Next: About this document ... Up: Configuration and Security Previous: Filesystem Security

Attempting to stop potential exploits
If you have followed the guidelines in this paper so far, you are doing a good job. If you want to go further than this, think about adding some kernel patches and recompiling your kernel with them. My favorite is the grsecurity patch, found at www.grsecurity.net. It is a set of patches that includes PaX (written by the PaX Team; it is not Solar Designer's work, although grsecurity itself grew out of the openwall security patch for the 2.2 kernel series written by the Solar Designer of www.openwall.com). PaX makes the stack, heap and other data pages non-executable and can randomize the address space layout, which is what breaks the classic buffer overflow exploit that jumps into code it has injected. The flip side is that programs which legitimately generate code at run time (the X server, just-in-time compilers) must be exempted, as described below.

To install your own kernel with this patch, follow these steps. To keep it easy, we reuse the configuration of the default Red Hat kernel but build 2.4.19.
1 - Go to www.kernel.org and download the full 2.4.19 kernel source.
2 - Go to www.grsecurity.net and download the newest patch for the 2.4.19 kernel. The patch only applies cleanly to the exact kernel version it was made for.
3 - Unpack the source into /usr/src so that you end up with /usr/src/linux-2.4.19/: `tar xzf linux-2.4.19.tar.gz -C /usr/src` for a gzip archive, or `tar xjf linux-2.4.19.tar.bz2 -C /usr/src` for a bzip2 archive.
4 - Apply the grsecurity kernel patch by going into your /usr/src/linux-2.4.19 directory and running `patch -p1 < /path/to/grsecurity-patch`. Check the output for any `Hunk FAILED` lines; a partially applied patch will not build.
5 - Run `make mrproper` just to be sure you are starting out fresh (it includes what `make clean` does, and it also removes any .config, which is why this comes before the next step).
6 - Copy the config of the kernel you are currently running into this same directory as .config: `cp /boot/config-2.4.* .config` (on Red Hat the file is named after the running kernel, so `cp /boot/config-$(uname -r) .config` picks the right one).
7 - From the console run `make menuconfig`; from X run `make xconfig`. Go to the bottom of the options, where the grsecurity section is, and select what you want. If you don't want to do much work, choose the `medium` or `high` predefined security level instead of the individual options.
8 - Save this config, then build and install the kernel with `make dep; make bzImage; make modules; make modules_install; make install` (run them one at a time the first time, so you can see where anything fails). On Red Hat, `make install` runs /sbin/installkernel, which normally builds the initrd and adds the GRUB entry for you.
9 - If it compiles and installs correctly, make sure /boot/grub/grub.conf has an entry for the new kernel and edit it if not. GRUB reads grub.conf at boot time, so you do not need to re-run `grub-install /dev/hda`; that is only needed when you are (re)installing the boot loader itself into the MBR.
10 - If you have chosen PaX protection, head over to http://pageexec.virtualave.net/ and download the chpax.c utility. Compile it with `gcc -o chpax chpax.c`. Then turn PAGEEXEC off on your XFree86 binary, or your system will hang when it tries to start X: `./chpax -p /usr/X11R6/bin/XFree86`. chpax records the flags in the binary's own ELF header, so the exemption survives reboots but is lost when the package is upgraded; `./chpax -v /usr/X11R6/bin/XFree86` shows the flags currently set.
11 - Reboot! You will have two kernels to choose from; the -grsec kernel is the one you want to try out now, and the old one is still there if the new one misbehaves.

Keep in mind that you WILL have problems with Java if you use PaX, and possibly with other programs that generate code at run time. You will have to turn PAGEEXEC off on all the Java binaries from Sun (java, javac, etc.) the same way you did with XFree86. PaX logs a kernel message whenever it kills a process, so check dmesg or the system log to confirm that PaX is the cause before you turn a protection off for a binary.
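The procedure above (steps 3 to 11, plus the Java exemption just mentioned) as a shell script. This is an added example, not a script from the paper or from the grsecurity project. The patch file name, the location of the Sun JDK, where chpax is installed, and the Red Hat layout of /boot and /boot/grub/grub.conf are assumptions. The two helper functions do the checks the steps otherwise leave to the eye: that the patch really applied (it changes EXTRAVERSION to -grsec, which is where the "-grsec" in the boot menu comes from), and that grub.conf actually boots the new kernel rather than one with a similar version string.

```shell
#!/bin/sh
# Added example: scripted version of the 2.4.19 + grsecurity build described
# in the paper. Not the paper's or grsecurity's own code. Assumptions: the
# patch was saved as $PATCH, the Sun JDK lives under $JAVA_BIN, chpax is
# installed as $CHPAX, and /boot, /boot/grub/grub.conf follow Red Hat's layout.
set -e

SRC=/usr/src/linux-2.4.19
PATCH=/usr/src/grsecurity-2.4.19.patch   # assumption: name of the downloaded patch
JAVA_BIN=/usr/java/j2sdk1.4.0/bin        # assumption: where the Sun JDK is installed
CHPAX=/usr/local/sbin/chpax              # assumption: where we install chpax

# Print the release string a tree installs as (e.g. 2.4.19-grsec), built from
# VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION in the given top-level Makefile.
kernel_release() {
    _v=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*//p' "$1")
    _p=$(sed -n 's/^PATCHLEVEL[[:space:]]*=[[:space:]]*//p' "$1")
    _s=$(sed -n 's/^SUBLEVEL[[:space:]]*=[[:space:]]*//p' "$1")
    _e=$(sed -n 's/^EXTRAVERSION[[:space:]]*=[[:space:]]*//p' "$1")
    echo "$_v.$_p.$_s$_e"
}

# Step 4 check: the grsecurity patch sets EXTRAVERSION to -grsec, so the
# release string of a tree tells you whether it has been patched.
patch_applied() {
    case "$(kernel_release "$1/Makefile")" in
        *-grsec*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Step 9 check: does grub.conf have a kernel line booting /vmlinuz-<release>?
# The release is anchored so that "2.4.19" does not match "2.4.19-grsec".
grub_has_kernel() {
    _rel=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -qE "^[[:space:]]*kernel[[:space:]]+.*/vmlinuz-$_rel([[:space:]]|\$)" "$1"
}

# Steps 3 to 9: patch, configure from the running kernel's config, build, install.
build_grsec_kernel() {
    cd "$SRC"
    if ! patch_applied "$SRC"; then
        patch -p1 < "$PATCH"             # watch the output for "Hunk FAILED"
    fi
    make mrproper                        # removes .config, so copy it afterwards
    cp "/boot/config-$(uname -r)" .config
    make menuconfig                      # grsecurity options are at the bottom
    make dep
    make bzImage
    make modules
    make modules_install
    make install                         # Red Hat's installkernel adds initrd + GRUB entry
    _rel=$(kernel_release Makefile)
    if ! grub_has_kernel /boot/grub/grub.conf "$_rel"; then
        echo "no grub.conf entry boots vmlinuz-$_rel; add one before rebooting" >&2
        return 1
    fi
}

# Steps 10 and 11: turn PAGEEXEC off (chpax -p) on binaries that generate code
# at run time (X server, Sun JVM) and show the resulting flags (chpax -v).
pax_exempt() {
    for _f in "$@"; do
        if [ -x "$_f" ]; then
            "$CHPAX" -p "$_f"
            "$CHPAX" -v "$_f"
        fi
    done
}

# Nothing runs unless invoked as "sh build-grsec.sh run" on the target box.
if [ "${1:-}" = run ]; then
    build_grsec_kernel
    gcc -o "$CHPAX" /usr/src/chpax.c     # assumption: chpax.c was saved in /usr/src
    pax_exempt /usr/X11R6/bin/XFree86 "$JAVA_BIN/java" "$JAVA_BIN/javac"
fi
```

Run it as root with the single argument `run`. The `grub_has_kernel` anchor matters in practice: a stock Red Hat entry for vmlinuz-2.4.18-14 must not be mistaken for the new -grsec entry, otherwise you reboot into the old kernel believing PaX is active.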


Eric Thern
2002-08-27