On Dec 11, 2011 12:48 AM, "Tanstaafl" <tanstaafl@×××××××××××.org> wrote:
>
> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to base
> it on the hardened profile, but the docs I've read so far all seem to be a
> bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I installed it
> about 8 years ago, and chose the 'server' profile, and I must say it has
> been a real pleasure to maintain, and the only real hiccup I ever
> experienced was the mailman update that moved the directories for the lists
> without telling me what to do about it (the fix was simple, and the devs
> swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? I.e.,
> which model is best - grsecurity, PaX, SELinux - and how best to implement
> it?
>
> Thanks...
>

Oh, one more thing:

If you don't need to milk your hardware for every last bit of performance,
consider running the server inside a VM like XenServer. You gain the
benefit of branchable snapshots, ease of migrating to a different physical
box (as long as you don't use -march=native), and simpler menuconfig. Plus,
if somehow your VM lost all connectivity, you don't need to visit the
server; you can still manage it through XenServer's virtual console.

I have been deploying my servers on top of XenServers, including one
gateway/firewall that used to oversee 5 internet links + 1 LAN with an
aggregate Internet bandwidth of 35 Mbps. Albeit running on an elderly
Pentium 4 box, I have no performance problems at all, even when the
gatewall does some very exotic iptables magic (my list of iptables rules is
already longer than 100 lines).

Rgds,
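The -march=native caveat above is easy to check before migrating a guest to different hardware. The following is an added example, not code from the thread: a small POSIX sh function that scans a Gentoo make.conf for host-specific `-m*=native` flags, run here against two constructed sample files (the paths and their contents are invented for the demonstration).

```shell
#!/bin/sh
# Added example: report host-specific CPU flags in a Gentoo make.conf.
# Binaries built with -march=native (or -mtune=native / -mcpu=native) are
# tuned to the CPU they were compiled on and may not run after the VM is
# moved to a different physical box; a baseline target such as -march=x86-64
# stays portable.
check_portable_cflags() {
    # $1: path to a make.conf-style file
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Look only at active *FLAGS assignments (COMMON_FLAGS, CFLAGS, CXXFLAGS,
    # FFLAGS, FCFLAGS, LDFLAGS), ignore trailing comments, and pull out any
    # -march/-mtune/-mcpu=native occurrences.
    nonportable=$(grep -E '^[[:space:]]*(COMMON_|C|CXX|F|FC|LD)FLAGS=' "$conf" \
        | sed 's/#.*//' \
        | grep -oE -e '-m(arch|tune|cpu)=native' || true)
    if [ -n "$nonportable" ]; then
        echo "non-portable flags in $conf:"
        echo "$nonportable" | sort -u
        return 1
    fi
    echo "$conf: no host-specific -m*=native flags found"
    return 0
}

# Constructed sample files (not real configuration) for the demonstration.
tmp=$(mktemp -d)
# Typical modern layout: CFLAGS inherits from COMMON_FLAGS.
printf 'COMMON_FLAGS="-O2 -pipe -march=native"\nCFLAGS="${COMMON_FLAGS}"\nCXXFLAGS="${COMMON_FLAGS}"\n' \
    > "$tmp/make.conf.native"
# Portable baseline; the commented-out line and trailing comment must not trigger.
printf '#CFLAGS="-march=native"\nCOMMON_FLAGS="-O2 -pipe -march=x86-64" # was -march=native\nCFLAGS="${COMMON_FLAGS}"\n' \
    > "$tmp/make.conf.portable"

# Stand-alone run: exit status 1 means the guest is tied to this CPU.
if check_portable_cflags "$tmp/make.conf.native"; then :; fi
if check_portable_cflags "$tmp/make.conf.portable"; then :; fi
```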