xorl %eax, %eax

How to grsec + Debian (

leave a comment »

After 4 years with Slackware on my laptop I decide to move to Debian. I installed Debian 4.0r6 Etch and then decide to perform some basic hardening. The first thing that you can do is of course to remove some crappy services like RPC portmap simply by issuing:

apt-get remove --purge portmap

As well as the default MTA which is exim4:

apt-get remove --purge exim4

However, you have to also disable some services from the startup scripts. Check out /etc/inittab to find your default run level (in my case this was 2) and then move to /etc/rc2.d/. These init scripts run on boot and have the following format:


The MTA script is S20exim4. If you wish to disable it just rename it to K80exim4. Consequently, any other service you wish to disable just change the initial letter from ‘S’ to ‘K’ and the number to 100 – <NUM>. For example, on exim4 this was: 20 – 100 = 80. Now, that we’ve done with the basic hardening we can move to the juicy part, hardening the Linux kernel using grsec patch. Before we proceed we need to have some utilities, fetch them using our lovely APT:

apt-get install kernel-package build-essential bin86

Now, we are almost ready.. Here is a funny thing. If you’re using Etch (stable) then you cannot compile grsec since it required binutils 2.18 and the latest binutils package on Etch repository is 2.17. There are two possible solutions to this problem:
1) Move the whole distribution to sid (testing).
2) Install manually the required package.
I selected the second option and used the binutils 2.18 package from http://packages.debian.org/sid/binutils . Then just install the package simply by issuing:

dpkg -i binutils_2.18.1~cvs20080103-7_i386.deb

Most people (including me) use menuconfig to configure their kernel. Since Debian does not include by default the ncurses library you have to install this one too before moving on. So…

apt-get install libncurses5-dev

Now we have everything we need to continue with the kernel recompile. Go to to /usr/src/ and download the grsecurity patch as well as the appropriate Linux kernel for this patch. Here are the latest by this time:

root:~# cd /usr/src/
root:src# wget ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-

Since this is the kernel supported by the latest grsec patch. Here is the patch too..

root:src# wget http://grsecurity.net/grsecurity-2.1.12-

And when this is finished which depending on your connection can take up from a couple of minutes to hours, you can extract the archived files like this:

root:src# tar xvfz linux-

And for the grsec patch:

root:src# gunzip grsecurity-2.1.12-

And you’re good to go! For convenience we create a symlink to the kernel we’re about to compile named linux like this:

root:src# ln -s linux- linux
root:src# cd linux

We move the patch to the source code directory of the Linux kernel and apply it using the patch utility like this:

root:linux# mv ../grsecurity-2.1.12- .
root:linux# patch -p1 < grsecurity-2.1.12-

Everything should have been patched correctly by now. Now it’s time for the common kernel configuration. I used menuconfig, so just issue:

root:linux# make menuconfig

To enable grsec, move to “Security options” -> “Grsecurity” -> “Grsecurity” and enable it. Of course you can enable/disable numerous other options but in most cases, the default options are good for the average Linux user. Note here that by default the Linux kernel does not have all of the netfilter/iptables modules compiled so if you’re about to create a firewall you have to enable whatever you may need. After configuring your kernel, it’s time for a clean-up using the debian specific kernel packaging utility:

root:linux# make-kpkg clean

And at last… compile the kernel using the same utility:

root:linux# make-kpkg --initrd --append-to-version "-xorl" kernel_image

Yeah! Debian makes the classic process of recompiling your kernel a simple command :P Actually, the cool part is that it creates a DEB package that you can use wherever you want and if you administrate more than 4-5 computers this is just great :)
Now, just backup your new kernel package somewhere:

root:linux# cd ..
root:src# cp linux-image- /home/xorl/

And install it like this:

root:src# dpkg -i linux-image-

Finally, update your grub menu and reboot:

root:src# update-grub && reboot

Hopefully, you’ll have your brand new kernel hardened with PaX/Grsecurity patch. :) Obviously, exploitation is still feasible for some intruders but clearly not for the average attacker. In addition to this, you can use (I suggest you should) more hardening software such as SELinux access control policies (which is included in the above hardened kernel), a filesystem integrity check utility like tripwire, integrit or aide, an IDS system such as Snort and of course a well designed firewall. Once again, you are still vulnerable, there is no such thing as ultimate security but as I said earlier you are not vulnerable to the average attacker.

Written by xorl

February 2, 2009 at 13:55

Posted in administration, linux

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: