Bill Wohler: Linux security tips
In a recent Usenix ;login: magazine, an article on security noted the
following configurations for Linux. I noticed that most are already
in place in my 2.0.33 kernel (I haven't upgraded to hamm yet), but
I couldn't find mention of the last one (CONFIG_SECURE_STACK)
anywhere. Has this already been folded into the kernel? If not,
perhaps it should be considered.
------- Forwarded Message
Subject: Linux security tips
From: Bill Wohler <firstname.lastname@example.org>
Date: Tue, 02 Jun 1998 07:57:36 -0700
To prevent Linux from forwarding any packets, recompile the kernel
with the option CONFIG_IP_FORWARD off.

To prevent forwarding any source-routed packets or accepting any
source routed packets destined for itself, use CONFIG_IP_NOSR on.

To defend against SYN flooding, use CONFIG_SYN_COOKIES or

To prevent responding to pings altogether, use

If firewall, use CONFIG_IP_ALWAYS_DEFRAG on to protect machines
behind it from IP fragmentation attacks.

To mark the stack as nonexecutable apply patch at
www.false.com/security/linux/secure-linux.tar.gz and use
Bill Wohler <email@example.com>
Say it with MIME. Maintainer of comp.mail.mh and news.software.nn FAQs.
If you're passed on the right, you're in the wrong lane.
------- End of Forwarded Message
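
Added example (not part of the forwarded message or of any kernel tooling): a shell audit of a kernel .config against the options the message names in full; the options whose names are cut off above are not checked. The function names, the host/firewall profiles, and the choice to skip the CONFIG_IP_FORWARD check for a firewall are assumptions of this example.

```shell
#!/bin/sh
# Audit a kernel .config against the options named in the forwarded message.
# A .config records an enabled bool as "CONFIG_X=y" and a disabled one as
# "# CONFIG_X is not set"; an option the tree does not know is simply absent.

# state_of FILE OPTION -> prints "on", "off" or "absent"
state_of() {
    if grep -q "^$2=y\$" "$1"; then
        echo on
    elif grep -q "^# $2 is not set\$" "$1"; then
        echo off
    else
        echo absent
    fi
}

# audit_config FILE [host|firewall] -> one line per option; the return
# status is the number of options that do not match the message's advice.
audit_config() {
    cfg=$1
    profile=${2:-host}
    wants="CONFIG_IP_NOSR:on CONFIG_SYN_COOKIES:on CONFIG_SECURE_STACK:on"
    if [ "$profile" = firewall ]; then
        # Assumption: a packet-forwarding firewall keeps forwarding enabled,
        # so only the defragmentation option is added for this profile.
        wants="$wants CONFIG_IP_ALWAYS_DEFRAG:on"
    else
        wants="CONFIG_IP_FORWARD:off $wants"
    fi
    bad=0
    for want in $wants; do
        opt=${want%%:*}
        exp=${want##*:}
        got=$(state_of "$cfg" "$opt")
        # Absent means the code is not compiled in, so treat it as off.
        # For CONFIG_SECURE_STACK it also means the patch was never applied.
        if [ "$got" = absent ]; then eff=off; else eff=$got; fi
        if [ "$eff" = "$exp" ]; then
            echo "ok    $opt ($got)"
        else
            echo "FAIL  $opt: want $exp, found $got"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run it as `audit_config /usr/src/linux/.config` (path is an example) before rebuilding; a non-zero status is the count of options still to change.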