| 1 |
I definitely agree. |
| 2 |
|
| 3 |
xyon wrote: |
| 4 |
|
| 5 |
>down more tightly. I'd also recommend disabling loadable module support in |
| 6 |
>your kernel ;) |
| 7 |
> |
| 8 |
>Also, didn't that paper on the idle scan mention that more random IPIDs |
| 9 |
>would help prevent idle scans? GrSecurity has just the feature to take |
| 10 |
>care of this. You might want to check into using some of the GRSecurity |
| 11 |
>features in the kernel. :) |
| 12 |
> |
| 13 |
>HTH! |
| 14 |
> |
| 15 |
I decided to make all of my servers on hardened gentoo kernels without |
| 16 |
loadable module support. GRSecurity has a number of great features |
| 17 |
including /proc restrictions, memory randomization, trusted execution, |
| 18 |
and denial of server sockets to users. The trusted execution is a very |
| 19 |
powerful feature. "Untrusted users will not be able to execute any files |
| 20 |
that are not in root-owned directories writable only by root." |
| 21 |
|
| 22 |
Also, I think the Gentoo Infrastructure servers are all hardened boxes. |
| 23 |
|
| 24 |
-- |
| 25 |
Michael Liesenfelt |
| 26 |
University of Florida |
| 27 |
Innovative Nuclear Space Power and Propulsion Institute |
Archives