# Some Gentoo server pointers

## Arthanis

Hi all. First of all I must say I have been using Gentoo on the desktop for about 2 years, and I'm very pleased with its stability, speed and customization, and I still keep getting amazed by its awesome documentation and, most of all, the good will and expertise of its community. Because of all that, I decided to build some Gentoo servers: 2 Tomcat servers + one replicated (so, actually 2) MySQL database server. So you guys can figure that my priority here is stability, not "bleeding-edge" software, which means that I need to build the servers and then keep them running, that's all, no major unnecessary updates and stuff, except security ones. So I would like some suggestions on how to maintain the servers, and how to keep them secure, which means only updating packages that have vulnerabilities in them. I heard about glsa-check, but I don't quite understand how to use it. And I also heard about Hardened Gentoo, but I didn't get the difference. So, what are your suggestions, guys? Thanks in advance.

----------

## mikegpitt

I've been running gentoo on a development server that needs to be connected to the net for around three years now, and had similar requirements to you when I set things up.

Here are some tips:

1) Stick to stable keywords, and try to avoid using ~x86 for anything

2) Create a nightly cronjob to run an `emerge --sync` and a `glsa-check --list affected` and email you the results.  This will let you know if you need to update anything due to security issues.  (if you need help here I can give some pointers).

3) Set up shorewall or a similar firewall to keep things sane.

4) Unless your server is public, I would look into using openvpn to only allow trusted people access.  This will cut down on a lot of unwanted probing.

5) It might be useful for you to install snort and chkrootkit for some IDS capability.

6) Use the server make.profile when you build your packages.

For my server I have had great performance, security, and stability since I've set it up.  Bringing the entire system up to date might be a bit of a hassle, since I've only really updated packages for security issues, but so far there has been no need.

----------

## Hypnos

mikegpitt,

Even though I only have a laptop, I follow all of your principles which apply.  Keeps things solid and trim.

I would add one more tip:  periodically upgrade packages whose installed version has been removed from the Portage tree.  If a version (or whole package) disappears from the tree, it's no longer supported.  When you have to do some other upgrade for security or features, you might encounter some mysterious breakage ...

Using Paludis this is easily seen with "paludis --report", which is one of many things I have emailed to me nightly by my cron.  Most likely there's some way to do this with stock portage ...

----------

## Arthanis

But guys, if I run emerge --sync, won't I be updating my packages once I run emerge world? I would like to know if there is a way to "freeze" my Gentoo, only updating when there are security issues or removal of an installed version from the Portage tree.

----------

## Hypnos

The point is you don't do "emerge --sync; emerge world".   You do "emerge --sync; glsa-check --list affected" to see if there are any new vulnerabilities, and correct them manually by invoking "emerge yabba daba doo".

"emerge world" on a server, except during scheduled downtimes, or unless you have a test machine, seems like a very bad idea ...
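The nightly routine mikegpitt's tip 2 describes (sync, then `glsa-check --list affected`, mailed to the admin), Hypnos's follow-up of "emerge --sync; glsa-check --list affected" instead of a world update, and Hypnos's earlier tip about installed versions that have disappeared from the tree, put together as one cron script. This is an added example, not a script posted in the thread or shipped by Gentoo. Assumptions: the tree lives at `/usr/portage` and the installed-package database at `/var/db/pkg` (both overridable), `mail(1)` is installed, and `ADMIN_MAIL` / `NIGHTLY_RUN` are hypothetical names chosen here. The stale-version check is a stock-Portage equivalent of Hypnos's `paludis --report`: an installed `category/pkg-version` is reported when its `.ebuild` file is no longer in the tree.

```shell
#!/bin/sh
# Added example: nightly security report for a "frozen" Gentoo server.
# Assumed paths (override via environment): PORTDIR, VDB. ADMIN_MAIL and
# NIGHTLY_RUN are hypothetical names used only by this script.
PORTDIR="${PORTDIR:-/usr/portage}"
VDB="${VDB:-/var/db/pkg}"
ADMIN_MAIL="${ADMIN_MAIL:-root}"

# Print "category/pkg-version" for every installed package whose ebuild is
# no longer present in the tree (i.e. the version is unsupported upstream of
# you and will bite on the next forced upgrade).
#   $1 = tree root (e.g. /usr/portage), $2 = installed-package db (/var/db/pkg)
stale_installed_versions() {
    tree="$1"
    vdb="$2"
    for dir in "$vdb"/*/*; do
        [ -d "$dir" ] || continue
        cpv="${dir#"$vdb"/}"            # dev-db/mysql-5.0.70-r1
        cat="${cpv%%/*}"                # dev-db
        pf="${cpv#*/}"                  # mysql-5.0.70-r1  (= ${PN}-${PVR})
        case "$pf" in -*) continue ;; esac   # skip transient -MERGING- entries
        # Strip the version (starts at the last "-<digit>") and any -rN revision
        # to recover the package name, which is the tree's directory name.
        pn=$(printf '%s\n' "$pf" | sed -E 's/-[0-9][^-]*(-r[0-9]+)?$//')
        [ -e "$tree/$cat/$pn/$pf.ebuild" ] || printf '%s\n' "$cpv"
    done
}

# Sync first: glsa-check compares installed packages against the GLSA
# advisories that ship in the tree, so a stale tree means stale results.
nightly_report() {
    emerge --sync --quiet >/dev/null 2>&1
    {
        echo "== Installed packages affected by a GLSA (glsa-check --list affected) =="
        glsa-check --list affected 2>&1
        echo
        echo "== Installed versions no longer in the Portage tree =="
        stale_installed_versions "$PORTDIR" "$VDB"
    } | mail -s "$(hostname): nightly Gentoo security report" "$ADMIN_MAIL"
}

# Only perform the sync/mail step when explicitly asked (e.g. from cron),
# so the functions above can be sourced and reused safely.
if [ "${NIGHTLY_RUN:-0}" = 1 ]; then
    nightly_report
fi
```

Install it as root and schedule it with a crontab line such as `0 3 * * * NIGHTLY_RUN=1 /usr/local/sbin/gentoo-nightly.sh`. Anything listed under the GLSA heading is then fixed by hand with a targeted `emerge` of that package (or `glsa-check --fix <id>`), never by a world update; anything under the stale-version heading is a candidate for a planned upgrade during a maintenance window, followed by `revdep-rebuild` as Hypnos suggests.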

----------

## szczerb

 *Hypnos wrote:*   

> ...
> 
> "emerge world" on a server, except during scheduled downtimes, or unless you have a test machine, seems like a very bad idea ...

 Actually it seems like a very weird idea on any machine. There are two sensible things to do with world. #1 is updating so `emerge -DuNva world` or similar and #2 is rebuilding everything `emerge -e world` after damaging / or /usr or something similar or to rebuild with new flags or a new compiler. Can't really think why one would do `emerge world`...

----------

## Hypnos

I never do "emerge world", but I do pick and choose from there to update specific world packages to get new features.

Deep upgrade is recommended by Gentoo devs, but I very much disagree with it, and I've had no problem with my method in 7 years of running.  As I write above, I do update deep dependencies whose installed versions have disappeared from the tree and follow up with a revdep-rebuild.

Also, "emerge -e world" is done way too often.  It is only required if your gcc ABI changes, and the devs tell you when that is.  Updating USE flags uniformly across your system is not necessary for its proper functioning -- that's what USE deps are for.  If your system is b0rked, restore from backups (which are complete and up-to-date, right? Right?!).

----------

## szczerb

 *Hypnos wrote:*   

> I never do "emerge world", but I do pick and choose from there to update specific world packages to get new features.

 I'd still guess then, that you do something more like `emerge -uNvp world` and choose from the output (with or without the rebuilds).

 *Hypnos wrote:*   

> Deep upgrade is recommended by Gentoo devs, but I very much disagree with it, and I've had no problem with my method in 7 years of running.  As I write above, I do update deep dependencies whose installed versions have disappeared from the tree and follow up with a revdep-rebuild.

 I understand that on a server and that's the topic. On normal systems I prefer to have everything up to date, not just the couple dozen packages in world.

 *Hypnos wrote:*   

> Also, "emerge -e world" is done way too often.  It is only required if your gcc ABI changes, and the devs tell you when that is.  Updating USE flags uniformly across your system is not necessary for its proper functioning -- that's what USE deps are for.  If your system is b0rked, restore from backups (which are complete and up-to-date, right? Right?!).

 I meant CFLAGS not USE flags... my bad ;]

----------

## overkll

If you run sshd on the public interface, you may want to have it listen on a non-standard port.  Running it on port 22 will leave you open to all the script kiddies and other malicious entities.  Running on port 22 is USUALLY harmless other than one's logs filling up with unsuccessful login attempts.

----------

## arndawg

I'm also running Hardened Gentoo (x86) and glsa-check in cron (you can find glsa.sh in the wiki).

It has been working great for the last year or so. The only thing I'm a bit worried about is whether glsa-check checks to see if my kernel has security holes. I think I have read that Linus has started reporting security holes as just regular bugs? Is this true? If so, when should you upgrade the kernel (hardened-sources)?

----------