On Thu, Jul 21, 2005 at 08:17:38PM +0200, Karsten Dambekalns wrote:
> Now, I find it unlikely to see the same local root exploit in 2.4.18 and
> 2.6.7.

They are both old kernels, compile your own and apply suitable patches.
Grsecurity is one, and it doesn't need any particular configuration.

> Are pwgen-passwords with 8 chars, containing upper/lower case and numbers
> really that insecure?

Good initial passwords don't really protect anything if the users are able
to change the password into a really crappy one. Consider using
libpam-passwdqc.

> What should I do to prevent such things in the future?

. Remove anything you don't need
. Use iptables to block everything, and allow only what's needed
. Better passwords
. Set Allow{Users,Groups} for ssh
. Use current kernels, don't use 2.6 unless you have to. Even if it's
  considered stable, new versions keep popping up with big patches
. Have strict mount options; /home mounted with nosuid,nodev,noexec works
  well (unless your users are developers)
. Go read the Securing Debian Manual
  (http://www.debian.org/doc/manuals/securing-debian-howto/)

/Thomas
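The checklist in Thomas's reply can be turned into a quick audit. What follows is an added example, not code from the message or from Debian: it checks constructed sample copies of /etc/fstab, sshd_config and the PAM common-password stack for the nosuid,nodev,noexec mount options on /home, an AllowUsers/AllowGroups restriction in sshd, and pam_passwdqc in the password stack, and it prints (rather than applies) a default-deny iptables rule set so it runs without root. The file contents, the function names, and the admin network 192.0.2.0/24 are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original message: audit constructed sample
# config files for three of the recommendations in the reply and print (not
# apply) a default-deny iptables rule set. Paths, sample contents and names
# are assumptions.

# 1. Does /home in this fstab carry nosuid, nodev and noexec?
#    fstab fields: device mountpoint fstype options dump pass
check_home_mount_opts() {
    opts=$(awk '$1 !~ /^#/ && $2 == "/home" { print $4 }' "$1")
    [ -n "$opts" ] || return 1
    for want in nosuid nodev noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# 2. Is sshd restricted to an explicit AllowUsers or AllowGroups list?
#    A commented-out directive does not count.
check_sshd_allowlist() {
    grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]+[^[:space:]]' "$1"
}

# 3. Does the PAM password stack call pam_passwdqc.so?
check_pam_passwdqc() {
    grep -Eq '^[[:space:]]*password[[:space:]]+.*pam_passwdqc\.so' "$1"
}

# Run the three checks; the return value is the number of failed checks.
audit_host() {
    fails=0
    if check_home_mount_opts "$1"; then echo "ok   /home is nosuid,nodev,noexec"
    else echo "FAIL /home lacks nosuid,nodev,noexec"; fails=$((fails + 1)); fi
    if check_sshd_allowlist "$2"; then echo "ok   sshd has AllowUsers/AllowGroups"
    else echo "FAIL sshd accepts any account"; fails=$((fails + 1)); fi
    if check_pam_passwdqc "$3"; then echo "ok   pam_passwdqc enforces password quality"
    else echo "FAIL no pam_passwdqc in password stack"; fails=$((fails + 1)); fi
    return "$fails"
}

# Default-deny firewall as the reply suggests: drop everything inbound, allow
# loopback, replies to our own connections, and ssh from an admin network
# (192.0.2.0/24 is an assumption). Printed, not executed, so no root needed.
iptables_default_deny() {
    admin_net="${1:-192.0.2.0/24}"
    printf '%s\n' \
        'iptables -P INPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -P OUTPUT ACCEPT' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "iptables -A INPUT -p tcp -s $admin_net --dport 22 -m state --state NEW -j ACCEPT"
}

# Constructed sample files: one hardened set and one weak set.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/fstab.good" <<'EOF'
# constructed /etc/fstab
/dev/sda1  /      ext3  defaults,errors=remount-ro      0 1
/dev/sda2  /home  ext3  defaults,nosuid,nodev,noexec    0 2
EOF
cat > "$SAMPLES/fstab.bad" <<'EOF'
/dev/sda1  /      ext3  defaults,errors=remount-ro      0 1
/dev/sda2  /home  ext3  defaults                        0 2
EOF
cat > "$SAMPLES/sshd_config.good" <<'EOF'
PermitRootLogin no
AllowUsers karsten thomas
EOF
cat > "$SAMPLES/sshd_config.bad" <<'EOF'
PermitRootLogin no
#AllowUsers karsten thomas
EOF
cat > "$SAMPLES/common-password.good" <<'EOF'
password required pam_passwdqc.so min=disabled,24,11,8,7 max=40
password required pam_unix.so use_authtok md5
EOF
cat > "$SAMPLES/common-password.bad" <<'EOF'
password required pam_unix.so nullok obscure md5
EOF

echo "== hardened host =="
audit_host "$SAMPLES/fstab.good" "$SAMPLES/sshd_config.good" "$SAMPLES/common-password.good"
echo "== weak host =="
audit_host "$SAMPLES/fstab.bad" "$SAMPLES/sshd_config.bad" "$SAMPLES/common-password.bad"
echo "weak host failed $? checks"
echo "== firewall rules to apply =="
iptables_default_deny
```

Point the three check functions at the real /etc/fstab, /etc/ssh/sshd_config and /etc/pam.d/common-password to audit a live host; the pam_unix line must carry use_authtok so the password accepted by pam_passwdqc is the one that gets stored.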