# Security Advice for Home Server: nextCloud, Subversion, Wiki

## Xharlie

Hi, all. Greetings from an old Gentoo user, recently returned. I haven't used Gentoo since 2007. It's nice to find that the distro still feels the same - sort of comfortable - after all these years. Although it did take me a whole day to get my home server up and running and accessible via SSH. (Most of this time was spent fighting with UEFI and `menuconfig`, to be fair. I'm rusty.)

Anyway, I am building a home server. I have many devices, now, such as different dev. boxes, phone, laptop, CUDA dev. desktop, etc, and need some sort of cloud to sync stuff between them. The news, these days, makes me want to ditch SkyDrive and wotnot in favour of storing my own data within my own four walls. I'm looking for some advice.

Initially, I'm aiming to run nextCloud, a Subversion server and some sort of Markdown-powered wiki server, and perhaps GitLab. I've decided to go with Docker containers running Alpine Linux hosted on a Hardened Gentoo host.

I've identified Gentoo as a good distro for the host because I sort of remember it - I basically lived under Gentoo, ten years ago. And I get to patch, configure and compile my own Kernel and, because Docker shares the Kernel between host and containers, this can ONLY be a good thing.

I want to use Docker on my home server so that the system is "repeatable". I love the fact that dockerfiles are plain-text and simple to read and write and can be stored under Git and, once written, they're assets that can be replayed - unlike bare-metal servers, which typically require at least some setup and configuration by hand. Also, if you get them wrong, you can remove the fallout atomically and have another go - unlike hand-installed services which can spew orphaned artefacts all over your box if you're not careful. (Sure, you can fix nearly everything on Gentoo but let's be honest: I'm too old to be manually sifting through my file-system, fixing broken stuff.)

Yesterday, I built the host. It's in a passively-cooled Micro-ITX housing that should be fine for an always-on device. I went with a hardened stage-3 without multilib. Right now, it's up and running with SSH with key-file authentication, only. I also locked the root account, changed the SSH port and have spent some time fighting with `hdparm` to get the drives to idle nicely. It's ready for some usefulness to be added. Question time.

Should I set up SELinux on this host? Will it play nicely, with Docker, and will it actually add any useful security, considering that all applications will be isolated in containers, anyway?

What about grsecurity and Pax? Same questions for these. (Newbie Aside: are these two separate things or one and the same?)

I'm guessing that there are a few, here, who run Docker under Gentoo. Are there docker-specific security issues about which I should be informed? Do you have advice on partitioning and mount-points so that Docker's containers and data-files are isolated from the system?

Are there any massive security errors of which I should be aware? Newbie mistakes? I've read the security guide on the Wiki and I'm trying to apply common-sense. Are there other guides or pages or blog-posts that I should definitely read before proceeding to expose my server through my firewall?

At the end of all this, I plan to ask my white-hat friend to have a go. I'll even give him some information about the box so he'll have an advantage. He'll have fun - he's that sort of bloke. Also, I'll promise him a crate of local beer for every vulnerability he finds. We're in Nürnberg so that's the good stuff. (Oh... and cheap. So more of a symbolic prize.)

----------

## Ant P.

You might want to build your sshd without SSL support (leaving it with only the fairly strong built-in ciphers/keys), unless you have a pressing need to log in from ancient clients (fair warning: this includes some phone apps). Or you can go further and build everything with USE=libressl to get rid of openssl. It's not too hard, I've got both done on a normal desktop machine.

SELinux seems like overkill for a home server; plus you sound like you have enough common sense already that it won't make a difference.

Use grsec at your own risk, they've recently started shaking down users for money, and there's no patch for kernel >= 4.9 unless you have extremely deep pockets or trust random third-party github repos with ring 0 access to your computer. A badly-done security setup can be worse than none at all.

----------

## Xharlie

Interesting. I read the news-item from emerge with hardened-sources and sort of got this impression. Anyway, I managed to bork my JFS and my ath10k drivers so badly that I decided to take what I had learned and have another go.

This time around, I ditched GRUB2 in favour of direct EFI entries - what a refreshing novelty! Caw. I hated UEFI up until now but, now, I realise that what I truly hated was SecureBoot. UEFI is just glorious.

It feels like my system is way more stable, now, and boots way faster - obviously.

But I have yet more questions - the biggest one: if I don't go with the hardened kernel sources, should I bother with a hardened profile? I guessed not, and went with vanilla (ohne multilib) (agh. been living in Germany for too long - it's creeping in unconsciously) (hmm? Why would I not have thought twice about saying "sans multilib" but seeing myself type "ohne" seems unusual?) ... back on track... I feel like the vanilla profile is more stable. Even with the -ssl use-flag.

If I stick with vanilla, are there any use-flags from the hardened profile that I absolutely must set?

I've turned off RSA and DSA in sshd and have opted for chacha20-poly1305, curve25519-sha256 key-exchange and ed25519 keys for hosts and authentication. I have also moved off the default port and disabled all but public-key auth - and that only for my non-root user.

For some reason, the hmac-sha2-...-etm macs aren't showing from `ssh -Q mac`. Do I need OpenSSL for those? That seems a bit odd.

----------
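The sshd configuration Xharlie describes in the post above (ed25519-only host key, chacha20-poly1305, curve25519-sha256 key exchange, public-key authentication only, no root login, non-default port) can be checked mechanically. The script below is an added example and is not code from the thread or from OpenSSH; it audits an `sshd_config` for exactly those settings, resolving keywords the way sshd does (first occurrence wins, case-insensitive, comments ignored). The two sample configs, the port number and the user name `xharlie` are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the hardening
# choices discussed above. Sample configs, port and user name are constructed.

# sshd_value KEYWORD: print the effective value of KEYWORD from the config on
# stdin. Like sshd, take the first occurrence, ignore case and skip comments.
sshd_value() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# expect_value KEYWORD WANTED: compare against $cfg, count a failure on mismatch.
expect_value() {
    got=$(printf '%s\n' "$cfg" | sshd_value "$1")
    if [ "$got" != "$2" ]; then
        echo "FAIL $1: got '${got:-<default>}', want '$2'"
        fails=$((fails + 1))
    fi
}

# audit_sshd_config FILE: return 0 if every check passes, 1 otherwise.
audit_sshd_config() {
    cfg=$(cat "$1")
    fails=0
    expect_value PermitRootLogin no
    expect_value PasswordAuthentication no
    expect_value ChallengeResponseAuthentication no  # KbdInteractiveAuthentication in OpenSSH >= 8.7
    expect_value AuthenticationMethods publickey
    expect_value Ciphers chacha20-poly1305@openssh.com  # AEAD: the MACs line does not apply to it
    expect_value KexAlgorithms curve25519-sha256
    expect_value HostKey /etc/ssh/ssh_host_ed25519_key
    # Exactly one HostKey line, so no RSA/DSA/ECDSA host key is offered at all.
    n=$(printf '%s\n' "$cfg" | awk '/^[ \t]*(#|$)/ { next } tolower($1) == "hostkey" { c++ } END { print c + 0 }')
    if [ "$n" -ne 1 ]; then
        echo "FAIL HostKey: $n host keys configured, want exactly 1 (ed25519)"
        fails=$((fails + 1))
    fi
    # Moving off port 22 is not security, but it cuts log noise; check it anyway.
    port=$(printf '%s\n' "$cfg" | sshd_value Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port: still on 22"
        fails=$((fails + 1))
    fi
    # AllowUsers must be set and must not include root.
    users=$(printf '%s\n' "$cfg" | sshd_value AllowUsers)
    case " $users " in
        "  ")       echo "FAIL AllowUsers: not set";       fails=$((fails + 1)) ;;
        *" root "*) echo "FAIL AllowUsers: includes root"; fails=$((fails + 1)) ;;
    esac
    [ "$fails" -eq 0 ]
}

# Constructed sample matching the configuration described in the thread.
hardened_sample() {
    cat <<'EOF'
Port 2222
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
AllowUsers xharlie
EOF
}

# Constructed sample resembling a stock install; it should fail several checks.
weak_sample() {
    cat <<'EOF'
#Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
}

# run_demo: audit both samples; 0 when the hardened one passes and the weak one fails.
run_demo() {
    h=$(mktemp); w=$(mktemp)
    hardened_sample > "$h"; weak_sample > "$w"
    echo "== hardened sample"; if audit_sshd_config "$h"; then hr=0; else hr=1; fi
    echo "== weak sample";     if audit_sshd_config "$w"; then wr=0; else wr=1; fi
    rm -f "$h" "$w"
    [ "$hr" -eq 0 ] && [ "$wr" -ne 0 ]
}
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`, and after any edit let sshd check its own syntax with `sshd -t -f /etc/ssh/sshd_config` before restarting. Because chacha20-poly1305@openssh.com is an AEAD cipher, the `MACs` keyword is irrelevant to the negotiated session, which is why the missing hmac-sha2 entries in `ssh -Q mac` on an OpenSSL-less build do not weaken this configuration.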

## Ant P.

It's a good idea to switch GCC to USE="pie ssp" sooner rather than later. Those are default in hardened, they're going to be default in normal profiles too. It might be a bit rough switching over; I was lazy and just did an emerge -e @world.

Yes, the missing sha2 things come from OpenSSL. sshd_config(5) contains lists for various -Q things *with* SSL if you want to compare them and see what else isn't there. Don't panic though, the defaults are secure. And if you had cause to worry about MACs then you'd already have much crazier problems (the main encryption being cracked).

My own opinion is that there's not much point in using hardened anyway for a server that does... any service at all: Most malware goes for easy targets at the top of the software stack. You see a lot of noise made about things like Heartbleed or Shellshock, but nobody gives that kind of attention to an SQL injection, XSS, or weak default password — it'd take a million-dollar budget just to register the clever-sounding domain names for them all, to say nothing of the logo design...

----------

## Hu

Hardened profile without a hardened kernel is, at least in theory, more secure than vanilla profile without a hardened kernel. As Ant P. notes though, there are plenty of stupid security bugs that the hardened profile cannot protect against, especially in the higher level languages where hardened makes no meaningful changes relative to vanilla. Personally, I would use hardened profile whenever possible. It's not perfect, but it reduces the number of ways that an attacker can advance.

----------