Security related things for the paranoid

Kernel patch

2.6.x

This patch changes the networking code so that it no longer uses a pseudo-random generator but draws its values more or less directly from the /dev/urandom device. This at least seems to confuse nmap.
Kernel 2.6.22 (version 1): fvhlkp-2.6.22-1.diff.bz2

This version also enlarges the PRNG entropy buffer and emits kernel messages when a process receives an unhandled signal:
Kernel 2.6.22 (version 2): fvhlkp-2.6.22-2.diff.bz2

2.4.x

This patch includes code for the following things:
  • random PID
  • random port numbers for IPv4, NAT, IPv6
  • enhanced random values for networking
Kernel 2.4.35: random-pid-2.4.35.patch.gz
No changes. Ported by acme@paranoici.org (thanks!).

Kernel 2.4.33: random-pid-2.4.33.patch.gz
No changes. Ported by acme@paranoici.org (thanks!).

Kernel 2.4.32: random-pid-2.4.32.patch.gz
No changes. Ported by acme@paranoici.org (thanks!).

Kernel 2.4.31: random-pid-2.4.31.patch.gz
No changes. Ported by acme@olografix.org (thanks again!).

Kernel 2.4.30: random-pid-2.4.30.patch.gz
No changes. Ported by acme@olografix.org (thanks again!).

Kernel 2.4.29: fp-2.4.29.patch.gz
No changes. Ported by acme@olografix.org (thanks!).

Kernel 2.4.27: fp-2.4.27.patch.gz
No changes. Ported by Thomas Sjögren (thanks!).

Kernel 2.4.26: random-pid-2.4.26.patch.gz
No changes. Ported by Thomas Sjögren (thanks!).

Kernel 2.4.22: fp-2.4.22.patch.gz
No changes. Also not tested.

Kernel 2.4.21: fp-2.4.21.patch.gz
No changes. Also not tested.

Kernel 2.4.20: fp-2.4.20.patch.gz
This patch was tested on i386 and Alpha platforms.
It also contains enhanced code for random PID generation which "uses less entropy data" from the random device.

Kernel 2.2.19: fp-2.2.19.patch.gz
This patch was tested on a DEC Alpha.

Before asking any questions, read the FAQ.

Parts of this patch are included in the www.grsecurity.net patch set.
It is also included in the Adamantix project.

Links

  • audio-entropyd adds entropy bits (random bits) to the /dev/random device. It gets them from a (spare) audio device.
  • video-entropyd adds entropy bits (random bits) to the /dev/random device. It gets them from a (spare) video4linux device (e.g. a webcam or TV card).
  • libsd is a preload library which makes every application securely delete the files it wants to delete/truncate/etc., without any changes to the application.
  • libprngwrap is a preload library which forces all applications and daemons to use the /dev/urandom device instead of [s]rand, [s]random, [*]rand48(), etc.

Check out my United States Mega Millions lottery winning help page.