Computer and Technology News Blog

Content:
1) Introduction
2) cPanel/WHM Installation and cPanel/WHM Configuration
3) The server and it’s services | PHP Installation, Optimization & Security
4) Kernel Hardening | Linux Kernel + Grsecurity Patch
5) SSH
6) Firewall | DDoS Protection
7) Mod_Security
Anti-Virus – ClamAV
9) Rootkit
10) The Rest of Shits

===================
| 1) Introduction |
===================

A step by step paper how to secure linux server with cPanel/WHM and
Apache installed. By default, linux is not secured enough but you have
to understand there is no such thing as “totally secured server/system”.
The purpose of this paper is to understand how to at least provide some
kind of security to the server. I prefer lsws web-server without any
Control Panel at all but for this paper I have used CentOS 5 with cPanel/WHM
and Apache web-server installed since a lot of hosting companies and
individuals out there are using it.

Let’s start

So, you bought the server with CentOS 5 installed. If you ordered cPanel/WHM together with the server you can skip 2.1 step

============================================
| 2) cP/WHM installation and configuration |
============================================
2.1) cP/WHM Installation
To begin your installation, use the following commands into SSH:
root@server [~]# cd /home
root@server [/home]# wget http://layer1.cpanel.net/latest
root@server [/home]# ./latest

—————————————————————————————————–
cd /home – Opens /home directory
wget http://layer1.cpanel.net/latest – Fetches the latest installation file from the cPanel servers.
./latest – Opens and runs the installation files.
——————————————————————————————————

cP/WHM should be installed now. You should be able to access cP via
http://serverip:2082(SSL-2083) or http://serverip/cpanel and WHM via
http://serverip:2086(SSL-2087) or http://serverip/whm. Let’s configure
it now.

2.2) cP/WHM Configuration
Login to WHM using root username/passwd
http://serverip:2086 or http://serverip/whm

WHM – Server setup – Tweak Security:
————————————-
Enable open_basedir protection
Disable Compilers for all accounts(except root)
Enable Shell Bomb/memory Protection
Enable cPHulk Brute Force Protection

WHM – Account Functions:
————————-
Disable cPanel Demo Mode
Disable shell access for all accounts(except root)

WHM – Service Configuration – FTP Configuration:
————————————————-
Disable anonymous FTP access

WHM – MySQL:
————-
Set some MySQL password(Don’t set the same password like for the root access)
-If you didn’t set MySQL password someone will be able to login into the DB with
username “root” without password and delete/edit/download any db on the server.

WHM – Service Configuration – Apache Configuration – PHP and SuExec Configuration
——————–
Enable suEXEC – suEXEC = On
When PHP runs as an Apache Module it executes as the user/group of the
webserver which is usually “nobody” or “apache”. suEXEC changes this so
scripts are run as a CGI. Than means scripts are executed as the user
that created them. With suEXEC script permissions can’t be set to
777(read/write/execute at user/group/world level)

===============================================================================
| 3) The server and it’s services | PHP Installation, Optimization & Security |
===============================================================================

3.1) Keep all services and scripts up to date and make sure that you running the latest secured version.
On CentOS type this into SSH to upgrade/update services on the server.
[root@server ~]# yum upgrade
or
[root@server ~]# yum update

3.2) PHP installation/update, configuration and optimization + Suhosin patch
First download what you need, type the following into SSH:
root@server [~]# cd /root
root@server [~]# wget http://www.php.net/get/php-5.2.9.tar.bz2/from/this/mirror
root@server [~]# wget http://download.suhosin.org/suhosin-patch-5.2.8-0.9.6.3.patch.gz
root@server [~]# wget http://download.suhosin.org/suhosin-0.9.27.tgz

Untar PHP:
root@server [~]# tar xvjf php-5.2.9.tar.bz2

Patch the source:
root@server [~]# gunzip < suhosin-patch-5.2.8-0.9.6.3.patch.gz | patch -p0

Configure the source. If you want to use the same config as you used for
the last php build it’s not a problem but you will have to add:
enable-suhosin to old config. To get an old config type this into SSH:
root@server [~]# php -i | grep ./configure

root@server [~]# cd php-5.2.9
root@server [~/php-5.2.9]# ./configure –enable-suhosin + old config(add old config you got from “php -i | grep ./configure” here)
root@server [~/php-5.2.9]# make
root@server [~/php-5.2.9]# make install

Note: If you get an error like make: command not found or patch: Command
not found, you will have to install “make” and “patch”. It can be done
easly. Just type this into SSH:
root@server [~]# yum install make
root@server [~]# yum install patch

Now check is everything as you want. Upload php script like this on the server:
phpinfo();
?>
And open it via your browser and you will see your PHP configuration there.

3.3) Suhosin
We will install Suhosin now, it’s an advanced protection system for PHP.
root@server [~]# tar zxvf suhosin-0.9.27.tgz
root@server [~]# cd suhosin-0.9.27
root@server [~/suhosin-0.9.27]# phpize
root@server [~/suhosin-0.9.27]# ./configure
root@server [~/suhosin-0.9.27]# make
root@server [~/suhosin-0.9.27]# make install

After you installed suhosin you will get something like this: It’s installed to /usr/local/lib/php/extensions/no-debug-non-zts-20060613/

Now edit your php.ini. If you don’t know where php.ini located is, type this into SSH.
root@server [~]# php -i | grep php.ini
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini

It means you have to edit /usr/local/lib/php.ini
Type into SHH:
root@server [~]# nano /usr/local/lib/php.ini
If you get an error, nano: Command not found, then:
root@server [~]# yum install nano

Find “extension_dir =” and add:
extension_dir = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
To save it, CTRL + O and press the enter button on your keyboard.

3.4) Zend Optimizer:
Download Zend Optimizer from http://www.zend.com/store/products/zend-optimizer.php
root@server [~]# tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
root@server [~]# cd ZendOptimizer-3.3.3-linux-glibc23-i386
root@server [~/ZendOptimizer-3.3.3-linux-glibc23-i386]# ./install.sh
Welcome to Zend Optimizer installation….. – Press Enter button
Zend licence agreement… – Press Enter button
Do you accept the terms of this licence… – Yes, press Enter button
Location of Zend Optimizer… – /usr/local/Zend, press Enter button
Confirm the location of your php.ini file…- /usr/local/lib, press Enter button
Are you using Apache web-server.. – Yes, press Enter button
Specify the full path to the Apache control utility(apachectl)…-/usr/local/apache/bin/apachectl, press Enter button
The installation has completed seccessfully…- Press Enter button

Now restart apache, type this into SSH:
root@server [~]# service httpd restart

3.5) php.ini & disabled functions
Edit php.ini like this:
root@server [~]# nano /usr/local/lib/php.ini
————————————————————
safe_mode = On
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec, dl,
shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd
————————————————————-

root@server [~]# service httpd restart

Or you can edit php.ini via WHM:
WHM – Service Configuration – PHP Configuration Editor

=========================================================
| 4) Kernel Hardening | Linux Kernel + Grsecurity Patch |
=========================================================

Description : grsecurity is an innovative approach to security utilizing
a multi-layered detection, prevention, and containment model. It is
licensed under the GPL. It offers among many other features:
-An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your
entire system with no configuration
-Change root (chroot) hardening
-/tmp race prevention
-Extensive auditing
-Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
-Prevention of arbitrary code execution in the kernel
-Randomization of the stack, library, and heap bases
-Kernel stack base randomization
-Protection against exploitable null-pointer dereference bugs in the kernel
-Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
-A restriction that allows a user to only view his/her processes
-Security alerts and audits that contain the IP address of the person causing the alert

Downloading and patching kernel with grsecurity
root@server [~]# cd /root
root@server [~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.5.tar.gz
root@server [~]# wget http://www.grsecurity.com/test/grsecurity-2.1.12-2.6.26.5-200809141715.patch
root@server [~]# tar xzvf linux-2.6.26.5.tar.gz
root@server [~]# patch -p0 < grsecurity-2.1.12-2.6.26.5-200809141715.patch
root@server [~]# mv linux-2.6.26.5 linux-2.6.26.5-grsec
root@server [~]# ln -s linux-2.6.26.5-grsec/ linux
root@server [~/linux]# cd linux
root@server [~/linux]# cp /boot/config-`uname -r` .config
root@server [~/linux]# make oldconfig

Compile the Kernel:
root@server [~/linux]# make bzImage
root@server [~/linux]# make modules
root@server [~/linux]# make modules_install
root@server [~/linux]# make install

Check your grub loader config, and make sure default is 0
root@server [~/linux]# nano /boot/grub/grub.conf

Reboot the server
root@server [~/linux]# reboot

==========
| 5) SSH |
==========

In order to change SSH port and protocol you will have to edit sshd_config
root@server [~]# nano /etc/ssh/sshd_config

Change Protocol 2,1 to Protocol 2
Change #Port 22 to some other port and uncomment it
Like, Port 1337

There is a lot of script kiddiez with brute forcers and they will try to crack our ssh pass because they know username is root, port is 22
But we were smarter, we have changed SSH port
Also, their “brute forcing” can increase server load, which means our sites(hosted on that server) will be slower.

SSH Legal Message
edit /etc/motd, write in motd something like this:
“ALERT! That is a secured area. Your IP is logged. Administrator has been notified”

When someone logins into SSH he will see that message:
ALERT! That is a secured area. Your IP is logged. Administrator has been notified

If you want to recieve an email every time when someone logins into SSH as root, edit .bash_profile(It’s located in /root directory) and put this at the end of file:
echo ‘ALERT – Root Shell Access on:’ `date` `who` | mail -s “Alert: Root Access from `who | awk ‘{print $6}’`” mail@something.com

And at the end restart SSH, type “service sshd restart” into SSH

=================================
| 6) Firewall | DDoS Protection |
=================================

6.1) Firewall, CSF Installation
root@server [~]# wget http://www.configserver.com/free/csf.tgz
root@server [~]# tar -xzf csf.tgz
root@server [~]# cd csf

In order to install csf your server needs to have some ipt modules
enabled. csftest is a perl script and it comes with csf. You can check
those mudules with it.
root@server [~/csf]# ./csftest.pl
The output should be like this:

root@server [~/csf]# ./csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing ipt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK

Don’t worry if you don’t have all those mudules enabled, csf will work if
you didn’t get any FATAL errors at the end of the output.

Now, get to installation
root@server [~/csf]# ./install.sh

You will have to edit csf.conf file. It’s located here:
/etc/csf/csf.conf

You need to edit it like this:
Testing = “0″

And you need to configure open ports in csf.conf or you won’t be able to
access these ports. In most cases it should be configured like this if
you are using cP/WHM. If you are running something on some other port
you will have to enable it here. If you changed SSH port you will have
to add a new port here:
# Allow incoming TCP ports
TCP_IN = “20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096″
# Allow outgoing TCP ports
TCP_OUT = “20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703″

6.2) CSF Connection Limit
There is in csf.conf CT option, configure it like this
CT_LIMIT = “200″
It means every IP with more than 200 connections is going to be blocked.
CT_PERMANENT = “1″
IP will blocked permanenty
CT_BLOCK_TIME = “1800″
IP will be blocked 1800 secs(1800 secs = 30 mins)
CT_INTERVAL = “60″
Set this to the the number of seconds between connection tracking scans.

After csf.conf editing you need to restart csf
root@server [~# service csf restart

6.3) SYN Cookies
Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookies protection:
-----------------------------------
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
-----------------------------------

root@server [~/]# service network restart

6.4) CSF as security testing tool
CSF has an option “Server Security Check”. Go to WHM – Plugins – CSF -
Test Server Security. You will see additional steps how to secure the
server even more. I’m writing only about most important things here and
I covered most of them in the paper but if you want you can follow steps
provided by CSF to get the server even more secured.

6.5) Mod_Evasive
ModEvasive module for apache offers protection against DDoS (denial of service attacks) on your server.

To install it login into SSH and type:

———————————————————————————
root@server [~]# cd /root/
root@server [~]# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
root@server [~]# tar zxf mode_evasive-1.10.1.tar.gz
root@server [~]# cd mod_evasive

then type…
root@server [~/mod_evasive]# /usr/sbin/apxs -cia mod_evasive20.c
———————————————————————————

When mod_evasive is installed, place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf)

——————————–

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

——————————–

6.6) Random things:
csf -d IP – Block an IP with CSF
csf -dr IP – Unblock an IP with CSF
csf -s – Start firewall rules
csf -f – Flush/stop firewall rules
csf -r – Restart firewall rules
csf -x – Disable CSF
csf -e – Enable CSF
csf -c – Check for updates
csf -h – Show help screen

-Block an IP via iptables
iptables -A INPUT -s IP -j DROP

-Unblock an IP via iptables
iptables -A INPUT -s IP -j ACCEPT

-See how many IP addresses are connected to the server and how many connections has each of them.
netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

===================
| 7) Mod_Security |
===================

Mod_Security is a web application firewall and he can help us to secure our sites against RFI, LFI, XSS, SQL Injection etc

If you use cP/WHM you can easly enable Mod_security in WHM – Plugins – Enable Mod_Security and save

Now I will explain how to install Mod_security from source.
You can’t install Mod_Security if you don’t have libxml2 and http-devel libraries.
Also, you need to enable mod_unique_id in apache modules, but don’t worry, I will explain how to do it

Login into SSH and type…

root@server [~]# yum install libxml2 libxml2-devel httpd-devel

libxml2 libxml2-devel httpd-devel should be installed now

then you need to edit httpd.conf file, you can find it here:
root@server [~]# nano /etc/httpd/conf/httpd.conf

You need to add this in your httpd.conf file
LoadModule unique_id_module modules/mod_unique_id.so

Now download the latest version of mod_security for apache2 from http://www.modsecurity.org

login into SSH and type…

root@server [~]# cd /root/
root@server [~]# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz
root@server [~]# tar zxf modsecurity-apache_2.5.6.tar.gz
root@server [~]# cd modsecurity-apache_2.5.6
root@server [~/modsecurity-apache_2.5.6]# cd apache2

then type:
root@server [~/modsecurity-apache_2.5.6/apache2]# ./configure
root@server [~/modsecurity-apache_2.5.6/apache2]# make
root@server [~/modsecurity-apache_2.5.6/apache2]# make install

Go at the end of httpd.conf and place an include for our config/rules file…
Include /etc/httpd/conf/modsecurity.conf

———————————————————
# /etc/httpd/conf/httpd.conf

LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include /etc/httpd/conf/modsecurity.conf
———————————————————

You need to find a good rules for Mod_Security. You can find them at
official Mod_Security site. Also, give a try to gotroot.com rules. When
you find a good rules, just put them in /etc/httpd/conf/modsecurity.conf

And restart httpd at the end, type “service httpd restart” into SSH.

==========================
| Anti-Virus – ClamAV |
==========================

You need AV protection to protect the server against worms and trojans
invading your mailbox and files! Just install clamav (a free open source
antivirus software for linux). More information can be found on clamav.
website – http://www.clamav.net

In order to install CLamAV login into SSH and type

root@server [~]# yum install clamav

Once you have installed clamav for your CentOS, here are some basic commands you will need:

Update the antivirus database
root@server [~]# freshclam

Run antivirus
root@server [~]# clamscan -r /home

Running as Cron Daily Job
To run antivirus as a cron job (automatically scan daily) just run
crontab -e from your command line. Then add the following line and save
the file.
@daily root clamscan -R /home

It means clamav will be scanning /home directory every day. You can change the folder to whatever you want to scan.

==============
| 9) Rootkit |
==============

Rootkit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools.
This tool scans for rootkits, backdoors and local exploits by running tests like:
-MD5 hash compare
-Look for default files used by rootkits
-Wrong file permissions for binaries
-Look for suspected strings in LKM and KLD modules
-Look for hidden files
-Optional scan within plaintext and binary files

Instalation:

Login into SSH and type

root@server [~]# cd /root/
root@server [~]# wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
root@server [~]# tar -zxvf rkhunter-1.2.7.tar.gz
root@server [~]# cd rkhunter
root@server [~rkhunter]# ./installer.sh

Scan the server with rkhunter
root@server [~]# rkhunter -c

=========================
| 10) The Rest of Shits |
=========================

10.1) Random suggestions

If you use bind DNS server then we need to edit named.conf file
named.conf is located here: /etc/named.conf

and add
recursion no; under Options
—————————-
Options{
recursion no;
—————————-

Now restart bind, type into SSH
root@server [~]# service named restart

This will prevent lookups from dnstools.com and similar services and reduce server load

In order to prevent IP spoofing, you need to edit host.conf file like this:
This file is located here: /etc/host.conf
Add that in host.conf
——————
order bind,hosts
nospoof on
——————

Hide the Apache version number:

edit httpd.conf (/etc/httpd/conf/httpd.conf)
———————–
ServerSignature Off
———————–

10.2) Passwords
Don’t use the same password you are using for the server on some other places.
When the Datacenter contacts you via e-mail or phone, always request
more informations. Remember, someone alse could contact you to get some
information or even root passwords.

10.3) Random thoughts
No matter what you need to secure the server, don’t think you are safe
only because you are not personally involved in any shits with
“hackers”. When you are hosting hacking/warez related sites you are the
target. There is no such thing as totally secured server. Most important
things are backups, make sure you will always have an “up-to-date”
offsite backups ^^

Hello everybody, now a days people use router for wifi connections, sharing more than 2 computers. Every router comes with its firmware. But what is firmware ?

In electronics and computing, firmware is a term often used to denote the fixed, usually rather small, programs and/or data structures that internally control various electronic devices.

People use different firmwares to make router more powerful. One of the famous firmware is DD-WRT.

DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems. The main emphasis lies on providing the easiest possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used.

DD-WRT is a Linux-based firmware for several wireless routers, most notably the Linksys WRT54G (including the WRT54GL and WRT54GS). Like other similar projects, DD-WRT is considered a third-party firmware solution designed to replace the firmware that ships pre-installed on many commercial routers. This is done for a variety of reasons; including but not limited to the addition of features which are not typically included in a manufacturer’s router firmware.

DD-WRT includes such features as support for the Kai network, daemon-based services, IPv6, Wireless Distribution System, RADIUS, advanced quality of service, radio output power control, overclocking capability, and software support for a Secure Digital Card hardware modification.

Watch the following video before installing DD-WRT on your Router

A computer virus could be the end of a wonderful day when in the middle of a computer application, a virus starts eating up your files. Or you slaved all week for a report and when you try to open the file, you can’t find it anywhere. In cases like these, what do you do?

The first thing to do is to unplug the modem wires and don’t connect to another computer. Just re-plug everything once the virus has been eliminated. Second, look for a virus-scan software in your computer and install updates via the internet. Once installed, you can run the software. If the software can’t remove the virus, there is a possibility that it can identify it.

Third, browse the Web for any data about the virus affecting your computer. Just type the name of your virus like Trojan Virus. If the Web gives you specific instructions in getting rid of the virus, follow these instructions carefully. Or you may try downloading and installing programs from the Web that can get rid of the virus. Lastly, you may run another virus scan to see if the virus was totally eliminated.

There are other things you should know about these viruses and what to do as First Aid. To avoid spreading the virus to people in your contact list, find out if the virus is spread through e-mail. If it is, contact these people and tell them to avoid opening attachments and messages from your email address temporarily until the virus has been dealt with.

To find out, open your address book and a new contact which is a phony address. You may try !000 because this is the very first address that will register in your address book and the first address where the virus will send itself. Right there, it will stop sending itself because of the phony address. The best thing to do is to get specific online procedure to get rid of the virus.

If your computer contains many sensitive and personal files that practically mean your life, it would probably be good if you invest in software that virtually removes all kinds of viruses. Because even reformatting can’t get rid of all types of virus, it is very important that you get one of these software’s.

Knowing these things about computer viruses is imperative. At least, when you encounter one, you will know what to do. Invest in a good virus-scan software that could take care of all sorts of virus. Or you could download good virus scans from the Web anytime for free.

If you are a computer enthusiast and want to experiment a little with the Operating System of your computer or tired with virus, malware, adware or spyware you might consider an Operating System which is both secure, fast and at the same time free, try Ubuntu Linux. Ubuntu Linux which is just a distribution of Linux Operating System is available free of cost. You need to download the ISO file and burn it using your favorite CD/DVD burning software or if you have a slow internet connection but still want to try out the Operating System you can order for a CD from Ubuntu’s home page. Ubuntu Linux is available for Desktop, servers and Notebook. Ubuntu Linux licensed by a UK based company Canonical Limited. This implies that anyone can reuse, study and modify the code and that the code is free and can be freely distributed or copied.

Ubuntu Linux was first released in the year 2004 October. After that Canonical does release a version after every six months and a LTS version (Long Time support) after two years. The LTS version was so called because Canonical will give support for this version for three years and five years for Server. The last LTS version was released in April 2010 and hence was called version 10.04. The naming convention is YY.MM. After six months in the month of October 10th 2010 the next version was launched by Canonical which was naturally 10.10. The next version will be probably 11.04 which should be released in the year 2011 in the month of April.

Before proceeding with features and other important aspects let’s see how to install Ubuntu Linux. Some may have conception installing Linux is very tough and you need a UNIX conception if you want to install Ubuntu. But things have changed over the years and now loading Linux is very easy. For Linux set up support, you can talk to a remote computer support service provider. The full installation is GUI based where a click of mouse is sufficient for things to be done quickly. Further if you are extremely happy with your existing Operating System and you don’t want to remove it you can use the installation CD of Ubuntu Linux as a Live CD.

This means that you don’t need to install or create partition for trying out Ubuntu Linux. Just boot your computer by selecting CDROM drive as first boot device and you will get a screen where you will be given options of either to Try Ubuntu Linux or Install Ubuntu. Choose Ubuntu only if you are absolutely sure and backed up all your data. Or else click Try Ubuntu. In no time you will get the desktop with complete set of software like Open Office, Firefox browser, Movie Player and other software programs as well.

Source :- http://goarticles.com/article/Ubuntu-Linux-A-More-Secure-and-Reliable-Operation-System-for-Your-Computer/3674822

How to Compile Linux kernel 2.6
Start…

Compiling custom kernel has its own advantages and disadvantages. However, new Linux user / admin find it difficult to compile Linux kernel. Compiling kernel needs to understand few things and then just type couple of commands. This step by step howto covers compiling Linux kernel version 2.6.xx under Debian GNU Linux. However, instructions remains the same for any other distribution except for apt-get command.

Step # 1 Get Latest Linux kernel code

Visit http://kernel.org/ and download the latest source code. File name would be linux-x.y.z.tar.bz2, where x.y.z is actual version number. For example file Linux-2.6.25.tar.bz2 represents 2.6.25 kernel version. Use wget command to download kernel source code:
$ cd /tmp
$ wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-x.y.z.tar.bz2

Note: Replace x.y.z with actual version number.

Step # 2 Extract tar (.tar.bz3) file

Type the following command:
# tar -xjvf linux-2.6.25.tar.bz2 -C /usr/src
# cd /usr/src

Step # 3 Configure kernel

Before you configure kernel make sure you have development tools (gcc compilers and related tools) are installed on your system. If gcc compiler and tools are not installed then use apt-get command under Debian Linux to install development tools.
# apt-get install gcc

Now you can start kernel configuration by typing any one of the command:

* $ make menuconfig – Text based color menus, radiolists & dialogs. This option also useful on remote server if you wanna compile kernel remotely.
* $ make xconfig – X windows (Qt) based configuration tool, works best under KDE desktop
* $ make gconfig – X windows (Gtk) based configuration tool, works best under Gnome Dekstop.

For example make menuconfig command launches following screen:
$ make menuconfig

You have to select different options as per your need. Each configuration option has HELP button associated with it so select help button to get help.

Step # 4 Compile kernel

Start compiling to create a compressed kernel image, enter:
$ make
Start compiling to kernel modules:
$ make modules

Install kernel modules (become a root user, use su command):
$ su -
# make modules_install

Step # 5 Install kernel

So far we have compiled kernel and installed kernel modules. It is time to install kernel itself.
# make install

It will install three files into /boot directory as well as modification to your kernel grub configuration file:

* System.map-2.6.25
* config-2.6.25
* vmlinuz-2.6.25

Step # 6: Create an initrd image

Type the following command at a shell prompt:
# cd /boot
# mkinitrd -o initrd.img-2.6.25 2.6.25

initrd images contains device driver which needed to load rest of the operating system later on. Not all computer requires initrd, but it is safe to create one.

Step # 7 Modify Grub configuration file – /boot/grub/menu.lst

Open file using vi:
# vi /boot/grub/menu.lst

title Debian GNU/Linux, kernel 2.6.25 Default
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hdb1 ro
initrd /boot/initrd.img-2.6.25
savedefault
boot

Remember to setup correct root=/dev/hdXX device. Save and close the file. If you think editing and writing all lines by hand is too much for you, try out update-grub command to update the lines for each kernel in /boot/grub/menu.lst file. Just type the command:
# update-grub
Neat. Huh?

Step # 8 : Reboot computer and boot into your new kernel

Just issue reboot command:
# reboot