Kernel and /tmp folder hardening?

dec

Hi,

Does anybody know where to get a howto for this..?

---> Kernel and /tmp folder hardening

Regards,

Dec
 
They are 2 separate things.... try Google.... but 3 things -

1) Both are things you should be careful with and sometimes can cause problems (but doesn't this go for anything?!?)

2) I don't advise resizing / removing / changing FS or anything else on an active partition.

3) Always leave a kernel you know works on there.... and leave it in the bootloader of course - if a new kernel fails and you don't have another you have problems ahead of you.

Chris
 
Hi Chris,

Do you think it is good enough to keep the kernel updated?

I am aware of the risk that comes with tweaking the kernel... It's just that I checked a couple of companies that offer server management services, and on their list of things they will do on your server, they usually include something like:

/tmp hardening, kernel optimization, etc...

I wonder what everybody thinks about these steps of security..

Dec
 
dec said:
Do you think it is good enough to keep the kernel updated?

I am aware of the risk that comes with tweaking the kernel... It's just that I checked a couple of companies that offer server management services, and on their list of things they will do on your server, they usually include something like:

/tmp hardening, kernel optimization, etc...

I wonder what everybody thinks about these steps of security..

/tmp hardening would cover having tmp mounted with noexec in most cases.

kernel optimization - you would have to check with them... it will vary between providers - some will offer upgrades only, others just have it so you only have the modules you need, others will go into basic grsecurity patched kernels and others will go into advanced configurations of a patch such as grsec also... although it's very likely you won't get that service from a <$200USD month management provider (management only that is).

Generally keeping the kernel updated is fine.

dec said:
I wonder what everybody thinks about these steps of security..

On all of our own servers we have /tmp mounted with noexec, I'm sure every security guide in the checklist (link in sig) and numerous permission changes on compilers / other binaries etc, also root access is limited to only 2 IP addresses....

On managed servers we provide the security is virtually identical to above, the majority of work done before anyone besides us has access to the system to ensure any problems that do/may occur are while it's in our hands and while only our own data is there.

With management packages, security is again, virtually the same - differences being we will not touch partitioning with active partitions (as mentioned in previous post) the reason behind this, is basically the possibility that data gets corrupted during the process.

Chris
 
Interesting!!!

Fedora boxes come with /tmp folder already secured?

My fstab shows /tmp with:

noexec, nosuid and on its own partition!! :D

B E A utiful...

Dec
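
Added example (not part of the original thread or any poster's own script): a shell check for the fstab state described in the post above, /tmp on its own mount with noexec and nosuid. The function name check_tmp_mount and the sample fstab entries are constructed for illustration.

```shell
#!/bin/sh
# Audit fstab-format input for the /tmp hardening discussed in this thread.
# Reads the file named in $1, or stdin when no argument is given.
# Returns 0 = hardened, 1 = option(s) missing, 2 = /tmp is not a separate mount.
check_tmp_mount() {
    awk -v want="noexec nosuid" '
        $1 ~ /^#/ || NF < 4 { next }        # skip comments and short lines
        $2 == "/tmp" {
            found = 1
            split("", have); missing = ""   # a later /tmp entry overrides an earlier one
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            m = split(want, need, " ")
            for (i = 1; i <= m; i++)
                if (!(need[i] in have)) missing = missing " " need[i]
        }
        END {
            if (!found)        { print "/tmp: not a separate mount"; exit 2 }
            if (missing != "") { print "/tmp: missing" missing; exit 1 }
            print "/tmp: ok"
        }
    ' "${1:--}"
}

# Constructed sample fstab entries (not taken from the thread).
sample_hardened='LABEL=/     /     ext3  defaults                1 1
LABEL=/tmp  /tmp  ext3  defaults,noexec,nosuid  1 2'
sample_weak='LABEL=/     /     ext3  defaults         1 1
LABEL=/tmp  /tmp  ext3  defaults,nosuid  1 2'

for s in "$sample_hardened" "$sample_weak"; do
    printf '%s\n' "$s" | check_tmp_mount || echo "  (exit status $?)"
done
```

Run it as `check_tmp_mount /etc/fstab` for the configured state, or `check_tmp_mount /proc/mounts` for what is actually mounted right now; the two can differ if /tmp was remounted by hand.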
 
ProWebUK said:
..... also root access is limited to only 2 IP addresses....
Chris

How did you set root access to only 2 IPs - I've set up root to be only accessible from a particular user but I've not heard of focusing it on a specific IP address.

Thanks

Jon
 
ProWebUK said:
Firewall / iptables

Chris

Ok. I have this set up similarly with my firewall scripts but as I am the only one with shell access enabled the only issue I have to worry about is IP addresses that I log in from. (2)

I don't have root access enabled as it is a security no-no, but I was interested to see if iptables could differentiate from non-root / root attempts.

Jon
 
jjma said:
I don't have root access enabled as it is a security no-no, but I was interested to see if iptables could differentiate from non-root / root attempts.

I can't see how iptables would do that... if you want something like that the only software going to help you is ssh itself.

Chris
 