[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: My own Firewall ??

> When you say you tried it, how did you test?

I probably made a premature comment.  Nessus probings, for example, were
ok for me before trying this kernel.  Maybe other friends with more
experience can say something.  What specific tests are you referring to?

> Can you identify any specific, real world situation where it has helped?
> Has it caused problems with any software, or people, or whatever?

I just have a small personal debian server running a web and mail servers.
 Most of the hacking attempts are directed to those.  However, apache has
many security options (suphp, modsecurity, etc) and is chrooted. I don't
think the kernel had a lot to do with this. Apparently, it protects kernel
memory, stack overflows and /proc (see below for what is added to this
kernel).  Other software programs installed appear to be OK.  Of course,
this kernel-image disables any X servers and programs related to it. 
There is a kernel source if you need to compile it.  I cannot really say
it would or would not cause problems to some people. It did not cause any
for me. But again, I just run a small box.

> This isn't a question aimed at making problems for you, or insulting the
> people who are, no doubt, working very hard on the hardening project.

I think is great we have brothers and sisters interested on these things...

> I really want to know, because I don't have time (currently) to test it
> myself, but would happily deploy it to client sites if I could be sure
> it would actually achieve anything to improve matters.


Hardened Debian kernel sources information.

Maintainer: Lorenzo Hernández García-Hierro

	- grSecurity 2.0.1
	- CAN-2004-0109 fix.
	- CAN-2004-0596 fix.
	- TCP-stealth for 2.6.7.
	- Net-dev-random for 2.6.7.
	- Net-dev-random-drivers for 2.6.7.
	- SELinux PaX hooks for 2.6.7.
	- SELinux ipaddr patch.
	- grSecurity doesn't depend on PaX at all and viceversa.
	- SELinux updated headers.
	- Added extra security options to SELinux.
	- Openswan 2.3.0dr2 (improved IPSec stack).
	- Fortuna CSRNG.
	- BINFMT_ELF Loader Local Privilege Escalation Vulnerabilities.

> Also, I recall some months ago that some Debian hardening toolkit had
> made a miserable mess of the systems of a couple of people on the Debian
> lists, by going in and screwing around with various configuration files
> for them.
> IIRC, it was some sort of "education about security" package;  is this
> the same project, or am I thinking of something else?

If you are referring to bastille, I think is a good program.  Never had
any problems with it.  Just a little thing here and there, like creating
some sort of directory it needed and the like.  I believe some of the
options need to be carefully considered.

-JM. ?Estos días azules y este sol de la infancia ?(Antonio Machado-1939)

Reply to: