LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html

538 lines
41 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Securing Debian Manual - Security update protected by a firewall</title>
<link href="index.en.html" rel="start">
<link href="ap-bind-chuser.en.html" rel="prev">
<link href="ap-chroot-ssh-env.en.html" rel="next">
<link href="index.en.html#contents" rel="contents">
<link href="index.en.html#copyright" rel="copyright">
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
<link href="ch4.en.html" rel="chapter" title="4 After installation">
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas &mdash; what you could do">
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (Februrary 2008)">
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users's access">
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricing access to file transfer only">
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is <code>identd</code> (port 113) for?">
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does &quot;local (remote)&quot; mean?">
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
</head>
<body>
<p><a name="ap-fw-security-update"></a></p>
<hr>
<p>
[ <a href="ap-bind-chuser.en.html">previous</a> ]
[ <a href="index.en.html#contents">Contents</a> ]
[ <a href="ch1.en.html">1</a> ]
[ <a href="ch2.en.html">2</a> ]
[ <a href="ch3.en.html">3</a> ]
[ <a href="ch4.en.html">4</a> ]
[ <a href="ch-sec-services.en.html">5</a> ]
[ <a href="ch-automatic-harden.en.html">6</a> ]
[ <a href="ch7.en.html">7</a> ]
[ <a href="ch-sec-tools.en.html">8</a> ]
[ <a href="ch9.en.html">9</a> ]
[ <a href="ch10.en.html">10</a> ]
[ <a href="ch-after-compromise.en.html">11</a> ]
[ <a href="ch12.en.html">12</a> ]
[ <a href="ap-harden-step.en.html">A</a> ]
[ <a href="ap-checklist.en.html">B</a> ]
[ <a href="ap-snort-box.en.html">C</a> ]
[ <a href="ap-bridge-fw.en.html">D</a> ]
[ <a href="ap-bind-chuser.en.html">E</a> ]
[ F ]
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
[ <a href="ap-chroot-ssh-env.en.html">next</a> ]
</p>
<hr>
<h1>
Securing Debian Manual
<br>Appendix F - Security update protected by a firewall</h1>
<hr>
<p>
After a standard installation, a system may still have some security
vulnerabilities. Unless you can download updates for the vulnerable packages
on another system (or you have mirrored security.debian.org for local use), the
system will have to be connected to the Internet for the downloads.
</p>
<p>
However, as soon as you connect to the Internet you are exposing this system.
If one of your local services is vulnerable, you might be compromised even
before the update is finished! This may seem paranoid but, in fact, analysis
from the <code><a href="http://www.honeynet.org">Honeynet Project</a></code>
has shown that systems can be compromised in less than three days, even if the
system is not publicly known (i.e., not published in DNS records).
</p>
<p>
When doing an update on a system not protected by an external system like a
firewall, it is possible to properly configure your local firewall to restrict
connections involving only the security update itself. The example below shows
how to set up such local firewall capabilities, which allow connections from
security.debian.org only, logging all others.
</p>
<p>
The following example can be use to setup a restricted firewall ruleset. Run
this commands from a local console (not a remote one) to reduce the chances of
locking yourself out of the system.
</p>
<pre>
# iptables -F
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -A OUTPUT -d security.debian.org --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -j LOG
# iptables -A OUTPUT -j LOG
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- anywhere anywhere LOG level warning
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT 80 -- anywhere security.debian.org
LOG all -- anywhere anywhere LOG level warning
</pre>
<p>
Note: Using a <em>DROP</em> policy in the INPUT chain is the most correct thing
to do, but be <em>very</em> careful when doing this after flushing the chain
from a remote connection. When testing firewall rulesets from a remote
location it is best if you run a script with the firewall ruleset (instead of
introducing the ruleset line by line through the command line) and, as a
precaution, keep a backdoor[<a href="footnotes.en.html#f85" name="fr85">85</a>]
configured so that you can re-enable access to the system if you make a
mistake. That way there would be no need to go to a remote location to fix a
firewall ruleset that blocks you.
</p>
<p>
FIXME: This needs DNS to be working properly since it is required for
security.debian.org to work. You can add security.debian.org to /etc/hosts but
now it is a CNAME to several hosts (there is more than one security mirror)
</p>
<p>
FIXME: this will only work with HTTP URLs since ftp might need the
ip_conntrack_ftp module, or use passive mode.
</p>
<hr>
<p>
[ <a href="ap-bind-chuser.en.html">previous</a> ]
[ <a href="index.en.html#contents">Contents</a> ]
[ <a href="ch1.en.html">1</a> ]
[ <a href="ch2.en.html">2</a> ]
[ <a href="ch3.en.html">3</a> ]
[ <a href="ch4.en.html">4</a> ]
[ <a href="ch-sec-services.en.html">5</a> ]
[ <a href="ch-automatic-harden.en.html">6</a> ]
[ <a href="ch7.en.html">7</a> ]
[ <a href="ch-sec-tools.en.html">8</a> ]
[ <a href="ch9.en.html">9</a> ]
[ <a href="ch10.en.html">10</a> ]
[ <a href="ch-after-compromise.en.html">11</a> ]
[ <a href="ch12.en.html">12</a> ]
[ <a href="ap-harden-step.en.html">A</a> ]
[ <a href="ap-checklist.en.html">B</a> ]
[ <a href="ap-snort-box.en.html">C</a> ]
[ <a href="ap-bridge-fw.en.html">D</a> ]
[ <a href="ap-bind-chuser.en.html">E</a> ]
[ F ]
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
[ <a href="ap-chroot-ssh-env.en.html">next</a> ]
</p>
<hr>
<p>
Securing Debian Manual
</p>
<address>
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
<br>
Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
<br>
</address>
<hr>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink