
Re: Strongest linux



On Tue, Jul 01, 2003 at 02:36:37PM +0200, Javier Castillo Alcibar wrote:
> Hi all,
> 
> I want to setup a new linux server in internet (apache, php, postfix,
> mysql, dns...), and I would like to patch the standard kernel with some
> security patches..... but my question is, what patches are the best??

 I run a mail server on my desktop machine at home, and also SSH and DNS.  I
just compiled and installed 2.4.21 with Con Kolivas's patches, which
include some desktop tuning (preemptible kernel, low latency stuff, O(1)
scheduler, ...), and grsecurity.  I love it, because it's a bunch of good
stuff all in one patch that applies cleanly.  I turned on the address space
(stack and mmap) randomization stuff, and some of the extra network
randomness (e.g. TCP ISN) stuff.  Con had -ck1 ready a day or two after
2.4.21 was released, so I guess he's pretty good about not getting behind.
http://members.optusnet.com.au/ckolivas/kernel/. 

 Make sure you read the online help in the kernel config for grsecurity.
Some of the options can break user-space software.

 BTW, in the subject of your message, you asked for the "strongest", but in
the body you asked for the "best".  IMHO best means good security for the
amount of effort it takes to set up, plus stable, reliable, well documented,
etc.  Some of the other options probably meet those criteria, but I wouldn't
know, not having looked at them.  All I can do is say that I'm happy with
the grsec stuff so far.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug.n , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC


