Let's get into a Windows is sooo cool discussion instead! ;-)

Happy New Year.....

-----Original Message-----
From: John Morgan Salomon [mailto:[EMAIL PROTECTED]]
Sent: Monday, 6 January 2003 20:46
To: [EMAIL PROTECTED]
Subject: Re: [swinog] hack

Not to get into the whole "Linux-has-this-oh-yeah-well-BSD-has-that"
thing, but while we're at it, you might be interested in TrustedBSD
at http://www.trustedbsd.org/

Cheers,
-John

Nicolas FISCHBACH wrote:
> Peter Keel wrote:
>
>> * on the Sun, Jan 05, 2003 at 11:51:44AM +0100, John Morgan Salomon
>> wrote:
>>
>>> Seriously: I don't know whether Linux supports it, but
>>> you should look into either chrooting your web services
>>> (all your services, for that matter) or even running them
>>> in a jail.
>>
>>
>> It does, of course. "apt-get install jailtool". HP has an even more
>> sophisticated jail-solution for linux called "compartments".
>
>
> Or use something like SubDomain: http://www.immunix.org/subdomain.html
>
>> We normally compile the kernel using grsec http://www.grsecurity.net
>> which provides several different protections in excess of the normal
>> possibilities: ACLs, non-exec stack, chroot-restrictions, auditing-
>> features, randomized IP-IDs, randomized PIDs and so on. This puts
>> Linux up to what you otherwise only get with OpenBSD and even more.
>> Most importantly, the non-exec stack will render most buffer-overflow
>> attacks commonly used by script-kiddies useless (Note: you _can_
>> overflow them nevertheless, but it takes more skill. And heap-based
>> overflows will work also). Which gives us just the few extra days we
>> need to patch our systems.
>
>
> PaX (http://pageexec.virtualave.net) which is used in the grsec
> patch also catches most heap based overflows and return into
> libc attacks but there's a performance impact.
>
> For some attacks against PaX see:
> - The advanced return-into-lib(c) exploits:
>   http://www.phrack.org/show.php?p=58&a=4
> - Bypassing PaX ASLR protection:
>   http://www.phrack.org/show.php?p=59&a=9
>
> Nico.

----------------------------------------------
[EMAIL PROTECTED]
Maillist-Archive: http://www.mail-archive.com/swinog%40swinog.ch/
