# Securing a spare box as a side project, possible IoT

## ComputingCactus

Hi Gentoo community, I've used Gentoo on and off for several years. Usually just for a desktop that is "for me" and fits my needs, or small servers (hobby projects).

I never had the need to post before, as the Gentoo forums and the internet provide solutions to most endeavors. I had an interesting idea I haven't found much, if anything, about.

Spare x86_64 box running a manual kernel could use an update, and I was curious if I could make it a secure box and have it negotiate everything between IoT devices (hobby project, not mission critical).

I know that you can create quite a secure Gentoo box with enough work, or I don't think the hardened profiles would still be around. I've never delved deep into the security of Linux past the desktop, but I read on the wiki & in the forum that you generally cannot mix desktop and hardened due to bugs or vulnerabilities.

I read the security handbook, but it's dated now, six years old (2010). I have a healthy skepticism for learning about securing a (Gentoo) box with data that's old and probably exploitable. I did find it useful as a primer though!

Spare box would be x86_64 with 8 GiB-16 GiB of RAM, and is presently running a fully functional kernel from earlier this year. The devices it would connect to via IoT, I was thinking, could be TV, laptop, Android (maybe) @ home, among others like Pis or SSH to other servers (VoIP server as an example). I'm aware technologies in the IoT aren't always inherently secure, like Bluetooth, wireless, etc.

I'm also trying to learn more about iptables, as I believe that'd be the most important place to start (since I have some familiarity). I can't go too far past that on my own due to my lack of expertise, but I do think this hobby project will be a great learning experience.

I understand Gentoo well enough, I believe, to try and secure an install (and hopefully an IoT network), and I remember the triumph of just getting Gentoo working the first time after so many tries (double digits!) on an old temperamental machine.

Is hardened Gentoo viable for this project, or should I try using another distribution for it?

How has the Security handbook changed the most dramatically?

Useful caveats that address what might not be available on the wiki or forums (yet)?

Useful knowledge to read about getting further into the realm of security that might be too esoteric or difficult to find for the average Gentoo user (which might not be much, since Gentoo users tend to rt(f)m).

My first step is just converting the box over to a hardened kernel. I suppose I am simply looking for Gentoo gurus with spare time and expertise for this little project, haha! As my knowledge of Gentoo is average at best, I presume, out of the whole herd of Larrys.

Thanks, Cactus

----------

## gerdesj

I think you are confusing several things here.

I think you are looking to implement a router and firewall with maybe a web proxy and a few other things. In the end you can't really make IoT "things" secure by putting something in between them and the internet unless you modify what they "do" in some way.

For example, I have an IP camera from a firm called Keekoon (it's Chinese, I'm British).  By default it wants to stream via their servers to a smartphone app.  No thanks!  As it turns out I can block its access to the internet completely and I simply stream from it via Zoneminder, so it is blocked from accessing the internet at all and it is connected to a separate VLAN from my home PCs/servers etc.  It is on the SEWER VLAN (yes, that's what I named it) along with other devices that I think can co-exist without fighting too much.

Before you worry about overdoing the security of your router's kernel I would define your security policy based on what devices and systems you have and what you want them to do.  I would also consider what functionality you want, constraints and so on.  Although I use the word policy, it's not as bad as all that. 

I personally use pfSense for my external firewall/router (I look after about 30 of them) and even with a web GUI it is complicated.  Trying to do it from scratch is much too hard but I still point nmap and things like http://www.openvas.org/ at them to test them.  I use the Kali distro for that.

----------

## ComputingCactus

Thanks @ gerdesj,

I've put some hours into the idea throughout the week and I think you're right. I was misunderstanding quite a bit, but I did expect a bit of that. 

It turned out that I was just getting ahead of myself with the project, went backwards and found I should do more reading and research on the topic. It doesn't take long to get lost.

Testing will be done @ home during free time. I looked @ pfSense and I will give it a shot. As far as constrictions go, none (that I'm aware of yet). I only need to be able to pipe traffic to the home network for regular use from one or more routers, and pipe traffic to this project box. My goal is to make the one box as secure as reasonably possible, see how far I can get! Test it, and make improvements primarily for fun. I figure there are a lot of interesting things to be learned in just doing that.

IoT is too big an idea right now haha!

I'll put off IoT until I can get the router and traffic handling done, rebuild the box's system with a hardened stage 3 (I've looked at SELinux & grsecurity, I don't know enough about them both yet to decide on either or both -- future reading, available on the wiki).

Then I'll take the traffic piped from the router that's not going to the home network, set up another firewall in the box, test both the router & the box and go from there (information about firewalls is also available on the wiki, I don't know much about advanced practices though).

Afterwards I believe I'd be tinkering with a 'policy' as you put it and find what I'm comfortable with. Then once all of that is running well, move on to a small IoT talking to the box. Whether those devices will be running gentoo or not or how is beyond the scope of this project right now. I'm making progress though.

My general idea so far:

1) --Router Setup (pfSense or alternative)

  Pipe traffic to 'home' network, and pipe traffic to 'hobby'; hobby will be as strict as I can figure out, I suppose, so long as I'm still learning something. 'home' will be much less so to begin with, to not impact daily use too much. (Though after the project, if all goes well, I could use what I learn to increase the home network's security; that can be another goal.)

2) --Spare box setup (hardened stage3, possibly SELinux and/or grsecurity)

Might also do LVM/LUKS, but there is enough on the forums/wiki about that so I might make that brief.

3) --Testing phase

See how the router & box fare against generic attacks & exploits of different magnitudes (if anyone has any ideas they'd like me to try on it @ that stage, let me know. Might be fun!)

4) --Adding IoT

Unknown, 1-5 devices estimate, support for more

5) --Secure 'home' network(not to extent of spare box, but more than it is now)

To be decided

If anyone has any other ideas, topics, thoughts or projects that run parallel or similar you're always welcome to post.

----------

## gerdesj

A router and firewall are only one part of the system.  When I used the word "policy" I meant "define what you want to happen".  Get away from the terminal and think about what you want to achieve.  Break the problem down into small pieces and deal with each piece.  This is defining a policy.

For example:

I have these systems on my network:  laptops/PCs, servers, mobiles (en_US: cell phone), IP cameras, smart TVs.

I have a set of DNS servers and they are the only ones that may be used (NTP etc. as well).

I have guests who come around that I would like to provide internet access but it should be via a captive portal.

I do not want my IP cameras to ever access the internet

I do not want my guests to be able to access my servers

I do want my ... etc etc

One method might be to make up a spreadsheet with the devices and classes down a column and the access across a row.  Then you put an X in the row/column to say that you allow access.  Anyway, however you do it, you are defining your "policy".

That policy then needs to be translated into action.  You now decide how best to enforce your policy.  It might be through a Gentoo based router/firewall or something else.

When you have got your policy implemented and working then you have finished the job.

If you still feel the need to mess around with things like Gentoo hardened then do so, but get to grips with it outside of your core systems.  When you get the hang of it then by all means make changes and do it.
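The "spreadsheet" policy described above, together with the camera-on-its-own-VLAN arrangement from the earlier reply, as an added example that is not part of the thread and is not anyone's posted configuration: a small Python script that holds the access matrix as data, compiles it into an nftables forward chain (first match wins, default drop, with the approved DNS/NTP server enforced ahead of the matrix so a broad "home -> internet" entry cannot bypass it), and lets you check individual flows against that chain before loading it on the router. The VLAN subnets, the DNS/NTP address, the Zoneminder address and the camera ports are made-up assumptions.

```python
"""Compile an access-control matrix into an nftables forward chain and test it.

Added example, not from the thread. The VLAN subnets, the DNS/NTP server and the
Zoneminder host address below are made-up assumptions used for illustration."""

import ipaddress

# Assumed addressing plan: one /24 per VLAN (not from the thread).
NETWORKS = {
    "home":    ipaddress.ip_network("192.168.10.0/24"),
    "servers": ipaddress.ip_network("192.168.20.0/24"),
    "guest":   ipaddress.ip_network("192.168.30.0/24"),
    "cameras": ipaddress.ip_network("192.168.40.0/24"),   # the "SEWER" VLAN
}
INTERNET = "internet"          # pseudo-destination: any address outside NETWORKS
DNS_NTP = "192.168.20.53"      # the only resolver/time source allowed (assumed)
ZONEMINDER = "192.168.20.10"   # the only host allowed to reach the cameras (assumed)

# The "spreadsheet": every X in the matrix is one (src, dst, ports) entry.
# src/dst are VLAN names, a single host address, or INTERNET; ports is a
# tuple of (proto, dport) pairs, or () for any protocol and port.
POLICY = [
    ("home",     "servers", ()),
    ("home",     INTERNET,  ()),
    ("servers",  INTERNET,  ()),
    ("guest",    INTERNET,  ()),                           # guests: internet only
    (ZONEMINDER, "cameras", (("tcp", 80), ("tcp", 554))),  # HTTP and RTSP (assumed)
    # No entry for cameras->INTERNET or guest->servers: they fall to the drop policy.
]

def _net(name):
    """VLAN name -> its network; a bare host address -> a /32 network."""
    return NETWORKS[name] if name in NETWORKS else ipaddress.ip_network(name)

def compile_rules():
    """Ordered (src, dst, proto, dport, verdict) rules; None means 'any'.
    Order matters: nftables takes the first matching rule in a chain."""
    rules = []
    # Approved DNS/NTP is accepted first, then every other resolver/time source
    # is dropped, so a broad entry such as home->INTERNET cannot bypass it.
    for net in NETWORKS.values():
        rules += [(net, _net(DNS_NTP), "udp", 53, "accept"),
                  (net, _net(DNS_NTP), "tcp", 53, "accept"),
                  (net, _net(DNS_NTP), "udp", 123, "accept")]
    rules += [(None, None, "udp", 53, "drop"),
              (None, None, "tcp", 53, "drop"),
              (None, None, "udp", 123, "drop")]
    for src, dst, ports in POLICY:
        for proto, port in (ports or ((None, None),)):
            rules.append((_net(src), INTERNET if dst == INTERNET else _net(dst),
                          proto, port, "accept"))
    return rules

def evaluate(src_ip, dst_ip, proto=None, dport=None):
    """Simulate the forward chain for a NEW connection: 'accept' or 'drop'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    d_internal = any(d in n for n in NETWORKS.values())
    for rsrc, rdst, rproto, rport, verdict in compile_rules():
        if rsrc is not None and s not in rsrc:
            continue
        if rdst == INTERNET:
            if d_internal:
                continue
        elif rdst is not None and d not in rdst:
            continue
        if rproto is not None and (rproto, rport) != (proto, dport):
            continue
        return verdict
    return "drop"                  # the chain's default policy

def _fmt(net):
    return str(net.network_address) if net.prefixlen == 32 else str(net)

def render_nft():
    """Emit the ruleset as text for `nft -f`."""
    lines = ["define internal = { %s }" % ", ".join(map(str, NETWORKS.values())),
             "table inet filter {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",   # replies to allowed flows
             "    ct state invalid drop"]
    for rsrc, rdst, rproto, rport, verdict in compile_rules():
        m = []
        if rsrc is not None:
            m.append("ip saddr " + _fmt(rsrc))
        if rdst == INTERNET:
            m.append("ip daddr != $internal")
        elif rdst is not None:
            m.append("ip daddr " + _fmt(rdst))
        if rproto is not None:
            m.append("%s dport %d" % (rproto, rport))
        lines.append("    " + " ".join(m + [verdict]))
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_nft())
    for flow in [("192.168.40.7", "203.0.113.9", None, None),        # camera -> internet
                 ("192.168.20.10", "192.168.40.7", "tcp", 554),      # Zoneminder -> camera
                 ("192.168.30.5", "192.168.20.10", "tcp", 22),       # guest -> server
                 ("192.168.10.4", "203.0.113.9", "udp", 53)]:        # home -> rogue DNS
        print(flow, "->", evaluate(*flow))
```

Run it with `python3 policy.py > forward.nft`, then `nft -c -f forward.nft` to syntax-check without loading, and only then `nft -f forward.nft`. Two caveats: this only covers forwarded traffic between VLANs, so the router's own input chain (SSH, DHCP, the DNS/NTP service if it runs there) and IPv6 need their own rules; and the `evaluate()` check models new connections only, which is why the generated chain accepts `established,related` before anything else. The same matrix could be written as `iptables -A FORWARD` rules if you prefer to start with iptables as the original post suggests; the point is that the policy lives in one place and the firewall is generated from it.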

----------

