Peter Keel wrote:
> * on the Sun, Jan 05, 2003 at 11:51:44AM +0100, John Morgan Salomon wrote:
> > Seriously: I don't know whether Linux supports it, but
> > you should look into either chrooting your web services
> > (all your services, for that matter) or even running them
> > in a jail.
> It does, of course. "apt-get install jailtool". HP has an even more
> sophisticated jail solution for Linux called "compartments".
> Or use something like SubDomain: http://www.immunix.org/subdomain.html
> We normally compile the kernel using grsec http://www.grsecurity.net
> which provides several different protections in excess of the normal
> possibilities: ACLs, non-exec stack, chroot restrictions, auditing
> features, randomized IP IDs, randomized PIDs and so on. This puts
> Linux up to what you otherwise only get with OpenBSD, and even more.
> Most importantly, the non-exec stack will render most buffer-overflow
> attacks commonly used by script kiddies useless (Note: you _can_
> overflow them nevertheless, but it takes more skill. And heap-based
> overflows will also work). Which gives us just the few extra days we
> need to patch our systems.
PaX (http://pageexec.virtualave.net), which is used in the grsec
patch, also catches most heap-based overflows and return-into-libc
attacks, but there's a performance impact.
For some attacks against PaX see:
- The advanced return-into-lib(c) exploits:
http://www.phrack.org/show.php?p=58&a=4
- Bypassing PaX ASLR protection:
http://www.phrack.org/show.php?p=59&a=9
Nico.
--
Nicolas FISCHBACH ([EMAIL PROTECTED]) <http://www.securite.org/nico/>
Senior Manager - IP Engineering/Security - COLT Telecom
Securite.Org Team <http://www.securite.org/>
----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/
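Whether the non-executable stack and the address-space randomisation discussed in this thread are actually in force for a process is something you can check from the process itself. The program below is an added example written for this page; it is not code from the thread, from grsecurity or from PaX. It reads the permission bits of the "[stack]" mapping in /proc/self/maps and the mainline kernel's randomize_va_space sysctl (the stock-kernel successor to PaX's ASLR, not a PaX-specific knob). The maps lines shown in the comments are constructed samples; the parsing is split out from the /proc reads so it can be exercised on such samples without root or a particular kernel.

```c
/*
 * Added example (not from the thread, grsecurity or PaX): report two of the
 * mitigations discussed above for the running Linux process.
 *  - non-executable stack: permission field of the "[stack]" line in /proc/self/maps
 *  - ASLR: /proc/sys/kernel/randomize_va_space (mainline successor to PaX ASLR)
 * The text-parsing functions take a string so they can be run on constructed input.
 */
#include <stdio.h>
#include <string.h>

/* Parse one maps line such as (constructed sample):
 *   7ffd1b2c0000-7ffd1b2e1000 rw-p 00000000 00:00 0   [stack]
 * Returns 1 and fills perms (e.g. "rw-p") if it is the main-thread stack, else 0. */
int parse_stack_perms(const char *line, char perms[8])
{
    char p[8];
    if (strstr(line, "[stack]") == NULL)
        return 0;
    /* %*s skips the address range, %7s reads the permission field */
    if (sscanf(line, "%*s %7s", p) != 1)
        return 0;
    strcpy(perms, p);
    return 1;
}

/* 1 if a maps permission string (e.g. "rwxp") allows execution, else 0 */
int perms_executable(const char *perms)
{
    return strlen(perms) >= 3 && perms[2] == 'x';
}

/* Scan a whole maps dump: 1 = stack executable, 0 = not, -1 = no [stack] line */
int stack_executable_in_maps(const char *maps)
{
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], perms[8];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (parse_stack_perms(buf, perms))
            return perms_executable(perms);
        if (!nl)
            break;
        line = nl + 1;
    }
    return -1;
}

/* Same check on the live process; -1 if /proc/self/maps is unavailable (non-Linux) */
int stack_executable_live(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], perms[8];
    int result = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (parse_stack_perms(line, perms)) {
            result = perms_executable(perms);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Read the sysctl: 0 = off, 1 = stack/mmap/VDSO randomised, 2 = also brk; -1 = unknown */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int level = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &level) != 1)
        level = -1;
    fclose(f);
    return level;
}

const char *aslr_description(int level)
{
    switch (level) {
    case 0:  return "disabled";
    case 1:  return "stack, mmap and VDSO randomised (brk/heap not)";
    case 2:  return "full: stack, mmap, VDSO and brk randomised";
    default: return "unknown (sysctl not readable)";
    }
}

int main(void)
{
    int nx = stack_executable_live();
    int aslr = read_randomize_va_space();
    printf("stack executable: %s\n",
           nx < 0 ? "unknown" : nx ? "YES (shellcode placed on the stack would run)" : "no");
    printf("randomize_va_space=%d: %s\n", aslr, aslr_description(aslr));
    return 0;
}
```

Build with `cc -Wall nxcheck.c -o nxcheck` and run it twice: a stack reported as non-executable plus randomize_va_space=2 is the baseline the thread argues for. The stack permission the kernel grants follows the binary's PT_GNU_STACK header (`readelf -lW ./nxcheck | grep GNU_STACK` shows RW versus RWE), so a single object linked with an executable-stack flag silently re-enables the attack path Peter describes; the tool only reports the kernel's view for this one process and says nothing about whether PaX itself is loaded, for which the PaX project's own paxtest suite is the usual check.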