I definitely agree.

xyon wrote:

>down more tightly. I'd also recommend disabling loadable module support in
>your kernel ;)
>
>Also, didn't that paper on the idle scan mention that more random IPIDs
>would help prevent idle scans? GrSecurity has just the feature to take
>care of this. You might want to check into using some of the GRSecurity
>features in the kernel. :)
>
>HTH!
>
I decided to put all of my servers on hardened Gentoo kernels without
loadable module support. GRSecurity has a number of great features,
including /proc restrictions, memory randomization, trusted execution,
and denial of server sockets to users. Trusted execution is a very
powerful feature: "Untrusted users will not be able to execute any files
that are not in root-owned directories writable only by root."

Also, I think the Gentoo Infrastructure servers are all hardened boxes.

--
Michael Liesenfelt
University of Florida
Innovative Nuclear Space Power and Propulsion Institute
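The trusted-execution rule quoted in the post ("root-owned directories writable only by root") is easy to audit ahead of time: before turning the option on, an admin wants to know which directories on a user's PATH would still be allowed and which would be refused. The script below is an added illustration, not code from the post or from grsecurity; it models only the directory condition quoted above, and the `SAMPLE_DIRS` owner/mode pairs are constructed, not taken from any real host.

```python
import os
import stat

# Added example, not from the original post or from grsecurity itself.
# It models the trusted-path-execution rule quoted in the post: an untrusted
# user may execute a file only if the file's directory is owned by root and
# carries no group- or world-write bit.

ROOT_UID = 0
OTHER_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def directory_is_trusted(dir_uid: int, dir_mode: int) -> bool:
    """Apply the TPE directory rule to a (uid, permission-bits) pair from stat."""
    return dir_uid == ROOT_UID and not (dir_mode & OTHER_WRITE_BITS)


def classify_path(path: str) -> bool:
    """Evaluate the rule against a real directory on this host (hypothetical helper)."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    return directory_is_trusted(st.st_uid, stat.S_IMODE(st.st_mode))


def audit_search_path(path_env: str) -> dict:
    """Map every entry of a PATH-style string to True/False; unreadable or missing entries map to None."""
    verdicts = {}
    for d in path_env.split(os.pathsep):
        if not d:
            continue
        try:
            verdicts[d] = classify_path(d)
        except (FileNotFoundError, NotADirectoryError, PermissionError):
            verdicts[d] = None
    return verdicts


# Constructed sample: (uid, mode) pairs as stat(2) would report them.
SAMPLE_DIRS = {
    "/usr/bin":        (0,    0o755),   # root, rwxr-xr-x            -> trusted
    "/tmp":            (0,    0o1777),  # root, sticky + world-write -> untrusted
    "/home/alice/bin": (1000, 0o755),   # not root-owned             -> untrusted
    "/opt/shared":     (0,    0o775),   # root, but group-writable   -> untrusted
}


def evaluate_samples() -> dict:
    """Run the rule over the constructed sample directories."""
    return {p: directory_is_trusted(uid, mode) for p, (uid, mode) in SAMPLE_DIRS.items()}


if __name__ == "__main__":
    print("constructed samples:")
    for p, ok in evaluate_samples().items():
        print(f"  {p:18} {'trusted' if ok else 'untrusted'}")
    print("this host's PATH:")
    for p, ok in audit_search_path(os.environ.get("PATH", "")).items():
        label = "missing" if ok is None else ("trusted" if ok else "untrusted")
        print(f"  {p:18} {label}")
```

The sticky bit on /tmp does not rescue it: the rule looks only at the write bits for group and other, so a world-writable directory is untrusted however it is flagged. The real kernel option also decides which users count as untrusted (for example by group membership) and has further modes; only the directory test itself is modeled here.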