On Thu, Jul 21, 2005 at 08:17:38PM +0200, Karsten Dambekalns wrote:
> Now, I find it unlikely to see the same local root exploit in 2.4.18 and
> 2.6.7.
They are both old kernels, compile your own and apply suitable patches.
Grsecurity is one, and it doesn't need any particular configuration.
> Are pwgen-passwords with 8 chars, containing upper/lower case and numbers
> really that insecure?
Good initial passwords don't really protect anything if the user is
able to change the password into a really crappy one. Consider using libpam-passwdqc.
> What should I do to prevent such things in the future?
. Remove anything you dont need
. Use iptables to block everything, and allow only what's needed
. Better passwords
. Set Allow{Users,Groups} for ssh
. Use current kernels, don't use 2.6 unless you have to. Even if it's
considered stable, new versions keep popping up with big patches
. Have strict mount options;
/home mounted with nosuid,nodev,noexec works well (unless your users are
developers)
. Go read the Securing Debian Manual (http://www.debian.org/doc/manuals/securing-debian-howto/)
/Thomas
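The checklist in the reply above, turned into something you can run. This is an added example, not code from Thomas's mail or from the Securing Debian Manual: it audits an fstab for the nosuid,nodev,noexec options on /home, checks that sshd_config has a live AllowUsers/AllowGroups line, and prints an iptables-restore ruleset that drops everything inbound except loopback, established traffic and the TCP ports you name. File paths are passed as arguments; the sample fstab and sshd_config written by demo() are constructed for this example, and the port list (22 for ssh) is an assumption.

```shell
#!/bin/sh
# Added example: audit a host against the hardening list above.
# Paths are arguments so it can be run against copies of the real files.

# Print the mount options (4th fstab field) for the given mount point,
# skipping comment lines; prints nothing if the mount point is absent.
fstab_opts() {
    # $1 = fstab path, $2 = mount point
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1"
}

# Return 0 if the mount point carries all of nosuid, nodev and noexec,
# 1 otherwise; each missing option is reported on its own line.
check_home_mount() {
    opts=$(fstab_opts "$1" "$2")
    rc=0
    for want in nosuid nodev noexec; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "$2: missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if sshd_config has an uncommented AllowUsers or AllowGroups
# line with at least one value (sshd keywords are case-insensitive),
# 1 otherwise. A commented-out "#AllowUsers ..." does not count.
check_sshd_allow() {
    grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]+[^[:space:]]' "$1"
}

# Print an iptables-restore ruleset: INPUT defaults to DROP, loopback and
# established/related traffic are accepted, plus new TCP connections to
# the listed ports. Apply as root with: gen_iptables 22 | iptables-restore
gen_iptables() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Run the checks against constructed sample files (not from any real host).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample fstab' \
        '/dev/sda1 / ext3 defaults,errors=remount-ro 0 1' \
        '/dev/sda2 /home ext3 defaults 0 2' > "$d/fstab"
    printf '%s\n' '# constructed sample sshd_config' \
        'PermitRootLogin no' '#AllowUsers admin' > "$d/sshd_config"
    check_home_mount "$d/fstab" /home \
        || echo "fix: add nosuid,nodev,noexec to /home in fstab"
    check_sshd_allow "$d/sshd_config" \
        || echo "fix: set AllowUsers or AllowGroups in sshd_config"
    gen_iptables 22
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see both checks fail on the weak sample configs and the generated ruleset; point the functions at `/etc/fstab` and `/etc/ssh/sshd_config` for a real audit. The noexec caveat from the mail still applies: a /home mounted noexec breaks users who build and run their own binaries.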