The common rule for creating your own kernel is:
"Deactivate everything you do not need."
This not only gets you a truly small kernel, it also helps avoiding bugs in unfinished kernel source parts. The common rule should include deactivating the module support - [ ] Enable loadable module support. Injecting a root kit at runtime thus will be much harder for any attacker.
This will advise the kernel to drop any ICMP packets of type 0 (zero). In a network, ping is only useful to test connects. So, no one but root does actually need ping.
This deactivates automatic answers to ICMP broadcasts and protects against smurf attacks.
Attackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
Activates protection against "bogus error message responses".
This option is only required by routers (= hosts with multiple network interfaces). By default, this sould be disabled.
This logs spoofed as well as "source routed" and "redirect".
As changes to /proc-entries will get lost upon any reboot of the system, I recommend saving the changes in to script (differs among distributions).
To call it upon boot, actions differs among distributions. Describing all methods would break the frame of this document.
To disable passing kernerl parameters at boot time, the following entries have to be made in /etc/lilo.conf:
This file should then be readable only by root, as otherwise anybody could read the plain-text password. For Unix, this is done by
Any further image can only be started by a password, at the following entry in /etc/lilo.conf:
With GRUB, plain-text as well as MD5-encrypted passwords can be used. This is done as follows:
The encrypted password has to be saved in /boot/grub/menu.lst:
This is an excerpt of a fstab:
"The partition will not be automatically mounted when you're using
That's good so, because normaly you don't need to do something there excepting
for copying new kernels or installing bootloader to it.
So for security reason it's recommended to do no mount.",
KillerFox 2005-04-25 19:16:23 @irc.forkbomb.ch, #uscc
These entries provide for log entries to be written to tty8, additionally.