Gentoo Wiki




Okay, so you have followed the Gentoo Handbook installation guide. Your system is set up, and you have installed Apache or whatever server-type services you were hoping to run. Now what? How do we lock this server down?



It is worth noting that in most cases you have a hardware firewall as your first line of defense. Whether it is a dedicated rack-mounted firewall or just a home router, it definitely plays a role in security. You may have your server in the DMZ, or you may have explicitly forwarded certain ports to this box. Either way, this must be step one.

Dead Man Zone or DeMilitarized Zone -- In terms of a home network with one router, the DMZ can be seen as the default recipient of all traffic on ports not otherwise routed to a given machine. This is a very basic, and not entirely accurate, description of a DMZ. For more information, see wikipedia:Demilitarized zone (computing).



Iptables is the name of the tool by which administrators create rules for packet filtering and Network Address Translation (NAT). While technically iptables is merely the tool which controls the packet filtering and NAT components within the kernel, the name iptables is often used to refer to the entire infrastructure, including netfilter, connection tracking and NAT, as well as the tool itself.

First, we will install iptables.

# emerge iptables

Iptables does not just work out of the box: until you load a ruleset, nothing is filtered. See Configuring iptables for configuration.
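As an added example (not from the wiki and not part of the iptables project), the following POSIX shell script builds a minimal default-deny IPv4 ruleset in iptables-restore format for a server that publishes only a few TCP services; the ports 22 (ssh) and 80 (web) are assumptions, so pass the ones your box actually serves.

```shell
#!/bin/sh
# Added example, not from the wiki: build a minimal default-deny IPv4
# ruleset in iptables-restore format. The open ports are an assumption
# (22 for ssh, 80 for a web server); pass the ones your server really needs.

# build_ruleset PORT [PORT...] -> prints the ruleset on stdout
build_ruleset() {
    # Default policy: drop everything inbound and forwarded, allow outbound.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # One explicit ACCEPT per published TCP service; everything else hits
    # the DROP policy, so a service you forgot about is closed, not open.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# rule_count PORT [PORT...] -> number of rules (-A lines) in the ruleset
rule_count() {
    build_ruleset "$@" | grep -c '^-A '
}

# allows_port PORT RULESET -> exit 0 if the ruleset opens TCP PORT
allows_port() {
    printf '%s\n' "$2" | grep -q -- "--dport $1 .*-j ACCEPT"
}

# apply_ruleset PORT [PORT...] -> load the ruleset atomically (run as root).
# Keep a console session open: a mistake here locks you out of ssh.
apply_ruleset() {
    build_ruleset "$@" | iptables-restore
}

# Print the ruleset for inspection; nothing is applied unless you call
# apply_ruleset (or pipe the output into iptables-restore) yourself.
build_ruleset 22 80
```

Review the printed ruleset before applying it; the INPUT policy of DROP means any service not listed explicitly becomes unreachable from the network.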


Like iptables, the name ipsec can be misleading. Ipsec refers more to the kernel and its inner workings than to the tool you, the user, will be manipulating. The two most common tools for ipsec are openswan and strongswan.

What is ipsec? In the most basic terms, ipsec helps to create a VPN. A VPN, or virtual private network, is used to securely connect to your LAN across the WAN. In other words, you can be off-site and still connect to your enterprise domain, or home workgroup, almost as if you were physically plugged into your local network (your home router). This involves creating a tunnel through the internet to connect the two end-points, but that is beyond the scope of this description. Please refer to the HOWTO IPSEC for more detail.


Another useful utility for locking down a system is tripwire. Tripwire is really a forensics utility (but still a handy tool in the arsenal of a security administrator) that generates cryptographic checksums, or hashes, of files on a system, and periodically checks to ensure that they have not changed. In other words, it notifies you if hackers have changed your system files.

You can install tripwire with the following command.

# emerge tripwire

Tripwire also requires some configuration before it provides any level of protection.

Configuring tripwire

A free alternative to tripwire is AIDE (see the howto for AIDE at


It is also worth noting that, if you can avoid it, you should not use the telnet or ftp daemons (whether the ones coupled with inetd/xinetd or otherwise). They are generally insecure, but specifically because they send your username and password in cleartext, where they can easily be sniffed. There are several SFTP servers available, vsftp for example. The same goes for telnet: use ssh instead. OpenSSH should already be on your system. Note: telnet and ftp are both disabled by default already, as are ssh and sftp for that matter.


Some more basic utilities for security are su and sudo. Gentoo comes with su, but you can install sudo with the following command.

# emerge sudo

The main purpose of su and sudo is to keep you, or other users, from logging in as root. The idea is that you log in as your normal everyday user, and if you need to perform an action that requires elevation (as root) then you can either su or sudo to do so. Sudo (or superuser do) allows you to run one command at a time as root; this is generally the preferred method. Su basically transforms your current session into a root session, or more accurately, starts another session logged in as root on top of the current one.

There are a couple of minor actions you need to take before sudo will work. For example, any users that need to be able to use sudo need to belong to the 'wheel' group. For this and other required configuration changes, please refer to Configuring sudo.

This page is far from complete. Please provide feedback on the talk page.

Last modified: Fri, 12 Sep 2008 19:52:00 +0000