On Tue, Jul 01, 2003 at 02:36:37PM +0200, Javier Castillo Alcibar wrote:
> Hi all,
>
> I want to setup a new linux server in internet (apache, php, postfix,
> mysql, dns...), and I would like to patch the standard kernel with some
> security patches..... but my question is, what patches are the best??

I run a mail server on my desktop machine at home, and also SSH and DNS. I just compiled and installed 2.4.21 with Con Kolivas's patches, which includes some desktop tuning (preemptible kernel, low latency stuff, O(1) scheduler, ...), and grsecurity. I love it, because it's a bunch of good stuff all in one patch that applies cleanly. I turned on the address space (stack and mmap) randomization stuff, and some of the extra network randomness (e.g. TCP ISN) stuff. Con had -ck1 ready a day or two after 2.4.21 was released, so I guess he's pretty good about not getting behind. http://members.optusnet.com.au/ckolivas/kernel/.

Make sure you read the online help in the kernel config for grsecurity. Some of the options can break user-space software.

BTW, in the subject of your message, you asked for the "strongest", but in the body you asked for the "best". IMHO best means good security for the amount of effort it takes to set up, plus stable, reliable, well documented, etc. Some of the other options probably meet those criteria, but I wouldn't know, not having looked at them. All I can do is say that I'm happy with the grsec stuff so far.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BC