# [solved] [hardened] about gentoo hardened

## opc0de.fr

Hello,

I have a server and it's my first. I already use Gentoo for my desktop. I would like to know if Gentoo Hardened is really secure and stable, and if it is a good idea to install it on my server.

Thank you for developing and explaining your answer.

Last edited by opc0de.fr on Mon Apr 22, 2013 11:03 am; edited 1 time in total

----------

## chithanh

Hardened is as secure as it gets in most measurable ways.

http://labs.mwrinfosecurity.com/blog/2010/06/29/assessing-the-tux-strength-part-1---userspace-memory-protection/

http://labs.mwrinfosecurity.com/blog/2010/09/02/assessing-the-tux-strength-part-2---into-the-kernel/

However, the security comes at the cost of functionality and convenience (and to a lesser extent, performance). A number of packages do not work properly or need extra attention. To get an idea, have a look at the various package.mask and package.use.mask files under /usr/portage/profiles/hardened/.

----------

## NeddySeagoon

opc0de.fr,

Welcome to Gentoo.

What is security and what do you want to secure against?

If you consider security in layers, rather like an onion, then hardened adds more layers to make remote attacks and local privilege escalation attacks harder to execute successfully.

It does nothing to prevent someone with physical access to your system doing what they will. For that, you need to encrypt your data. You can do that anyway but it's not a part of hardened.

Yes, it's a good thing on servers because it makes attacks harder. That will make random attackers go away and find an easier target.

----------

## opc0de.fr

Thank you both,

It's not to prevent someone with physical access to my system.

When I mention "security" I mean: a Gentoo that will be hard to hack.

On my server, there will be apache/php/mysql for one website, two WordPress sites, two repositories, one GitLab or something like it (hm, which is the best in your opinion?) for several projects in C, C++, ASM, ...

There will also be a DNS server (bind), a mail server and a media server (Deezer-like; here also, what is your opinion on which is better?)

What do you think about chrooting / jailing services ?

Do you have URLs of websites about hardening Gentoo, for more information and tutorials?

For the hardened kernel, what are the essential / inevitable modules?

I await your answers impatiently, thank you very much. :)

----------

## chithanh

The various components of a hardened system protect against a very specific list of threats. Mostly they are related to making it difficult to exploit buffer overflow vulnerabilities, or limiting the options an attacker has after gaining control of the execution flow of a process.

Hardened does not help against SQL injections / directory traversal / XSS / CSRF style attacks. Look into Apache mod_security for that. It also does not help against weak passwords (look at pam_cracklib) or detecting whether someone has already compromised your system (look at aide, chkrootkit) or network (look at snort).

Virtualization can be used to isolate services from each other, so that - barring exploitable conditions in the hypervisor - a vulnerability in one service does not put the others in danger.
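A check that follows from the post above: whether a binary actually carries the ELF-level markers of the userspace mitigations a hardened toolchain is supposed to emit (PIE, non-executable stack, RELRO). This is an added example, not code from the thread or from the Gentoo Hardened project; it parses the ELF64 headers itself, and the sample image it inspects is constructed inline rather than taken from a real build.

```python
import struct

# ELF constants (from the ELF64 specification / elf.h).
ET_DYN, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 3, 0x6474E551, 0x6474E552, 1

def build_sample_elf(e_type=ET_DYN, stack_exec=False, relro=True):
    """Constructed sample: a minimal little-endian ELF64 image with only the
    headers we inspect. Defaults mimic what a hardened toolchain produces
    (PIE, RW stack, RELRO segment). It is not a loadable program."""
    phdrs = [(PT_GNU_STACK, 6 | (PF_X if stack_exec else 0))]  # RW, optionally +X
    if relro:
        phdrs.append((PT_GNU_RELRO, 4))                         # R only
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # ELFCLASS64, LE
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000, phoff,
                               0, 0, 64, phentsize, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000)
                    for t, f in phdrs)
    return ehdr + body

def check_hardening(elf_bytes):
    """Report which mitigations the ELF headers advertise.
    A missing PT_GNU_STACK means the kernel grants an executable stack, so
    nx_stack defaults to False until the header proves otherwise."""
    if elf_bytes[:4] != b"\x7fELF" or elf_bytes[4] != 2 or elf_bytes[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", elf_bytes, 16)
    phoff, = struct.unpack_from("<Q", elf_bytes, 32)
    phentsize, phnum = struct.unpack_from("<HH", elf_bytes, 54)
    result = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False}
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", elf_bytes, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    return result

def check_file(path):
    """Run the same check on a binary on disk, e.g. something under /usr/bin."""
    with open(path, "rb") as fh:
        return check_hardening(fh.read())

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Run it over a few installed binaries after switching profiles; any `False` in the output is a package to look at (a masked or deliberately non-PIE package, or one built before the profile change).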

----------

## Sven Vermeulen

Gentoo Hardened has a number of subprojects, including SELinux and integrity. Securing a box can be done using several methods, but imo the most important one is to have educated administrators ;)

That being said, if you want to run multiple services on the same system, using virtualization and/or a mandatory access control system like SELinux makes sense imo. It reduces the risk that an exploit against one system affects the others.

----------

