Looking for advice on grsec kernel

Discussion in 'General Discussion' started by eagle, Sep 13, 2006.

  1. eagle

    Hi,

    I am just about to add a new cPanel box, and had planned to compile a grsec-patched kernel. My goal is to get all major issues before I put a client on it ( :rolleyes: , seems a good idea)

    So, would there be a good and a less good way to build the box? Would you say that building cPanel on a patched box is more or less of a problem than patching after building cPanel?

    And second, does anyone have any advice, as a result of their own experience, NOT to use grsec kernels on a cPanel box? I am not totally convinced yet :confused:

    Thanks for the advice. I didn't find much after searching first.
     
  2. CollateralFX

    I used grsec on both of my servers and on both of them performance dropped dramatically. They both would spike to load averages of 30+ just out of nowhere.

    They were both AMD 64-bit processors with cPanel.

    I will never use it again.
     
  3. chirpy

    I've only ever seen problems with grsec-secured servers - unexplained crashes, stuttered performance and, as CollateralFX says, poor overall performance.

    I'd stick to the OS vendor provided kernels so long as you are using a supported OS, and subscribe to their OS announcement list so you know as soon as new kernels become available.
     
  4. eagle

    That is clear advice. Thanks.

    I had a test server with grsec, but I didn't test the performance unfortunately. All of those kernel messages did drive me crazy though ;)

    I am taking your advice. Thanks again. I will use grsec again, but not on a production server for now.
     
  5. nickp666

    I know this thread is back from the stone age, but in the light of the 'Random JS' rootkit it has become apparent that the only way to protect yourself from it (until more is known) is to install a grsec kernel to stop it writing to /dev/kmem.

    Up until this point, I have always used stock Red Hat kernels, but given the fact that after weeks still nothing much is known about this exploit, I am a little uneasy with being unprotected from it.

    Does anyone have any information as to the state of play with grsec kernels and performance?
    Is it that major an impact on performance? (As my boxes nearly always have under 0.9 load averages, I could suffer it temporarily until more is known about the exploit, obviously providing it isn't going to hit my boxes majorly.)

    Once more is known about this exploit, I will switch back to stock kernels; just for the time being, I'd like to have the peace of mind that I'm safe from it!

    TIA
     