On 27/03/16 12:51, 80x24 wrote: > Hunter Jozwiak wrote: >> Hello, >> >> I am going to now host my web site on a Gentoo server. Firstly, is there >> a recommended profile for this, or will the default amd64 profile
It depends on your use-case and preference, but hardened is often a good choice for something that will offer external services (as in over the Internet). >> suffice? Or would it be better to use a hardened profile for this task? >> Secondly, does Linode offer the requisite information for things you >> MUST have while building a kernel? The Linode configurations, last time I checked, were significantly out of date (including their Gentoo deployment image). Depending on your level of paranoia, it may be reasonable for you to boot your Linode using their rescue environment and perform a stage-3 install that way. Otherwise, you can simply deploy their Gentoo image and update/harden as necessary. As for kernel configuration, I don't recall seeing anything specifically, however they do include their default kernel configuration in either /boot/config* or /proc/config.gz, so you can use that as a base. >> And finally, I am going to have >> multiple servers. Is there a package that I can use to distribute my >> built kernels? There isn't a package, however depending on how you configure the kernel, you can either just copy the .config from one host or another, or the kernel make program has options to build archives of the built kernel - see `make help` for details. >> Thanks, you guys are awesome, and keep up the good work, >> >> Hunter >> > As far as you know how to hardened security of your servers. Normal > profile will be good (Though I still recommend hardened if you're > familiar with GRsecurity and other ``hardeded'' stuff). > > If you go with the hardened version, you will also need to build custom > kernel and set kernel to pygrub in Linode profile settings (which > selects proper generic kernel by default). And yes you will need a > bootloader. Hardened is not one be-all solution - you can use some hardened features and not others. For example, you can convert to the hardened profile and do not necessarily need to use hardened-sources. Similarly, if you *do* use hardened-sources, you do not need to enable an RBAC (such as GRSecurity or SELinux). If you do use PaX in the kernel, though, you will need to also be on a hardened profile to have binaries marked appropriately. Cheers; -- Sam Jorna (wraeth) <[email protected]> GnuPG Key: D6180C26
signature.asc
Description: OpenPGP digital signature
