# [solved] Status of securityhandbook and hardening gentoo

## Elleni

I am not sure what the status of the security-related projects is. Looking at the security handbook, there is a warning that it has not been modified since 2010. Then on the Project:Hardened page three contributors are mentioned who all had a role in the SELinux project and are all marked as not active. I also became aware long ago that the hardened sources were dropped because the grsecurity developers had decided to limit access to their patches.

So my question is: for a small private server serving web, mail, cloud and VPN services, is it worth trying to implement some sort of hardening, and if so, which projects are well supported, maintained and suitable?

Last edited by Elleni on Fri Nov 22, 2019 3:54 pm; edited 1 time in total

----------

## Elleni

I would really appreciate some thoughts about my questions.  

I am thinking of installing and configuring fail2ban for the services of my server, but other than that, I am wondering if it's worth the effort to try to harden the system even further or if a sane setup of services and firewall rules might be sufficient?

----------

## Ant P.

The best cure is usually prevention. Minimise potential attack surface, don't run unnecessary non-TLS services (and consider not having ssh on a low port) - that should cut down a lot of log noise. Make sure the userid your web services run as doesn't have write permissions to their own code. Run separate things as separate subdomains and fastcgi processes (especially PHP) if possible. If practical, you might want to add a basic Content-Security-Policy header on your webserver so it can only make internal requests; in the event something does inject bad stuff onto a page, it won't be able to phone home via the browser.

If you can make any services accessible only behind the VPN, that's good too - I have my IMAP set up that way.

----------

## Goverp

I know nothing about hardening, but note that kernel 5.x (~amd64, not AFAIK the current stable series) contains a growing number of grsecurity-inspired security settings.

That said, I found little about grsecurity in a quick glance at the security handbook.

----------

## forrestfunk81

I run hardened profiles on all my 24/7 installations. And like Goverp said, since the removal of hardened-sources many similar features have been merged into the main kernel line. I also prefer having separate LXC containers on separate partitions for each service, but that's less security related than preventing one service going crazy and tearing down the whole system.

----------

## Elleni

Thanks a lot guys. Part of your suggestions I had already implemented, like no http, only ssl access on sites, ssh on a non-standard high port and separate subdomains and CGI processes for separate services. Additionally I added a CSP header in the apache configuration. I probably will try to switch to the hardened no-multilib profile.

Switching from 

```
default/linux/amd64/17.1/no-multilib (stable) *
```

to 

```
default/linux/amd64/17.1/no-multilib/hardened (stable)
```

would mean adding the +cli USE flag to php, and the following changed USE flags.

```
emerge world -uDNav --with-bdeps=y

These are the packages that would be merged, in order:

Calculating dependencies                          ... done!

[ebuild   R    ] dev-libs/libpcre-8.42:3::gentoo  USE="bzip2 cxx readline recursion-limit (split-usr) (unicode) zlib -jit* -libedit -pcre16 -pcre32 -static-libs" 0 KiB
[ebuild   R    ] dev-libs/libpcre2-10.33-r1::gentoo  USE="bzip2 readline recursion-limit (split-usr) unicode zlib -jit* -libedit -pcre16 -pcre32 -static-libs" 0 KiB
[ebuild   R    ] sys-devel/gcc-9.2.0-r2:9.2.0::gentoo  USE="(cxx) hardened* nls nptl openmp (pie) sanitize (ssp) vtv (-altivec) -d -debug -doc (-fixed-point) -fortran* -go -graphite (-jit) (-libssp) -lto (-multilib) -objc -objc++ -objc-gc (-pch*) -pgo -systemtap -test -vanilla" 0 KiB
[ebuild   R    ] dev-lang/perl-5.28.2-r1:0/5.28::gentoo  USE="-berkdb* -debug -doc -gdbm* -ithreads" 0 KiB
[ebuild   R    ] dev-libs/jemalloc-5.2.1:0/2::gentoo  USE="hardened* -debug -lazy-lock -prof -static-libs -stats -xmalloc" 0 KiB
[ebuild   R    ] sys-apps/man-db-2.7.6.1-r2::gentoo  USE="manpager nls zlib -berkdb* -gdbm* (-selinux) -static-libs" 0 KiB
[ebuild   R    ] dev-lang/python-3.6.9:3.6/3.6m::gentoo  USE="gdbm hardened* ncurses readline sqlite ssl (threads) xml -bluetooth -build -examples -ipv6 -libressl -test -tk -wininst" 0 KiB
[ebuild   R    ] dev-lang/python-2.7.16:2.7::gentoo  USE="gdbm hardened* ncurses readline sqlite ssl (threads) (wide-unicode) xml (-berkdb) -bluetooth -build -doc -examples -ipv6 -libressl -tk -wininst" 0 KiB
[ebuild  N     ] dev-python/pypax-0.9.5::gentoo  USE="xtpax -ptpax" PYTHON_TARGETS="python2_7 python3_6 (-pypy) -python3_5 (-python3_7)" 393 KiB
[ebuild  N     ] sys-apps/elfix-0.9.5::gentoo  USE="xtpax -ptpax" 0 KiB
[ebuild   R    ] dev-libs/apr-util-1.6.1-r3:1::gentoo  USE="mysql sqlite -berkdb* -doc -gdbm* -ldap -libressl -nss -odbc -openssl -postgres -static-libs" 0 KiB
[ebuild   R    ] dev-libs/redland-1.0.17-r2::gentoo  USE="mysql sqlite -berkdb* -iodbc -odbc -postgres -static-libs" 0 KiB
[ebuild   R    ] www-servers/apache-2.4.41:2::gentoo  USE="(split-usr) ssl suexec-caps -debug -doc -gdbm* -ldap -libressl (-selinux) -static -suexec -suexec-syslog -threads" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation proxy proxy_http proxy_wstunnel rewrite setenvif socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias -access_compat -asis -auth_digest -auth_form -authn_dbd -authn_socache -authz_dbd -brotli -cache_disk -cache_socache -cern_meta -charset_lite -dbd -dumpio -http2 -ident -imagemap -lbmethod_bybusyness -lbmethod_byrequests -lbmethod_bytraffic -lbmethod_heartbeat -log_forensic -macro -md -proxy_ajp -proxy_balancer -proxy_connect -proxy_fcgi -proxy_ftp -proxy_html -proxy_http2 -proxy_scgi -ratelimit -remoteip -reqtimeout -session -session_cookie -session_crypto -session_dbd -slotmem_shm -substitute -version -watchdog -xml2enc" APACHE2_MPMS="-event -prefork -worker" 0 KiB
[ebuild   R   ~] mail-filter/rspamd-2.1::gentoo  USE="-blas -jemalloc -jit* -libressl -pcre2" CPU_FLAGS_X86="ssse3" 0 KiB
[ebuild   R    ] sys-apps/iproute2-5.2.0-r1::gentoo  USE="caps iptables -atm -berkdb* -elf -ipv6 -minimal (-selinux)" 0 KiB
[ebuild   R    ] app-admin/syslog-ng-3.22.1::gentoo  USE="caps geoip -amqp -dbi -geoip2 -http -ipv6 -json -kafka -libressl -mongodb -pacct -python -redis -smtp -snmp -spoof-source -systemd -tcpd*" PYTHON_SINGLE_TARGET="python3_6 -python2_7 -python3_5 (-python3_7)" PYTHON_TARGETS="python2_7 python3_6 -python3_5 (-python3_7)" 0 KiB
[ebuild   R    ] dev-vcs/git-2.23.0-r1::gentoo  USE="blksha1 cgi curl gpg iconv nls pcre perl threads webdav -cvs -doc -emacs -gnome-keyring -highlight -libressl -mediawiki -mediawiki-experimental (-pcre-jit*) -perforce (-ppcsha1) -subversion -test -tk -xinetd" PYTHON_SINGLE_TARGET="python3_6 -python2_7 -python3_5 (-python3_7)" PYTHON_TARGETS="python2_7 python3_6 -python3_5 (-python3_7)" 0 KiB
[ebuild   R    ] sys-libs/pam-1.3.0-r2::gentoo  USE="cracklib filecaps nls (pie) (split-usr) -audit -berkdb* -debug -nis (-selinux) -test -vim-syntax" 0 KiB
[ebuild   R    ] mail-mta/postfix-3.4.5-r1::gentoo  USE="dovecot-sasl eai hardened* mysql pam sqlite ssl -berkdb* -cdb -ldap -ldap-bind -libressl -lmdb -mbox -memcached -nis -postgres -sasl (-selinux)" 0 KiB
[ebuild   R    ] net-mail/dovecot-2.3.7.2::gentoo  USE="bzip2 caps managesieve mysql pam sieve sqlite zlib -argon2 -doc -ipv6 -kerberos -ldap -libressl -lua -lucene -lz4 -lzma -postgres (-selinux) -solr -static-libs -suid -tcpd* -textcat -vpopmail" 0 KiB
[ebuild   R    ] net-mail/mailutils-3.4-r3::gentoo  USE="clients mysql nls pam (split-usr) ssl threads -berkdb* -bidi -emacs -gdbm* -guile -ipv6 -kerberos -kyotocabinet -ldap -postgres -python -sasl -servers -static-libs -tcpd* -tokyocabinet" PYTHON_TARGETS="python2_7" 0 KiB

Total: 21 packages (2 new, 19 reinstalls), Size of downloads: 393 KiB

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

dev-lang/php:7.3

  (dev-lang/php-7.3.11:7.3/7.3::gentoo, ebuild scheduled for merge) conflicts with
    dev-lang/php:*[cli,xml,zlib] required by (dev-php/PEAR-PEAR-1.10.6:0/0::gentoo, installed)
                   ^^^
    dev-lang/php[cli,ctype,json,simplexml] required by (app-admin/drush-6.7.0-r1:0/0::gentoo, installed)
                 ^^^

Would you like to merge these packages? [Yes/No]
```

Maybe I should just try that and see if everything still works. 

I will use demerge in order to easily revert back, if needed. 

As for emerging ~amd64 gentoo-sources: will the mentioned grsecurity-inspired security settings be enabled by default? Otherwise, I'll look around and see if I can find a tutorial with the recommended kernel options with security in mind.

Finally I will check tools like logcheck and fail2ban to see if it's worth implementing.

Thanks again for your thoughts.

----------

## Goverp

You might like the Kernel Self Protection Project's checklist

----------

## Elleni

Very nice. I'll have a look thank you. 

Btw. I re-enabled the gdbm and berkdb USE flags in make.conf after finding out that postfix was not able to query some of its configured databases anymore. (And I am wondering if it was a good idea to put those two flags in make.conf, or if it would have been sufficient to only add them for postfix, or to reconfigure postfix to not need them - which I don't know exactly how to do.)

Without them I could not retrieve emails anymore, and I had the following errors in mail.err:

```
postfix/tlsmgr[16175]: error: unsupported dictionary type: btree
postfix/smtpd[16267]: error: unsupported dictionary type: hash
```

I hope this does not weaken my hardened setup too much.

Edit: A comparison of USE flags for the hardened vs. the non-hardened profile shows the following differences.

Apart from the USE flags mentioned above (berkdb and gdbm), I now have packages compiled

```
without:
-jit
-fortran
-pcre-jit
-tcpd
```

```
with:
+hardened
```

Everything still seems to work fine, but I am wondering about jit for rspamd and tcpd for dovecot, whether they would still be needed. Especially the latter, because I have found the following in postfix's master.cf:

```
smtps     inet  n       -       n       -       -       smtpd
      ....
     -o smtpd_tls_wrappermode=yes
      ....
```

----------

## Elleni

Going through the Kernel Self Protection settings and adapting where needed, there was one thing that was not clear to me.

*Quote:*

> # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.

How can I check, if this is active for my server?

Apart from that, everything else worked like a charm: I changed a few options that were not yet set as recommended, added kernel boot parameters in /etc/default/grub GRUB_CMDLINE_LINUX, recompiled the kernel, and it still boots and everything is up and running, so I am fine.

----------

## Hu

*Elleni wrote:*

> *Quote:* # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
>
> How can I check, if this is active for my server?

Check whether the Kconfig symbol presented on the next lines is set to =y in your server configuration. Quoting from that page, in case it changes later:

```
# Prior to v4.18, these are:
#  CONFIG_CC_STACKPROTECTOR=y
#  CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
```

For any recent kernel, you want the uncommented forms.
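One way to run the check Hu describes, as an added example that is not code from the thread: a small POSIX sh script that reads a kernel .config and reports the stack-protector level, accepting the pre-4.18 CONFIG_CC_STACKPROTECTOR* names as well as the current ones. The helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: report the kernel stack-protector
# level recorded in a kernel .config. It accepts both the pre-4.18 symbols
# (CONFIG_CC_STACKPROTECTOR*) and the current ones (CONFIG_STACKPROTECTOR*)
# that Hu quoted above, so it works across the kernel versions in the thread.

# Print "strong", "regular" or "none" for the .config file given as $1.
# Only uncommented "=y" lines count; "# CONFIG_... is not set" lines do not.
stackprotector_level() {
    cfg="$1"
    if grep -Eq '^CONFIG_(CC_)?STACKPROTECTOR_STRONG=y$' "$cfg"; then
        echo strong
    elif grep -Eq '^CONFIG_(CC_)?STACKPROTECTOR(_REGULAR)?=y$' "$cfg"; then
        echo regular
    else
        echo none
    fi
}

# Write the running kernel's configuration to stdout: /proc/config.gz when
# the kernel was built with CONFIG_IKCONFIG_PROC, otherwise the copy that
# "make install" leaves in /boot. Returns 1 when neither is readable.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Stand-alone demo on a constructed sample config (hypothetical content),
# then on the running kernel if its config is available.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
EOF
echo "sample config: $(stackprotector_level "$sample")"   # strong
rm -f "$sample"

live=$(mktemp)
if running_kernel_config > "$live" 2>/dev/null; then
    echo "running kernel: $(stackprotector_level "$live")"
else
    echo "running kernel: config not readable (no CONFIG_IKCONFIG_PROC, no /boot copy)"
fi
rm -f "$live"
```

The kernel build adds -fstack-protector-strong to its own compiler flags when the symbol is set, so nothing in make.conf CFLAGS is involved.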

----------

## Elleni

I have those in my kernel config:

*Quote:*

> CONFIG_STACKPROTECTOR=y
> CONFIG_STACKPROTECTOR_STRONG=y

Is that enough, no gcc configuration needed in make.conf or elsewhere? Then I am fine.

----------

## freke

*Elleni wrote:*

> Everything still seems to work fine, but I am wondering about jit for rspamd and tcpd for dovecot, whether they would still be needed. Especially the latter, because I have found the following in postfix's master.cf:
>
> ```
> smtps     inet  n       -       n       -       -       smtpd
> ...
> ```

I'm running a hardened profile and enabled jit for rspamd but not tcpd for dovecot; it doesn't seem to be needed. My smtps service is with -o smtpd_tls_wrappermode=yes, too.

----------

## Elleni

Great, that's what I have now too. Thanks for the confirmation.

----------

## gengreen

You may apply the following patch to the kernel as well:

https://github.com/anthraxx/linux-hardened

And better than hardened, hardened musl:

https://wiki.gentoo.org/wiki/Project:Hardened_musl

I

----------

## Terry_Davis

Any thoughts on the quality of different distros' hardened kernels? Let's take Arch & Gentoo, for example... It takes a lot of work for a user to determine how many of which patches they might want got into their hardened kernel. So it is definitely a huge time saver to be on a distro with the most thought & care put into its hardened kernel fork (or "branch"?).

----------

## Elleni

gengreen thanks for your links. I'll have a look as soon as I find some time. 

Terry_Davis, I only know gentoo as it's the only distro I am using and the one I started with many years ago; it taught me everything I know about linux and I feel comfortable using it. I personally enjoy the opportunity to learn, as for me linux is a hobby and unfortunately I am not in a position to use it professionally yet. Which other distro would you consider a good choice as an alternative? Lately, noticing how big players manipulate distributions to restrict freedom of choice and push init systems to de facto standards to pursue their own interests of user lock-in to make money, my trust in them has decreased even more, and I feel very comfortable in this incredibly helpful and knowledgeable community, which is also willing to share its know-how. I especially feel very comfortable to have all these guys here, not willing to swallow this systemd thing but continuing to support openrc; not many other distros out there did resist, and I hope Poettering and his followers will not succeed in forcing gentoo to its knees in the future. Heck - having guys like dantrell here, who put so much energy into providing gnome without systemd even though upstream decided to make systemd mandatory, just feels good, not to forget all the others around being so patient with all these users asking for help, and helping them by teaching them, not just giving solutions but opportunities to learn.

You're probably right that relying on a distribution or branch to take care of security and make these decisions for you might be a time saver, but on the other hand, for me one of the biggest advantages of gentoo is that you don't have to let others decide; you decide for yourself how your system should be. Not to mention that from my point of view it is pointless to worry about the security of your system as long as you use systemd, especially watching the attitude of their main developer.

If I could use Linux professionally in production, I would probably still choose redhat, but only because my boss would probably want to have the theoretical/imaginary possibility to blame someone if something goes south, or he would believe that this would increase the chance of getting (so called professional, rather meaning paid) help.

----------

## Terry_Davis

*Elleni wrote:*

> gengreen thanks for your links. I'll have a look as soon as I find some time.
>
> Terry_Davis, I only know gentoo as it's the only distro I am using and the one I started with many years ago; it taught me everything I know about linux and I feel comfortable using it. I personally enjoy the opportunity to learn, as for me linux is a hobby and unfortunately I am not in a position to use it professionally yet. Which other distro would you consider a good choice as an alternative? Lately, noticing how big players manipulate distributions to restrict freedom of choice and push init systems to de facto standards to pursue their own interests of user lock-in to make money, my trust in them has decreased even more, and I feel very comfortable in this incredibly helpful and knowledgeable community, which is also willing to share its know-how. I especially feel very comfortable to have all these guys here, not willing to swallow this systemd thing but continuing to support openrc; not many other distros out there did resist, and I hope Poettering and his followers will not succeed in forcing gentoo to its knees in the future. Heck - having guys like dantrell here, who put so much energy into providing gnome without systemd even though upstream decided to make systemd mandatory, just feels good, not to forget all the others around being so patient with all these users asking for help, and helping them by teaching them, not just giving solutions but opportunities to learn.
>
> You're probably right that relying on a distribution or branch to take care of security and make these decisions for you might be a time saver, but on the other hand, for me one of the biggest advantages of gentoo is that you don't have to let others decide; you decide for yourself how your system should be. Not to mention that from my point of view it is pointless to worry about the security of your system as long as you use systemd, especially watching the attitude of their main developer.
> ...

I'm on the same page about systemd - and personally wouldn't care if I couldn't use gnome on my systems. I actually use Arch in production. I used to run Gentoo primarily, and my interest has been piqued again to see how much compiling from source can take advantage of the latest hardware.

I just posted in this thread to gain clarity on the various "hardened" kernels out there - as they are hard to compare without doing a deep dive.

----------

## Vulgar

Void Linux uses runit, no systemd. https://voidlinux.org/

----------

