A lot of hardening software is available for Unix and Linux systems. Measures such as closing open network ports, intrusion-detection and intrusion-prevention software, and firewalls are just a few of the methods. The most widespread hardening tools are Exec Shield, PaX and, of course, Bastille Linux. So what is the difference between them, and which should be chosen as the best system?
All of these tools take different protective measures. Exec Shield was created to reduce the risk of automated remote attacks on an operating system; it reduces the risk of "shell code" being inserted. Applications do not need to be recompiled to use Exec Shield, but applications such as Wine, Mono and XEmacs are not compatible with it. This hardening tool is lightweight, but it cannot fully secure arbitrary virtual memory layouts: if the code segment limit is raised, the system is no longer entirely protected.
PaX, on the other hand, is a patch for the Linux kernel that protects memory pages. It controls access to memory without interfering with legitimate code, and it prevents programming bugs from being used to gain unauthorized entry into computer software. There are also systems such as StackGuard and Stack-Smashing Protector, which detect buffer overflows and kill the offending program on identifying them. PaX does not use this stack-smashing protection and instead prevents damage after the attempts have already been made. Bastille Linux and Apache also take protective measures before the attempts begin and can deactivate some features in configuration files.