Use grsecurity on critical machines!
Posted Dec 12, 2003 14:58 UTC (Fri) by emk
Parent article: Lessons from the Debian compromise
The grsecurity patch to the Linux kernel does two highly useful things:
1) It breaks most exploits by heavily randomizing memory layouts, PIDs, and anything else it can find to randomize. It also makes quite a few things non-executable, even on Intel architectures.
2) It optionally allows you to set up advanced role-based ACLs, which allow you to ruthlessly strip privileges away from various processes on your server. In particular, you can drop unneeded capabilities from root processes, prevent fork/exec of all but a specified list of executables, and hide all but a tiny part of the filesystem.
If you use grsecurity in addition to your regular system hardening, you can make life very difficult for the crackers.
to post comments)