Posted January 20

You are reading Part 53 of the 57-part series: Harden and Secure Linux Servers. [Level 6]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article covers one security practice, explains why it matters, and gives step-by-step guidance for implementing it. To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

ExecShield is a Red Hat kernel feature that helps protect against buffer overflows and other memory-corruption exploits by marking writable memory (stack, heap, data segments) as non-executable. An attacker who injects shellcode into one of those regions therefore cannot run it.

✅ Blocks code execution from stack and heap memory. On CPUs with the NX bit it relies on hardware enforcement; on older 32-bit CPUs without NX it approximates the same protection with segment limits.
✅ Makes return-to-libc attacks harder. Non-executable memory by itself does not stop return-to-libc, because that technique reuses code that is already executable; ExecShield raises its cost by randomizing library load addresses and placing them low in memory so the addresses contain a NUL byte and are hard to guess.
✅ Works alongside Address Space Layout Randomization (ASLR), which makes the addresses an exploit depends on unpredictable.
✅ Raises the cost of exploiting memory-corruption bugs, including ones that are not yet patched. It is a mitigation, not a fix: a vulnerable program stays vulnerable, and the exploit may still crash it.

🔹 ExecShield shipped in the Red Hat kernels of CentOS/RHEL 5 and 6, where it is controlled by the kernel.exec-shield sysctl. RHEL 7 and later, and mainline kernels, do not carry it: the same protection comes from the NX bit and ASLR, with SELinux providing access control on top. On those systems the sysctl does not exist and the ExecShield step can be skipped; the NX, ASLR and sysctl hardening steps still apply.

How to Enable ExecShield on CentOS/RHEL

1. Enable ExecShield in sysctl.conf

Modify the kernel settings to enforce memory protections:

sudo nano /etc/sysctl.conf

Add the following lines:

kernel.exec-shield=1
kernel.randomize_va_space=2

🔹 Explanation:
kernel.exec-shield=1 → Enables ExecShield, preventing execution of code in non-executable memory regions (CentOS/RHEL 5 and 6 only).
kernel.randomize_va_space=2 → Enables full ASLR: the stack, mmap base, shared libraries, VDSO and heap (brk) are all randomized. A value of 1 leaves the heap unrandomized; 0 disables ASLR. The main executable's own image is randomized only if it was linked as a position-independent executable (PIE), which the distribution's packages are.

Save and exit the file.

2. Apply the Changes Without Rebooting

To apply the new settings immediately, run:

sudo sysctl -p

On a kernel without ExecShield this prints an error for that key (an "unknown key" or "cannot stat /proc/sys/kernel/exec-shield" message) and continues with the remaining settings. Remove the line on such systems so the error does not hide real problems. Note that sysctl -p reads only /etc/sysctl.conf; on systemd-based releases (RHEL 7 and later) settings are also loaded at boot from /etc/sysctl.d/*.conf, and sudo sysctl --system reloads all of them.

Verify changes:

sysctl -a | grep exec-shield
sysctl -a | grep randomize_va_space

3. Additional Hardening: Enable NX (No-Execute) Bit Protection

🔹 Modern Linux kernels use the CPU's NX (No-Execute, called XD or Execute Disable by Intel) bit to prevent execution of code in memory that is not mapped executable.

Check If NX Support Is Enabled

Run the following command to check CPU and kernel support for NX:

dmesg | grep NX

Expected output:

NX (Execute Disable) protection: active

The kernel log buffer wraps and dmesg may be restricted to root (kernel.dmesg_restrict=1), so the message is not always still there. The CPU flag is a reliable alternative on x86:

grep -o -w nx /proc/cpuinfo | head -1

🔹 If NX is not enabled, ensure your CPU supports it and enable it (XD/NX or "Execute Disable") in the BIOS/UEFI setup. Every x86-64 CPU implements NX; the flag is missing only on old 32-bit CPUs or when firmware has disabled it.

🔹 NX only protects mappings that lack PROT_EXEC. A binary that requests an executable stack (a PT_GNU_STACK header with the E flag, typically from an assembly object that lacks a .note.GNU-stack section) gets one regardless of the kernel settings. Check a binary with:

readelf -lW /path/to/binary | grep GNU_STACK

Flags RW mean a non-executable stack; RWE means the binary asks for an executable one and should be rebuilt.

4. Enable Additional Memory Protections

A. Related Kernel Hardening Settings

These sysctl settings complement ASLR and NX. Note that stack-smashing protection (SSP, the stack canary) is not a sysctl: it is a compiler option (-fstack-protector-strong) applied when a program is built, and the distribution's own packages already use it.

Modify the sysctl.conf file:

sudo nano /etc/sysctl.conf

Add:

vm.mmap_min_addr=65536
fs.suid_dumpable=0
kernel.kptr_restrict=1

🔹 Explanation:
vm.mmap_min_addr=65536 → Forbids unprivileged processes from mapping the lowest 64 KiB of address space, so a kernel NULL-pointer dereference cannot be turned into code execution by mapping attacker-controlled data at address 0. Many distributions already default to this value; check with cat /proc/sys/vm/mmap_min_addr.
fs.suid_dumpable=0 → Disables core dumps for setuid binaries and other processes that changed credentials, preventing privileged memory from leaking into a core file an unprivileged user can read.
kernel.kptr_restrict=1 → Hides kernel pointers (for example in /proc/kallsyms) from unprivileged users, which a kernel exploit needs to defeat kernel ASLR; a value of 2 hides them from root as well.

Apply the changes:

sudo sysctl -p

5. Verify Memory Protections Are Active

After applying all changes, check the system settings:

Check ASLR Status:

cat /proc/sys/kernel/randomize_va_space

Expected output:

2 # Full ASLR enabled

Check NX Protection:

dmesg | grep NX

Check ExecShield Status (Legacy CentOS/RHEL 5 and 6 only):

sysctl kernel.exec-shield

Best Practices for Memory Protection Hardening

✅ Enable ExecShield (where the kernel offers it) and ASLR to protect against memory corruption exploits.
✅ Use the NX bit to prevent execution of injected shellcode, and make sure no deployed binary requests an executable stack.
✅ Harden sysctl.conf settings for enhanced memory security.
✅ Keep the Linux kernel updated to benefit from the latest security patches.
✅ Enable SELinux or AppArmor for additional containment: they do not stop the exploit, but they limit what a compromised process can reach.

By enabling ExecShield, ASLR, and NX protections, you significantly reduce the risk of memory-based attacks, making your Linux server more resilient against exploits and buffer overflow vulnerabilities.
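The following bash script is an added example, not part of the original article: it checks every setting the steps above configure in one run, reports kernel.exec-shield as skipped rather than failed on kernels that do not expose it, tests the NX flag from /proc/cpuinfo instead of the volatile dmesg buffer, and reports per binary whether the stack is mapped executable. The script name, the function names and the PROC_ROOT variable are this example's own conventions; PROC_ROOT defaults to /proc and can be pointed at a fake directory tree to exercise the checks without root.

```bash
#!/usr/bin/env bash
# memprotect_audit.sh: verify the memory-protection settings this article
# configures (ExecShield, ASLR, NX, mmap_min_addr, suid_dumpable,
# kptr_restrict) and, per binary, whether its stack is mapped executable.
# Added example, not from the original article. Assumes bash and coreutils;
# readelf (binutils) is optional. PROC_ROOT is an assumption of this script:
# it defaults to /proc and may point at a fake tree for testing without root.
PROC_ROOT="${PROC_ROOT:-/proc}"

# read_knob NAME: print the value of sysctl NAME from $PROC_ROOT/sys, or
# "absent" when this kernel does not expose it (kernel.exec-shield exists on
# RHEL/CentOS 5 and 6 only; on RHEL 7+ sysctl -p just reports an error).
read_knob() {
  local path
  path="$PROC_ROOT/sys/$(printf '%s' "$1" | tr . /)"
  if [ -r "$path" ]; then
    tr -d '[:space:]' < "$path"
  else
    printf 'absent'
  fi
}

# expect_knob NAME WANT: print one result line.
# Returns 0 = as expected, 1 = present but wrong, 2 = not exposed by the kernel.
expect_knob() {
  local name=$1 want=$2 have
  have=$(read_knob "$name")
  if [ "$have" = absent ]; then
    printf 'SKIP  %s (not exposed by this kernel)\n' "$name"
    return 2
  elif [ "$have" = "$want" ]; then
    printf 'PASS  %s = %s\n' "$name" "$have"
    return 0
  fi
  printf 'FAIL  %s = %s (want %s)\n' "$name" "$have" "$want"
  return 1
}

# nx_supported: succeed when the CPU advertises the NX/XD flag in
# $PROC_ROOT/cpuinfo. x86 only: arm64 lists no such flag (XN is always there).
nx_supported() {
  grep -qw nx "$PROC_ROOT/cpuinfo" 2>/dev/null
}

# stack_executable ELF: "exec" if PT_GNU_STACK requests an executable stack
# (flags RWE), "noexec" if it does not, "unknown" if readelf is missing or
# the header is absent. NX cannot protect a stack the binary maps PROT_EXEC.
stack_executable() {
  local flags
  command -v readelf >/dev/null 2>&1 || { printf 'unknown'; return 0; }
  flags=$(readelf -lW "$1" 2>/dev/null | awk '$1 == "GNU_STACK" { print $7 }')
  case "$flags" in
    *E*) printf 'exec' ;;
    "")  printf 'unknown' ;;
    *)   printf 'noexec' ;;
  esac
}

# audit [ELF...]: run all checks; returns 1 if any check FAILs (SKIPs do not).
audit() {
  local rc=0 status knob want bin
  while read -r knob want; do
    status=0
    expect_knob "$knob" "$want" || status=$?
    [ "$status" -eq 1 ] && rc=1
  done <<'EOF'
kernel.exec-shield 1
kernel.randomize_va_space 2
vm.mmap_min_addr 65536
fs.suid_dumpable 0
kernel.kptr_restrict 1
EOF
  case "$(uname -m)" in
    x86_64|i?86)
      if nx_supported; then
        printf 'PASS  CPU advertises NX\n'
      else
        printf 'FAIL  no nx flag in cpuinfo (enable XD/NX in firmware)\n'
        rc=1
      fi ;;
    *) printf 'SKIP  NX flag check only applies to x86\n' ;;
  esac
  for bin in "$@"; do
    printf 'INFO  %s stack: %s\n' "$bin" "$(stack_executable "$bin")"
  done
  return "$rc"
}

# Usage: bash memprotect_audit.sh audit [/path/to/binary ...]
case "${1:-}" in
  audit) shift; audit "$@" ;;
esac
```

Run it as `bash memprotect_audit.sh audit /usr/sbin/sshd` after step 5; a non-zero exit status means at least one setting the article configures is present but wrong, while an ExecShield SKIP on RHEL 7 or later is expected and harmless.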