Watch Out Upgrading To Linux 4.14 If You Use AppArmor
Originally posted by sandy8925:
Lol, no wonder most people haven't encountered this problem yet, they're all probably using 16.04 LTS with kernel 4.8. Or for the people who are actually running 17.04 ....... they are probably running 4.10 or 4.12 at best.
Originally posted by starshipeleven:
Heh, Gentoo on a server... I guess it's not that bad if you use Gentoo on all your PCs anyway, so it's just n+1 of the same stuff you do already.
Thanks for the explanation.
Originally posted by debianxfce:
ADSL users have no experience of modern mobile networks. With ADSL and a fixed WAN IP you have hundreds of attacks per day.
No viruses or attacks with Debian and a 3G/4G mobile connection in years. Debian has over 50 000 virus-free software packages and the WAN IP changes in 3G/4G mobile networks (you need to pay extra to have a fixed IP), so there are no attacks.
Attack vectors, though, are many and varied, and CGNAT is not a firewall or a malware/virus scanner.
Possible attack vector: what happens if someone in your house downloads a dodgy app on their phone? It could scan the network (or even listen passively for all the mDNS beacons), find vulnerable items (like your router or Wi-Fi extender) and infect them. Your network is now infected.
Possible attack vector: some sort of vuln in your web browser that lets malicious websites run code remotely. Same thing.
Not having a routable IP is only a hindrance to getting infected, not a total defence.
Originally posted by extide:
No network is "safe"
* if possible, disable anything on your modem that can be reached from the outside (ping, mgt interface etc)
* disable everything you don't need (wifi, bluetooth, etc.)
* use firewall
- default drop, and only allow ports you use
- only accept traffic to and from sources you trust
* run services on 127.0.0.1 (or 127.0.0.x)
* run your own dns resolver on your router
* use a local dns resolver (like Unbound) for rerouting bad domains to 127.0.0.x
- adblocking
- google analytics, adobedtm etc.
- list here: https://pgl.yoyo.org/as/serverlist.p...stformat=hosts
* use only stable distributions for your production environment
* use test distributions on separate (or virtual) machines
* use test distributions on a different network
* mount temp directories with no_exec
* have a separate partition for home, and mount it with no_exec
* use plugins like no_script to control which sources you want to trust
* etc.
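An added example, not written by any poster in this thread: a small POSIX shell audit that checks two of the points in the list above (noexec on /tmp and /home, and services bound only to loopback) against constructed fstab and ss-style input. The sample data and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits two hardening points from the
# list above against constructed sample input: noexec on /tmp and /home,
# and listeners that are not bound to loopback (127.0.0.x / ::1).

# Constructed /etc/fstab content (not from a real system).
SAMPLE_FSTAB='UUID=aaaa / ext4 defaults 0 1
UUID=bbbb /home ext4 defaults,nosuid 0 2
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0'

# Constructed listener table in the column layout of `ss -tlnH`
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SOCKETS='LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 128 *:3306 *:*'

# Print each of /tmp and /home whose fstab options lack noexec.
missing_noexec() {
    printf '%s\n' "$1" | awk '
        ($2 == "/tmp" || $2 == "/home") && $4 !~ /(^|,)noexec(,|$)/ { print $2 }'
}

# Print each local address:port that is reachable from outside the host.
nonloopback_listeners() {
    printf '%s\n' "$1" | awk '{
        addr = $4; sub(/:[^:]*$/, "", addr)      # strip the port
        if (addr !~ /^127\./ && addr != "[::1]") print $4
    }'
}

# On a live host, feed real data instead of the samples, e.g.
#   missing_noexec "$(cat /etc/fstab)"; nonloopback_listeners "$(ss -tlnH)"
echo "mount points without noexec:"; missing_noexec "$SAMPLE_FSTAB"
echo "listeners not bound to loopback:"; nonloopback_listeners "$SAMPLE_SOCKETS"
```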
Security by its nature is a hassle. It takes constant vigilance and it's not something people can reasonably accomplish in a home environment. You can get to a level that's acceptable but you'll always be a far cry from what the enterprises can do. For instance, one just can't be expected to review CVEs for all their software every day like they would in an enterprise environment. With the above post all that is fine but I don't see you deploying DNSSEC.. tisk tisk.
Gentoo on a server is also kinda foolish. They expect constant patches to software (new versions, not just security updates; it is a rolling distro after all) and I promise you will have something sometime fail to build. Since there is no way to install a binary on Gentoo you might have issues. It will just lead you to a lot of work tracking down issues that Gentoo missed; all the extra work is just time lost that is unnecessary. FreeBSD would make a much better platform as you have source AND binary control there and a lot of built-in ways to return your server to a working condition if there ever were to be an issue, such as ZFS rollback and boot environments. I *do* like Grsec and that's great if you want to use something like that on Gentoo, but HardenedBSD and OpenBSD also exist and would be more reliable without the constant maintenance Gentoo takes to keep stable. My advice on that is if you plan to go that route and have hardened systems like that, keep in mind that most of them are research OSes and try to keep them real simple so they are easier to work on.
Last edited by k1e0x; 21 October 2017, 08:03 AM.
Originally posted by k1e0x:
Security by its nature is a hassle. It takes constant vigilance and it's not something people can reasonably accomplish in a home environment. You can get to a level that's acceptable but you'll always be a far cry from what the enterprises can do. For instance, one just can't be expected to review CVEs for all their software every day like they would in an enterprise environment. With the above post all that is fine but I don't see you deploying DNSSEC.. tisk tisk.
Gentoo on a server is also kinda foolish. They expect constant patches to software (new versions, not just security updates; it is a rolling distro after all) and I promise you will have something sometime fail to build. Since there is no way to install a binary on Gentoo you might have issues. It will just lead you to a lot of work tracking down issues that Gentoo missed; all the extra work is just time lost that is unnecessary. FreeBSD would make a much better platform as you have source AND binary control there and a lot of built-in ways to return your server to a working condition if there ever were to be an issue, such as ZFS rollback and boot environments. I *do* like Grsec and that's great if you want to use something like that on Gentoo, but HardenedBSD and OpenBSD also exist and would be more reliable without the constant maintenance Gentoo takes to keep stable. My advice on that is if you plan to go that route and have hardened systems like that, keep in mind that most of them are research OSes and try to keep them real simple so they are easier to work on.
If you're using Gentoo right, you won't be updating existing installations, you'll be creating new images that you boot up to for upgrades. Besides tweaking and testing it can be almost fully scripted. (And any admin responsible for maintaining their servers knows all about how important planned downtime is. Bragging about uptime is just like bragging about how dumb you are.)
Last edited by duby229; 21 October 2017, 09:41 AM.
Originally posted by duby229:
Gentoo on a server is fantastic if you know what you're doing. First, I know I'm gonna get flack for saying this, but upgrading Gentoo is worthless. In every single case you're going to be better off building a new image to boot from. It's not like starting from scratch; most Gentoo users create install scripts for themselves. You already have your configuration files: zip them up, use truncate to create an *.img, mount it, unpack the newest stage tarball, chroot, and then run your install script. It takes less than a day on modern hardware. Then you just have to tweak the image to your preferences and then test it thoroughly. Due to USE flags you can pretty much every single time create yourself a -better- server that is use case specific. And because you can make it use case specific you can eliminate a whole bunch of attack vectors.
If you're using Gentoo right, you won't be updating existing installations, you'll be creating new images that you boot up to for upgrades. Besides tweaking and testing it can be almost fully scripted. (And any admin responsible for maintaining their servers knows all about how important planned downtime is. Bragging about uptime is just like bragging about how dumb you are.)
Originally posted by k1e0x:
I guess that's one way to solve it. You're aware of the same problem I am: their update cycle is pretty busted. For me I don't see a lot of value in using Gentoo as opposed to FreeBSD in a more generic server role or OpenBSD in a high security role (such as a VPN server or web frontend), but that may just be me, and I like your methods; if I had tons of time and needed Linux for some specific reason I might go that route. Call me lazy maybe, though; I like stuff that doesn't take a whole lot of maintenance.
Originally posted by duby229:
I think it's just more of a workflow type of situation. It's really not that much maintenance. FreeBSD does have the benefit of a prebuilt binary library, but short of that it's more difficult to work with than Gentoo for sure. There's no doubt about that at all.
Last edited by k1e0x; 22 October 2017, 09:48 PM.