Kernel and /tmp folder hardening?



dec
05-16-2004, 02:26 PM
Hi,

Does anybody know where to get a howto for this..?

---> Kernel and /tmp folder hardening

Regards,

Dec

ProWebUK
05-16-2004, 03:36 PM
They are 2 separate things.... try Google.... but 3 things -

1) Both are things you should be careful with and sometimes can cause problems (but doesn't this go for anything?!?)

2) I don't advise resizing / removing / changing FS or anything else on an active partition.

3) Always leave a kernel you know works on there.... and leave it in the bootloader of course - if a new kernel fails and you don't have another you have problems ahead of you.

Chris

dec
05-16-2004, 04:39 PM
Hi Chris,

Do you think it is good enough to keep the kernel updated?

I am aware of the risk that comes with tweaking the kernel... It's just that I checked a couple of companies that offer server management services, and on their list of things they will do on your server, they usually include something like:

/tmp hardening, kernel optimization, etc...

I wonder what everybody thinks about these steps of security..

Dec

ProWebUK
05-16-2004, 06:38 PM
Originally posted by dec
Do you think it is good enough to keep the kernel updated?

I am aware of the risk that comes with tweaking the kernel... It's just that I checked a couple of companies that offer server management services, and on their list of things they will do on your server, they usually include something like:

/tmp hardening, kernel optimization, etc...

I wonder what everybody thinks about these steps of security..

/tmp hardening would cover having tmp mounted with noexec in most cases.

kernel optimization - you would have to check with them... it will vary between providers - some will offer upgrades only, others just have it so you only have the modules you need, others will go into basic grsecurity patched kernels and others will go into advanced configurations of a patch such as grsec also... although it's very likely you won't get that service from a <$200USD month management provider (management only that is).

Generally keeping the kernel updated is fine.


Originally posted by dec
I wonder what everybody thinks about these steps of security..

On all of our own servers we have /tmp mounted with noexec, I'm sure every security guide in the checklist (link in sig) and numerous permission changes on compilers / other binaries etc, also root access is limited to only 2 IP addresses....

On managed servers we provide the security is virtually identical to above, the majority of work done before anyone besides us has access to the system to ensure any problems that do/may occur are while it's in our hands and while only our own data is there.

With management packages, security is again, virtually the same - differences being we will not touch partitioning with active partitions (as mentioned in previous post) the reason behind this is basically the possibility that data gets corrupted during the process.

Chris

dec
05-16-2004, 07:17 PM
Interesting!!!

Fedora boxes come with /tmp folder already secured?

My fstab shows /tmp with:

noexec, nosuid and on its own partition!! :D

B E A utiful...

Dec
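
An added example, not part of the original posts: a small shell check for the /tmp settings mentioned above (own entry, noexec, nosuid). The function name check_tmp_mount and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# check_tmp_mount reads fstab-format text on stdin and prints its findings.
# Return codes: 0 = /tmp has its own entry with noexec and nosuid,
#               1 = /tmp entry found but an option is missing,
#               2 = no /tmp entry (so /tmp is not a separate filesystem).
check_tmp_mount() {
    # Field 2 = mount point, field 4 = options. Comment lines are skipped
    # and the last /tmp entry wins, as a later mount over /tmp would.
    opts=$(awk '$1 !~ /^#/ && $2 == "/tmp" { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "MISSING: no /tmp entry (not a separate filesystem)"
        return 2
    fi
    # Options are applied left to right, so a later "exec" or "suid"
    # cancels an earlier "noexec" or "nosuid".
    noexec=0
    nosuid=0
    old_ifs=$IFS
    IFS=,
    for o in $opts; do
        case $o in
            noexec) noexec=1 ;;
            exec)   noexec=0 ;;
            nosuid) nosuid=1 ;;
            suid)   nosuid=0 ;;
        esac
    done
    IFS=$old_ifs
    rc=0
    if [ "$noexec" -eq 1 ]; then echo "OK: noexec"; else echo "MISSING: noexec"; rc=1; fi
    if [ "$nosuid" -eq 1 ]; then echo "OK: nosuid"; else echo "MISSING: nosuid"; rc=1; fi
    return "$rc"
}

# Constructed sample in fstab format (not taken from the thread).
check_tmp_mount <<'EOF'
# device     mount  type  options                 dump pass
/dev/sda1    /      ext3  defaults                1 1
/dev/sda3    /tmp   ext3  defaults,noexec,nosuid  1 2
EOF
```

Feed it /etc/fstab for the configured state or /proc/mounts for what is actually mounted; both use the same field order.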

jjma
05-23-2004, 05:07 AM
Originally posted by ProWebUK
..... also root access is limited to only 2 IP addresses....
Chris

How did you set root access to only 2 IPs - I've set up root to be only accessible from a particular user but I've not heard of focusing it on a specific IP address.

Thanks

Jon

ProWebUK
05-23-2004, 10:32 AM
Firewall / iptables

Chris

jjma
05-24-2004, 08:17 AM
Originally posted by ProWebUK
Firewall / iptables

Chris

Ok. I have this set up similarly with my firewall scripts but as I am the only one with shell access enabled the only issue I have to worry about is IP addresses that I log in from (2).

I don't have root access enabled as it is a security no-no, but I was interested to see if iptables could differentiate between non-root / root attempts.

Jon

ProWebUK
05-24-2004, 08:22 AM
Originally posted by jjma
I don't have root access enabled as it is a security no-no, but I was interested to see if iptables could differentiate between non-root / root attempts.

I can't see how iptables would do that... if you want something like that the only software going to help you is ssh itself.

Chris

jjma
05-24-2004, 09:03 AM
Chris

I thought as much, but thought I might as well ask...

regards

Jon