I'm playing around now with the Linux kernel security patches put out by openwall.com (the -ow patches). They add a set of hardening options to your kernel configuration, such as a non-executable user stack and restrictions on links and FIFOs in /tmp. Of course, to use a patch like this, you have to know how to compile a custom kernel. Debian has some tools here to help out both the novice and the veteran.
If you are like me and reboot your computer once in a blue moon, then I suggest you do so before attempting the following procedure. A few years ago I was upgrading the kernel on a firewall box I had built, and it hadn't been rebooted in a very long time. When I rebooted to test the new kernel, everything seemed fine until init started going through the usual motions and failed to boot completely. Being less experienced, I attributed this screw-up to the new kernel. So I rebooted back to my old kernel, but I got the same behavior. Well, I didn't know what the hell was going on until I tried to reinstall on that machine. Turns out the disk was bad and had been heading in that direction for some time. I have no idea how I made it through a kernel compile or how the computer stayed running as long as it did. You can save yourself a lot of trouble by rebooting and testing the current kernel (and any backup kernels you have).
Grab the latest source tarball from kernel.org (I am assuming you know how to do this) and check its detached signature against the kernel.org archive key before you unpack it; kernel.org publishes a .sign file next to each tarball, and a kernel is not something you want to build from a tampered download. Unpack the tarball under /usr/src. This creates a directory called /usr/src/linux. Rename this directory to /usr/src/linux-<version>, where <version> is the version of the kernel you downloaded, like 2.2.20 or 2.4.15, so for example /usr/src/linux-2.2.20. Then create a symlink /usr/src/linux that points to the source directory you just made.
cd /usr/src
(Get sources)
(If /usr/src/linux is already a symlink to an older tree, remove it before unpacking; otherwise tar follows the link and dumps the new files on top of the old tree. If it is a real directory, move it aside instead.)
rm linux
tar zxvf <tarball>
mv linux linux-<version>
ln -s linux-<version> linux

If you already have a config file (Debian puts a copy of the running kernel's config under /boot, named config-<version>), you can copy it to the source directory and name it .config (notice the leading dot).
cd /usr/src/linux
cp /boot/config-<old version> .config

Patch the kernel. Grab the patch you want to apply (openwall's patch in this case) and apply it. Which -p level you need depends on how the patch was made, so look at the paths in its --- and +++ headers: if they carry a leading linux/ or linux-<version>/ component, apply it from /usr/src with patch -p0 < patch_file.diff, or from /usr/src/linux with patch -p1 < patch_file.diff; if they start at the tree root, use -p0 from /usr/src/linux. Run patch with --dry-run first, since a rejected hunk usually means the wrong -p level or a patch made against a different kernel version, and only patch for real once the dry run is clean. If the patch is gzipped, feed it through gzip -dc instead of redirecting the file. Check the patch's signature too (openwall.com publishes signatures for its releases): a kernel patch runs with full privilege, so it deserves the same scrutiny as the kernel itself. Read the man pages for patch and diff for more help here.
Configure your kernel. Even if you already had a config file, you should do this again anyway: a .config from an older kernel knows nothing about options added since, and if you applied a patch, it knows nothing about the options the patch added (the openwall patch puts its options under a new Security options menu). From /usr/src/linux, run make oldconfig first so you are asked only about the new options, then make menuconfig to review the whole configuration. You can substitute other targets for menuconfig, like config, if you like; I like menuconfig myself. Answer the questions here, and read the documentation if you don't know what to enable or disable.
Update: As noted by Mark Matthews, potato users may need to install libncurses5-dev for menuconfig to work. In general, you will need the header files for ncurses installed to use menuconfig.
cd /usr/src/linux
apt-get install libncurses5-dev
make menuconfig

Build it! You can use make-kpkg to make a Debian package out of your kernel (and handle most of the build process). To do this, you need to install kernel-package (apt-get update && apt-get install kernel-package). From the source directory, do make-kpkg --revision <revision> buildpackage, where <revision> is a revision number you pick. I like cust.1.0.
cd /usr/src/linux
apt-get install kernel-package
make-kpkg --revision <revision> buildpackage

If you use modules that are packaged separately from the kernel itself, you may need to make a Debian package for them. For the most part, this step shouldn't be needed unless you are on a laptop and use PCMCIA cards. In that case, you need to rebuild the pcmcia-modules package to keep it in sync with your kernel version.
If you have a laptop, apt-get install pcmcia-source. This should drop a pcmcia-cs tarball under /usr/src. Unpack this and it should create /usr/src/modules/pcmcia-cs. From /usr/src/linux do make-kpkg modules_image to build a pcmcia-cs .deb. Making modules_image instead of modules (for me) gets rid of the dependency on gpg or pgp.
cd /usr/src/linux
make-kpkg --revision <revision> modules_image

Install it! You should now have Debian packages for the stuff you built (kernel + optional modules). They are created in /usr/src. The most important package is kernel-image (and pcmcia-cs if you have a laptop). If you like, you can skip kernel-headers, kernel-source, and kernel-doc if you have followed the instructions up to this point. Don't delete /usr/src/linux if you want to build programs yourself; some of the headers are needed.
Before you install them with dpkg -i, back up your old kernel, System.map, and config file from /boot. If the kernel you are building has the same version string as the one you are currently running, move /lib/modules/<version> out of the way by renaming it to something meaningful, such as /lib/modules/<version>.old; otherwise the new package's modules land on top of the old ones and you end up booting a mix of the two. I like to set up lilo so that the original kernel that came with my distro and the previous working kernel stay bootable in addition to the new kernel, each under its own label, so that a kernel that panics or hangs on boot costs you a reboot rather than a rescue disk. Read the docs on lilo for how to do this (it isn't hard).
Answer the questions when you install the packages. If you choose not to have it automagically run lilo for you, you need to make sure to run lilo to install your shiny new kernel. Reboot and enjoy.
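The whole procedure above, rolled into one sh script with the checks a careful admin wants: it refuses to clobber a real /usr/src/linux directory, works out the -p level from the patch headers and dry-runs the patch before touching the tree, runs make oldconfig before menuconfig, and backs up /boot and moves the old /lib/modules tree aside before you install the .deb. This is an added example, not code from the original page or from openwall or Debian; the SRC, BOOT and LIBMOD locations, the helper names, and the command-line arguments (version, revision, patch file) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the build procedure as a script.
# SRC, BOOT and LIBMOD are assumed defaults; version, package revision and the
# patch file are assumed to come from the command line (see the last line).
set -eu

SRC=${SRC:-/usr/src}
BOOT=${BOOT:-/boot}
LIBMOD=${LIBMOD:-/lib/modules}

# Point $src/linux at $src/linux-$version. Only ever replaces a symlink; a real
# directory named linux is an unpacked tree you would otherwise clobber.
link_kernel_source() {
    src=$1; version=$2
    [ -d "$src/linux-$version" ] || { echo "no $src/linux-$version" >&2; return 1; }
    if [ -e "$src/linux" ] && [ ! -L "$src/linux" ]; then
        echo "$src/linux is a real directory, move it aside first" >&2
        return 1
    fi
    rm -f "$src/linux"
    ln -s "linux-$version" "$src/linux"
}

# Copy vmlinuz, System.map and config for $version out of $boot into a dated
# backup directory before dpkg -i overwrites them. Prints the backup directory.
backup_boot_files() {
    boot=$1; version=$2; stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    dest=$boot/backup-$version-$stamp
    mkdir -p "$dest"
    for f in vmlinuz System.map config; do
        if [ -f "$boot/$f-$version" ]; then cp -p "$boot/$f-$version" "$dest/"; fi
    done
    echo "$dest"
}

# Move $libmod/$version aside if it exists so the new package's modules do not
# land on top of the old ones. Prints the new name, or nothing if there was none.
stash_old_modules() {
    libmod=$1; version=$2; stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    if [ -d "$libmod/$version" ]; then
        mv "$libmod/$version" "$libmod/$version.old-$stamp"
        echo "$libmod/$version.old-$stamp"
    fi
}

# -p level for applying from inside the tree: 1 if the diff's paths carry a
# leading linux/ or linux-<version>/ component, 0 if they start at the tree root.
patch_strip_level() {
    case $1 in
        linux/*|linux-*/*) echo 1 ;;
        *)                 echo 0 ;;
    esac
}

# Apply a (possibly gzipped) patch to $tree: take the -p level from the first
# +++ header, dry-run first, and only touch the tree if every hunk applies.
apply_patch() {
    tree=$1; patchfile=$2
    case $patchfile in
        *.gz) plain=$(mktemp); gzip -dc "$patchfile" > "$plain"; patchfile=$plain ;;
    esac
    first=$(awk '/^\+\+\+ /{print $2; exit}' "$patchfile")
    level=$(patch_strip_level "$first")
    patch --dry-run -p"$level" -d "$tree" < "$patchfile"   # rejects = wrong -p or wrong base
    patch -p"$level" -d "$tree" < "$patchfile"
}

# The steps in order: link the tree, clean, reuse the running kernel's config,
# patch, oldconfig (asks only about options the old .config lacks, e.g. the
# ones the patch added), menuconfig, build the .deb, then back things up.
build_kernel() {
    version=$1; revision=$2; patchfile=$3
    stamp=$(date +%Y%m%d-%H%M%S)
    link_kernel_source "$SRC" "$version"
    cd "$SRC/linux"
    make-kpkg clean
    if [ -f "$BOOT/config-$(uname -r)" ]; then cp "$BOOT/config-$(uname -r)" .config; fi
    apply_patch "$SRC/linux" "$patchfile"
    make oldconfig
    make menuconfig
    make-kpkg --revision "$revision" buildpackage
    backup_boot_files "$BOOT" "$(uname -r)" "$stamp"
    stash_old_modules "$LIBMOD" "$version" "$stamp"
    echo "now: dpkg -i $SRC/kernel-image-${version}_${revision}_*.deb, then run lilo and reboot"
}

# Only run the real thing when asked: sh build-kernel.sh run <version> <revision> <patchfile>
if [ "${1:-}" = run ]; then build_kernel "$2" "$3" "$4"; fi
```

The dpkg -i step is deliberately left to you: once the .deb is installed you still need to confirm that lilo lists the new label alongside the fallback kernels before you reboot.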
If something goes wrong, I am not responsible for what happens. You do this at your own risk. ;)