Looking for advice on grsec kernel


Well-Known Member
Jan 17, 2003

I am just about to add a new CPanel box, and had planned to compile a gresec patched kernel. My goal is to get all major issues before I put a client on it ( :rolleyes: , seems a good idea)

So, would there be a good and a less good way to build the box? Would you say that building CPanel on a patched box is more or less of a problem than patching after building CPanel?

And second, does anyone have an advice as result of their own experience, NOT to use gresec kernels on a CPanel box? I am not totally convinced yet :confused:

Thanks for the advice. I didn't find much after searching first.


Active Member
Jan 19, 2005
I used grsec on both of my servers and on both of them performance dropped dramatically. They both would spike to load averages of 30+ just out of nowhere.

They were both AMD 64 bit processors with cpanel

I will never use it again.


Well-Known Member
Verifed Vendor
Jun 15, 2002
Go on, have a guess
I've only ever seen problems with grsec secured servers - unexplained crashes, stuttered performance and as CollateralFX says, poor overall performance.

I'd stick to the OS vendor provided kernels so long as you are using a supported OS, and subscribe to their OS announcement list so you know as soon as new kernels become available.


Well-Known Member
Jan 17, 2003
That is clear advice. Thanks.

I had a testserver with grsec, but I didn't test the performance unfortunately. All of those kernel messages did drive me crazy though ;)

I am taking your advice. Thanks again. I will use grsec again, but not on a production server for now.


Well-Known Member
Jan 28, 2005
I know this thread is back from the stone age, but in the light of the 'Random JS' rootkit it has become apparent that the only way to protect yourself from it (until more is known) is to install a grsec kernel to stop it writing to /dev/kmem

Up until this point, I have always used stock redhat kernels but given the fact that after weeks, still nothing much is known about this exploit I am a little uneasy with being unprotected from it.

Does anyone have any information as to the state of play with grsec kernels and performance?
Is it that major an impact on performance? (as my boxes nearly always have under 0.9 load averages, I could suffer it temporarily until more is known about the exploit, obviously providing it isnt going to hit my boxes majorly)

Once more is known about this exploit, I will switch back to stock kernels, just for the time being, I'd like to have the peace of mind that I'm safe from it!)