Watch Out Upgrading To Linux 4.14 If You Use AppArmor


  • #21
    Originally posted by duby229:
    Gentoo doesn't release premade kernels.
    He didn't say he was using Gentoo on his server, or I would not have asked. I know enough about Gentoo.



    • #22
      Originally posted by sandy8925:
      Lol, no wonder most people haven't encountered this problem yet; they're all probably using 16.04 LTS with kernel 4.8. Or, for the people who are actually running 17.04... they are probably running 4.10 or 4.12 at best.
      I'm always running the latest stable here. As of today, 4.13.7 on KDE Neon (16.04 LTS). I won't use RCs in production, because, well, it's production. But I'm glad others do, to find and squash bugs like these...



      • #23
        Originally posted by starshipeleven:
        Heh, Gentoo on a server... I guess it's not that bad if you use Gentoo on all your PCs anyway, so it's just n+1 of the same stuff you do already.

        Thanks for the explanation.
        I don't use Gentoo on PCs; that would be a terrible idea. But it's perfect for servers thanks to the Gentoo Hardened project, which is unmatched, the webapp-config tool, and the ability to properly configure nginx (the choice of modules is configured at build time).



        • #24
          Originally posted by debianxfce:

          ADSL users have no experience of modern mobile networks. With ADSL and a fixed WAN IP you get hundreds of attacks per day.

          No viruses or attacks with Debian and a 3G/4G mobile connection in years. Debian has over 50,000 virus-free software packages, and the WAN IP changes in 3G/4G mobile networks (you need to pay extra to have a fixed IP), so there are no attacks.
          Hey man, I understand what you are saying, and you are right: you eliminate one attack vector by not having a routable IP.

          Attack vectors, though, are many and varied, and CGNAT is not a firewall or a malware/virus scanner.

          Possible attack vector: what happens if someone in your house downloads a dodgy app on their phone? It could scan the network (or even listen passively for all the mDNS beacons), find vulnerable items (like your router or Wi-Fi extender) and infect them. Your network is now infected.

          Possible attack vector: some sort of vuln in your web browser that lets malicious websites run code remotely. Same thing.

          Not having a routable IP is only a hindrance to getting infected, not a total defence.

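The passive mDNS discovery described in the post above, as an added example that is not part of the thread (nobody in it posted code): a minimal parser for mDNS announcements plus a listener that joins 224.0.0.251:5353 and prints what devices on the LAN advertise. The sample frame is constructed by hand for this example (it is not a capture); the service name, host and port in it are made up. The point it makes is that an app needs no root and sends nothing to build an inventory of printers, routers and extenders on the network.

```python
import socket
import struct

TYPE_PTR, TYPE_SRV = 12, 33

# Constructed sample: the DNS-format payload of one mDNS announcement (what a device
# multicasts to 224.0.0.251:5353) advertising an HTTP service. Hand-built so the
# example runs offline; it is not a real capture. Offsets matter for the pointers.
SAMPLE_MDNS = (
    b"\x00\x00\x84\x00\x00\x00\x00\x02\x00\x00\x00\x00"  # ID 0, flags 0x8400 (response), QD 0 AN 2 NS 0 AR 0
    # answer 1 (owner name at offset 12): _http._tcp.local  PTR  Printer._http._tcp.local
    b"\x05_http\x04_tcp\x05local\x00"
    b"\x00\x0c\x00\x01\x00\x00\x11\x94\x00\x0a"          # PTR, IN, TTL 4500, RDLEN 10
    b"\x07Printer\xc0\x0c"                               # rdata (offset 40): "Printer" + pointer to 12
    # answer 2: Printer._http._tcp.local  SRV  0 0 80 printer.local
    b"\xc0\x28"                                          # owner name: pointer to offset 40
    b"\x00\x21\x80\x01\x00\x00\x00\x78\x00\x10"          # SRV, IN + cache-flush bit, TTL 120, RDLEN 16
    b"\x00\x00\x00\x00\x00\x50"                          # priority 0, weight 0, port 80
    b"\x07printer\xc0\x17"                               # target: "printer" + pointer to "local" at 23
)


def read_name(msg, offset):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared at the original position)."""
    labels, hops, jumped, end = [], 0, False, offset
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: pointer to an earlier name
            hops += 1
            if hops > 16 or offset + 1 >= len(msg):
                raise ValueError("bad compression pointer")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_mdns_announcements(msg):
    """Return the PTR (service instance) and SRV (host, port) records in one mDNS
    message; queries (QR bit clear) yield an empty list."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        return []
    offset = 12
    for _ in range(qd):                              # skip any questions
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata, offset = offset, offset + rdlen
        if offset > len(msg):
            raise ValueError("truncated rdata")
        rec = {"name": name, "type": rtype, "ttl": ttl, "cache_flush": bool(rclass & 0x8000)}
        if rtype == TYPE_PTR:
            rec["instance"], _ = read_name(msg, rdata)
        elif rtype == TYPE_SRV:
            if rdlen < 6:
                raise ValueError("short SRV rdata")
            _prio, _weight, rec["port"] = struct.unpack_from("!HHH", msg, rdata)
            rec["target"], _ = read_name(msg, rdata + 6)
        records.append(rec)
    return records


def inventory(msg):
    """Map service instance -> (host, port) by joining PTR and SRV answers."""
    recs = parse_mdns_announcements(msg)
    hosts = {r["name"]: (r["target"], r["port"]) for r in recs if r["type"] == TYPE_SRV}
    return {r["instance"]: hosts.get(r["instance"], ("?", 0)) for r in recs if r["type"] == TYPE_PTR}


def listen(iface_ip="0.0.0.0"):
    """Passive listener: join the mDNS group and print what the LAN advertises.
    Needs no root and sends nothing, which is why nobody notices it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", 5353))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                 socket.inet_aton("224.0.0.251") + socket.inet_aton(iface_ip))
    while True:
        data, (src, _) = s.recvfrom(9000)
        try:
            for inst, (host, port) in inventory(data).items():
                print(f"{src}: {inst} -> {host}:{port}")
        except ValueError as e:
            print(f"{src}: malformed mDNS ({e})")


if __name__ == "__main__":
    print(inventory(SAMPLE_MDNS))   # the constructed frame first, then live traffic
    listen()
```

The parser refuses truncated records and pointer loops rather than crashing on them, because a listener like this is itself exposed to every host on the segment. Run it on a laptop at home and compare the list with what you think is on your network; anything that announces a management service (printers, extenders, NAS boxes) is what the post's hypothetical dodgy app would go after first.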


          • #25
            Originally posted by extide:

            No network is "safe".
            * use a modem (or a router behind your modem) that you control
            * if possible, disable anything on your modem that can be reached from the outside (ping, management interface, etc.)
            * disable everything you don't need (Wi-Fi, Bluetooth, etc.)
            * use a firewall
            - default drop, and only allow the ports you use
            - only accept traffic to and from sources you trust
            * run services on 127.0.0.1 (or 127.0.0.x)
            * run your own DNS resolver on your router
            * use a local DNS resolver (like unbound) for rerouting bad domains to 127.0.0.x
            - ad blocking
            - Google Analytics, adobedtm, etc.
            - list here: https://pgl.yoyo.org/as/serverlist.p...stformat=hosts
            * use only stable distributions for your production environment
            * use test distributions on separate (or virtual) machines
            * use test distributions on a different network
            * mount temp directories with noexec
            * have a separate partition for home, and mount it with noexec
            * use plugins like NoScript to control which sources you want to trust
            * etc.

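The "local resolver that reroutes bad domains to 127.0.0.x" item in the list above, worked through as an added example (not code from anyone in the thread): it turns a hosts-format blocklist like the yoyo.org one into an unbound `local-zone`/`local-data` fragment. The sample list is constructed for the example and includes the kind of lines a poisoned or mis-parsed download could carry; the sink address 127.0.0.2 and the strict hostname rule are this example's choices. The check that matters is that nothing from the list reaches unbound.conf unless it is a plain hostname mapped to a loopback or unspecified address, since a list entry that maps a real name to some other IP is a hijack, and a quote character in a name would let a list line inject directives into the resolver configuration.

```python
import ipaddress
import re

# Constructed sample in the hosts format the yoyo.org list is served in (the lines
# are made up for this example, not taken from the real list). The last five lines
# are the kind of junk a poisoned or mis-parsed list could contain.
SAMPLE_HOSTS = """\
# hosts-format ad server list (constructed)
127.0.0.1 ads.example
127.0.0.1   tracker.example.net   # trailing comment
0.0.0.0 analytics.example.org
127.0.0.1 localhost
10.0.0.5 intranet.example
127.0.0.1 bad"name.example
127.0.0.1 evil.example local-zone: "example.com" static
127.0.0.1 -notvalid.example
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Strict letters-digits-hyphen hostname check. Everything that goes into
    unbound.conf passes through here, so a list line cannot smuggle quotes,
    whitespace or directives into the resolver configuration."""
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def parse_hosts_blocklist(text):
    """Return (accepted names, rejected raw lines). Only 'loopback/unspecified
    address + one hostname' lines are accepted: an entry pointing a name at any
    other address would be a hijack, not a block, and localhost is never sinkholed."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ok = len(parts) == 2
        if ok:
            try:
                ip = ipaddress.ip_address(parts[0])
                ok = ip.is_loopback or ip.is_unspecified
            except ValueError:
                ok = False
        name = parts[1].lower().rstrip(".") if ok else ""
        if not ok or name == "localhost" or not valid_hostname(name):
            rejected.append(raw)
        elif name not in seen:
            seen.add(name)
            accepted.append(name)
    return accepted, rejected


def unbound_sinkhole_conf(names, sink="127.0.0.2"):
    """unbound 'server:' fragment answering each name, and every subdomain of it
    (that is what local-zone type 'redirect' does), with the sink address."""
    ipaddress.ip_address(sink)                  # refuse garbage here as well
    lines = ["server:"]
    for n in names:
        lines.append(f'    local-zone: "{n}." redirect')
        lines.append(f'    local-data: "{n}. A {sink}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good, bad = parse_hosts_blocklist(SAMPLE_HOSTS)
    print(unbound_sinkhole_conf(good), end="")
    print("rejected:", *bad, sep="\n  ")
```

Write the output to a file included from unbound.conf, run `unbound-checkconf` before `unbound-control reload`, and keep the rejected lines in a log: a sudden jump in rejections after a list refresh is the signal that the upstream list changed format or was tampered with. Newer unbound releases also offer the `always_nxdomain` zone type if you would rather return NXDOMAIN than a loopback address.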


            • #26
              Security by its nature is a hassle. It takes constant vigilance, and it's not something people can reasonably accomplish in a home environment. You can get to a level that's acceptable, but you'll always be a far cry from what the enterprises can do. For instance, one just can't be expected to review CVEs for all their software every day like they would in an enterprise environment. With the above post, all that is fine, but I don't see you deploying DNSSEC... tsk tsk.

              Gentoo on a server is also kinda foolish. They expect constant patches to software (new versions, not just security updates; it is a rolling distro after all) and I promise you will have something sometime fail to build. Since there is no way to install a binary on Gentoo you might have issues. It will just lead you to a lot of work tracking down issues that Gentoo missed; all the extra work is just time lost that is unnecessary. FreeBSD would make a much better platform, as you have source AND binary control there and a lot of built-in ways to return your server to a working condition if there ever were to be an issue, such as ZFS rollback and boot environments. I *do* like Grsec, and that's great if you want to use something like that on Gentoo, but HardenedBSD and OpenBSD also exist and would be more reliable without the constant maintenance Gentoo takes to keep stable. My advice on that is, if you plan to go that route and have hardened systems like that, keep in mind that most of them are research OSes, and try to keep them real simple so they are easier to work on.
              Last edited by k1e0x; 21 October 2017, 08:03 AM.



              • #27
                Originally posted by k1e0x:
                Gentoo on a server is fantastic if you know what you're doing. First, I know I'm gonna get flak for saying this, but upgrading Gentoo is worthless. In every single case you're going to be better off building a new image to boot from. It's not like starting from scratch; most Gentoo users create install scripts for themselves. You already have your configuration files: zip them up, use truncate to create an *.img, mount it, unpack the newest stage tarball, chroot, and then run your install script. It takes less than a day on modern hardware. Then you just have to tweak the image to your preferences and test it thoroughly. Due to USE flags you can pretty much every single time create yourself a -better- server that is use-case specific. And because you can make it use-case specific you can eliminate a whole bunch of attack vectors.

                If you're using Gentoo right, you won't be updating existing installations; you'll be creating new images that you boot up to for upgrades. Besides tweaking and testing it can be almost fully scripted. (And any admin responsible for maintaining their servers knows all about how important planned downtime is. Bragging about uptime is just like bragging about how dumb you are.)
                Last edited by duby229; 21 October 2017, 09:41 AM.

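The image-build workflow in the post above (truncate an image file, make a filesystem, mount it, unpack the stage tarball, chroot, run your install script), written out as an added example rather than duby229's own script. It adds one step the post does not mention: the stage tarball is the root of trust for the whole image, so its SHA512 is checked against the .DIGESTS file published beside it before anything is unpacked. Assumptions that are this example's and not the post's: the .DIGESTS layout (a `# SHA512 HASH` header followed by `<hex>  <filename>` lines, other sections ignored), ext4 as the filesystem, the mount/chroot preparation from the Gentoo handbook, and an install script copied to /root/install.sh inside the image. `demo_verify()` exercises only the digest check, against files it constructs in a temp dir; `build_image()` needs root and real input.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile


def sha512_of(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_sha512(digests_path, filename):
    """SHA512 listed for filename in a Gentoo-style .DIGESTS file, or None.
    Assumed layout (this example's, not from the post): a '# SHA512 HASH' header
    followed by '<hex>  <filename>' lines; other sections such as BLAKE2B are ignored."""
    in_sha512 = False
    with open(digests_path) as f:
        for line in f:
            line = line.strip()
            if line.startswith("#"):
                in_sha512 = line.upper().startswith("# SHA512 HASH")
                continue
            parts = line.split()
            if in_sha512 and len(parts) == 2 and parts[1] == filename:
                return parts[0].lower()
    return None


def verify_stage(tarball, digests_path):
    """True only if the tarball has a SHA512 entry and the file matches it."""
    want = expected_sha512(digests_path, os.path.basename(tarball))
    return want is not None and want == sha512_of(tarball)


def build_image(img, size, stage, digests, install_script):
    """Fresh root image as the post describes: truncate -> mkfs -> mount -> unpack
    stage3 -> chroot -> run the install script. Needs root; not exercised offline.
    Assumed: ext4, and an install script that is self-contained."""
    if not verify_stage(stage, digests):
        raise RuntimeError(f"refusing to unpack {stage}: digest missing or mismatched")
    run = lambda *cmd: subprocess.run(cmd, check=True)
    run("truncate", "-s", size, img)
    run("mkfs.ext4", "-q", "-F", img)
    mnt = tempfile.mkdtemp(prefix="gentoo-img-")
    try:
        run("mount", "-o", "loop", img, mnt)
        # --xattrs-include keeps file capabilities; --numeric-owner stops ownership
        # from being remapped through the host's passwd database.
        run("tar", "xpf", stage, "--xattrs-include=*.*", "--numeric-owner", "-C", mnt)
        shutil.copy("/etc/resolv.conf", os.path.join(mnt, "etc", "resolv.conf"))
        shutil.copy(install_script, os.path.join(mnt, "root", "install.sh"))
        run("mount", "--rbind", "/dev", os.path.join(mnt, "dev"))
        run("mount", "--rbind", "/sys", os.path.join(mnt, "sys"))
        run("mount", "-t", "proc", "proc", os.path.join(mnt, "proc"))
        run("chroot", mnt, "/bin/sh", "/root/install.sh")
    finally:
        # only remove the mount point once it is really unmounted
        if subprocess.run(["umount", "-R", mnt], check=False).returncode == 0:
            os.rmdir(mnt)


def demo_verify():
    """Exercise verify_stage against constructed files (no downloads, no root)."""
    d = tempfile.mkdtemp(prefix="stage-check-")
    try:
        name = "stage3-amd64-example.tar.xz"
        tarball = os.path.join(d, name)
        with open(tarball, "wb") as f:
            f.write(b"not a real stage3; constructed for the example\n")
        good, tampered = os.path.join(d, "good.DIGESTS"), os.path.join(d, "bad.DIGESTS")
        with open(good, "w") as f:
            f.write(f"# BLAKE2B HASH\n{'0' * 128}  {name}\n# SHA512 HASH\n{sha512_of(tarball)}  {name}\n")
        with open(tampered, "w") as f:
            f.write(f"# SHA512 HASH\n{'a' * 128}  {name}\n")
        return {
            "good": verify_stage(tarball, good),
            "tampered": verify_stage(tarball, tampered),
            "missing_entry": verify_stage(os.path.join(d, "other.tar.xz"), good),
        }
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo_verify())
```

The digest only proves the tarball matches the .DIGESTS file you downloaded with it; check the detached signature on that file with gpg against the Gentoo release key before trusting either, otherwise whoever can serve you a tarball can serve you a matching digest too. Keep the verified tarball and its digests next to the image so the build is reproducible when you rebuild for the next upgrade, which is the workflow the post recommends.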


                • #28
                  Originally posted by duby229:

                  I guess that's one way to solve it. You're aware of the same problem I am: their update cycle is pretty busted. For me, I don't see a lot of value in using Gentoo as opposed to FreeBSD in a more generic server role, or OpenBSD in a high-security role (such as a VPN server or web frontend). That may just be me, though, and I like your methods; if I had tons of time and needed Linux for some specific reason I might go that route. Call me lazy, maybe, though I like stuff that doesn't take a whole lot of maintenance.



                  • #29
                    Originally posted by k1e0x:

                    I think it's just more of a workflow type of situation. It's really not that much maintenance. FreeBSD does have the benefit of a prebuilt binary library, but short of that it's more difficult to work with than Gentoo, for sure. There's no doubt about that at all.



                    • #30
                      Originally posted by duby229:

                      I find it easier, but maybe I have more experience with it (15-20 years with both Linux and Unix). You have any examples? I really can't think of a standard sysadmin task that is easier on Gentoo than FreeBSD. Most are pretty comparable; there are a lot of small things in FreeBSD that make it easier. PF is one thing that comes to mind and really seals the deal, because it's way easier than Netfilter. When I was doing an IOMMU passthrough system on Gentoo last, I was really pining for FreeBSD's module loading system as opposed to Linux's; Linux's is super painful when trying to isolate devices. I'd put lines in grub that were ignored, then added blacklists and found them still ignored. I eventually worked it out, but it was troublesome. "It just works" is nice except when it doesn't. Just editing loader.conf would have been easier. It's the kind of thing you get when you have a system that's all made by one group as opposed to 20 different groups.
                      Last edited by k1e0x; 22 October 2017, 09:48 PM.

