| 1 |
On 27/03/16 12:51, 80x24 wrote: |
| 2 |
> Hunter Jozwiak wrote: |
| 3 |
>> Hello, |
| 4 |
>> |
| 5 |
>> I am going to now host my web site on a Gentoo server. Firstly, is there |
| 6 |
>> a recommended profile for this, or will the default amd64 profile |
| 7 |
|
| 8 |
It depends on your use-case and preference, but hardened is often a good |
| 9 |
choice for something that will offer external services (as in over the |
| 10 |
Internet). |
| 11 |
|
| 12 |
>> suffice? Or would it be better to use a hardened profile for this task? |
| 13 |
>> Secondly, does Linode offer the requisite information for things you |
| 14 |
>> MUST have while building a kernel? |
| 15 |
|
| 16 |
The Linode configurations, last time I checked, were significantly out |
| 17 |
of date (including their Gentoo deployment image). Depending on your |
| 18 |
level of paranoia, it may be reasonable for you to boot your Linode |
| 19 |
using their rescue environment and perform a stage-3 install that way. |
| 20 |
Otherwise, you can simply deploy their Gentoo image and update/harden as |
| 21 |
necessary. |
| 22 |
|
| 23 |
As for kernel configuration, I don't recall seeing anything |
| 24 |
specifically, however they do include their default kernel configuration |
| 25 |
in either /boot/config* or /proc/config.gz, so you can use that as a base. |
| 26 |
|
| 27 |
>> And finally, I am going to have |
| 28 |
>> multiple servers. Is there a package that I can use to distribute my |
| 29 |
>> built kernels? |
| 30 |
|
| 31 |
There isn't a package, however depending on how you configure the |
| 32 |
kernel, you can either just copy the .config from one host or another, |
| 33 |
or the kernel make program has options to build archives of the built |
| 34 |
kernel - see `make help` for details. |
| 35 |
|
| 36 |
>> Thanks, you guys are awesome, and keep up the good work, |
| 37 |
>> |
| 38 |
>> Hunter |
| 39 |
>> |
| 40 |
> As far as you know how to hardened security of your servers. Normal |
| 41 |
> profile will be good (Though I still recommend hardened if you're |
| 42 |
> familiar with GRsecurity and other ``hardeded'' stuff). |
| 43 |
> |
| 44 |
> If you go with the hardened version, you will also need to build custom |
| 45 |
> kernel and set kernel to pygrub in Linode profile settings (which |
| 46 |
> selects proper generic kernel by default). And yes you will need a |
| 47 |
> bootloader. |
| 48 |
|
| 49 |
Hardened is not one be-all solution - you can use some hardened features |
| 50 |
and not others. For example, you can convert to the hardened profile and |
| 51 |
do not necessarily need to use hardened-sources. Similarly, if you *do* |
| 52 |
use hardened-sources, you do not need to enable an RBAC (such as |
| 53 |
GRSecurity or SELinux). |
| 54 |
|
| 55 |
If you do use PaX in the kernel, though, you will need to also be on a |
| 56 |
hardened profile to have binaries marked appropriately. |
| 57 |
|
| 58 |
Cheers; |
| 59 |
-- |
| 60 |
Sam Jorna (wraeth) <wraeth@g.o> |
| 61 |
GnuPG Key: D6180C26 |
Archives