# How safe is Gentoo?

## Loko123

Hey guys,

After setting up Gentoo (it took almost 72 hours; good old Intel Pentium D  :Smile:  ), I was going to ask myself how secure Gentoo is. Yeah, I know, installing no external packages and keeping the system up to date will raise the security level.

So... What are the full risks and is it necessary running clam-av & some rootkit scanners?

Which tools are you going to use to scan your system for vermin?

Best wishes,

Loko 123

----------

## Sven Vermeulen

You can make Gentoo as secure as you want it to be. Note though that a system's security is never beyond the ability of its administrator. Adding security tools to a system doesn't improve that system's security if the tools aren't used properly.

Definitely check Gentoo's security handbook which gives great pointers on general security aspects. You can also take a look at the Gentoo hardened project which offers various improvements (like grsecurity/pax and/or SELinux) to further harden your Gentoo system.

----------

## Telemin

Hi there and welcome to Gentoo,

In answer to your question:

As secure or as insecure as you make it.

In the case of Gentoo we have the majority of the strengths and weaknesses of any flavour of Unix: in my opinion easy to lock down hard when you know how, but sometimes a serious pain to get hold of the right information.

One thing that has to be said is Gentoo has a *lot* going for it on the security side of things in the hardened project. Check them out; they are doing some awesome things, like PIE/SSP and support for just about every security setup invented for Linux.  http://www.gentoo.org/proj/en/hardened/

Rootkit scanners are never a bad idea, equally av *should* (bugs and exploits notwithstanding) certainly do no harm.

If you are running web servers make sure to lock them down hard; apache is not sensibly set up out of the box and needs some knowledge of how to make things more secure. The same can be said for any web service, especially ssh, which will let you do daft things in the default config, like root logins (!).

Disabling access to compilers except for root is also a sensible precaution to cut down on the possibility of rootkits, and running things like apache in chroot jails can also be a highly sensible precaution.

There are always safer and more secure ways to do everything but remember that security usually comes as the direct inverse of practicality and you yourself have to learn where to draw the line.

Bottom line with gentoo is that it provides the structure with which to do almost anything, but you will need to go away and find out how to do what you want to.

Forums and IRC will always help with specific problems but in an essentially open-ended field like that of security there can never be any substitute for doing some good solid research.  There are doubtless many books available on the topic of system security and any of them should give you a good start into what to think about and a good mindset to have for thinking about keeping a system secure.

I hope this has some helpful things to think about in it, but your question is so general that I can't possibly begin to say anything more specific right now.

Have fun

-Telemin-

----------

## Loko123

 *Sven Vermeulen wrote:*   

> You can make gentoo as secure as you want it to be. Note though that a systems' security is never beyond the ability of its adminstrator. Adding security tools to a system doesn't improve that systems' security if the tools aren't used properly.
> 
> Definitely check Gentoo's security handbook which gives great pointers on general security aspects. You can also take a look at the Gentoo hardened project which offers various improvements (like grsecurity/pax and/or SELinux) to further harden your Gentoo system.

 

Thank you for your response,

Yeah, I thought about the Gentoo hardened project. But I'm a little bit skeptical, because I think SELinux may have some backdoors (you know... Paranoia^100 - I hate this..).

So, is it possible to run Gentoo hardened without SELinux? After a long conversation in IRC, many people also said that a well-configured router (with firewall) is enough. (But I am wet behind the ears about security.)

Best wishes,

Loko 123

P.S. Have a great day!

----------

## Sven Vermeulen

First time I heard that SELinux might have a backdoor... it's integrated in the main linux kernel, so I'm quite confident that it doesn't have one. 

But to answer your question, yes, you can use hardened without SELinux.

----------

## Loko123

 *Telemin wrote:*   

> Hi there and welcome to Gentoo,
> 
> In answer to your question:
> 
> As secure or as insecure as you make it.
> ...

 

Hey Telemin,

Thank you for your long and detailed response!  :Smile: 

I'm sorry that I did not specify my question, but I'm going to run only desktop systems (I have no experience with servers; maybe I'll start a project in summer and dive into the server pool. From what I've read, setting up a server is not trivial because, as you mentioned, apache2 has many "bugs" if you have no experience with it).

So... You mentioned that disabling access to compilers except for root is a boost for the security level. AFAIK on a desktop system it is only possible to run emerge as root.

As you can see in my second post, I've deactivated ssh completely. (I don't need it, although it is a nice tool.)

To sum up, the best way to a secure desktop environment and/or desktop system is keeping the system up to date, disabling ssh root logins and/or using the hardened project? Am I right?

Have a great day,

Loko 123

----------

## Loko123

 *Sven Vermeulen wrote:*   

> First time I heard that SELinux might have a backdoor... it's integrated in the main linux kernel, so I'm quite confident that it doesn't have one. 
> 
> But to answer your question, yes, you can use hardened without SELinux.

 

I think it's also just a fairytale. But my inner voice (paranoia) says that I should stay far away from SELinux, if you know what I mean.  :Smile: 

Thanks for your response and help!  :Smile: 

Best wishes,

Loko 123

----------

## gerard27

Do you run a server?

If you don't there's nothing to worry about.

I've been using Linux exclusively for years.

Did my share of distro hopping and always used the same passwords for root and user.

Clamav is to find Windows malware.

I occasionally run rkhunter and chkrootkit: never anything wrong.

Gerard.

----------

## Bircoph

 *Sven Vermeulen wrote:*   

> First time I heard that SELinux might have a backdoor... it's integrated in the main linux kernel, so I'm quite confident that it doesn't have one. 
> 
> 

 

What really bothers me about SELinux is that this thing was originally developed by the NSA. These guys will never ever release to the public technology unbreakable by themselves. This does not necessarily mean SELinux has some overlooked backdoor in the usual sense; maybe the technology is vulnerable by design. As far as I understand SELinux, you should know a program's code and its intended behavior in great detail in order to write strict and precise policy rules, needless to mention that SELinux is really useful only in enforced mode, when you have rules written for every application on your system. That is just overkill in terms of the human time required to analyse the code and write the rules; with equivalent effort you could just find and fix all security bugs in the analyzed code, and obviously this is impossible.

----------

## Bircoph

 *Loko123 wrote:*   

> 
> 
> So... You mentioned, that disabling acces to compilers except for root is a boost for the security level. AFAIK on desktop system it is only possible to run emerge as root.
> 
> 

 

If you have no login users in the portage group, then yes. But gcc can be used by any user, so a hacked user account may be used to compile exploits, rootkits and so on.

----------

## JC99

FWIW I've been running Gentoo for several years now and I do get some port scans and automated login attempts but my server has never been compromised.

Make sure you have a firewall up and running and choose strong passwords (upper and lower case letters, symbols and numbers) that are hard to guess.

----------

## dE_logics

If you're not considering services which provide protection, Gentoo is more secure than other distros (assuming they do not provide any security-specific applications like iptables, sandbox etc...), since it's built with minimal components (now that depends on you), so the probability of a security loophole is lower. You should also try hardened Gentoo.

In reality the question is invalid; Gentoo is merely a toolkit which can be used to make distros... secure or not, depending on the configuration. E.g. Sabayon.

----------

## Loko123

Thanks to everyone who contributed to this thread. You've helped me so much! Again, thank you!  :Smile: 

So, I've got an 80-digit password (may you call me crazy/paranoid?) but after JC99's post, I'm sure that this is as secure as possible.  :Smile:  So, I've also disabled ssh's root login and now I'm going to install gentoo-hardened. I hope that everything works fine, and I'm much obliged to everyone (& the Gentoo community  :Wink:  ).

Best wishes,

Loko 123

----------

## aCOSwt

 *Sven Vermeulen wrote:*   

> Note though that a systems' security is never beyond the ability of its adminstrator.

 

I fear that this statement is going to end... nowhere !

Strictly speaking it is meaningless as... of course it is not beyond... but... it is not below either...   :Twisted Evil: 

In order to get the most secure system, one should consider security as... uncertain ! 

Does this imply practicing tcpdump ?  :Shocked: 

Hmmm... I am not certain about this...   :Rolling Eyes: 

----------

## cach0rr0

I don't know that there's much need for the NSA to code in backdoors for SELinux

----------

## Havin_it

One of the great bummers I always think in Gentoo (and many other desktop distros) is the lack of a firewall that's on by default and easy to configure. 

There are many who will argue either that it's not important (no services exposed by default until you add them yourself; most home users are behind NAT now anyway; etc), or it's a piece of cake to setup ("iptables -J somethingorother -t wibble -k 5,8,~ CAKE FISHNET ALBATROSS" - well, if you call that simple :S ). But none of these arguments are watertight or universal, and remember how we mocked Windows for not turning on the firewall by default until XP SP2.

At the very least, it'd be nice to have a bundled initscript that just sets iptables to drop all incoming traffic, which would be just the job for a large percentage of basic users. But in the Linux world (and I mean far beyond Gentoo alone) we seem a bit masochistic about this.  I've tried a couple of GUI firewall solutions (kmyfirewall, fwbuilder) and they certainly take a step in the right direction, but they can still sometimes get bogged down in excessive complexity, and rely on you having the right kernel settings or they will fail - often without giving you very clear info about what you need to change. For example, kmyfirewall would crap out if all your iptables stuff wasn't built as modules, because it expected to have to modprobe everything it needed itself and didn't identify when it was built-in (maybe they've fixed this, it's been a while).

Rant over. Like most comments above, it comes down to "you get out what you put in", but this is one of those areas where Windows overtook us while we were being all smug about it, and that's a little embarrassing to me.

----------

## Mousee

 *Havin_it wrote:*   

> One of the great bummers I always think in Gentoo (and many other desktop distros) is the lack of a firewall that's on by default and easy to configure. 
> 
> There are many who will argue either that it's not important (no services exposed by default until you add them yourself; most home users are behind NAT now anyway; etc), or it's a piece of cake to setup ("iptables -J somethingorother -t wibble -k 5,8,~ CAKE FISHNET ALBATROSS" - well, if you call that simple :S ). But none of these arguments are watertight or universal, and remember how we mocked Windows for not turning on the firewall by default until XP SP2.
> 
> At the very least, it'd be nice to have a bundled initscript that just sets iptables to drop all incoming traffic, which would be just the job for a large percentage of basic users. But in the Linux world (and I mean far beyond Gentoo alone) we seem a bit masochistic about this. 

 

No thanks, I like my Gentoo install untouched so that I, the administrator, can configure it how I want it to be configured. Not how someone else decided it was to be configured for me. That's one of the major "perks" of using Gentoo - nearly everything is configured by you, not pre-configured. Hand-holding distros such as Ubuntu and Fedora work well enough for this purpose (do they even have a default iptables rule set, enabled by default? I don't recall there being one in those distros either...).

Also, if I'm installing Gentoo on a headless box or a server, blocking *all* incoming traffic would make the install impossible via SSH.

Now if Gentoo perhaps offered a "Desktop Install CD", targeted at "new" users, I could see this as an "okay" solution to some form of security; but really in the end, at least with Gentoo, it's about you, the administrator/user, knowing how to secure your own system and lock it down. Windows security always failed in the past because Windows users didn't understand how to secure their system properly (and still don't), or didn't take advantage of the security offered due to lack of knowledge at least, and thus Microsoft began adopting more "automatic" security features that you now have to disable, rather than enable. Linux is no different. If the user doesn't understand how to secure themselves then their system is at risk in the same way a Windows user would be.

I won't disagree with you about the "easy to configure" part though. Iptables can be a huge pain in the butt to setup, with the aid of a GUI or not.

----------

## Havin_it

Yeah, admittedly Gentoo is perhaps the worst example of a distro where you might "expect" things like this to be done for you, and I totally agree about the on-by-default thing being a usability risk. However, I've never seen it in any other distro (not that I'm much of a distro-whore mind you, I've only tried Kubuntu on real machines and Ubuntu, Debian and CrunchBang in VMs).

Ubuntu is a good case in point. They do a lot of work on making important *choices* jump out at the user on install or first-run, such as the non-free addons and so forth. I think it'd be good if they also threw in a popup saying "Would you like to enable a basic firewall that keeps everything out? If you change your mind, here's how to disable it again..." And it would be a smart move with Ubuntu, as its default install includes a lot of running services some of which might be unwise to expose to the WAN (say if one was using a 3G modem, and Ubuntu *is* a favourite for netbooks after all...).

The parallel in Gentoo would be an addition to the installation handbook I guess.

What I'm getting at is, it'd be good if such a thing was just available and well-publicised, but sadly it's not.

----------

## Loko123

 *Havin_it wrote:*   

> One of the great bummers I always think in Gentoo (and many other desktop distros) is the lack of a firewall that's on by default and easy to configure. 
> 
> There are many who will argue either that it's not important (no services exposed by default until you add them yourself; most home users are behind NAT now anyway; etc), or it's a piece of cake to setup ("iptables -J somethingorother -t wibble -k 5,8,~ CAKE FISHNET ALBATROSS" - well, if you call that simple :S ). But none of these arguments are watertight or universal, and remember how we mocked Windows for not turning on the firewall by default until XP SP2.
> 
> At the very least, it'd be nice to have a bundled initscript that just sets iptables to drop all incoming traffic, which would be just the job for a large percentage of basic users. But in the Linux world (and I mean far beyond Gentoo alone) we seem a bit masochistic about this.  I've tried a couple of GUI firewall solutions (kmyfirewall, fwbuilder) and they certainly take a step in the right direction, but they can still sometimes get bogged down in excessive complexity, and rely on you having the right kernel settings or they will fail - often without giving you very clear info about what you need to change. For example, kmyfirewall would crap out if all your iptables stuff wasn't built as modules, because it expected to have to modprobe everything it needed itself and didn't identify when it was built-in (maybe they've fixed this, it's been a while).
> ...

 

++. That's true! And you have mentioned the problem with the complexity of iptables. So, maybe the Gentoo community could start an article about configuring iptables and the problem would be solved. But the problem is that iptables is also a software firewall. And software firewalls are not as secure as hardware firewalls. So on the one hand a firewall is a good idea, but on the other hand a wrongly configured firewall / firewall script (iptables) could be a negative step in security and raise your vulnerability.

++EDIT++

I'm going to install iptables and google for some How To's. If I get a working environment (with iptables) I'm going to write a documentation about it. (As far as I see, Gentoo has no documentation about iptables - Just a home router guide with some iptables commands).

----------

## Loko123

 *Mousee wrote:*   

>  *Havin_it wrote:*   One of the great bummers I always think in Gentoo (and many other desktop distros) is the lack of a firewall that's on by default and easy to configure. 
> 
> There are many who will argue either that it's not important (no services exposed by default until you add them yourself; most home users are behind NAT now anyway; etc), or it's a piece of cake to setup ("iptables -J somethingorother -t wibble -k 5,8,~ CAKE FISHNET ALBATROSS" - well, if you call that simple :S ). But none of these arguments are watertight or universal, and remember how we mocked Windows for not turning on the firewall by default until XP SP2.
> 
> At the very least, it'd be nice to have a bundled initscript that just sets iptables to drop all incoming traffic, which would be just the job for a large percentage of basic users. But in the Linux world (and I mean far beyond Gentoo alone) we seem a bit masochistic about this.  
> ...

 

As far as I understood, you're able to allow ssh only. I think this is the script for that:

```shell
# Flush all existing rules and delete any user-defined chains
iptables -F
iptables -X

# Default policy: drop everything that is not explicitly accepted, in all three chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming ssh connections on port 22 and the replies going back out
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
```

That is if port 22 is your ssh port; if not, just change it to your desired port.

Best wishes,

Loko 123

----------

## Mousee

 *Loko123 wrote:*   

> 
> 
> As far as I understood, you're able to allow ssh only. I this is the following script for that:
> 
> # Flushing all rules
> ...

 

Yes, however someone may not want SSH running on port 22 when they set up their headless box. Anyway, it's an "okay" idea for a desktop system, but terrible for any server system.

And thankfully Gentoo will not be adding anything like that.

----------

## Havin_it

 *Mousee wrote:*   

> 
> 
> Yes, however someone may not want SSH running on port 22 when they setup their headless box. Anyways, it's an "okay" idea for a desktop system, but terrible for any server system.
> 
> And thankfully Gentoo will not be adding anything like that.

 

I don't see why the hostility to having something *available* at least. As I said above, nobody's suggesting it should be enabled by default, but lots of people would benefit from having the *option* to deploy a firewall with some basic config done for them (including keeping some specified ports open if required). The alternative is what we're stuck with now, where nobody can get basic protection without a great deal of study. Choices are good!

----------

## The Doctor

I agree that the handbook should have some firewall information in it.

Personally, I would put a link at the beginning to the security handbook and at the end reference the handbook again and also have a second link directly to the page on firewalls.

It's not an option unless people are informed.

The following link has all the information needed to set up an iptables firewall, in case any are interested.

http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12

----------

## Mousee

 *Havin_it wrote:*   

>  *Mousee wrote:*   
> 
> Yes, however someone may not want SSH running on port 22 when they setup their headless box. Anyways, it's an "okay" idea for a desktop system, but terrible for any server system.
> 
> And thankfully Gentoo will not be adding anything like that. 
> ...

 

You say this but:

 *Havin_it wrote:*   

> 
> 
> One of the great bummers I always think in Gentoo (and many other desktop distros) is the lack of a firewall that's on by default and easy to configure.
> 
> 

 

Anyways - I don't see what your complaint is about. Iptables IS available as an option already (emerge -av iptables), as are the UIs designed to make creating rules for it easier. Perhaps some more coverage in the Installation Guide wouldn't hurt, however, as I don't even recall it being covered well (if at all) in there.

 *penguin swordmaster wrote:*   

> 
> 
> Its not an option unless people are informed. 
> 
> 

 

Exactly!  :Very Happy: 

As to adding some kind of basic, "pre-defined, new-user-friendly rule-set" to iptables - the best way to go about it, that I can think of off-hand, would be to have a USE flag for the iptables package. No idea what you'd call it... "preset-desktop" or something? This way both the iptables package and the rule-set remain optional components while some decent coverage of their availability and the added benefits they provide together in the Gentoo Installation docs would give new users a simple and somewhat effective choice in security for their system(s).

Also... "hostile"? Please. If you want hostile, ask me about my opinion on having app-editors/nano installed as a "default" in the current Stage3's, without the "option" of having a stage3 built with app-editors/vim installed instead.  :Razz: 

----------

## Havin_it

 *Mousee wrote:*   

> 
> 
> You say this but:
> 
>  *Havin_it wrote:*   
> ...

 

Yeah, you won me over on that point   :Very Happy:  I should have backtracked explicitly. I do still think it'd be good for Ubuntu et al. to devote a step in their installation wizards to it, though.

 *Mousee wrote:*   

> 
> 
> Anyways - I don't see what your complaint is about. Iptables IS available as an option already (emerge -av iptables), as are the UI's designed to make creating rules for it easier.

 

It's there, but as you acknowledged it's pretty arcane to actually use, and the GUIs in my experience are pretty flaky. I was getting somewhere with kmyfirewall but it bit-rotted, and fwbuilder seems to actually make things even more complex  :Sad:  and in both cases, the generated scripts have failed without giving a clear indication what's wrong.  Consumer router/modems come to mind here: with them you're achieving all the basic firewall configuration most users would need, but they keep it simple enough for the average consumer to comprehend. Something like this would be a godsend.

 *Mousee wrote:*   

> Perhaps some more coverage in the Installation Guide wouldn't hurt however, as I don't even recall it being covered well (if at all) in there.
> 
> 

 

I don't think it's there at all. There is the page in the Security Handbook that penguin swordmaster linked above, which without reviewing in depth, I'd say loses a lot of impetus by going through a load of irrelevant historical info before getting to the point. When you get to the meat, it seems good, but it should be referenced in the Installation Handbook so people could actually find it.

 *Mousee wrote:*   

> As to adding some kind of basic, "pre-defined, new-user-friendly rule-set" to iptables - the best way to go about it, that I can think of off-hand, would be to have a USE flag for the iptables package. No idea what you'd call it... "preset-desktop" or something? This way both the iptables package and the rule-set remain optional components while some decent coverage of their availability and the added benefits they provide together in the Gentoo Installation docs would give new users a simple and somewhat effective choice in security for their system(s).
> 
> 

 

I agree. The iptables ebuild is already set up well to receive canned sets of rules; my thought was an "examples" flag that would provide a small set of ready-to-use scripts for common setups. Taking it further, it'd be quite simple (for an iptables guru) to knock up a "wizard" to construct a basic inbound-blocking ruleset with the opportunity to punch some holes as needed.  Gentoo is as good at CLI-level "polish" like this as Ubuntu is with the GUI variety, I'm sure it could be done.

 *Mousee wrote:*   

> 
> 
> Also... "hostile"? Please. If you want hostile, ask me about my opinion on having app-editors/nano installed as a "default" in the current Stage3's, without the "option" of having a stage3 built with app-editors/vim installed instead. 

 

LOL, yeah best if I stay out of that one too   :Laughing: 
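The SSH-only script posted earlier in the thread and the "inbound-blocking ruleset with some holes punched as needed" idea above, as an added example that is not part of the thread or of any Gentoo package: a POSIX shell script that prints (or, with FW_APPLY=1, applies) a stateful default-deny INPUT ruleset for whichever TCP ports are passed on the command line, so the SSH port need not be 22 and outbound traffic such as DNS and emerge keeps working. It assumes iptables with the conntrack, limit and LOG targets built into or loadable by the kernel; the file name fw.sh, the FW_APPLY variable and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: generate a stateful "drop everything
# inbound except the listed TCP ports" iptables ruleset.
# Usage: sh fw.sh 22 80          -> print the rules (dry run)
#        FW_APPLY=1 sh fw.sh 2222 -> apply them with iptables (run as root)
# Assumes the conntrack and limit matches and the LOG target are available
# in the kernel (built-in or as modules), which GUI tools often forget to check.

# Accept only a plain decimal TCP port number in the range 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one iptables command per line for the given allowed inbound TCP ports.
gen_rules() {
    # Clean slate, then default-deny on INPUT and FORWARD.
    echo 'iptables -F'
    echo 'iptables -X'
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    # OUTPUT stays ACCEPT: the SSH-only script in the thread drops OUTPUT too,
    # which also cuts off DNS lookups, portage syncs and browsing.
    echo 'iptables -P OUTPUT ACCEPT'
    # Loopback is trusted.
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started (DNS answers, downloads, ...).
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that claim to belong to a connection conntrack does not know.
    echo 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Punch holes only for the services explicitly requested on the command line.
    for p in "$@"; do
        if valid_port "$p"; then
            echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        else
            echo "gen_rules: ignoring invalid port '$p'" >&2
        fi
    done
    # Rate-limited log of what the default policy is about to drop, so a
    # misconfigured ruleset shows up in the logs instead of failing silently.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
}

# Number of per-port ACCEPT rules gen_rules would emit for the given arguments.
count_holes() {
    gen_rules "$@" 2>/dev/null | grep -c -- '--dport'
}

if [ "${FW_APPLY:-0}" = "1" ]; then
    gen_rules "$@" | sh    # apply for real; needs root and the iptables binary
else
    gen_rules "$@"         # dry run: just show what would be applied
fi
```

Check the dry-run output before setting FW_APPLY=1 on a remote box, since a missing hole for the port sshd actually listens on locks you out the moment the INPUT policy flips to DROP.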

----------

## Mousee

 *Havin_it wrote:*   

>  *Mousee wrote:*   
> 
> You say this but:
> 
>  *Havin_it wrote:*   
> ...

 

Yeah I don't disagree at all, and honestly I'm surprised most of them don't have this as some kind of default already (Ubuntu especially, considering they have separate desktop & server builds).

I've never had any luck with the various iptables GUIs myself either, so I can't exactly recommend any of them for mention in the Gentoo docs, but I assume for rather simple rules they're useful/functional. The complexity of even the GUIs however might be a reason that other distros haven't incorporated any kind of "default firewall" I suppose. :/

----------

