mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

entropy #466

Closed piecam closed 9 years ago

piecam commented 9 years ago

Hi Josh,

I just checked out my box with MIAB installed, and it has haveged running. The entropy is constantly pretty high about 3000 above. Here's a snapshot.

```
$ cat /proc/sys/kernel/random/entropy_avail
3162
$ service --status-all
 [ + ]  acpid
 [ - ]  apparmor
 [ ? ]  apport
 [ + ]  atd
 [ + ]  bind9
 [ ? ]  console-setup
 [ + ]  cron
 [ ? ]  cryptdisks
 [ ? ]  cryptdisks-early
 [ - ]  dbus
 [ ? ]  dns-clean
 [ ? ]  ejabberd
 [ - ]  fail2ban
 [ + ]  friendly-recovery
 [ - ]  grub-common
 [ + ]  haveged
 [ ? ]  irqbalance
 [ ? ]  killprocs
 [ ? ]  kmod
 [ ? ]  mailinabox
 [ + ]  memcached
 [ ? ]  networking
 [ + ]  nginx
 [ - ]  nsd
 [ + ]  ntp
 [ ? ]  ondemand
 [ + ]  opendkim
 [ + ]  opendmarc
 [ - ]  php5-fpm
 [ - ]  postfix
 [ - ]  postgrey
 [ ? ]  pppd-dns
 [ - ]  procps
 [ ? ]  prosody
 [ ? ]  rc.local
 [ + ]  resolvconf
 [ ? ]  rng-tools
 [ - ]  rsync
 [ + ]  rsyslog
 [ ? ]  screen-cleanup
 [ ? ]  sendsigs
 [ - ]  spamassassin
 [ - ]  spampd
 [ - ]  ssh
 [ - ]  sudo
 [ - ]  udev
 [ ? ]  umountfs
 [ ? ]  umountnfs.sh
 [ ? ]  umountroot
 [ - ]  unattended-upgrades
 [ - ]  urandom
```

While on the other identical box (both are physical boxes), I also have haveged running. The entropy is always about 1200-1300.

```
cat /proc/sys/kernel/random/entropy_avail
1200
root@UP:~# service --status-all
 [ + ]  acpid
 [ + ]  atd
 [ - ]  bootlogs
 [ - ]  bootmisc.sh
 [ - ]  checkfs.sh
 [ - ]  checkroot-bootclean.sh
 [ - ]  checkroot.sh
 [ + ]  console-setup
 [ + ]  cron
 [ - ]  cryptdisks
 [ - ]  cryptdisks-early
 [ + ]  dbus
 [ + ]  exim4
 [ + ]  haveged
 [ - ]  hostname.sh
 [ - ]  hwclock.sh
 [ + ]  kbd
 [ + ]  keyboard-setup
 [ - ]  killprocs
 [ - ]  kmod
 [ - ]  lvm2
 [ - ]  motd
 [ - ]  mountall-bootclean.sh
 [ - ]  mountall.sh
 [ - ]  mountdevsubfs.sh
 [ - ]  mountkernfs.sh
 [ - ]  mountnfs-bootclean.sh
 [ - ]  mountnfs.sh
 [ + ]  mysql
 [ + ]  networking
 [ + ]  nfs-common
 [ + ]  nginx
 [ + ]  php5-fpm
 [ + ]  procps
 [ + ]  rc.local
 [ - ]  rmnologin
 [ + ]  rpcbind
 [ + ]  rsyslog
 [ - ]  sendsigs
 [ + ]  ssh
 [ + ]  udev
 [ + ]  udev-finish
 [ - ]  umountfs
 [ - ]  umountnfs.sh
 [ - ]  umountroot
 [ + ]  urandom
 [ + ]  varnish
 [ - ]  varnishlog
 [ - ]  varnishncsa
```

I was just wondering whether you have done something special or used some program to have the entropy level constantly at high level, which is a good thing.

Oh, just realized that the one with low entropy is Debian 8 and the one with yours and high entropy is Ubuntu 14.04. Does it make any difference?

Thanks

JoshData commented 9 years ago

I have no idea.

piecam commented 9 years ago

Here it seems what RNG is being used in the box by which program. It looks like all MIAB related programs are using /dev/urandom. In the future, /dev/random might be a consideration if we can guarantee a more stable entropy pool.

Just some thoughts to share. Hope that helps overall security. Thanks

```
root@mx:/boot# lsof /dev/urandom
COMMAND     PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mailinabo  7140    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7140    root   21r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7153    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7153    root    5r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7154    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7155    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7156    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7156    root    5r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7157    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7157    root    5r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7158    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7158    root    5r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7159    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7160    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7161    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7162    root    3r   CHR    1,9      0t0 1055 /dev/urandom
tlsmgr    11893 postfix    8r   CHR    1,9      0t0 1055 /dev/urandom
auth      15041 dovecot    4r   CHR    1,9      0t0 1055 /dev/urandom
root@mx:/boot#
root@mx:/boot#
root@mx:/boot# lsof /dev/random
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
haveged 1400 root    4u   CHR    1,8      0t0 1054 /dev/random
named   3084 bind    9r   CHR    1,8      0t0 1054 /dev/random
```
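The per-device audit in the comment above can be summarised mechanically. The following is an added example, not part of the original post and not Mail-in-a-Box code: it parses `lsof` output like the listing above and groups processes by RNG device and access mode. `SAMPLE_LSOF` is a trimmed excerpt of the posted output, and the function names `rng_consumers` and `feeders` are hypothetical. In the `lsof` FD column, `r` is read access and `u` is read and write access, so haveged's `4u` marks it as a process holding `/dev/random` open for writing as well as reading.

```python
import re
from collections import defaultdict

# Trimmed excerpt of the lsof output posted in the comment above.
SAMPLE_LSOF = """\
COMMAND     PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mailinabo  7140    root    3r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7140    root   21r   CHR    1,9      0t0 1055 /dev/urandom
mailinabo  7153    root    3r   CHR    1,9      0t0 1055 /dev/urandom
tlsmgr    11893 postfix    8r   CHR    1,9      0t0 1055 /dev/urandom
auth      15041 dovecot    4r   CHR    1,9      0t0 1055 /dev/urandom
root@mx:/boot# lsof /dev/random
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
haveged 1400 root    4u   CHR    1,8      0t0 1054 /dev/random
named   3084 bind    9r   CHR    1,8      0t0 1054 /dev/random
"""

RNG_DEVICES = ("/dev/random", "/dev/urandom")
FD_RE = re.compile(r"^\d+([rwu])")  # lsof FD column: descriptor number + access mode


def rng_consumers(lsof_text):
    """Return {device: {command: (sorted PIDs, access modes)}} from lsof output."""
    found = defaultdict(lambda: defaultdict(lambda: {"pids": set(), "modes": set()}))
    for line in lsof_text.splitlines():
        fields = line.split()
        # Data rows have 9 columns ending in the device path; this skips
        # header rows, shell prompts and blank lines.
        if len(fields) != 9 or fields[8] not in RNG_DEVICES:
            continue
        mode = FD_RE.match(fields[3])
        if not (fields[1].isdigit() and mode):
            continue
        entry = found[fields[8]][fields[0]]
        entry["pids"].add(int(fields[1]))
        entry["modes"].add(mode.group(1))
    return {dev: {cmd: (sorted(e["pids"]), "".join(sorted(e["modes"])))
                  for cmd, e in cmds.items()}
            for dev, cmds in found.items()}


def feeders(report):
    """Commands holding an RNG device open for writing (mode 'u' or 'w')."""
    return sorted({cmd for cmds in report.values()
                   for cmd, (_, modes) in cmds.items() if set(modes) & {"u", "w"}})


if __name__ == "__main__":
    report = rng_consumers(SAMPLE_LSOF)
    for dev in RNG_DEVICES:
        for cmd, (pids, modes) in sorted(report.get(dev, {}).items()):
            print(f"{dev:13} {cmd:10} mode={modes} pids={pids}")
    print("open for writing:", feeders(report))
```

On a live host the same function can be fed the combined output of `lsof /dev/random /dev/urandom`.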

JoshData commented 9 years ago

We are supposed to be using /dev/random everywhere, so the uses of /dev/urandom are bugs/limitations.

piecam commented 9 years ago

Hi Josh,

I don't want to confuse you; there are a lot of documents about this "entropy, /dev/random, /dev/urandom, /dev/arandom (OpenBSD)". I myself am a bit confused and still learning.

It seems that a high quality and fast speed entropy is ideal for all we do. Only OpenBSD's /dev/arandom can do it, at software level.

On Linux, /dev/random is high quality but with slow speed, while /dev/urandom is low quality but with fast speed. That's why /random is mostly used when generating keys. /urandom is used by TLS/SSL session keys, to avoid the system hanging due to a low entropy situation in /random while it's depleted and not yet being replenished.

Hope we can all understand it better. Thanks

https://en.wikipedia.org/wiki//dev/random
https://www.calomel.org/entropy_random_number_generators.html

JoshData commented 9 years ago

So.... Is there anything to be changed in MiaB? It sounds like we're in OK shape since /dev/random is what it is.

piecam commented 9 years ago

Hi Josh,

I am not sure it's you with your package or myself, the box has "haveged" installed and it seems the Entropy level is good.

thanks Peng

```
eng@MX:~$ sudo apt-get install haveged
[sudo] password for peng:
Reading package lists... Done
Building dependency tree
Reading state information... Done
haveged is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
```

```
python -c "$(echo -e "import time\nwhile True:\n time.sleep(1)\n print open('/proc/sys/kernel/random/entropy_avail', 'rb').read(),")"
1604
1608
1608
1609
1609
1609
```

On 2015-10-10 12:43, Joshua Tauberer wrote:

So.... Is there anything to be changed in MiaB? It sounds like we're in OK shape since /dev/random is what it is.



dhpiggott commented 9 years ago

MIAB installs haveged at https://github.com/mail-in-a-box/mailinabox/blob/v0.13b/setup/system.sh#L57 and has for as long as I remember.

gitk helped me to determine that it was added in 69f0e1d07a50f030b2120c0318cb6887dffbd0cd and that was merged in 621fcc2233e7380887de03fc2a5c8e1860e7e84b.

JoshData commented 9 years ago

Okey doke. Interesting conversation but nothing actionable, so closing. :)