# Internet facing server - hardened or not?

## ReD-BaRoN

I plan on having my Gentoo server on the Internet (port forwarded behind my router) for DNS, Web and SSH for sharing photos/videos with family. In the past I've used hardened, but on this new server I'm not so sure. I always felt that hardened was complex for my needs, and often well behind the mainline release.

I'm curious if maintaining updated packages (apache, bind, openssh) is enough with my limited-use server.

What do other folks do?

----------

## Bones McCracker

Hardened has now pretty much caught up to the main tree.  Unless you employ role-based access control lists (which is optional), there is not really any added complexity.  The hardened toolchain and extra hardening features provided by the grsec patch reduce the system's vulnerability to several categories of threat.

It's up to you, though.  Are you a likely target (e.g., running a website likely to have customer information or dealing with financial transactions)?  Do you stand to lose a lot if the server (and potentially the rest of the local network) is penetrated and exploited?  Is the server firewalled from the rest of your local network?  Do you conduct a lot of business using your computers (shopping or banking online)?

You could achieve more in terms of security by not running an internet-facing web server than by hardening the host.

----------

## phajdan.jr

That depends on what you do with hardened. There is a hardened profile and a hardened kernel. The hardened profile should generally just work with no additional maintenance (you don't have to run SELinux). You don't have to use grsecurity's RSBAC, and hardening features like PaX and other parts of grsecurity are generally recommended and shouldn't be "too complex".

----------

