Quoting Benjamin Walkenhorst <krylon@xxxxxxx>:

> Hello everybody,
>
> I use Slackware 9.1 on my desktop-machine. I do so quite happily, it
> took only a week for Slackware to become my new primary OS. =)
>
> I connect to the internet through a small server/gateway running
> NetBSD-1.6.1. The gateway connects to my ISP via ISDN-dial-up
> connection.
> The NetBSD-machine runs ipf (NetBSD's packet filter, roughly equivalent
> to iptables) and IPNAT.
>
> I run gtk-gnutella on my desktop-machine from time to time. Since I want
> others to be able to connect to my machine (also, for getting
> push-connections), I decided to forward the corresponding port to my
> Linux-machine.
> This has even shown to work fine, thanks. =)
>
> But I am getting a little concerned about letting others connect to my
> machine. Since my desktop-machine is behind a firewall, also since I am
> the only user on my home-network, I did not exactly take care to secure
> my Linux-machine.
> Now I am getting worried someone might break into my machine via
> GNUtella. I don't think gtk-gnutella was written with security in
> mind...
>
> So I want to tighten the security on my Linux machine in a way that
> includes minimal inconvenience. Of course, I am going to start with all
> the usual stuff, like installing tripwire, shutting down unneeded
> services (in fact, I do this by default after installation), taking
> care of file-permissions, cleaning up unneeded suid/sgid-bits, and so
> on.
>
> But then I read, most of all network-attacks are done via
> buffer-overflows, so this is what I am most concerned about. I hear,
> there's basically two ways of handling this problem:
> - Using MAC/RBAC for controlling the resources an application can
>   access - if it's getting compromised, it won't be able to harm the
>   system (seLinux).
> - Preventing buffer-overflows in the first place. There's several
>   options how to achieve this, the most important are a) applying
>   patches to the kernel (PaX, grSecurity) or to the GNU C Compiler
>   (ProPolice)
>
> In general, preventing buffer-overflows at all seems preferable to me,
> since it does not seem to require that much work. Also, this is the
> way the OpenBSD-project has been going, and OpenBSD surely has a
> reputation for first-class security.
> So I got several questions:
> - Has anyone worked with these system-add-ons? Got any experiences to
>   share with me?
> - ProPolice sounds nice. But using it would require lots of
>   recompiling... What exactly do I have to recompile in order to benefit
>   from it? Just the application in question? The libraries, too? The
>   kernel? The entire system?
>   I am going to evaluate CRUX and Gentoo on my desktop-machine, both of
>   which offer the option of recompiling the entire system. If I choose
>   to use one of these as my primary system, recompiling won't be a
>   problem, any more. As of now, it is, if system libraries or even the
>   base system are involved.
> - PaX/grSecurity sound really sweet. But I see on the homepages, there
>   are patches available only for linux-kernels 2.4.22. Is 2.6 going to
>   be supported in the near future?
>   I am using 2.6.0-test8 right now, and I am rather happy with it, so I
>   would like to keep using 2.6, once the final version is out.
>   On the other hand, I can switch back to 2.4.22 if PaX/grSecurity
>   offers serious protection.
>   And a lot of grSec's features sound really neat. =) Right now, this
>   sounds like the best way to secure my machine, since it involves only
>   minimal setup, just patching and recompiling the kernel, while
>   increasing system-security drastically. If I got things right, that
>   is...
> - MAC/RBAC does not really sound like I need it. Then again, more
>   security never hurts.
>   But this also sounds like it is going to be a lot of learning plus a
>   lot of effort to get it working. Furthermore, the corresponding
>   kernel-patch is developed at the NSA, and I do not exactly trust the
>   NSA to contribute to my privacy.
>   In order for M/RB-AC to be really useful, I'm afraid, you have to take
>   a lot of time to set it up correctly. And, as I said, I do not know
>   terribly much about this topic.
>   If I get things right, seLinux and grSecurity are not mutually
>   exclusive.
>
> So, in general, any information will be appreciated. If there are
> further promising ways of protecting my system against
> buffer-overflows, I would like to know, as well.
> Of course, I like to read a lot, so any hints on where to look for
> information will be appreciated as well (if there's something
> useful/interesting to read, there).
> I am aware of pageexec.virtualave.net (PaX's homepage) and
> grsecurity.net, as well as the NSA's seLinux-page.
> Anything I missed? Anything I should know?
>
> Thank you very much in advance,
>
> Kind regards,
>
> Benjamin Walkenhorst
>
> --
> Benjamin Walkenhorst
> eMail: krylon@xxxxxxx
> http://www.krylon.de
> -
> : send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

I would suggest you should try libsafe and Wolk. You can find libsafe @ freshmeat.net and wolk @ sf.net