
Re: down to the core



On 28 Jul 2004, michael@etalon.net wrote:

[...]

> As the others have mentioned, there isn't too much you can add to get your
> kernel more secure. I wonder if taking out the things you'll never use will 
> help with security, but that might be over paranoid?

It will, since there are occasional kernel bugs in drivers that are
locally exploitable to give enhanced privileges. Not having those
drivers compiled in, obviously enough, means that you are not subject to
that issue.

One thing which will *not* enhance security, but is often claimed to do
so, is disabling kernel modules.  Even if you don't use them, an
attacker with root privileges can still insert code into the running
kernel successfully, with the same result as loading a kernel module.

> There are some other patches that you may consider. For example, the mppe
> patch. Debian has a .deb for this patch when you build your own kernel 
> with "kernel-package".
>
> This will give you VPN encryption for pptp-client or pptpd-server on your 
> firewall. Your network may not ever use VPN but it's something to check out if
> VPN is an option for you.
>
> Note: There are other VPN packages out there that don't need the mppe patch,
> but pptp lets you communicate with M.Soft servers too.

PPtP, and MPPE, are grossly insecure. Flaws in the protocol design mean
that it is a trivial matter to violate the security of the "VPN".

I would certainly recommend very strongly against using either of those
technologies in a security critical environment. They provide an
illusion of safety, but no actual protection against attack.

Regards,
        Daniel
-- 
Make friends with the dark, the fear, make love to loneliness. Her eyes are
clear and bright, missing nothing. Not there but nothing missing. Amazing what
you can live through if you just keep breathing, ride it.
        -- RageBoy (AKA Christopher Locke), _EGR 'Criminal'_
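
Added example, not part of the original message: one way to find driver options worth dropping from a custom kernel build, by comparing the options built as modules against what the running system has loaded. The config, Makefile fragment and /proc/modules line are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not taken from the original message).
SAMPLE_CONFIG = """\
CONFIG_MODULES=y
CONFIG_EXT3_FS=y
CONFIG_E1000=m
CONFIG_USB_STORAGE=m
CONFIG_PPP_MPPE=m
# CONFIG_BT is not set
"""
SAMPLE_KBUILD = """\
obj-$(CONFIG_E1000) += e1000.o
obj-$(CONFIG_USB_STORAGE) += usb-storage.o
obj-$(CONFIG_PPP_MPPE) += ppp_mppe.o
"""
SAMPLE_PROC_MODULES = "e1000 84868 0 - Live 0xf8a2c000\n"

def parse_config(text):
    """Return {symbol: 'y' or 'm'} for every enabled tristate option."""
    return dict(re.findall(r"^(CONFIG_\w+)=([ym])$", text, re.M))

def parse_kbuild(text):
    """Map CONFIG symbol -> module names from 'obj-$(CONFIG_X) += a.o' lines."""
    objs = {}
    for sym, rhs in re.findall(r"^obj-\$\((CONFIG_\w+)\)\s*\+=\s*(.+)$", text, re.M):
        # /proc/modules reports names with '_' where the object file has '-'.
        names = [o[:-2].replace("-", "_") for o in rhs.split() if o.endswith(".o")]
        objs.setdefault(sym, []).extend(names)
    return objs

def loaded_modules(proc_modules):
    """First column of /proc/modules is the module name."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}

def unused_module_options(config, kbuild, loaded):
    """=m options with no module currently loaded: candidates to turn off.
    Not loaded now is not proof of never needed (hotplug, rare hardware),
    and =y drivers never appear in /proc/modules, so review those by hand."""
    return sorted(sym for sym, state in config.items()
                  if state == "m" and kbuild.get(sym)
                  and not any(m in loaded for m in kbuild[sym]))

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    unused = unused_module_options(cfg, parse_kbuild(SAMPLE_KBUILD),
                                   loaded_modules(SAMPLE_PROC_MODULES))
    print("modular options with nothing loaded:", unused)
    print("built-in options to review by hand:",
          sorted(s for s, v in cfg.items() if v == "y"))
```

On a real system the inputs would be the kernel's own .config, the Makefiles in its source tree and the contents of /proc/modules.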


