a single, simple test machine to more powerful “production” servers. As I do so, I’d like to use hardened Gentoo to reduce my exposure to hacking, exploits, and malware. For now, my needs are very simple: my servers need to have the bare minimum kernel features and other system components required to run Docker containers and to run nano for editing config files (via bind volumes on the host machine) and HTML/CSS/PHP/database files. I am also considering installing pfSense on top of a hardened server installation in the future.

I need to get Docker containers running (primarily) publicly accessible web servers over a Cloudflare secure tunnel and NextCloud over a privately accessible CF tunnel - but I will be expanding very soon to run other services. I need to get these up ASAP, so if the general answer to this question is “read and learn”, then I will have to stick with what I know (minimal Debian installations) for now and switch over to Gentoo later when time allows. But I’m hoping that someone can point me toward a procedure and/or a specific list of kernel and other options to select during a Gentoo installation that would result in a hardened server that meets my minimal requirements.

Thank you for your time and consideration.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54096
Location: 56N 3W

Posted: Sun Jan 15, 2023 4:48 pm    Post subject: Re: Suggestions, please, for minimal, secure server installation

OctavioMasomenos,

Welcome to Gentoo.

For security, first identify your threats, then deploy defences against those threats.
It's like the layers of an onion. The idea is to make attackers give up and find an easier target, not to keep out a well-funded, determined attacker.
Keep in mind https://xkcd.com/538/

The first layer of defence is to not run anything that you don't need. The wider you open the window, the more the dirt blows in.
Gentoo makes that easy because it only installs what you ask for and what you must have to support the things you ask for.
The converse is also true. If you haven't asked, you won't have it.

Limit access to your servers. A firewall can help there, since you can permit connections only from IP ranges you choose.

The kernel self protection is a good read.

Gentoo offers a hardened stage3 to get you started on the right foot, but it's possible to switch to the hardened profile too.

If you need 'at rest' data protection then encrypting the HDD may be worthwhile. If not, it's an overhead with no benefit.

Read your logs. You need to know that the defences are working.

It's not so much read and learn as practice and improve on what you have. You may find your threat model evolves when you see what attackers are trying.

Keep up to date. There will always be zero day exploits but there is no excuse for an exploit fixed over a month ago.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
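
The question asks for a list of kernel options and the reply points to kernel self protection; a trimmed-down kernel has to satisfy both at once. As an added example (not part of either post, and not Gentoo or Docker project code), this shell script audits a kernel `.config` against both kinds of requirement. The option lists are an illustrative subset assumed for the example, and the sample config is constructed.

```shell
#!/bin/sh
# Audit a kernel .config: container prerequisites plus a few self-protection settings.
# The three lists are an illustrative subset chosen for this example (assumption).
DOCKER_NEEDS="CONFIG_NAMESPACES CONFIG_NET_NS CONFIG_PID_NS CONFIG_CGROUPS CONFIG_VETH CONFIG_BRIDGE CONFIG_OVERLAY_FS"
HARDEN_ON="CONFIG_STRICT_KERNEL_RWX CONFIG_STACKPROTECTOR_STRONG CONFIG_RANDOMIZE_BASE CONFIG_HARDENED_USERCOPY"
HARDEN_OFF="CONFIG_DEVMEM CONFIG_KEXEC"

# kcfg_state FILE OPTION -> prints the value (y, m, ...) or n when unset or absent
kcfg_state() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# kcfg_audit FILE -> prints one line per finding; returns 1 if any FAIL was found
kcfg_audit() {
    rc=0
    for o in $DOCKER_NEEDS; do   # built-in (y) or module (m) both satisfy Docker
        case $(kcfg_state "$1" "$o") in y|m) ;; *) echo "FAIL docker $o is not enabled"; rc=1 ;; esac
    done
    for o in $HARDEN_ON; do      # protections that must be compiled in
        [ "$(kcfg_state "$1" "$o")" = y ] || { echo "FAIL hardening $o should be y"; rc=1; }
    done
    for o in $HARDEN_OFF; do     # features better left out on a minimal server
        [ "$(kcfg_state "$1" "$o")" = n ] || echo "WARN surface $o is enabled"
    done
    return $rc
}

# Constructed sample .config fragment (not taken from a real system)
sample_config() {
cat <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
CONFIG_PID_NS=y
CONFIG_CGROUPS=y
CONFIG_VETH=m
CONFIG_BRIDGE=m
# CONFIG_OVERLAY_FS is not set
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_DEVMEM=y
# CONFIG_KEXEC is not set
EOF
}

# Audit the file named on the command line, e.g. /usr/src/linux/.config
if [ -n "${1:-}" ]; then kcfg_audit "$1"; fi
```

On the constructed sample this reports two FAIL lines (overlay filesystem missing, hardened usercopy off) and one WARN (`/dev/mem` support enabled).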