[gentoo-user] Testing a chroot

2006-11-16 Thread Brian Davis
Is there any way to test this? I'm trying to chroot my apache server, 
and I'm curious how I could test that it's actually using it.


Also, does anyone have experience with using chroot via mod_security?

Thanks!
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] sshd issues

2006-11-15 Thread Brian Davis
Just keep in mind that rsa/dsa keys would be a more secure way of 
authenticating, especially with all the brute-force scripts out there.


Jon M wrote:

Ohh okay that makes sense.

For everyone's information, I got it to work properly.  First of all, 
I'm an idiot and was editing /etc/ssh/ssh_config, not 
/etc/ssh/sshD_config :P


Secondly, I had to enable PasswordAuthentication yes as well as 
ChallengeResponseAuthentication no


This works perfectly now.  Thanks again everyone, sorry for wasting 
your time.


[EMAIL PROTECTED] wrote:
I think that tells you that this is the default setting if you don't 
change it.



From: Jon M [EMAIL PROTECTED]
Date: 2006/11/14 Tue PM 09:35:13 EST
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] sshd issues

Hi Daevid,

I tried playing around with some options in there and didn't seem to 
do much, but not sure if I tried changing that specifically.  I do 
have a question though..  My ssh_config looks something along the 
lines of this:


#  Host *
#PasswordAuthentication yes

My question is, should they actually have # symbols in front as if 
they're commented out?  My gut is telling me no..


Thanks again


Daevid Vincent wrote:

Change/Add this:

PasswordAuthentication yes

In /etc/ssh/sshd_config

DÆVID 

-Original Message-
From: Jon M [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 
14, 2006 6:04 PM

To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] sshd issues

Hey all,

I've been using other distributions for a while (CentOS, 
Slackware, Red Hat, etc) and finally switching to Gentoo, however 
this oddness with SSH is getting to me.  It seems when I SSH into 
my machine it uses keyboard-interactive mode, whereas I'm used 
to every other distro using just password mode I think it is.  
I'm wondering if there is any way to change this.  I tried 
comparing /etc/ssh/ssh_config between my CentOS machine and my 
Gentoo machine, and both files are pretty much the same, and 
everything is commented out anyway.


Any light someone could shed on this would be much appreciated.  
Thanks in advance!




Re: [gentoo-user] emerge hints log?

2006-11-15 Thread Brian Davis

Check out ELOG in /etc/make.conf.examples.

jakommo wrote:

Hi all,

I was wondering if there is a way or a tool which logs the hints emerge 
gives you sometimes after merging a program.
The hints were useful for me more than once but I don't want to watch 
emerge all the time when I'm merging several packages.


best regards

jakommo




Re: [gentoo-user] virtual servers/services: which one?

2006-11-14 Thread Brian Davis

What are these buying the OP over chroot for what he wants to do?

Hans de Hartog wrote:

[EMAIL PROTECTED] wrote:

Hi,

I would like to implement some sort of virtual servers
(mail, www, ftp) on my small gentoo server as a way of
increasing security...

Now the only problem is (so typical for linux :-)
which solution to use, because there are many:

Vserver? OpenVZ? Xen? Maybe VMware?
Or something else, supported by Gentoo?

I do not know them and I do not have time to test them
all, so I would be thankful for any opinion, experiences,
comparison, etc...

Jarry


In order of preference for your purpose:

Openvz, the most lightweight virtualization.
   One kernel for all systems.
   Virtualization starts with the init process

Xen, real separate kernels.
   Other major Linux distros possible.
   Only if you want to upgrade a system but need
   to keep the services available.

Vmware, the real stuff. Not needed for your purpose.

All free and supported by Gentoo.

Hans.




Re: [gentoo-user] Symlinking out of a chroot

2006-11-13 Thread Brian Davis
As they say, security comes at the cost of convenience (and storage in 
this case), so I think the most secure solution is to just copy over the 
data I need to publish to the chroot. I've given it thought, and I don't 
want the potential apache hax0r to get to (and potentially delete) all 
my original pictures/videos. The downside is that I'll probably have 90% 
of them copied to the /chroot/www directory for publishing.


The mount --bind thing looked nice, but you can't change the mount 
permissions from what those directories already have, i.e. if I have 
/stuff/pics on a filesystem mounted rw, I can't then mount --bind it to 
ro.  At least that's what the man page says. If I could mount it to ro, 
that might be a better alternative.


Thanks,
Brian

Hans-Werner Hilse wrote:

Hi,

On Mon, 13 Nov 2006 12:04:51 +0100 Alex [EMAIL PROTECTED] wrote:

I would suggest an alias for this -
http://httpd.apache.org/docs/2.0/mod/mod_alias.html#alias

Aliases were made for this kind of problem (data was not in the
documentroot)



Yep, but they're not made for *this* exact kind of problem: Here, the
file isn't even in the accessible filesystem namespace.

BTW, I've always found it easier to manage a bunch of symlinks instead
of numerous .htaccess files. But again, in the OP's case neither works.

-hwh
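An added example, not from the thread, illustrating Hans-Werner's point that a symlink pointing outside the chroot is resolved against the chroot's root rather than the host's: the resolver below mimics the kernel's path walk for a chrooted process (absolute link targets re-rooted at the chroot, `..` pinned at its root) on a constructed temporary layout. `resolve_in_chroot` and `demo` are names of my own, not Apache or Gentoo functions.

```python
import os
import tempfile

def resolve_in_chroot(root, path, max_links=40):
    """Resolve absolute `path` as the kernel does for a process chrooted to
    `root`: symlinks are followed, but an absolute link target starts again at
    the chroot root, and '..' at that root stays there. Returns the host path."""
    root = os.path.abspath(root)
    todo = [p for p in path.split("/") if p and p != "."]
    cur, links = [], 0                      # components below root, links followed
    while todo:
        name = todo.pop(0)
        if name == "..":
            if cur:
                cur.pop()                   # '..' at the chroot root is a no-op
            continue
        host = os.path.join(root, *cur, name)
        if os.path.islink(host):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(host)
            if target.startswith("/"):
                cur = []                    # re-rooted at the chroot, not host /
            todo = [p for p in target.split("/") if p and p != "."] + todo
            continue
        cur.append(name)
    return os.path.join(root, *cur)

def demo():
    """Constructed layout: <base>/stuff/pics holds the real data outside the
    chroot and <base>/chroot/www/pics -> /stuff/pics is the symlink from the
    original post. Returns (path the chrooted apache would open, whether it
    exists, where a relative '..' link ends up), with <base> stripped."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "stuff", "pics"))
        open(os.path.join(base, "stuff", "pics", "cat.jpg"), "w").close()
        root = os.path.join(base, "chroot")
        os.makedirs(os.path.join(root, "www"))
        os.symlink("/stuff/pics", os.path.join(root, "www", "pics"))
        seen = resolve_in_chroot(root, "/www/pics/cat.jpg")
        rel = resolve_in_chroot(root, "/www/../../stuff/pics")   # cannot climb out
        return seen.replace(base, ""), os.path.exists(seen), rel.replace(base, "")
```

The symlink therefore does not weaken the chroot; it simply dangles inside it, which is why a copy (or a bind mount) of the data is needed.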



[gentoo-user] Symlinking out of a chroot

2006-11-12 Thread Brian Davis

Hey folks,

I will be running my apache2 server in a chroot. Most of my data for the 
server (e.g. pictures, user webpages) are on another partition from my 
chroot.  I don't want to move all that data into the apache chroot if I 
don't have to.  Therefore I would have soft symlinks from the chroot to 
the data.  Does this effectively make the chroot worthless?


Thanks!



Re: [gentoo-user] Do you leave it on? USE=berkdb

2006-10-17 Thread Brian Davis
I have mine off.  However, you should see which packages you have 
installed that would take advantage of it before you turn it off globally.


Grant wrote:

Do you guys leave the berkdb USE flag on?  It seems to be a default
flag, but I've been using -berkdb in make.conf ever since I started
using Gentoo.  Is it basically a better way for lots of different
packages to manage their databases?

- Grant




Re: [gentoo-user] Lightweight Gentoo System

2006-10-12 Thread Brian Davis

I've also used -O2 on my Pentium 2 Celeron system without any problems.

I used to run -Os back in my Pentium 200 MHz days, and that works fine 
too ;).


Honestly, however, I never did any benchmarking between the different -O 
settings on any of these machines, so I'm not sure they were the best 
setting to use. These were recommendations I'd gotten from the forums.


Caveat: there is no GUI involved on either of these systems, just 
headless servers.


Thanks,
Brian

Chris Frederick wrote:

Karl Huysmans wrote:

Hi All,

A friend asked me to install some operating system on an old Dell 
laptop

he got for free.

The laptop has a pentium 2 400 MHz, 6 GB HD and 256 MB RAM, and will 
be used

by his young children.

I have tried to install Edubuntu on it, looks nice, has a lot of very
useful stuff for kids, but it really runs too slow on this machine.

So I was thinking Gentoo, optimized for PII, I guess -Os would be a good
option for this little machine. Any thoughts anyone?

What about the desktop? I guess Gnome or KDE is not really the best 
choice.
But what else could I use? Of course, it's for kids, so I have to be 
able to

make it look nice :-) What would be a good window manager? File manager?
Other applications that help to keep it lean and fast?

Anyone with any experience building such a system under Gentoo?

Thank you

Karl



I've got an old NEC and Thinkpad that I use for VNC clients to my 
server.  I've also loaded a bare bones desktop system in case I take 
them out somewhere.


I've loaded fluxbox, dillo, spruce, mplayer, and some assorted games 
(pysol, xbomb, xtris, etc...)  Surprisingly this system responds 
better than my Win2k server at work.


I have a dual xeon server that I did all the building on, then I just 
boot the laptop to the minimal cd and partition drives and use the tar 
file from my server in place of the stage3.  Then just load grub, 
reboot, and you just saved yourself days of compiling.


I used -O2 for compiling, and since I use my server to do all the 
building from, I delete /usr/portage before I load it on the laptops. 
This puts me around ~850M for a complete system (my laptops only have 
2G/3G hard drives with 96M/128M ram).


Chris Frederick





Re: [gentoo-user] gentoo in /etc/group

2006-09-27 Thread Brian Davis

Do you see the user in /etc/passwd?

Thanks,
Brian

james wrote:

Hello,

A couple of weeks ago, I installed a system using 2006.1 Livecd

Today, I took a look at the /etc/group file and found 'gentoo'
listed in several groups, including wheel
(wheel audio cdrom usb users games) to be specific.
I do not remember this before. In fact
looking at several other systems, I do not see the word 'gentoo'
in any /etc/group file.

I'm thinking this must be a vestige of the liveCD 2006.1 install.

Can anyone confirm this? Is this a bug I should report?

curious,
James



Re: [gentoo-user] {OT} 2.4Ghz interference

2006-09-18 Thread Brian Davis

Yes, don't do it.

Grant wrote:

I have an 802.11g network and I'm considering buying a wireless RF
keyboard that uses the 2.4Ghz frequency.  Am I setting myself up for
interference problems?

- Grant




Re: [gentoo-user] Re: firewall minimized make.conf flags

2006-09-15 Thread Brian Davis

The minimal USE flag might be nice to have.

james wrote:

Ryan Tandy tarpman at gmail.com writes:

USE= -* hardened pic ncurses ssl acl crypt berkdb tcpd pam perl pcre python
readline bzip2 zlib apm krbr kerberos nptl nptlonly lm_sensors syslog 
Try tossing logrotate in there for kicks.  It's an absolute joy, 
especially on systems that you don't intend to interact directly with 
too often.




YES,

I've been meaning to come up to speed on using logrotate and some scripts
I have found


Thanks!


James



[gentoo-user] Using HPN (high performance) for Openssh, no brainer?

2006-09-15 Thread Brian Davis
Is there any downside to enabling USE=hpn for openssh?  Description is 
here: http://www.psc.edu/networking/projects/hpn-ssh/.


Does anyone know why it isn't enabled by default?

Thanks,
Brian



Re: [gentoo-user] Re: Simplified apache2

2006-09-14 Thread Brian Davis



Rumen Yotov wrote:

Hi,
On Wed, 13 Sep 2006 12:36:45 + (UTC)
James [EMAIL PROTECTED] wrote:

Ryan Tandy tarpman at gmail.com writes:




Michael Crute wrote:

USE=-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
python readline


You could omit pic here IIRC (on a hardened profile) hardened
includes -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
If using a vanilla (desktop & server) profile you'll need 'pie' as well.
Maybe (if not using a hardened profile) you'll also need some LDFLAGS.

I have a question on this, why would a package have to use a pic USE 
flag if all that was needed was to compile with -fpic?



Ok,
So I'll test your suggestions. 
The more minimized the global flags are, the more secure the server.




+1
Could also check the flags in hardened profile.

Also, be careful using the hardened flag without running the
hardened profile.  The hardened profile masks out a couple of
packages and flags that don't work so well on a hardened system.

+1

H,

Not sure I fully grasp what you mean by a 'hardened system'. If you
mean running a hardened kernel with only necessary software
installed, then yes, I run hardened kernels on most servers {dns,
web, mail, firewalls}

If running a hardened system means more than that, please explain,
or point me to some docs.


Check hardened docs page on w.g.o, in short hardened means a kernel
with PaX (+ -fpie for packages) some sort of RBAC system - grsec, RSBAC
or SELinux and all user-land build with SSP,pic,pie (IMHO).

BTW, the flags with underscores in them (kernel_linux,
userland_GNU, elibc_glibc, video_cards_radeon and such) are known
as USE_EXPAND or expanded USE flags.  
This is nice to know. 
I did not get the memo on this.

Any docs for further reading you can point me to?



...SKIP...

James


HTH. Rumen



Re: [gentoo-user] Re: Simplified apache2

2006-09-14 Thread Brian Davis

I think I've answered my own question:

On my system, gzip is the only package that contains the pic USE flag. 
Looking at the ebuild, the pic USE flag is used to tell the system not 
to use the assembler code optimizations.


Presumably, assembler code can't be relocated.

Thanks,
Brian




Re: [gentoo-user] Simplified apache2

2006-09-13 Thread Brian Davis
Can one convert a non-hardened machine to use the hardened profile, or 
do you have to start from scratch?


Michael Crute wrote:

On 9/12/06, James [EMAIL PROTECTED] wrote:


I used 2006.1 livecd to install a pII machine. It's going
to become a (minimalistic) apache2 server. I just let the
installation
set the flags for the install so I have these flags currently:


snip

Those look a bit excessive for a minimalist machine. I would start 
over ;-)



Some of these flags look questionable, such as the ones with
underscores (kernel_linux userland_GNU) as I only found
information on them, where they are described as 'undocumented
use flags'. What's up with these flags?


My understanding is that these are set in the profile and simply tell
portage that you are using Linux. I don't think there is any way
(short of profile hacking) to change them. So don't worry about it.


Where do I look to discern the minimal list of (necessary) system
flags that
must be kept?  (I want to avoid negating any flags that are critical).


These are my proposed list of flags:


snip

Still a little excessive in my opinion. The approach that I would (do)
take is to put only the bare minimum use flags in make.conf and
override the rest on a per-package level in /etc/portage/package.use.

So can I just use this list, or do I have to include a -{flag} for 
each one?


Is there simpler syntax to globally remove unwanted flags [-*], but 
not any critical system flags? (Is this the same as just leaving the flag out
of the USE param. setting in make.conf?)



-* will work but be careful it can break things if you don't know what
you're doing.


Are there default system flag settings that I can safely remove?
Where is the list and how do I know which ones can be removed or 
negated?


My (limited) understanding of flags is that the highest priority are
those set in /etc/portage/package.use, then /etc/make.conf then
the system default flags which may be located in several locations.
Is there any docs or listing of all of these locations and details
on precedence?


http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=2

OK, my advice to you would be to start over with a hardened profile.
While hardened is not specifically required I highly recommend it if
this is just going to be a headless server machine.

You probably want to set your machine up with a similar USE= string in 
make.conf


USE=-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python 
readline


I believe that is the bare minimum if you use -*. Now you can compile
your system and you have a blank slate to start working with. As you
start emerging packages just make sure you use the -pv flags for
emerge and check out the available use flags and add the ones you want
to /etc/portage/package.use. Here is an example of my package.use line
for apache2

net-www/apache mpm-prefork threads

This setup works smashingly for me on my production servers but YMMV.
Best of luck.

-Mike

