Securing my machine

Hello everybody,

I use Slackware 9.1 on my desktop-machine. I do so quite happily, it 
took only a week for Slackware to become my new primary OS. =)

I connect to the internet through a small server/gateway running 
NetBSD-1.6.1. The gateway connects to my ISP via ISDN-dial-up 
connection.
The NetBSD-machine runs ipf (NetBSD's packet filter, roughly equivalent 
to iptables) and IPNAT. 

I run gtk-gnutella on my desktop-machine from time to time. Since I want 
others to be able to connect to my machine (also, for getting 
push-connections), I decided to forward the corresponding port to my 
Linux-machine.
This has even shown to work fine, thanks. =)

But I am getting a little concerned about letting others connect to my 
machine. Since my desktop-machine is behind a firewall, also since I am 
the only user on my home-network, I did not exactly take care to secure 
my Linux-machine. 
Now I am getting worried someone might break into my machine via 
GNUtella. I don't think gtk-gnutella was written with security in 
mind...

So I want to tighten the security on my Linux machine in a way that 
includes minimal inconvenience. Of course, I am going to start with all 
the usual stuff, like installing tripwire, shutting down unneeded 
services (in fact, I do this by default after installation), taking 
care of file-permissions, cleaning up unneeded suid/sgid-bits, and so 
on.

But then I read that most network attacks are done via 
buffer-overflows, so this is what I am most concerned about. I hear 
there are basically two ways of handling this problem:
- Using MAC/RBAC for controlling the resources an application can
  access - if it's getting compromised, it won't be able to harm the 
  system (seLinux).
- Preventing buffer-overflows in the first place. There's several
  options how to achieve this, the most important are a) applying
  patches to the kernel (PaX, grSecurity) or to the GNU C Compiler
  (ProPolice)

In general, preventing buffer-overflows at all seems preferable to me, 
since it does not seem to require that much work. Also, this is the 
way the OpenBSD-project has been going, and OpenBSD surely has a 
reputation for first-class security.
So I got several questions:
- Has anyone worked with these system-add-ons? Got any experiences to
  share with me?
- ProPolice sounds nice. But using it would require lots of 
  recompiling... What exactly do I have to recompile in order to benefit
  from it? Just the application in question? The libraries, too? The 
  kernel? The entire system?
  I am going to evaluate CRUX and Gentoo on my desktop-machine, both of 
  which offer the option of recompiling the entire system. If I choose 
  to use one of these as my primary system, recompiling won't be a 
  problem, any more. As of now, it is, if system libraries or even the 
  base system are involved.
- PaX/grSecurity sound really sweet. But I see on the homepages, there
  are patches available only for linux-kernels 2.4.22. Is 2.6 going to 
  be supported in the near future?
  I am using 2.6.0-test8 right now, and I am rather happy with it, so I
  would like to keep using 2.6, once the final version is out. 
  On the other hand, I can switch back to 2.4.22 if PaX/grSecurity
  offers serious protection. 
  And a lot of grSec's features sound really neat. =) Right now, this
  sounds like the best way to secure my machine, since it involves only 
  minimal setup, just patching and recompiling the kernel, while
  increasing system-security drastically. If I got things right, that
  is...
- MAC/RBAC does not really sound like I need it. Then again, more
  security never hurts.
  But this also sounds like it is going to be a lot of learning plus a
  lot of effort to get it working. Furthermore, the corresponding
  kernel-patch is developed at the NSA, and I do not exactly trust the
  NSA to contribute to my privacy.
  In order for M/RB-AC to be really useful, I'm afraid, you have to take
  a lot of time to set it up correctly. And, as I said, I do not know
  terribly much about this topic. 
  If I get things right, seLinux and grSecurity are not mutually
  exclusive.

So, in general, any information will be appreciated. If there are 
further promising ways of protecting my system against 
buffer-overflows, I would like to know, as well.
Of course, I like to read a lot, so any hints on where to look for 
information will be appreciated as well (if there's something 
useful/interesting to read, there). 
I am aware of pageexec.virtualave.net (PaX's homepage) and 
grsecurity.net, as well as the NSA's seLinux-page.
Anything I missed? Anything I should know?

Thank you very much in advance,

Kind regards,

Benjamin Walkenhorst

-- 
Benjamin Walkenhorst
eMail: krylon@xxxxxxx
http://www.krylon.de
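An added illustration, not part of the post above and not code from gtk-gnutella, PaX or ProPolice: it models in plain C what the ProPolice compiler patch (later merged into mainline GCC as -fstack-protector) does about the bug class the poster worries about. A fixed-size buffer is placed directly below a canary word, so an unbounded copy that runs off the end of the buffer clobbers the canary before it can reach the saved return address, and the epilogue check detects it. Beside the unbounded copy is the source-level fix (a length check before the copy), which keeps the canary intact by refusing oversized input. The canary value, buffer size and input strings are constructed for the example; a real canary is random per process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
/* Constructed value. A real ProPolice/-fstack-protector canary is chosen at
 * random when the process starts, so an attacker cannot know it in advance. */
#define CANARY_VAL 0xDEADBEEFCAFEF00DULL

/* Model of a protected stack frame: a fixed-size buffer immediately followed
 * by the canary word. The saved return address would sit above the canary,
 * so any copy that runs off the end of the buffer must clobber the canary
 * first. Using one byte array keeps the model within defined C behaviour. */
typedef struct {
    unsigned char frame[BUF_LEN + sizeof(uint64_t)];
} model_frame_t;

typedef struct {
    bool accepted;   /* did the copy routine take the input at all? */
    bool canary_ok;  /* did the canary survive, i.e. would the epilogue check pass? */
} fill_result_t;

static void frame_init(model_frame_t *f) {
    uint64_t c = CANARY_VAL;
    memset(f->frame, 0, sizeof f->frame);
    memcpy(f->frame + BUF_LEN, &c, sizeof c);
}

/* The check the compiler inserts in the function epilogue: compare the stored
 * canary with the expected value and abort the process if it differs. */
static bool canary_intact(const model_frame_t *f) {
    uint64_t c;
    memcpy(&c, f->frame + BUF_LEN, sizeof c);
    return c == CANARY_VAL;
}

/* The bug class: copy until the terminating NUL without ever looking at the
 * destination size (what strcpy() does). The clamp to sizeof f.frame only
 * keeps this model in bounds; a real strcpy() would keep writing past the
 * canary into the saved return address. */
fill_result_t fill_unbounded(const char *input) {
    model_frame_t f;
    size_t n = strlen(input) + 1;   /* +1 for the terminator */
    frame_init(&f);
    if (n > sizeof f.frame)
        n = sizeof f.frame;
    memcpy(f.frame, input, n);
    return (fill_result_t){ .accepted = true, .canary_ok = canary_intact(&f) };
}

/* Source-level fix: check the length against the buffer before copying and
 * refuse input that does not fit, terminator included. */
fill_result_t fill_bounded(const char *input) {
    model_frame_t f;
    size_t n = strlen(input) + 1;
    frame_init(&f);
    if (n > BUF_LEN)
        return (fill_result_t){ .accepted = false, .canary_ok = canary_intact(&f) };
    memcpy(f.frame, input, n);
    return (fill_result_t){ .accepted = true, .canary_ok = canary_intact(&f) };
}

int main(void) {
    /* Constructed inputs: one that fits, one exactly one byte too long
     * (16 characters plus NUL), one far too long. */
    const char *inputs[] = {
        "gtk-gnutella",
        "0123456789abcdef",
        "a peer name far longer than sixteen bytes",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        fill_result_t u = fill_unbounded(inputs[i]);
        fill_result_t b = fill_bounded(inputs[i]);
        printf("%-44s unbounded: canary %s | bounded: %s\n", inputs[i],
               u.canary_ok ? "intact" : "CLOBBERED",
               b.accepted ? "accepted" : "rejected");
    }
    return 0;
}
```

Build with something like `gcc -std=c11 -Wall stackguard.c -o stackguard` (the file name is an assumption). The 16-character input shows the off-by-one case: it overwrites only the first canary byte with the terminator, which is still enough for the epilogue check to fail. The point for the poster's question is the division of labour: the canary turns an overflow into a detected crash after the fact, while the bounded copy is what keeps the overflow from happening at all, which is why recompiling the exposed application with ProPolice helps even before its libraries or the kernel are rebuilt.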