How to grsec + Debian (184.108.40.206-grsec)
After 4 years with Slackware on my laptop I decide to move to Debian. I installed Debian 4.0r6 Etch and then decide to perform some basic hardening. The first thing that you can do is of course to remove some crappy services like RPC portmap simply by issuing:
apt-get remove --purge portmap
As well as the default MTA which is exim4:
apt-get remove --purge exim4
However, you have to also disable some services from the startup scripts. Check out /etc/inittab to find your default run level (in my case this was 2) and then move to /etc/rc2.d/. These init scripts run on boot and have the following format:
The MTA script is S20exim4. If you wish to disable it just rename it to K80exim4. Consequently, any other service you wish to disable just change the initial letter from 'S' to 'K' and the number to 100 - <NUM>. For example, on exim4 this was: 20 - 100 = 80. Now, that we've done with the basic hardening we can move to the juicy part, hardening the Linux kernel using grsec patch. Before we proceed we need to have some utilities, fetch them using our lovely APT:
apt-get install kernel-package build-essential bin86
Now, we are almost ready.. Here is a funny thing. If you're using Etch (stable) then you cannot compile grsec since it required binutils 2.18 and the latest binutils package on Etch repository is 2.17. There are two possible solutions to this problem:
1) Move the whole distribution to sid (testing).
2) Install manually the required package.
I selected the second option and used the binutils 2.18 package from http://packages.debian.org/sid/binutils . Then just install the package simply by issuing:
dpkg -i binutils_2.18.1~cvs20080103-7_i386.deb
Most people (including me) use menuconfig to configure their kernel. Since Debian does not include by default the ncurses library you have to install this one too before moving on. So...
apt-get install libncurses5-dev
Now we have everything we need to continue with the kernel recompile. Go to to /usr/src/ and download the grsecurity patch as well as the appropriate Linux kernel for this patch. Here are the latest by this time:
root:~# cd /usr/src/ root:src# wget ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-220.127.116.11.tar.gz
Since this is the kernel supported by the latest grsec patch. Here is the patch too..
root:src# wget http://grsecurity.net/grsecurity-2.1.12-18.104.22.168-200812271347.patch.gz
And when this is finished which depending on your connection can take up from a couple of minutes to hours, you can extract the archived files like this:
root:src# tar xvfz linux-22.214.171.124.tar.gz
And for the grsec patch:
root:src# gunzip grsecurity-2.1.12-126.96.36.199-200812271347.patch.gz
And you're good to go! For convenience we create a symlink to the kernel we're about to compile named linux like this:
root:src# ln -s linux-188.8.131.52 linux root:src# cd linux root:linux#
We move the patch to the source code directory of the Linux kernel and apply it using the patch utility like this:
root:linux# mv ../grsecurity-2.1.12-184.108.40.206-200812271347.patch . root:linux# patch -p1 < grsecurity-2.1.12-220.127.116.11-200812271347.patch
Everything should have been patched correctly by now. Now it's time for the common kernel configuration. I used menuconfig, so just issue:
root:linux# make menuconfig
To enable grsec, move to "Security options" -> "Grsecurity" -> "Grsecurity" and enable it. Of course you can enable/disable numerous other options but in most cases, the default options are good for the average Linux user. Note here that by default the Linux kernel does not have all of the netfilter/iptables modules compiled so if you're about to create a firewall you have to enable whatever you may need. After configuring your kernel, it's time for a clean-up using the debian specific kernel packaging utility:
root:linux# make-kpkg clean
And at last... compile the kernel using the same utility:
root:linux# make-kpkg --initrd --append-to-version "-xorl" kernel_image
Yeah! Debian makes the classic process of recompiling your kernel a simple command :P Actually, the cool part is that it creates a DEB package that you can use wherever you want and if you administrate more than 4-5 computers this is just great :)
Now, just backup your new kernel package somewhere:
root:linux# cd .. root:src# cp linux-image-18.104.22.168-xorl-grsec_i386.deb /home/xorl/ root:src#
And install it like this:
root:src# dpkg -i linux-image-22.214.171.124-xorl-grsec_i386.deb
Finally, update your grub menu and reboot:
root:src# update-grub && reboot
Hopefully, you'll have your brand new kernel hardened with PaX/Grsecurity patch. :) Obviously, exploitation is still feasible for some intruders but clearly not for the average attacker. In addition to this, you can use (I suggest you should) more hardening software such as SELinux access control policies (which is included in the above hardened kernel), a filesystem integrity check utility like tripwire, integrit or aide, an IDS system such as Snort and of course a well designed firewall. Once again, you are still vulnerable, there is no such thing as ultimate security but as I said earlier you are not vulnerable to the average attacker.