In a recent Usenix ;login: magazine, an article on security noted the following configurations for Linux. I noticed that most are already in place in my 2.0.33 kernel (I haven't upgraded to hamm yet, but soon!)

I couldn't find mention of the last one (CONFIG_SECURE_STACK) anywhere. Has this already been folded into the kernel? If not, perhaps it should be considered.

------- Forwarded Message

To: [EMAIL PROTECTED]
Subject: Linux security tips
From: Bill Wohler <[EMAIL PROTECTED]>
Date: Tue, 02 Jun 1998 07:57:36 -0700

To prevent Linux from forwarding any packets, recompile the kernel with the option CONFIG_IP_FORWARD off.

To prevent forwarding any source-routed packets, or accepting any source-routed packets destined for itself, use CONFIG_IP_NOSR on.

To defend against SYN flooding, use CONFIG_SYN_COOKIES or CONFIG_RST_COOKIES on.

To prevent responding to pings altogether, use CONFIG_IP_IGNORE_ECHO_REQUESTS on.

If a firewall, use CONFIG_IP_ALWAYS_DEFRAG on to protect machines behind it from IP fragmentation attacks.

To mark the stack as non-executable, apply the patch at www.false.com/security/linux/secure-linux.tar.gz and use CONFIG_SECURE_STACK on.

Bill Wohler <[EMAIL PROTECTED]>
Say it with MIME. Maintainer of comp.mail.mh and news.software.nn FAQs.
If you're passed on the right, you're in the wrong lane.

------- End of Forwarded Message

--
Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
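One way to answer the "is this already in my kernel?" question for the whole list at once is to read the options straight out of the kernel tree's .config. The script below is an added example and is not part of the original post or of Bill Wohler's message; it assumes the usual .config syntax (`CONFIG_FOO=y`, `CONFIG_FOO=m`, or `# CONFIG_FOO is not set`), treats CONFIG_SYN_COOKIES and CONFIG_RST_COOKIES as alternatives as the tips do, and reports CONFIG_SECURE_STACK as "not in this tree" rather than "off" when the option is absent, since it only exists once the third-party non-executable-stack patch has been applied. The sample .config embedded in `sample_config` is constructed for the demonstration; the function name `check_kconfig` is the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kernel .config for
# the options listed in the forwarded "Linux security tips".
# Usage: sh check_kconfig.sh /usr/src/linux/.config
#        sh check_kconfig.sh            (runs against the constructed sample)

# Options the tips say to turn OFF ("n" or absent is the safe state).
WANT_OFF="CONFIG_IP_FORWARD"
# Options the tips say to turn ON. CONFIG_SECURE_STACK is only present
# after the secure-linux patch has been applied to the tree.
WANT_ON="CONFIG_IP_NOSR CONFIG_IP_IGNORE_ECHO_REQUESTS CONFIG_IP_ALWAYS_DEFRAG CONFIG_SECURE_STACK"

# kconfig_value FILE OPTION -> prints y, m, n, or absent
kconfig_value() {
    _file=$1; _opt=$2
    if   grep -q "^${_opt}=y" "$_file"; then echo y
    elif grep -q "^${_opt}=m" "$_file"; then echo m
    elif grep -q "^# ${_opt} is not set" "$_file" || grep -q "^${_opt}=n" "$_file"; then echo n
    else echo absent
    fi
}

# check_kconfig FILE -> one report line per option; exit status 0 only when
# everything the tips ask for is in place.
check_kconfig() {
    _rc=0
    for _o in $WANT_OFF; do
        _v=$(kconfig_value "$1" "$_o")
        case $_v in
            y|m) echo "WARN $_o=$_v (tips say off)"; _rc=1 ;;
            *)   echo "ok   $_o=$_v" ;;
        esac
    done
    for _o in $WANT_ON; do
        _v=$(kconfig_value "$1" "$_o")
        case $_v in
            y)      echo "ok   $_o=y" ;;
            absent) echo "INFO $_o not in this tree (patch or newer kernel needed)"; _rc=1 ;;
            *)      echo "WARN $_o=$_v (tips say on)"; _rc=1 ;;
        esac
    done
    # Either cookie mechanism satisfies the SYN-flood tip.
    _syn=$(kconfig_value "$1" CONFIG_SYN_COOKIES)
    _rst=$(kconfig_value "$1" CONFIG_RST_COOKIES)
    if [ "$_syn" = y ] || [ "$_rst" = y ]; then
        echo "ok   SYN flood: CONFIG_SYN_COOKIES=$_syn CONFIG_RST_COOKIES=$_rst"
    else
        echo "WARN SYN flood: CONFIG_SYN_COOKIES=$_syn CONFIG_RST_COOKIES=$_rst (tips say one on)"
        _rc=1
    fi
    return $_rc
}

# Constructed sample .config so the script runs without a kernel tree.
# It deliberately lacks CONFIG_SECURE_STACK, as an unpatched 2.0.33 tree would.
sample_config() {
    cat <<'EOF'
# CONFIG_IP_FORWARD is not set
CONFIG_IP_NOSR=y
CONFIG_SYN_COOKIES=y
# CONFIG_RST_COOKIES is not set
CONFIG_IP_IGNORE_ECHO_REQUESTS=y
CONFIG_IP_ALWAYS_DEFRAG=y
EOF
}

if [ $# -ge 1 ]; then
    check_kconfig "$1"
else
    _tmp=$(mktemp)
    sample_config >"$_tmp"
    check_kconfig "$_tmp" || echo "=> some tips are not in place"
    rm -f "$_tmp"
fi
```

Against the sample config the script prints "ok" for every option except CONFIG_SECURE_STACK, which it reports as absent from the tree, which is exactly the situation the poster describes for an unpatched 2.0.33 kernel. Note that the .config only tells you what the source tree was configured with; whether the running kernel was built from that tree is a separate question.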