On Dec 11, 2011 12:48 AM, "Tanstaafl" <tansta...@libertytrek.org> wrote:
>
> Hello all,
>
> I'm considering rolling out a new server with Gentoo, but wanted to base it on the hardened profile, but the docs I've read so far all seem to be a bit vague about all the details.
>
> I've been using Gentoo for a while on my hobby server, but I installed it about 8 years ago, and chose the 'server' profile, and I must say it has been a real pleasure to maintain, and the only real hiccup I ever experienced was the mailman update that moved the directories for the lists without telling me what to do about it (the fix was simple, and the devs swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? I.e., which model is best - grsecurity, PaX, SELinux - and how best to implement it?
>
> Thanks...
>
Oh, one more thing: If you don't need to milk your hardware for every last bit of performance, consider running the server inside a VM like XenServer. You gain the benefit of branchable snapshots, ease of migrating to a different physical box (as long as you don't use -march=native), and simpler menuconfig. Plus, if somehow your VM lost all connectivity, you don't need to visit the server; you can still manage it through XenServer's virtual console.

I have been deploying my servers on top of XenServers, including one gateway/firewall that used to oversee 5 internet links + 1 LAN with an aggregate Internet bandwidth of 35 Mbps. Albeit running on an elderly Pentium 4 box, I have no performance problems at all, even when the gatewall does some very exotic iptables magic (my list of iptables rules is already longer than 100 lines).

Rgds,