On 27/03/16 12:51, 80x24 wrote:
> Hunter Jozwiak wrote:
>> Hello,
>>
>> I am going to now host my web site on a Gentoo server. Firstly, is there
>> a recommended profile for this, or will the default amd64 profile

It depends on your use-case and preference, but hardened is often a good
choice for something that will offer external services (as in over the
Internet).

>> suffice? Or would it be better to use a hardened profile for this task?
>> Secondly, does Linode offer the requisite information for things you
>> MUST have while building a kernel?

The Linode configurations, last time I checked, were significantly out
of date (including their Gentoo deployment image). Depending on your
level of paranoia, it may be reasonable for you to boot your Linode
using their rescue environment and perform a stage-3 install that way.
Otherwise, you can simply deploy their Gentoo image and update/harden as
necessary.

As for kernel configuration, I don't recall seeing anything
specifically; however, they do include their default kernel configuration
in either /boot/config* or /proc/config.gz, so you can use that as a base.

>> And finally, I am going to have
>> multiple servers. Is there a package that I can use to distribute my
>> built kernels?

There isn't a package; however, depending on how you configure the
kernel, you can either just copy the .config from one host to another,
or the kernel make program has options to build archives of the built
kernel - see `make help` for details.

>> Thanks, you guys are awesome, and keep up the good work,
>>
>> Hunter
>>
> As far as you know how to harden the security of your servers, the normal
> profile will be good (though I still recommend hardened if you're
> familiar with GRsecurity and other ``hardened'' stuff).
>
> If you go with the hardened version, you will also need to build a custom
> kernel and set the kernel to pygrub in Linode profile settings (which
> selects the proper generic kernel by default). And yes, you will need a
> bootloader.

Hardened is not a be-all solution - you can use some hardened features
and not others. For example, you can convert to the hardened profile and
do not necessarily need to use hardened-sources. Similarly, if you *do*
use hardened-sources, you do not need to enable an RBAC (such as
GRSecurity or SELinux).

If you do use PaX in the kernel, though, you will need to also be on a
hardened profile to have binaries marked appropriately.

Cheers;
-- 
Sam Jorna (wraeth) <wraeth@g.o>
GnuPG Key: D6180C26
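A worked version of the kernel-configuration advice in the reply above: take the running kernel's configuration from /proc/config.gz (falling back to /boot/config-<release>) as the base .config, read individual options out of it, and flag the PaX case that needs the hardened profile. This is an added example, not code from the thread, from Gentoo or from Linode; the function names (base_kernel_config, config_value, needs_hardened_profile) are hypothetical, and the paths are parameters so the functions can be exercised against constructed fixture files rather than a live host.

```shell
#!/bin/sh
# Added example, not code from the thread, Gentoo or Linode.
# Function names are hypothetical. Defaults point at the real locations
# named in the reply; every path can be overridden so the functions can
# be exercised against constructed fixture files.

# base_kernel_config [PROC_CONFIG] [BOOT_DIR] [RELEASE] [DEST]
# Copies the running kernel's configuration to DEST (default .config) and
# prints which source it used. /proc/config.gz only exists when the running
# kernel was built with CONFIG_IKCONFIG_PROC, hence the /boot fallback.
base_kernel_config() {
    proc_cfg=${1:-/proc/config.gz}
    boot_dir=${2:-/boot}
    release=${3:-$(uname -r)}
    dest=${4:-.config}

    if [ -r "$proc_cfg" ]; then
        gzip -dc "$proc_cfg" > "$dest" || return 1
        echo "$proc_cfg"
    elif [ -r "$boot_dir/config-$release" ]; then
        cp "$boot_dir/config-$release" "$dest" || return 1
        echo "$boot_dir/config-$release"
    else
        echo "no kernel configuration found for $release" >&2
        return 1
    fi
}

# config_value CONFIG OPTION
# Prints the option's value: "n" for the "# X is not set" form, the literal
# value (y, m, a number or string) when set, and "absent" when the option is
# not mentioned at all (typically a different kernel version or patchset).
config_value() {
    cfg=$1
    opt=$2
    if grep -q "^# $opt is not set\$" "$cfg"; then
        echo n
        return 0
    fi
    val=$(sed -n "s/^$opt=//p" "$cfg")
    echo "${val:-absent}"
}

# needs_hardened_profile CONFIG
# Returns 0 when the base config enables PaX, the case the reply flags as
# requiring the hardened profile so that userland binaries carry PaX marks.
needs_hardened_profile() {
    [ "$(config_value "$1" CONFIG_PAX)" = y ]
}

# Typical use on the build host once the functions above are sourced
# (shown as comments, not executed here):
#   cd /usr/src/linux
#   base_kernel_config                 # writes ./.config from the running kernel
#   make olddefconfig                  # fill in options new to this source tree
#   make help | grep -- '-pkg'         # packaging targets, e.g. tarbz2-pkg, bindeb-pkg
#   make -j"$(nproc)" tarbz2-pkg       # archive to copy to the other servers
```

The `-pkg` targets listed by `make help` (tarbz2-pkg, bindeb-pkg, binrpm-pkg and friends) are what the reply means by building archives of the built kernel; copying the resulting archive to each server keeps all of them on an identical kernel, whereas copying only the .config means each host rebuilds and can drift if its source tree or toolchain differs.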