Bill Wohler: Linux security tips
In a recent Usenix ;login: magazine, an article on security noted the
following configurations for Linux. I noticed that most are already
in place in my 2.0.33 kernel (I haven't upgraded to hamm yet, but
soon!).
I couldn't find mention of the last one (CONFIG_SECURE_STACK)
anywhere. Has this already been folded into the kernel? If not,
perhaps it should be considered.
------- Forwarded Message
To: wohler@gbr.newt.com
Subject: Linux security tips
From: Bill Wohler <wohler@newt.com>
Date: Tue, 02 Jun 1998 07:57:36 -0700
To prevent Linux from forwarding any packets, recompile the kernel
with the option CONFIG_IP_FORWARD off.
To prevent forwarding any source-routed packets or accepting any
source-routed packets destined for itself, use CONFIG_IP_NOSR on.
To defend against SYN flooding, use CONFIG_SYN_COOKIES or
CONFIG_RST_COOKIES on.
To prevent responding to pings altogether, use
CONFIG_IP_IGNORE_ECHO_REQUESTS on.
If it is a firewall, use CONFIG_IP_ALWAYS_DEFRAG on to protect machines
behind it from IP fragmentation attacks.
To mark the stack as nonexecutable, apply the patch at
www.false.com/security/linux/secure-linux.tar.gz and use
CONFIG_SECURE_STACK on.
Bill Wohler <wohler@newt.com>
Say it with MIME. Maintainer of comp.mail.mh and news.software.nn FAQs.
If you're passed on the right, you're in the wrong lane.
------- End of Forwarded Message
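An added example, not part of the original post or the forwarded message: a small POSIX shell audit that reads a kernel `.config` and reports, for each option the message names, whether it is set the recommended way, set the wrong way, or absent altogether (as CONFIG_SECURE_STACK will be on any kernel without the out-of-tree patch). It goes one step beyond the text by also checking the runtime sysctl knobs that replaced four of these compile-time options on later kernels (`net.ipv4.ip_forward`, `net.ipv4.conf.all.accept_source_route`, `net.ipv4.tcp_syncookies`, `net.ipv4.icmp_echo_ignore_all`); the `.config` fragment and the fake `/proc/sys` tree at the bottom are constructed sample input, and the file and directory arguments are assumptions so the script can be pointed at real paths.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kernel .config for the
# options listed in the forwarded message, and check the runtime sysctl
# knobs that replaced most of them on later kernels.
# Assumes a .config-style file (CONFIG_FOO=y / "# CONFIG_FOO is not set")
# and a /proc/sys-style directory tree; both arguments can point at test copies.
set -e

# Option=value pairs the message recommends. CONFIG_SECURE_STACK came from an
# out-of-tree patch, so a stock .config is expected to report it ABSENT.
WANTED="CONFIG_IP_FORWARD=n
CONFIG_IP_NOSR=y
CONFIG_SYN_COOKIES=y
CONFIG_RST_COOKIES=y
CONFIG_IP_IGNORE_ECHO_REQUESTS=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_SECURE_STACK=y"

# Runtime equivalents on 2.2+ kernels: sysctl key=secure value. The other three
# options have no sysctl counterpart (RST cookies were dropped, always-defrag
# moved into connection tracking, a non-executable stack is a CPU/kernel
# feature rather than a toggle).
SYSCTLS="net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_all=1"

# kconfig_value FILE OPTION -> y, m, n (explicit "is not set") or unset
kconfig_value() {
    file=$1; opt=$2
    line=$(grep -E "^(${opt}=|# ${opt} is not set)" "$file" | head -n 1)
    case $line in
        "# ${opt} is not set") echo n ;;
        "${opt}="*)            echo "${line#*=}" ;;
        *)                     echo unset ;;
    esac
}

# sysctl_value BASE KEY -> contents of BASE/net/ipv4/..., or unset if missing
sysctl_value() {
    base=$1; path=$(echo "$2" | tr . /)
    if [ -r "$base/$path" ]; then cat "$base/$path"; else echo unset; fi
}

# classify HAVE WANT -> OK, ABSENT or MISMATCH
classify() {
    if [ "$1" = "$2" ]; then echo OK
    elif [ "$1" = unset ]; then echo ABSENT
    else echo MISMATCH; fi
}

# audit CONFIG_FILE SYSCTL_BASE -> one report line per item, then "problems: N"
audit() {
    cfg=$1; base=$2; problems=0
    for entry in $WANTED; do
        opt=${entry%%=*}; want=${entry#*=}
        have=$(kconfig_value "$cfg" "$opt")
        status=$(classify "$have" "$want")
        [ "$status" = OK ] || problems=$((problems + 1))
        printf '%-38s want=%s have=%-5s %s\n' "$opt" "$want" "$have" "$status"
    done
    for entry in $SYSCTLS; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(sysctl_value "$base" "$key")
        status=$(classify "$have" "$want")
        [ "$status" = OK ] || problems=$((problems + 1))
        printf '%-38s want=%s have=%-5s %s\n' "$key" "$want" "$have" "$status"
    done
    echo "problems: $problems"
}

# Constructed sample input: a .config fragment (forwarding on, SYN cookies
# off, no secure-stack patch) and a fake /proc/sys tree with echo-ignore absent.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/config" <<'EOF'
CONFIG_IP_FORWARD=y
CONFIG_IP_NOSR=y
# CONFIG_SYN_COOKIES is not set
CONFIG_RST_COOKIES=y
CONFIG_IP_IGNORE_ECHO_REQUESTS=y
CONFIG_IP_ALWAYS_DEFRAG=y
EOF
mkdir -p "$TMP/sys/net/ipv4/conf/all"
echo 1 > "$TMP/sys/net/ipv4/ip_forward"
echo 0 > "$TMP/sys/net/ipv4/conf/all/accept_source_route"
echo 1 > "$TMP/sys/net/ipv4/tcp_syncookies"

audit "$TMP/config" "$TMP/sys"
# On a real host: audit /boot/config-$(uname -r) /proc/sys
```

Against the constructed input the report ends with `problems: 5`: forwarding is on at both compile time and run time, SYN cookies are off, CONFIG_SECURE_STACK is absent, and the echo-ignore sysctl is missing from the fake tree. An `ABSENT` result on a real kernel means the option simply does not exist in that version, which is worth knowing before concluding a machine is hardened.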
--
Unsubscribe? mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null