Just about ever since I have been administering Linux servers I have explored just about every thing that can possibly increase security without breaking too many things. It really depends on what your server is used for to determine how tight you can get it. With web hosting servers you have to be very careful as you can break applications and piss some of your users off. And lots of times you wont hear about the problems until days later. So its a good idea to give special attention to the effects and consequences of anything you implement.

When I speak of a webhosting server I mean a server with hosting clients on it - multiple domains/multiple users. Php/MYSQL and the httpd being the most widely used but also including support for perl, python, cgi, etc. Users having and using SSH for website related functions.  When you have too tight of a security policy on this type server it can cause problems pretty fast. So my goal has always been to make a hosting server as secure as humanly possible without neggatively affecting the users.

When I first setup a grsecurity kernel with pax I about tripped out when the server came back up and all sites had an Internal Server Error page but I got to looking into the specific settings and found paxctl so then I was able to understand how it works. I wont get into all the functions here but this is just a quick lil guide for those new to it.

Just select the same options you see as I have done below. This config works on all webhosting servers

First get a grsecurity patch kernel ready go in your menuconfig > Security > Pax Funnctions

Enable various PaX features

[*] Support soft mode
[*] Use legacy ELF header marking
[*] Use ELF program header marking
MAC system integration (direct)  —>

Non-executable pages

[*] Enforce non-executable pages
[*]   Paging based non-executable pages
[*]   Segmentation based non-executable pages
[*] Emulate trampolines
[*] Restrict mprotect()
[ ]   Disallow ELF text relocations
[*] Enforce non-executable kernel pages

[*] Address Space Layout Randomization
[*]   Randomize kernel stack base
[*]   Randomize user stack base
[*]   Randomize mmap() base

And for Miscellaneous hardening features I advise not to select any.

Once you got your pax and gr security kernel setup and have booted into it the first thing you will have to do is disable some pax functions on php binaries. NOTICE: php will work with pax functions enabled but will nbot be able to load anything like zend optimizer

For example

paxctl -c /usr/local/bin/php

paxctl -permxs /usr/local/bin/php

You can even use wildcards like /usr/bin/php*

Also make sure you do the sapi/cli/cgi module of your web server the same way. On some webservers like litespeed you will have to do the binaries on it as well. Do not disable binaries too freely, only try to do it if it is the only option to make it work.

Here is the latest grsecurity test patch with latest tarpit patch. All ready to go, configured for 64 bit systems. This also includes patched iptables-1.4.0 source

wget nix101.com/kernels/linux-2.26.6-grsec-tarpit.tar.gz

Also here is a kernel update script to compile and install this. It is configured for a 64 bit machine running an intel core2 or better processor. I am planning to make a lil project out of this and make them for all archs to see if they may be useful to anyone.

To run the script

wget nix101.com/kern.sh ; sh kern.sh

Things like these save lots of time when you have multiple servers to update.

IN order to try out nerw kernel before going default use this for grub

grub
savedefault --default=0 --once
quit

Anyone who runs litespeed knows about the huge core dumps the lsphp leaves in users public_html directories. No matter what you set in limits config or ulimit it still does them. I suppose it does like the webserver does and overrides or sets certain things on startup as root. I have been on litespeed a while now over these core dumps. I have had users entire disks get filled up with these within hours.

It doesnt look like they will do anything about it. Litespeed still is a great http server, very fast and great against ddos so I have no plans for dumping it in the future. George finally posted a patch for lsphp disabling core dumps. I applied the patch to my php source that I use for all servers. So I figured I would share this with those who want these dumps disabled but dont have time to patch and compile php.

Php-5.2.6 with litespeed sapi, suhosin patch and mail header patch,. Build on 64 bit, should not matter what you build it on.

Make sure after you untar config to cd into the source directory and do

wget sph1.net/php.tar.gz

touch ac*

./buildconf --force

Then configure with your usual modules and configurations.

This is probably not needed since it was done when I added litespeed to the source but it doesnt hurt to make sure and it wont hurt anything to do it when its not needed.