Many Linux administrators often think about securing their systems from the top down (or perhaps the outside in). Significant focus is placed on Firewalls, packet filtering, limiting or denying dangerous services and controlling available programs and local permissions. . . .

Many Linux administrators often think about securing their systems from the top down (or perhaps the outside in). Significant focus is placed on Firewalls, packet filtering, limiting or denying dangerous services and controlling available programs and local permissions. An aspect of security that many ignore (or aren't even aware of) is that security can be improved on a host from the bottom up. I'm talking about security at the kernel level.

The flexibility of the Linux kernel offers administrators the facility to improve security on their systems at the lowest level (try that in Windows). Several new kernel patches have recently been released that can improve the overall security of any Linux system by modifying attributes of the kernel's operation.

The Linux Intrustion Detection System (LIDS) is a patch that can completely secure files on your system. When the LIDS patch is in place, specified files on the system cannot be moved or altered in any way, not even by root.

Another patch, the Secure Linux Patch, helps to improve security by decreasing the ability of hostile parties to perform some of the more common types of buffer overflows, limits the ability of attackers to place symbolic links or FIFOs in the /tmp directory and helps to implement controls over File Descriptors 0, 1 and 2 (standard input, standard output and standard error). It can also be used to block certain parts of the /proc filesystem from being viewed by users.

The Crypto IP Encapsulation (CIPE) kernel patch can be used to send encrypted UDP packets between two routers. This allows for the creation of a relatively simply version of a VPN. This patch is a modification of the Internation Kernal Patch.

The International Kernal Patch allows for the inclusion of strong encryption within the Linux kernel. This patch allows the system to encrypt mounted devices and to encrypt a user's home directory so that a passphrase is required to access any files located there.

Administrators of Linux hosts are often looking for better ways to improve the security of their critical (and even not so critical) systems. One option that should definately be investigated is the use of a security patched kernel.

The link for this article located at Linux.com is no longer available.