Open Alternatives to grsecurity on Anubiz VPS
grsecurity is no longer freely available, but most of what it offered now lives in mainline kernel as KSPP (Kernel Self Protection Project) defaults. On an Anubiz Ubuntu 24.04 VPS the kernel ships with many KSPP hardening flags by default. This guide enables the rest (kernel lockdown LSM, restricted mmap_min_addr, strict aslr) and points to community-maintained hardened kernels for the paranoid.
Need this done for your project?
We implement, you ship. Async, documented, done in days.
Step 1: Understand the Baseline
Mainline 6.8 has stack protector, SMEP/SMAP, KASLR, FORTIFY_SOURCE. Most of grsecurity's PaX equivalents are present.
Step 2: Kernel Lockdown LSM
Enable at boot: GRUB cmdline lockdown=integrity (or confidentiality for paranoid). Prevents root from loading unsigned modules or accessing /dev/mem.
Step 3: Module Signing
Ubuntu kernel modules are signed. Verify cat /sys/module/kernel/parameters/lockdown. Out-of-tree modules without sign require relaxing lockdown.
Step 4: Boot Params
Add to GRUB: slab_nomerge slub_debug=ZF page_alloc.shuffle=1 init_on_alloc=1 init_on_free=1 vsyscall=none. These are KSPP-recommended.
Step 5: Hardened Distros
If you want the linux-hardened kernel package, Arch hosts maintain one. Not officially available on Anubiz cloud images but installable from third-party repo at your own risk.
Related Services
Why Anubiz Host
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.