Category Archives: sysadmin

Hardening Debian for the Desktop Using Grsecurity

I recently built a desktop system that I think is reasonably secure. It’s running Debian sid, also known as “unstable” — though in the Debian desktop world that just means you get to use the newest software. It’s just about as stable as “stable”, and besides, #yolo. It’s also running a grsecurity-patched Linux kernel and PaX, technologies that make Linux way more secure. Grsecurity protects you against memory corruption attacks, such as buffer overflows.

Last October I traveled to Moscow and interviewed Edward Snowden. Here’s one of the things he told me:

“Something that we haven’t seen that we need to see is a greater hardening of the overall kernels of every operating system through things like grsecurity, but unfortunately there’s a big usability gap between the capabilities that are out there, that are possible, and what is attainable for the average user.”

Since I just set up Debian with a grsec kernel, I figured I’d write a tutorial for how to do it. It’s still a long way before the average user can take advantage of this stuff – it breaks everything, and the user needs to learn how to diagnose and fix it themselves – but I think that it’s well within the capabilities of Linux nerds who are comfortable using a terminal. You can probably also follow along no matter what Linux distribution you’re using. Also, I’m fairly new to grsecurity myself, so if you have tips or suggestions, or if I got something wrong, please post in the comments.


People Seem to Care About Why I Switched from Ubuntu to Debian

About a month ago I decided to rent a $16/month VPS from Gandi, hosted in Paris, that I’ve been using to run a fast Tor exit node called gollum. I wanted to tunnel my Thunderbird, Pidgin, and IRC traffic through gollum as well, but realized that that wasn’t a good idea. Tor recommends that you don’t mix personal traffic with exit traffic, not to mention that freenode and other IRC networks block Tor exits.


Beefing Up Security on Your SSH Server

Lately I’ve been thinking about setting up a blog to talk about tech things I find interesting, particularly web security, since that’s how I spend a lot of my work and free time. Since I had an under-used VPS sitting around, I figured I ought to set up WordPress on it and start blogging. What better topic to blog about than how I’m securely setting up this website?

I’m going to start by talking about how to harden SSH. In later posts I’ll talk about how I set up Apache, install an SSL certificate and configure it for maximum security, and some WordPress security tricks. I’m using Debian, but it shouldn’t be hard to adapt this to any Linux distro. I’m assuming you have root access to your server.
