old-www/LDP/www.debian.org/doc/manuals/securing-debian-howto/ch-sec-tools.en.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Securing Debian Manual - Security tools in Debian</title>
<link href="index.en.html" rel="start">
<link href="ch7.en.html" rel="prev">
<link href="ch9.en.html" rel="next">
<link href="index.en.html#contents" rel="contents">
<link href="index.en.html#copyright" rel="copyright">
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
<link href="ch4.en.html" rel="chapter" title="4 After installation">
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas &mdash; what you could do">
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (February 2008)">
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users' access">
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricting access to file transfer only">
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is <code>identd</code> (port 113) for?">
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does &quot;local (remote)&quot; mean?">
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
</head>
<body>
<p><a name="ch-sec-tools"></a></p>
<hr>
<p>
[ <a href="ch7.en.html">previous</a> ]
[ <a href="index.en.html#contents">Contents</a> ]
[ <a href="ch1.en.html">1</a> ]
[ <a href="ch2.en.html">2</a> ]
[ <a href="ch3.en.html">3</a> ]
[ <a href="ch4.en.html">4</a> ]
[ <a href="ch-sec-services.en.html">5</a> ]
[ <a href="ch-automatic-harden.en.html">6</a> ]
[ <a href="ch7.en.html">7</a> ]
[ 8 ]
[ <a href="ch9.en.html">9</a> ]
[ <a href="ch10.en.html">10</a> ]
[ <a href="ch-after-compromise.en.html">11</a> ]
[ <a href="ch12.en.html">12</a> ]
[ <a href="ap-harden-step.en.html">A</a> ]
[ <a href="ap-checklist.en.html">B</a> ]
[ <a href="ap-snort-box.en.html">C</a> ]
[ <a href="ap-bridge-fw.en.html">D</a> ]
[ <a href="ap-bind-chuser.en.html">E</a> ]
[ <a href="ap-fw-security-update.en.html">F</a> ]
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
[ <a href="ch9.en.html">next</a> ]
</p>
<hr>
<h1>
Securing Debian Manual
<br>Chapter 8 - Security tools in Debian
</h1>
<hr>
<p>
FIXME: More content needed.
</p>
<p>
Debian also provides a number of security tools that can make a Debian box
suited for security purposes. These purposes include protection of information
systems through firewalls (either packet- or application-level), intrusion
detection (both network- and host-based), vulnerability assessment, antivirus,
private networks, etc.
</p>
<p>
Since Debian 3.0 (<em>woody</em>), the distribution features cryptographic
software integrated into the main distribution. OpenSSH and GNU Privacy Guard
are included in the default install, and strong encryption is now present in
web browsers and web servers, databases, and so forth. Further integration of
cryptography is planned for future releases. Before <em>woody</em>, due to
export restrictions in the US, this software was not distributed along with
the main distribution but was available only from non-US sites.
</p>
<hr>
<h2><a name="s-vuln-asses"></a>8.1 Remote vulnerability assessment tools</h2>
<p>
The tools provided by Debian to perform remote vulnerability assessment are:
[<a href="footnotes.en.html#f59" name="fr59">59</a>]
</p>
<ul>
<li>
<p>
<code>nessus</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>raccess</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>nikto</code> (<code>whisker</code>'s replacement)
</p>
</li>
</ul>
<p>
By far the most complete and up-to-date tool is <code>nessus</code>, which is
composed of a client (<code>nessus</code>) used as a GUI and a server
(<code>nessusd</code>) which launches the programmed checks. Nessus includes
checks for remote vulnerabilities in quite a number of systems, including
network appliances, FTP servers, web servers, etc. The latest security plugins
are even able to crawl a web site and try to discover which interactive pages
are available that could be attacked. There are also Java and Win32 clients
(not included in Debian) which can be used to contact the management server.
</p>
<p>
<code>nikto</code> is a web-only vulnerability assessment scanner that includes
anti-IDS tactics (most of which no longer evade current IDS signatures). It is
one of the best CGI scanners available, able to identify the web server
software and launch only the set of checks that applies to it. The database
used for scanning can be easily extended with new checks.
</p>
<hr>
<h2><a name="s8.2"></a>8.2 Network scanner tools</h2>
<p>
Debian also provides some tools for remote scanning of hosts (port scanning
and fingerprinting, but not vulnerability assessment). Vulnerability
assessment scanners often use these as the first kind of &quot;attack&quot;
run against remote hosts, in an attempt to determine which remote services
are available. Currently Debian provides:
</p>
<ul>
<li>
<p>
<code>nmap</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>xprobe</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>p0f</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>knocker</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>isic</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>hping2</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>icmpush</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>nbtscan</code> (for SMB /NetBIOS audits)
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>fragrouter</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>strobe</code> (in the <code>netdiag</code> package)
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>irpas</code>
</p>
</li>
</ul>
<p>
While <code>xprobe</code> provides only remote operating system detection
(using TCP/IP fingerprinting), <code>nmap</code> and <code>knocker</code> do
both operating system detection and port scanning of remote hosts. On the
other hand, <code>hping2</code> and <code>icmpush</code> can be used to craft
packets for remote ICMP attack techniques.
</p>
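<p>
The following is an added example, not code from this page or from any of the
packages listed above: a small TCP connect() scanner in Python that does the
kind of port discovery <code>nmap</code> and <code>knocker</code> perform,
classifying each port as open, closed or filtered and probing ports
concurrently. It uses only the standard library; the loopback listener it
opens for its own demonstration, and the closed port it picks, are constructed
for the example so that it runs offline.
</p>

```python
"""TCP connect() port scanner in the spirit of nmap -sT and knocker.

Added example for this chapter, not code from any Debian package; it uses
only the Python standard library. A connect() scan completes the full
three-way handshake, so it needs no raw sockets or root privileges, but
every open port sees a real connection and the target's logs will show it:
use it only against hosts you are authorised to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List

# The three states nmap reports for a connect() scan: the handshake completed
# (open), the kernel answered with RST so connect() failed fast (closed), or
# nothing came back before the timeout, usually a firewall dropping the SYN
# (filtered).
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt a full TCP handshake to host:port and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except socket.timeout:
            return FILTERED
        except ConnectionRefusedError:
            return CLOSED
        except OSError:
            # EHOSTUNREACH, ENETUNREACH and friends: no answer, same as dropped
            return FILTERED


def scan(host: str, ports: Iterable[int], timeout: float = 1.0,
         workers: int = 64) -> Dict[int, str]:
    """Probe every port concurrently; return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(results: Dict[int, str]) -> List[int]:
    """The ports a vulnerability scanner would go on to examine."""
    return sorted(p for p, state in results.items() if state == OPEN)


def demo() -> Dict[str, object]:
    """Offline demonstration: scan a listener we open on loopback ourselves.

    A second port that nothing listens on is scanned too, so both the open
    and the closed classification are exercised without touching any other
    host (constructed setup for the example).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                              # nothing listens here any more
    try:
        results = scan("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "results": results}


if __name__ == "__main__":
    out = demo()
    for port, state in sorted(out["results"].items()):
        print(f"{port}/tcp {state}")
    print("open:", open_ports(out["results"]))
```

<p>
A SYN (half-open) scan such as <code>nmap -sS</code> sends the SYN by itself
from a raw socket and never completes the handshake, so it needs root but
leaves less in the target's application logs; the classification logic above
is the same either way. Against a host that drops rather than rejects
packets, the timeout is what bounds the scan time, which is why the probes are
run from a thread pool.
</p>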
<p>
Designed specifically for SMB networks, <code>nbtscan</code> can be used to
scan IP networks and retrieve name information from SMB-enabled servers,
including usernames, network names and MAC addresses.
</p>
<p>
On the other hand, <code>fragrouter</code> can be used to test network
intrusion detection systems and see if the NIDS can be eluded by fragmentation
attacks.
</p>
<p>
FIXME: Check <code><a href="http://bugs.debian.org/153117">Bug
#153117</a></code> (ITP fragrouter) to see if it's included.
</p>
<p>
FIXME add information based on <code><a
href="http://www.giac.org/practical/gcux/Stephanie_Thomas_GCUX.pdf">Debian
Linux Laptop for Road Warriors</a></code> which describes how to use Debian and
a laptop to scan for wireless (802.11) networks (link not there any more).
</p>
<hr>
<h2><a name="s8.3"></a>8.3 Internal audits</h2>
<p>
Currently, <code>tiger</code> is the only tool in Debian that can be used to
perform an internal (also called white-box) audit of a host, in order to
determine whether the file system is properly set up, which processes are
listening on the host, etc.
</p>
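<p>
As an added example, not code from the <code>tiger</code> package or from the
original page, the following Python script performs two of the white-box
checks such an audit consists of: it lists the TCP sockets in LISTEN state by
parsing <code>/proc/net/tcp</code> (the kernel table behind <code>netstat
-lnt</code> and <code>ss -lnt</code>), flagging those bound to something other
than loopback, and it walks a directory tree looking for world-writable files
and directories and for set-uid or set-gid files. The
<code>/proc/net/tcp</code> listing and the temporary directory it audits are
constructed for the demonstration; the same functions run unchanged on the
live system.
</p>

```python
"""Two white-box host checks of the kind tiger runs: which TCP sockets are
listening (and on which interface), and which files are world-writable or
set-uid.

Added example for this chapter, not code from the tiger package. The socket
check parses /proc/net/tcp, the same kernel table netstat -lnt and ss -lnt
read; the filesystem check walks a tree with lstat(). Both take their input
as parameters so they run on the constructed sample below as well as on the
live system.
"""
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Tuple

TCP_LISTEN = 0x0A           # socket state code the kernel uses in /proc/net/tcp

# Constructed sample in the /proc/net/tcp layout: sshd bound to all
# interfaces, an MTA bound to loopback only, and one established MySQL
# client connection owned by uid 1000 (not a listener).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 0100007F:A3B2 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:0016' -> ('127.0.0.1', 22); the IPv4 part is little-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def listening_sockets(proc_net_tcp: Iterable[str]) -> List[Dict[str, object]]:
    """Return the LISTEN entries: address, port, owning uid, and whether the
    socket is reachable from other hosts (bound to something other than
    loopback)."""
    found = []
    for line in proc_net_tcp:
        fields = line.split()
        if not fields or not fields[0].endswith(":"):
            continue                      # header line or blank line
        local, state, uid = fields[1], int(fields[3], 16), int(fields[7])
        if state != TCP_LISTEN:
            continue
        ip, port = decode_addr(local)
        found.append({"addr": ip, "port": port, "uid": uid,
                      "exposed": not ip.startswith("127.")})
    return sorted(found, key=lambda e: e["port"])


def risky_files(root: str) -> Dict[str, List[str]]:
    """Walk root and flag world-writable files, world-writable directories
    without the sticky bit, and set-uid / set-gid files."""
    report = {"world_writable": [], "setuid": [], "setgid": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue                  # vanished or unreadable: skip it
            if stat.S_ISLNK(mode):
                continue                  # permission bits on symlinks mean nothing
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                report["world_writable"].append(path)
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                report["setuid"].append(path)
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:
                report["setgid"].append(path)
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo_tree() -> Dict[str, List[str]]:
    """Build a throw-away tree with one bad file of each kind and audit it."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    modes = {"world-writable.conf": 0o666, "suid-helper": 0o4755, "ok.txt": 0o644}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return risky_files(root)


if __name__ == "__main__":
    try:                                  # live table if we are on Linux
        with open("/proc/net/tcp") as fh:
            lines = fh.readlines()
    except OSError:
        lines = SAMPLE_PROC_NET_TCP.splitlines()
    for entry in listening_sockets(lines):
        flag = "EXPOSED" if entry["exposed"] else "local"
        print(f"{entry['addr']}:{entry['port']} uid={entry['uid']} {flag}")
    for kind, files in demo_tree().items():
        print(kind, files)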
<hr>
<h2><a name="s8.4"></a>8.4 Auditing source code</h2>
<p>
Debian provides several packages that can be used to audit C/C++ source code
and find programming errors that might lead to security flaws:
</p>
<ul>
<li>
<p>
<code>flawfinder</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>rats</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>splint</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>pscan</code>
</p>
</li>
</ul>
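<p>
To show what these auditors actually do, here is an added example, not the
source of <code>flawfinder</code> or <code>rats</code>: a lexical scanner in
Python that looks for calls to C library functions which are unsafe by
construction (no bound on the destination, a format string the caller may
control, a shell invoked on a string) and ranks each hit so the worst are
reviewed first. The rule table is a small subset of what the real tools ship,
and the C source it is run on is constructed for the example, not code from
any project.
</p>

```python
"""A small lexical auditor for C source in the style of flawfinder and rats.

Added example for this chapter, not code from either package. Like those
tools it works on tokens, not a real parse: it cannot tell whether the
destination buffer is big enough, so every hit is a prompt for review,
not a confirmed vulnerability. The rule table is a small subset of what
such tools ship; the C below is a constructed sample.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# name -> (severity 1-5, why it is flagged, what to use instead)
RULES: Dict[str, Tuple[int, str, str]] = {
    "gets":    (5, "no bound on destination buffer at all", "fgets"),
    "strcpy":  (4, "unbounded copy into destination", "strlcpy or snprintf"),
    "strcat":  (4, "unbounded append to destination", "strlcat or snprintf"),
    "sprintf": (4, "unbounded formatted write", "snprintf"),
    "scanf":   (4, "%s without a width reads unbounded input", "width specifiers"),
    "system":  (4, "argument is handed to /bin/sh, metacharacters included", "execve with an argv"),
    "printf":  (2, "format string is not a constant", 'printf("%s", s)'),
    "strncpy": (1, "destination may be left without a NUL", "explicit termination"),
}

CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"')      # blank string literal contents
COMMENT_RE = re.compile(r"//.*$|/\*.*?\*/")         # single-line comments only


class Finding(NamedTuple):
    line: int
    func: str
    severity: int
    note: str
    fix: str


def first_argument(text: str, open_paren: int) -> str:
    """Text of the first argument of the call whose '(' is at open_paren."""
    depth, i = 0, open_paren
    while i < len(text):
        c = text[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                break
        elif c == "," and depth == 1:
            break
        i += 1
    return text[open_paren + 1:i].strip()


def audit_source(source: str) -> List[Finding]:
    """Scan C source text; return findings, most severe first."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        # Blank string contents and drop comments first, so a mention of
        # strcpy in a log message or a comment is not reported.
        line = COMMENT_RE.sub("", STRING_RE.sub('""', raw))
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            severity, note, fix = RULES[func]
            if func == "printf" and first_argument(line, m.end() - 1).startswith('"'):
                continue                  # constant format string: not a bug
            findings.append(Finding(lineno, func, severity, note, fix))
    return sorted(findings, key=lambda f: (-f.severity, f.line))


SAMPLE_C = '''\
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* constructed sample: the kind of code these auditors flag */
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);             /* unbounded copy into buf */
    printf(buf);                   /* caller-controlled format string */
    printf("hello %s", buf);       /* constant format string: not flagged */
}

int main(void) {
    char cmd[128];
    gets(cmd);                     /* no bound at all */
    return system(cmd);            /* cmd goes straight to /bin/sh */
}
'''

if __name__ == "__main__":
    for f in audit_source(SAMPLE_C):
        print(f"[{f.severity}] line {f.line}: {f.func}(): {f.note}; use {f.fix}")
```

<p>
The <code>printf</code> rule shows the one piece of context such tools do
extract: a call whose format string is a literal is silently accepted, while
one whose format string is a variable is reported, since that is the shape of
a format string vulnerability. Everything else is reported unconditionally,
which is why the output of <code>flawfinder</code> or <code>rats</code> on a
real code base is long and needs a human to go through it.
</p>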
<hr>
<h2><a name="s-vpn"></a>8.5 Virtual Private Networks</h2>
<p>
A virtual private network (VPN) is a group of two or more computer systems,
typically connected to a private network with limited public network access,
that communicate securely over a public network. VPNs may connect a single
computer to a private network (client-server), or a remote LAN to a private
network (server-server). VPNs often include the use of encryption, strong
authentication of remote users or hosts, and methods for hiding the private
network's topology.
</p>
<p>
Debian provides quite a few packages to set up encrypted virtual private
networks:
</p>
<ul>
<li>
<p>
<code>vtun</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>tunnelv</code> (non-US section)
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>cipe-source</code>, <code>cipe-common</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>tinc</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>secvpn</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>pptpd</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>openvpn</code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>openswan</code> (<code><a
href="http://www.openswan.org/">http://www.openswan.org/</a></code>)
</p>
</li>
</ul>
<p>
FIXME: Update the information here since it was written with FreeSWAN in mind.
Check Bug #237764 and Message-Id: &lt;200412101215.04040.rmayr@debian.org&gt;.
</p>
<p>
The OpenSWAN package is probably the best choice overall, since it promises to
interoperate with almost anything that uses the IP security protocol, IPsec
(RFC 2411). However, the other packages listed above can also help you get a
secure tunnel up in a hurry. The Point-to-Point Tunneling Protocol (PPTP) is a
proprietary Microsoft protocol for VPNs. It is supported under Linux, but is
known to have serious security issues.
</p>
<p>
For more information see the <code><a
href="http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html">VPN-Masquerade
HOWTO</a></code> (covers IPsec and PPTP), <code><a
href="http://www.tldp.org/HOWTO/VPN-HOWTO.html">VPN HOWTO</a></code> (covers
PPP over SSH), <code><a
href="http://www.tldp.org/HOWTO/mini/Cipe+Masq.html">Cipe
mini-HOWTO</a></code>, and <code><a
href="http://www.tldp.org/HOWTO/mini/ppp-ssh/index.html">PPP and SSH
mini-HOWTO</a></code>.
</p>
<p>
Also worth checking out is <code><a
href="http://yavipin.sourceforge.net/">Yavipin</a></code>, but no Debian
packages seem to be available yet.
</p>
<hr>
<h3><a name="s8.5.1"></a>8.5.1 Point to Point tunneling</h3>
<p>
If you want to provide a tunneling server for a mixed environment (both
Microsoft operating systems and Linux clients) and IPsec is not an option
(since Microsoft only provides it for Windows 2000 and Windows XP), you can
use <em>PoPToP</em> (Point to Point Tunneling Server), provided in the
<code>pptpd</code> package.
</p>
<p>
If you want to use Microsoft's authentication and encryption with the server
provided in the <code>ppp</code> package, note the following from the FAQ:
</p>
<pre>
It is only necessary to use PPP 2.3.8 if you want Microsoft compatible
MSCHAPv2/MPPE authentication and encryption. The reason for this is that
the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP
2.3.8. If you don't need Microsoft compatible authentication/encryption
any 2.3.x PPP source will be fine.
</pre>
<p>
However, you also have to apply the kernel patch provided by the
<code>kernel-patch-mppe</code> package, which provides the ppp_mppe module
used by pppd.
</p>
<p>
Take into account that the encryption in pptp forces you to store user
passwords in clear text on the server, and that the MS-CHAPv2 protocol
contains <code><a
href="http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/">known security
holes</a></code>.
</p>
<hr>
<h2><a name="s8.6"></a>8.6 Public Key Infrastructure (PKI)</h2>
<p>
Public Key Infrastructure (PKI) is a security architecture introduced to
provide an increased level of confidence for exchanging information over
insecure networks. It makes use of the concept of public and private
cryptographic keys to verify the identity of the sender (signing) and to ensure
privacy (encryption).
</p>
<p>
When considering a PKI, you are confronted with a wide variety of issues:
</p>
<ul>
<li>
<p>
a Certificate Authority (CA) that can issue and verify certificates, and that
can work under a given hierarchy.
</p>
</li>
</ul>
<ul>
<li>
<p>
a Directory to hold user's public certificates.
</p>
</li>
</ul>
<ul>
<li>
<p>
a repository (typically a database or a directory) to publish Certificate
Revocation Lists (CRLs).
</p>
</li>
</ul>
<ul>
<li>
<p>
devices that interoperate with the CA in order to issue smart cards or USB
tokens that securely store certificates and their private keys.
</p>
</li>
</ul>
<ul>
<li>
<p>
certificate-aware applications that can use certificates issued by a CA to
set up encrypted communication and check presented certificates against the
CRL (for authentication and full Single Sign-On solutions).
</p>
</li>
</ul>
<ul>
<li>
<p>
a Time stamping authority to digitally sign documents.
</p>
</li>
</ul>
<ul>
<li>
<p>
a management console from which all of this can be properly used (certificate
generation, revocation list control, etc...).
</p>
</li>
</ul>
<p>
Debian GNU/Linux has software packages to help you with some of these PKI
issues. They include <code>OpenSSL</code> (for certificate generation),
<code>OpenLDAP</code> (as a directory to hold the certificates),
<code>gnupg</code> and <code>openswan</code> (with X.509 standard support).
However, as of the Woody release (Debian 3.0), Debian does not have any of the
freely available Certificate Authorities such as pyCA, <code><a
href="http://www.openca.org">OpenCA</a></code> or the CA samples from OpenSSL.
For more information read the <code><a
href="http://ospkibook.sourceforge.net/">Open PKI book</a></code>.
</p>
<hr>
<h2><a name="s8.7"></a>8.7 SSL Infrastructure</h2>
<p>
Debian ships a set of root CA certificates with the distribution so that they
can be installed locally. They are found in the <code>ca-certificates</code>
package. This package provides a central repository of certificates that have
been submitted to Debian and approved (that is, verified) by the package
maintainer, useful for any OpenSSL-based application which verifies SSL/TLS
connections.
</p>
<p>
FIXME: read debian-devel to see if there was something added to this.
</p>
<hr>
<h2><a name="s8.8"></a>8.8 Antivirus tools</h2>
<p>
There are not many anti-virus tools included with Debian GNU/Linux, probably
because GNU/Linux users are not plagued by viruses. The Unix security model
makes a distinction between privileged (root) processes and user-owned
processes, therefore a &quot;hostile&quot; executable that a non-root user
receives or creates and then executes cannot &quot;infect&quot; or otherwise
manipulate the whole system (it can still damage everything that user can
write to, and a local privilege escalation flaw would remove even that
barrier). However, GNU/Linux worms and viruses do exist, although there has
not (yet, hopefully) been any that has spread in the wild over any Debian
distribution. In any case, administrators might want to build up anti-virus
gateways that protect against viruses arising on other, more vulnerable
systems in their network.
</p>
<p>
Debian GNU/Linux currently provides the following tools for building antivirus
environments:
</p>
<ul>
<li>
<p>
<code><a href="http://www.clamav.net">Clam Antivirus</a></code>, provided since
Debian <em>sarge</em> (3.1 release). Packages are provided for the command-line
virus scanner (<code>clamav</code>), for the scanner daemon
(<code>clamav-daemon</code>) and for the signature data files the scanner
needs. Since keeping antivirus signatures up to date is critical for the
scanner to be of any use, there are two different ways to get this data:
<code>clamav-freshclam</code>, which updates the database automatically over
the Internet, and <code>clamav-data</code>, which provides the data files
directly. [<a href="footnotes.en.html#f60" name="fr60">60</a>]
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>mailscanner</code>, an e-mail gateway virus scanner and spam detector.
Using <code>sendmail</code> or <code>exim</code> as its basis, it can use more
than 17 different virus scanning engines (including <code>clamav</code>).
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>libfile-scan-perl</code>, which provides File::Scan, a Perl extension for
scanning files for viruses. This module can be used to make
platform-independent virus scanners.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code><a href="http://www.sourceforge.net/projects/amavis">Amavis Next
Generation</a></code>, provided in the package <code>amavis-ng</code> and
available in <em>sarge</em>, which is a mail virus scanner that integrates
with different MTAs (Exim, Sendmail, Postfix, or Qmail) and supports over 15
virus scanning engines (including clamav, File::Scan and openantivirus).
</p>
</li>
</ul>
<ul>
<li>
<p>
<code><a href="http://packages.debian.org/sanitizer">sanitizer</a></code>, a
tool that uses the <code>procmail</code> package, which can scan email
attachments for viruses, block attachments based on their filenames, and more.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code><a
href="http://packages.debian.org/amavis-postfix">amavis-postfix</a></code>, a
script that provides an interface from a mail transport agent to one or more
commercial virus scanners (this package is built with support for the
<code>postfix</code> MTA only).
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>exiscan</code>, an e-mail virus scanner written in Perl that works with
Exim.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>blackhole-qmail</code>, a spam filter for Qmail with built-in support for
Clamav.
</p>
</li>
</ul>
<p>
Some gateway daemons already support extensions for building antivirus
environments, including <code>exim4-daemon-heavy</code> (the <em>heavy</em>
version of the Exim MTA), <code>frox</code> (a transparent caching FTP proxy
server), <code>messagewall</code> (an SMTP proxy daemon) and
<code>pop3vscan</code> (a transparent POP3 proxy).
</p>
<p>
Debian currently provides <code>clamav</code> as the only antivirus scanning
software in the main official distribution, and it also provides multiple
interfaces to build gateways with antivirus capabilities for different
protocols.
</p>
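<p>
The gateway integrations above typically hand each message or attachment to
the <code>clamav-daemon</code> over its socket rather than writing it to disk
and running the command-line scanner. As an added example, not code from the
clamav packages or from the original page, the following Python client does
exactly that with the daemon's INSTREAM command and fails closed on anything
that is not a clear verdict. So that it runs offline, it includes a stand-in
server that speaks only this command and &quot;detects&quot; only a marker
string; that server is a constructed test double, not clamd. The loopback
port, the marker and the sample payloads are constructed for the example; on
a Debian system the real daemon is normally reached through its Unix socket
(<code>/var/run/clamav/clamd.ctl</code>) instead of TCP.
</p>

```python
"""Submit in-memory data to clamd with the INSTREAM command, the way mail and
proxy gateways scan attachments without writing them to disk.

Added example for this chapter, not code from the clamav packages. Protocol
facts relied on: a command is sent NUL-terminated ("zINSTREAM\\0"); the data
follows on the same connection as chunks of a 4-byte big-endian length plus
that many bytes, ended by a zero-length chunk; the reply is "stream: OK" or
"stream: SIGNATURE FOUND", NUL-terminated. The stand-in server below is a
constructed test double that only "detects" a marker string, not clamd.
"""
import socket
import struct
import threading
from typing import Optional, Tuple

CHUNK = 8192
TEST_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"   # what the stand-in flags


def scan_stream(sock: socket.socket, data: bytes) -> Tuple[bool, Optional[str]]:
    """Send data with INSTREAM on an open socket; return (infected, signature)."""
    sock.sendall(b"zINSTREAM\0")
    for off in range(0, len(data), CHUNK):
        piece = data[off:off + CHUNK]
        sock.sendall(struct.pack("!I", len(piece)) + piece)
    sock.sendall(struct.pack("!I", 0))           # zero-length chunk ends the stream
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            raise ConnectionError("clamd closed the connection without a verdict")
        reply += part
    return parse_verdict(reply.rstrip(b"\0").decode("utf-8", "replace"))


def parse_verdict(text: str) -> Tuple[bool, Optional[str]]:
    """'stream: Eicar-Test-Signature FOUND' -> (True, 'Eicar-Test-Signature')."""
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return False, None
    if verdict.endswith(" FOUND"):
        return True, verdict[:-len(" FOUND")]
    # "stream: ... ERROR" (for example a size limit) or anything unexpected:
    # fail closed, a gateway must not deliver what the scanner could not check.
    raise RuntimeError(f"unexpected clamd reply: {text!r}")


def scan_tcp(host: str, port: int, data: bytes, timeout: float = 30.0):
    """Scan via clamd's TCP listener (for the Unix socket use AF_UNIX instead)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return scan_stream(s, data)


def _serve_one(conn: socket.socket) -> None:
    """Stand-in clamd: handle exactly one INSTREAM exchange, then hang up."""
    def read_exact(n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            more = conn.recv(n - len(buf))
            if not more:
                raise ConnectionError("short read")
            buf += more
        return buf
    cmd = b""
    while not cmd.endswith(b"\0"):
        cmd += read_exact(1)
    body = b""
    while True:                                  # assumes cmd was zINSTREAM
        (length,) = struct.unpack("!I", read_exact(4))
        if length == 0:
            break
        body += read_exact(length)
    infected = cmd == b"zINSTREAM\0" and TEST_MARKER in body
    conn.sendall(b"stream: Eicar-Test-Signature FOUND\0" if infected else b"stream: OK\0")
    conn.close()


def start_stand_in() -> Tuple[socket.socket, int]:
    """Listen on a loopback port; answer each connection in its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                           # listener closed
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Scan a harmless blob and one carrying the marker (split over 3 chunks)."""
    srv, port = start_stand_in()
    try:
        clean = scan_tcp("127.0.0.1", port, b"Hello, this attachment is harmless.\n")
        bad = scan_tcp("127.0.0.1", port, b"MIME part\n" + TEST_MARKER + b"x" * 20000)
    finally:
        srv.close()
    return clean, bad


if __name__ == "__main__":
    print(demo())
```

<p>
Two things in the client matter for a gateway: the reply is read until the
terminating NUL rather than assumed to arrive in one <code>recv()</code>, and
an <code>ERROR</code> reply (clamd sends one when, for instance, its stream
size limit is exceeded) raises instead of being treated as clean, so a large
or malformed attachment cannot slip through by making the scanner give up.
</p>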
<p>
Some other free software antivirus projects which might be included in future
Debian GNU/Linux releases:
</p>
<ul>
<li>
<p>
<code><a href="http://sourceforge.net/projects/openantivirus/">Open
Antivirus</a></code> (see <code><a href="http://bugs.debian.org/150698">Bug
#150698 (ITP oav-scannerdaemon)</a></code> and <code><a
href="http://bugs.debian.org/150695">Bug #150695 (ITP oav-update)</a></code> ).
</p>
</li>
</ul>
<p>
FIXME: Is there a package that provides a script to download the latest virus
signatures from <code><a
href="http://www.openantivirus.org/latest.php">http://www.openantivirus.org/latest.php</a></code>?
</p>
<p>
FIXME: Check if scannerdaemon is the same as the open antivirus scanner daemon
(read ITPs).
</p>
<p>
However, Debian will <em>never</em> provide proprietary (non-free and
undistributable) antivirus software such as: Panda Antivirus, NAI Netshield,
<code><a href="http://www.sophos.com/">Sophos Sweep</a></code>, <code><a
href="http://www.antivirus.com">TrendMicro Interscan</a></code>, or <code><a
href="http://www.ravantivirus.com">RAV</a></code>. For more pointers see the
<code><a
href="http://www.computer-networking.de/~link/security/av-linux_e.txt">Linux
antivirus software mini-FAQ</a></code>. This does not mean that this software
cannot be installed properly in a Debian system[<a href="footnotes.en.html#f61"
name="fr61">61</a>].
</p>
<p>
For more information on how to set up a virus detection system read Dave Jones'
article <code><a
href="http://www.linuxjournal.com/article.php?sid=4882">Building an E-mail
Virus Detection System for Your Network</a></code>.
</p>
<hr>
<h2><a name="s-gpg-agent"></a>8.9 GPG agent</h2>
<p>
It is very common nowadays to digitally sign (and sometimes encrypt) e-mail.
You might, for example, find that many people participating on mailing lists
sign their list e-mail. Public key signatures are currently the only means to
verify that an e-mail was actually sent by the claimed sender and not by some
other person.
</p>
<p>
Debian GNU/Linux provides a number of e-mail clients with built-in e-mail
signing capabilities that interoperate either with <code>gnupg</code> or
<code>pgp</code>:
</p>
<ul>
<li>
<p>
<code>evolution</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>mutt</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>kmail</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>icedove</code> (rebranded version of Mozilla's Thunderbird) through the
<code><a href="http://enigmail.mozdev.org/">Enigmail</a></code> plugin. This
plugin is provided by the <code>enigmail</code> package.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>sylpheed</code>. Depending on how the stable version of this package
evolves, you may need to use the <em>bleeding edge version</em>,
<code>sylpheed-claws</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>gnus</code>, which when installed with the <code>mailcrypt</code>
package, is an <code>emacs</code> interface to <code>gnupg</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>kuvert</code>, which provides this functionality independently of your
chosen mail user agent (MUA) by interacting with the mail transport agent
(MTA).
</p>
</li>
</ul>
<p>
Key servers allow you to download published public keys so that you may verify
signatures. One such key server is <code><a
href="http://wwwkeys.pgp.net">http://wwwkeys.pgp.net</a></code>.
<code>gnupg</code> can automatically fetch public keys that are not already in
your public keyring. For example, to configure <code>gnupg</code> to use the
above key server, edit the file <code>~/.gnupg/options</code> and add the
following line: [<a href="footnotes.en.html#f62" name="fr62">62</a>]
</p>
<pre>
keyserver wwwkeys.pgp.net
</pre>
<p>
Most key servers are linked, so that when your public key is added to one
server, the addition is propagated to all the other public key servers. Note
that anybody can upload a key with any name and e-mail address to a key
server, so a key fetched this way proves nothing by itself: verify its
fingerprint out of band (or through signatures from keys you already trust)
before relying on it. There is also a Debian GNU/Linux package
<code>debian-keyring</code>, that provides all the public keys of the Debian
developers. The <code>gnupg</code> keyrings are installed in
<code>/usr/share/keyrings/</code>.
</p>
<p>
For more information:
</p>
<ul>
<li>
<p>
<code><a href="http://www.gnupg.org/faq.html">GnuPG FAQ</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code><a href="http://www.gnupg.org/gph/en/manual.html">GnuPG
Handbook</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code><a
href="http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html">GnuPG Mini
Howto (English)</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code><a href="http://www.uk.pgp.net/pgpnet/pgp-faq/">comp.security.pgp
FAQ</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code><a href="http://www.cryptnet.net/fdp/crypto/gpg-party.html">Keysigning
Party HOWTO</a></code>.
</p>
</li>
</ul>
<hr>
<p>
[ <a href="ch7.en.html">previous</a> ]
[ <a href="index.en.html#contents">Contents</a> ]
[ <a href="ch1.en.html">1</a> ]
[ <a href="ch2.en.html">2</a> ]
[ <a href="ch3.en.html">3</a> ]
[ <a href="ch4.en.html">4</a> ]
[ <a href="ch-sec-services.en.html">5</a> ]
[ <a href="ch-automatic-harden.en.html">6</a> ]
[ <a href="ch7.en.html">7</a> ]
[ 8 ]
[ <a href="ch9.en.html">9</a> ]
[ <a href="ch10.en.html">10</a> ]
[ <a href="ch-after-compromise.en.html">11</a> ]
[ <a href="ch12.en.html">12</a> ]
[ <a href="ap-harden-step.en.html">A</a> ]
[ <a href="ap-checklist.en.html">B</a> ]
[ <a href="ap-snort-box.en.html">C</a> ]
[ <a href="ap-bridge-fw.en.html">D</a> ]
[ <a href="ap-bind-chuser.en.html">E</a> ]
[ <a href="ap-fw-security-update.en.html">F</a> ]
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
[ <a href="ch9.en.html">next</a> ]
</p>
<hr>
<p>
Securing Debian Manual
</p>
<address>
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
<br>
Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
<br>
</address>
<hr>
</body>
</html>