Looking for advice on grsec kernel

eagle

Well-Known Member
Jan 17, 2003
Hi,

I am just about to add a new CPanel box, and had planned to compile a grsec patched kernel. My goal is to get all major issues before I put a client on it ( :rolleyes: , seems a good idea)

So, would there be a good and a less good way to build the box? Would you say that building CPanel on a patched box is more or less of a problem than patching after building CPanel?

And second, does anyone have any advice as a result of their own experience NOT to use grsec kernels on a CPanel box? I am not totally convinced yet :confused:

Thanks for the advice. I didn't find much after searching first.

CollateralFX

Active Member
Jan 19, 2005
I used grsec on both of my servers and on both of them performance dropped dramatically. They both would spike to load averages of 30+ just out of nowhere.

They were both AMD 64 bit processors with cpanel

I will never use it again.

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
I've only ever seen problems with grsec secured servers - unexplained crashes, stuttered performance and as CollateralFX says, poor overall performance.

I'd stick to the OS vendor provided kernels so long as you are using a supported OS, and subscribe to their OS announcement list so you know as soon as new kernels become available.

eagle

Well-Known Member
Jan 17, 2003
That is clear advice. Thanks.

I had a test server with grsec, but I didn't test the performance unfortunately. All of those kernel messages did drive me crazy though ;)

I am taking your advice. Thanks again. I will use grsec again, but not on a production server for now.

nickp666

Well-Known Member
Jan 28, 2005
I know this thread is back from the stone age, but in the light of the 'Random JS' rootkit it has become apparent that the only way to protect yourself from it (until more is known) is to install a grsec kernel to stop it writing to /dev/kmem.

Up until this point, I have always used stock Red Hat kernels, but given the fact that after weeks still nothing much is known about this exploit, I am a little uneasy with being unprotected from it.

Does anyone have any information as to the state of play with grsec kernels and performance?
Is it that major an impact on performance? (As my boxes nearly always have under 0.9 load averages, I could suffer it temporarily until more is known about the exploit, obviously providing it isn't going to hit my boxes majorly.)

Once more is known about this exploit, I will switch back to stock kernels; just for the time being, I'd like to have the peace of mind that I'm safe from it!

TIA
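The post above hinges on whether the running kernel still exposes a writable /dev/kmem. The script below is an added example (not code from this thread or from grsecurity) that classifies a kernel config on that point: CONFIG_GRKERNSEC_KMEM is the grsecurity option that denies writes to /dev/kmem, /dev/mem and /dev/port, and CONFIG_DEVKMEM is the mainline switch (2.6.26 and later) that drops the /dev/kmem device entirely. The sample config fragment it writes is constructed, and the config-file locations are assumptions about a typical distro layout.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether a kernel build still
# exposes /dev/kmem, the interface the post above wants grsec to close.
# CONFIG_GRKERNSEC_KMEM: grsecurity option denying writes to /dev/kmem,
# /dev/mem and /dev/port.  CONFIG_DEVKMEM: mainline option (2.6.26+) that
# removes the /dev/kmem device when unset.  Older kernels have neither.

# kmem_status CONFIG_FILE: classify a plain-text kernel config file.
kmem_status() {
    cfg="$1"
    if grep -q '^CONFIG_GRKERNSEC_KMEM=y' "$cfg"; then
        echo "protected: grsec denies writes to /dev/kmem"
    elif grep -q '^# CONFIG_DEVKMEM is not set' "$cfg"; then
        echo "protected: kernel built without /dev/kmem"
    elif grep -q '^CONFIG_DEVKMEM=y' "$cfg"; then
        echo "exposed: /dev/kmem writable by root"
    else
        echo "unknown: pre-2.6.26 config or option missing, assume exposed"
    fi
}

# live_config_file: print the running kernel's config path, if the distro
# ships one (assumed locations: /boot/config-<release> or /proc/config.gz).
live_config_file() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then
        echo "$f"
    elif [ -r /proc/config.gz ]; then
        tmp="${TMPDIR:-/tmp}/kconfig.$$"
        gzip -dc /proc/config.gz > "$tmp" 2>/dev/null && echo "$tmp"
    fi
}

# write_sample_config FILE: constructed fragment of a stock, non-grsec config.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_DEVKMEM=y
# CONFIG_GRKERNSEC_KMEM is not set
EOF
}

# Stand-alone run: classify the constructed sample, then the live kernel.
sample="${TMPDIR:-/tmp}/sample-config.$$"
write_sample_config "$sample"
echo "sample config:  $(kmem_status "$sample")"
rm -f "$sample"
live="$(live_config_file)"
[ -n "$live" ] && echo "running kernel: $(kmem_status "$live")"
[ -c /dev/kmem ] && echo "device node /dev/kmem is present" || echo "no /dev/kmem node"
```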