Grsecurity+Knock

General details

Grsecurity and Knock are two different projects that provide improved security for the Linux kernel; the package described here combines both patch sets in the same kernel. The current package available on Parabola is linux-libre-grsec-knock.

Note: It is available in the kernels repo.

Patch projects

Grsecurity

From Grsecurity homepage:

Unlike other expensive security "solutions" that pretend to achieve security through known-vulnerability patching, signature-based detection, or other reactive methods, grsecurity provides real proactive security. The only solution that hardens both your applications and operating system, grsecurity is essential for public-facing servers and shared-hosting environments.

The grsecurity project provides patches to the Linux kernel which enhance security. It hardens the kernel against common attack vectors, preventing a steady stream of vulnerabilities from allowing the kernel itself to be compromised. It includes a powerful Mandatory Access Control system with an effortless automatic learning mode. The PaX patches are also included, for hardening userspace applications against exploits via stronger memory protections and ASLR. See our documentation on Grsecurity for more information about configuring it.

Knock

From Knock homepage:

Knock is a kernel patch that implements a new NAT-compatible TCP option for stealthy port knocking with a few new twists for improved security which is referred to as TCP Stealth.

Like grsecurity, the Knock project provides patches to the Linux kernel which enhance security, but it works differently: it makes a TCP server not respond (positively) to a TCP SYN request unless a particular "knock" packet has been sent first. This can be helpful for security, as an attacker that cannot establish a TCP connection also cannot really attack the TCP server.

Activation of kernels repo

You can add the following lines to your /etc/pacman.conf:

/etc/pacman.conf
[kernels]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
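A small POSIX shell helper to add the block above only once and to verify that the [kernels] section keeps package signature checking enabled. This is an added example, not part of the wiki page or of Parabola's tooling; it assumes the usual pacman.conf layout of "[section]" headers followed by "Key = Value" lines, and takes the path to the file as its argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the Parabola wiki): manage the [kernels] repository
# entry in a pacman.conf file. Assumes standard pacman.conf syntax.

# Print the SigLevel value configured inside the [kernels] section
# (prints nothing if the section or the option is missing).
kernels_siglevel() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[kernels\]/) }
        in_sec && /^[ \t]*SigLevel[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Append the repository block from the page unless [kernels] already exists,
# so running this twice does not duplicate the section.
enable_kernels_repo() {
    conf="$1"
    if grep -q '^[[:space:]]*\[kernels\]' "$conf"; then
        return 0
    fi
    printf '\n[kernels]\nSigLevel = PackageRequired\nInclude = /etc/pacman.d/mirrorlist\n' >> "$conf"
}

# Succeed only if [kernels] exists and requires signed packages
# ("PackageRequired" as on the page, or the stricter "Required").
check_kernels_repo() {
    level=$(kernels_siglevel "$1")
    case "$level" in
        PackageRequired*|Required*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run `enable_kernels_repo /etc/pacman.conf` as root, then `check_kernels_repo /etc/pacman.conf` to confirm the section is present and not weakened to something like "SigLevel = Never".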