[Gllug] Redhat 9 and moving distribution: your experience

Grzegorz Jaskiewicz gj at pointblue.com.pl
Wed Apr 30 12:31:08 UTC 2003


On Wed, 2003-04-30 at 11:34, Tethys wrote:
> Grzegorz Jaskiewicz writes:
> >Even more, they are
> >using very often non stable/cvs snapshoted versions. Fe, kernel in rh 9
> >is 2.4.21-rc3 with tons of patches (kernel it self, as i am kernel
> >hacker my self - looks very good).
> 
> Take a look around. Virtually no major distribution uses a stock Linus
> kernel. They nearly all apply various patches, usually on top of an -ac
> base kernel.
Well, i said in this few lines - i like redhats kernel. Read it again ;)

> >But on servers, you have to put much more trust in security of your
> >distro. And i will recomend Debian for that.
> 
> Again, more FUD. Red Hat may have many faults. But the security of
> their distribution is not one of them. They're very responsive to
> security problems, more so than any other disitribution (including
> Debian) in my experience.

Yes, but i don't like to patch my server 3 times a week. I got better things to do, 
so i am using debian + my kernel + my patches + grsec. And this gives me 80 % more security, 
since most exploits will not break in remotely. Most of them will not even be able to 
break service their atacking!. When configuring grsec, be sure you have turned on all
stack protections and all randomnes.

Well, i can tell you what i am doing also. Since most exploits contain shell codes (to run
/bin/sh usually). I've got them (/etc/shells) owned by root:shell and with mode --x--x--- .
Plus a little trick to stop root from running any of them, instead of normal /bin/bash i am running 
a copy of it under different name. Something like /bin/bb. Different on different boxes :)

Anyway, i like this redhat 9 for workstation. But their security policy makes me unconvicted to 
set a server on it.
After all, everyone have their own taste. :)

But there is allways one rule - do not trust your distribution is safe out of box, and with default settings :)
This even apply to GNU/Debian. 

Cheers.

-- 
Grzegorz Jaskiewicz <gj at pointblue.com.pl>
K4 labs



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug




More information about the GLLUG mailing list