RE: [suse-security] LIDS & OPENWALL Combo kernel patch

21 Aug 2000


      -----Original Message-----
From: Roman Drahtmueller [mailto:draht@suse.de]
Sent: 21 August 2000 05:05
To: Steven Thompson
Cc: security@suse.de
Subject: Re: [suse-security] LIDS & OPENWALL Combo kernel patch
...
Hi
SuSE recommends recompiling your kernel with the OpenWall Patch for
firewall
...
servers.
Who said that?

# Copyright (c) 1999,2000 SuSE GmbH Nuernberg, Germany.  All rights
reserved.
#
# Author: Marc Heuse , 1999,2000
# Please contact me directly if you find bugs.
#
# If you have problems getting this tool configures, please read this file
# carefuly and take also a look into /usr/doc/packages/firewals/EXAMPLES !
#
# /etc/rc.config.d/firewall.rc.config
#
# for use with /sbin/SuSEfirewall version 2.1
#
# ------------------------------------------------------------------------
#
# PLEASE NOTE THE FOLLOWING:
#
# Just by configuring these settings and using the SuSEfirewall you are
# not secure per se! There is *not* such a thing you install and hence you
# are safed from all (security) hazards.
#
# To ensure your security, you must also:
#
#   * Secure all services you are offering to untrusted networks (internet)
#     You can do this by using software which has been designed with
#     security in mind (like postfix, apop3d, ssh), setting these up without
#     misconfiguration and praying, that they have got really no holes.
#     SuSEcompartment can help in most circumstances to reduce the risk.
#   * Do not run untrusted software. (philosophical question, can you trust
#     SuSE or any other software distributor?)
#   * Harden your server(s) with the harden_suse package/script
#   * Recompile your kernel with the openwall-linux kernel patch
#     (former secure-linux patch, from Solar Designer) www.openwall.com
#   * Check the security of your server(s) regulary
#   * If you are using this server as a firewall/bastion host to the
internet
#     for an internal network, try to run proxy services for everything and
#     disable routing on this machine.
#   * If you run DNS on the firewall: disable untrusted zone transfers and
#     either don't allow access to it from the internet or run it
split-brained.
#
# Good luck!
#
# Yours,
#       SuSE Security Team
...
Which is better LIDS or OpenWall or a Combination of both patches.
Will the LIDS or OpenWall break any Apps in SuSE 6.4
PS Is there a good Linux Networking Mailing list with support for Advanced
IP routing.
Thanks in advance
Steven Thompson
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Thanks,
Roman.
-- 
 -                                                                      -
| Roman Drahtmüller       //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -