Locking Down a Linux Server

From: Björn Eriksson (bjorn@bjornen.nu)
Date: 01/08/02

Date: Tue, 8 Jan 2002 00:20:00 +0100
From: Björn Eriksson <bjorn@bjornen.nu>
To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>

On Mon, Jan 07, 2002 at 02:14:25PM -0000, Pybus, David wrote:
> Agreed, removing editors is a waste of time and just makes it difficult
> to admin the system. For example given shell access, the command cat and
> the re-direction operator '>' it is easy to edit a file.
<...snip editing example...>

 Agreed. Has grsecurity.net, openwall or anyone else produced a kernel
patch which only allows signed executables to run? Along the lines of:

 [For a server.]

 * Decrypt a cert. on boot (from keyboard, network, special hardware, ...)
 * Use a kernel provided ld.so and disallow user processes to map
   something as executable (Sadly stopping all jvms, wine, uml, xfree, ..)
 * And verify all programs against cert. on load.

 The idea being to stop the attacker from installing any ELF
executables on the server. (Module support disabled of course.)

 I haven't looked at many rootkits so this might be a silly idea. (?)

//Björnen. bjorn@bjornen.nu | mdeans@algonet.se | bjorn@pobox.com
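A user-space sketch of the "verify every program against a key on load" step proposed above, added here as an illustration and not code from the thread or from grsecurity/openwall. It assumes an HMAC over a hash allowlist (standing in for the certificate the mail describes), a key that would be supplied at boot, and constructed sample files; the ELF magic check mirrors the idea that only known ELF images may run.

```python
import hashlib
import hmac
import os
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF image


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_manifest(manifest, key):
    # Stand-in for the cert-based signature: HMAC over the sorted allowlist
    body = "\n".join(f"{p} {d}" for p, d in sorted(manifest.items())).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def load_manifest(manifest, sig, key):
    # Reject the whole allowlist if its signature does not verify
    if not hmac.compare_digest(sign_manifest(manifest, key), sig):
        raise ValueError("manifest signature invalid")
    return manifest


def may_execute(path, manifest):
    with open(path, "rb") as f:
        if f.read(4) != ELF_MAGIC:
            return False  # not an ELF image at all
    expected = manifest.get(os.path.realpath(path))
    return expected is not None and hmac.compare_digest(hash_file(path), expected)


def demo():
    key = b"constructed-boot-key"  # would be decrypted at boot in the proposal
    d = tempfile.mkdtemp()
    good = os.path.join(d, "httpd")
    with open(good, "wb") as f:  # constructed ELF-like sample
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"constructed body")
    manifest = {os.path.realpath(good): hash_file(good)}
    trusted = load_manifest(manifest, sign_manifest(manifest, key), key)
    ok_before = may_execute(good, trusted)
    with open(good, "ab") as f:
        f.write(b"\x90")  # binary modified after signing: must now be refused
    ok_after = may_execute(good, trusted)
    rogue = os.path.join(d, "rogue")  # unsigned ELF dropped on the box
    with open(rogue, "wb") as f:
        f.write(ELF_MAGIC + b"\x00" * 12 + b"x")
    return ok_before, ok_after, may_execute(rogue, trusted)
```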
