[code] [blog]

gentoo
September 13 2015 18:02:03

This website runs on a relatively insecure VPS, so I developed a set of scripts to help me maintain a certain amount of privacy. Below you will find a Gentoo distribution for use in such environments. It comes with an initrd that automatically probes all network devices to acquire an IP address, and an ssh daemon that lets the user connect right after the kernel has loaded.


After connecting to this server over ssh, an administrator can set up his entire system in RAM, or, if preferred, set up disk encryption from this shell. This allows full disk encryption on a VPS or co-located server, even when VNC is unavailable. When the server goes down, is confiscated or is otherwise interrupted, all the sensitive data it contained disappears.
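The boot sequence described in the two paragraphs above, written out as a small early-userspace script. This is an added illustration, not the post's own initrd or modinitrd code; it assumes a busybox initramfs that provides `ip`, `udhcpc` and `dropbear` (the packages the post lists further down), and the sysfs path is a parameter so the interface discovery can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not the post's own modinitrd/initrd code: bring up every
# network interface, request a DHCP lease on each, then start an ssh daemon
# so the administrator can log in and finish the system from RAM.
# Assumes a busybox initramfs providing `ip`, `udhcpc` and `dropbear`.

# List every interface known to the kernel except loopback. The sysfs
# directory is a parameter so the function can be run against a test tree.
candidate_ifaces() {
    sysfs_net="${1:-/sys/class/net}"
    for entry in "$sysfs_net"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        [ "$name" = "lo" ] && continue
        echo "$name"
    done
}

# Bring one interface up and try DHCP on it: 5 discover packets, 2 s apart,
# and give up (-n) instead of blocking forever if no server answers.
probe_iface() {
    ip link set dev "$1" up || return 1
    udhcpc -i "$1" -n -q -t 5 -T 2 >/dev/null 2>&1
}

# Probe all candidates; succeed if at least one interface obtained a lease.
init_network() {
    status=1
    for iface in $(candidate_ifaces "$1"); do
        probe_iface "$iface" && status=0
    done
    return $status
}

# Start dropbear on port 22. -R lets it create host keys on first boot.
# This is the point at which the shipped root:toor login becomes reachable,
# so the password (or better, an authorized_keys file) must be changed
# before the image is deployed.
start_sshd() {
    mkdir -p /etc/dropbear
    dropbear -R -p 22
}

# Only run the sequence when invoked as the init entry point.
if [ "${1:-}" = "boot" ]; then
    init_network || echo "no DHCP lease on any interface; sshd will be unreachable" >&2
    start_sshd
fi
```

Run as `sh init.sh boot` from the initramfs `/init`; the interface discovery deliberately ignores interface names, so a VPS that exposes `ens3` and a co-located box with `eth0` are handled the same way.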


This distribution can run on both VPS and co-located servers; however, when running a service for which privacy is critical, a co-located server is preferable. For co-located servers it is advisable to ensure that removing the server from the rack, or otherwise tampering with it, causes the system to shut down. This can be done through chassis switches and other physical means.


There are ways to compromise this system, most of which only apply to a VPS. For instance, the hosting provider can modify the initrd so that any key entered is logged. If the VPS provider runs a host with hyper-threading enabled, or does not allocate fixed cores to your VPS, it is entirely possible to observe another VPS's CPU cache activity and recover encryption keys that way. However, on a co-located server with physical protections in place, booted from a USB stick with this initrd, this is nigh impossible. Until something like this gets built into the kernel, it is probably our best bet for security on boxes we have no direct control over.


This distribution consists of 3 files. boot.tar.xz contains a default kernel with a default ssh login, namely root:toor; it is obviously inadvisable to use this with the password unmodified. root.tar.xz is the Gentoo installation used to build this kernel image. files.tar.xz contains the scripts one can use to produce this Gentoo distribution from a base hardened Gentoo installation, should the need, or the paranoia, to do so arise.


When building the kernel yourself for the first time, it is advisable to enable Grsecurity and SELinux. The provided kernel does not have them enabled; they are, however, essential to Linux server security.


Package dependencies, by script:
  bin/buildkernel:
   genkernel
  bin/modinitrd:
   busybox
   dropbear
   cryptsetup
   curl
   links
   lvm2
  root/update:
   gentoolkit
   eix
   layman


Login:
   Username: root
   Password: toor


The script "buildkernel" builds a kernel and prepares an initrd automatically. The script "modinitrd" modifies an initrd generated by genkernel so that it contains the files this distribution needs. The script "update" contains a set of commands commonly used to update a Gentoo installation.


File          Size   Sha512sum
root.tar.xz   376M   b93d3e029924e6f0e17cad8e9e00e52635a51215ff9e19769e92be17aae673a2d9f673679ec28cb4ceef1b82c8432a48b7f3b511b0ace1e4691397f340c9f13a
boot.tar.xz   23M    275b3d9abc5798c2600000177ad73af26b77772f01f1dfea886335a75695672f2c2709003b5b840af3c10244a22c1fd9cde7959c2ee41d6149e43db84f637330
files.tar.xz  3.3K   399580e577a90cff85a60d37e4ad8a880cede90d424e84d183880f1eb722fe87e58ccabf57a7af99c04e48aa2566a48827fee20758de182b05b5faca6e1af4e5
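Given the threat the post raises of a tampered initrd, the published sums above are worth checking before anything is unpacked. The script below is an added example, not part of the post: it carries the three digests from the table re-joined onto one line each, and refuses to proceed on a mismatch. It assumes a `sha512sum` that supports `-c` (GNU coreutils or busybox) and takes the directory holding the archives as an optional argument.

```shell
#!/bin/sh
# Added example, not part of the post: verify the downloaded tarballs against
# the SHA-512 sums published in the post before unpacking them.
# Assumes sha512sum -c (GNU coreutils or busybox).

# The published sums, one "<digest>  <file>" line each, as sha512sum -c expects.
RELEASE_MANIFEST='b93d3e029924e6f0e17cad8e9e00e52635a51215ff9e19769e92be17aae673a2d9f673679ec28cb4ceef1b82c8432a48b7f3b511b0ace1e4691397f340c9f13a  root.tar.xz
275b3d9abc5798c2600000177ad73af26b77772f01f1dfea886335a75695672f2c2709003b5b840af3c10244a22c1fd9cde7959c2ee41d6149e43db84f637330  boot.tar.xz
399580e577a90cff85a60d37e4ad8a880cede90d424e84d183880f1eb722fe87e58ccabf57a7af99c04e48aa2566a48827fee20758de182b05b5faca6e1af4e5  files.tar.xz'

# verify_manifest MANIFEST_TEXT [DIR]: return 0 only if every file listed in
# the manifest exists in DIR and its digest matches. Runs in a subshell so
# the cd does not leak into the caller.
verify_manifest() {
    manifest="$1"
    dir="${2:-.}"
    ( cd "$dir" && printf '%s\n' "$manifest" | sha512sum -c - )
}

# check_release [DIR]: verify the three archives from the post and report;
# a failure here means the files must not be used.
check_release() {
    dir="${1:-.}"
    if verify_manifest "$RELEASE_MANIFEST" "$dir"; then
        echo "all sums match"
    else
        echo "checksum mismatch: do not use these files" >&2
        return 1
    fi
}

# Only run the check when invoked with an explicit subcommand.
if [ "${1:-}" = "check" ]; then
    check_release "${2:-.}"
fi
```

Run as `sh verify.sh check /path/to/downloads`. Because `verify_manifest` takes the manifest as text, the same function can be reused for a sum list you generate yourself when you rebuild the kernel with buildkernel.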