Tourec n00b
Joined: 18 Aug 2005 Posts: 4
Posted: Thu Oct 13, 2005 6:09 pm Post subject: Security concern

I'm going to be rebuilding one of my personal servers very soon and I plan to make it reasonably secure from the beginning, instead of as an afterthought.
So I've been doing a lot of research about what steps I should take to accomplish this goal. I could swear that I read something about the security flaws of having loadable module support several weeks ago, but I've been unable to find this again (if it ever existed in the first place). So my question is: Are there security concerns to take into consideration when including loadable module support in the kernel? I like having that support, but would I be better off building everything I need directly into the kernel?

barbar Guru
Joined: 16 Apr 2003 Posts: 397 Location: Austria
Posted: Thu Oct 13, 2005 6:21 pm

The problem with loadable module support is that rootkits can be loaded as modules into the kernel. But there is also a method to load a rootkit without LMS into the kernel (I just forgot where I read about this topic).
Using hardened kernel sources or SELinux would add security to your system. But why would you need to make a fortress of your home server?

Tourec n00b
Joined: 18 Aug 2005 Posts: 4
Posted: Thu Oct 13, 2005 7:01 pm

Thanks for the reply. I'm not looking to make a fortress out of it, but it will be accessible from the internet so I do want it to be reasonably secure.
So, what you are saying is that disabling LMS is not that much of a security improvement, especially for a system that needs to be as secure as a wooden palisade and not as secure as multiple walls of steel-reinforced concrete with mounted guns? :)

barbar Guru
Joined: 16 Apr 2003 Posts: 397 Location: Austria
Posted: Thu Oct 13, 2005 7:10 pm

Disabling LKM (loadable kernel modules is the correct term) makes it more difficult to install rootkits. This measure will not keep off a dedicated attacker, but it makes it harder for somebody who just tries to hack a box.
It is a good idea to think about which services are really needed, and what should be accessible from the internet.

DNAspark99 Guru
Joined: 03 Sep 2004 Posts: 321
Posted: Thu Oct 13, 2005 7:52 pm

disable modules, you won't be 'immune', but it will stop 98% of would-be r00terz ... there's many ways to get owned, but elevating the 'difficulty' of cracking your box will definitely narrow the threat level to those who actually know wtf they're doing
then basically just read up and follow the hardened howto
http://www.gentoo.org/proj/en/hardened/
in particular read this - you should start with grsec, pax, etc, and leave SELinux for 'last' (you may decide you don't even need it, it may be overkill for your needs):
http://www.gentoo.org/proj/en/hardened/grsecurity.xml
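
Added example, not part of the thread: a shell check for the setting the posts above discuss, reporting whether a kernel was built without loadable module support, with it, or with it but locked at runtime. The function names, the output labels, and the use of the `kernel.modules_disabled` sysctl (a real setting on kernels newer than this thread) are assumptions beyond what the posters wrote.

```shell
#!/bin/sh
# Added example (not from the thread): classify a kernel's exposure to
# loadable kernel modules (LKM) from its build config and runtime lock.
# Labels printed: static | locked | loadable | unknown (names made up here).

# Print a kernel config, handling gzip-compressed files such as /proc/config.gz.
read_cfg() {
    case $1 in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# classify_lkm CONFIG_FILE [LOCK_FILE]
# LOCK_FILE defaults to the kernel.modules_disabled sysctl; a value of 1
# means module loading has been switched off until the next reboot.
classify_lkm() {
    cfg=$1
    lock=${2:-/proc/sys/kernel/modules_disabled}
    [ -r "$cfg" ] || { echo unknown; return 0; }

    # Match only the CONFIG_MODULES symbol itself, not CONFIG_MODULES_USE_* etc.
    line=$(read_cfg "$cfg" 2>/dev/null |
           grep -E '^(# )?CONFIG_MODULES(=| is not set)' | head -n 1)

    case $line in
        '# CONFIG_MODULES is not set')
            echo static ;;       # everything built in, no module loader
        'CONFIG_MODULES=y')
            if [ -r "$lock" ] && [ "$(cat "$lock")" = 1 ]; then
                echo locked      # loader present but disabled until reboot
            else
                echo loadable    # root can still insert modules
            fi ;;
        *)
            echo unknown ;;      # symbol absent: truncated config or wrong file
    esac
}

# Usage: sh lkm_check.sh /usr/src/linux/.config   (or /proc/config.gz)
if [ "$#" -gt 0 ]; then
    classify_lkm "$@"
fi
```

A `static` result corresponds to the setup recommended in the thread; as the posters say, it raises the bar without making the box immune.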