old-www/LDP/www.debian.org/doc/manuals/securing-debian-howto/ch1.en.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Securing Debian Manual - Introduction</title>
<link href="index.en.html" rel="start">
<link href="index.en.html" rel="prev">
<link href="ch2.en.html" rel="next">
<link href="index.en.html#contents" rel="contents">
<link href="index.en.html#copyright" rel="copyright">
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
<link href="ch4.en.html" rel="chapter" title="4 After installation">
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug into the Internet until ready">
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas &mdash; what you could do">
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (February 2008)">
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users' access">
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users' umasks">
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other users' information">
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricting access to file transfer only">
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non-Debian sources">
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What is <code>identd</code> (port 113) used for?">
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using ports 1 and 6, what are they and how can I remove them?">
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does &quot;local (remote)&quot; mean?">
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
</head>
<body>
<p><a name="ch1"></a></p>
<hr>
<p>
[ <a href="index.en.html">previous</a> ]
[ <a href="index.en.html#contents">Contents</a> ]
[ 1 ]
[ <a href="ch2.en.html">2</a> ]
[ <a href="ch3.en.html">3</a> ]
[ <a href="ch4.en.html">4</a> ]
[ <a href="ch-sec-services.en.html">5</a> ]
[ <a href="ch-automatic-harden.en.html">6</a> ]
[ <a href="ch7.en.html">7</a> ]
[ <a href="ch-sec-tools.en.html">8</a> ]
[ <a href="ch9.en.html">9</a> ]
[ <a href="ch10.en.html">10</a> ]
[ <a href="ch-after-compromise.en.html">11</a> ]
[ <a href="ch12.en.html">12</a> ]
[ <a href="ap-harden-step.en.html">A</a> ]
[ <a href="ap-checklist.en.html">B</a> ]
[ <a href="ap-snort-box.en.html">C</a> ]
[ <a href="ap-bridge-fw.en.html">D</a> ]
[ <a href="ap-bind-chuser.en.html">E</a> ]
[ <a href="ap-fw-security-update.en.html">F</a> ]
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
[ <a href="ch2.en.html">next</a> ]
</p>
<hr>
<h1>
Securing Debian Manual
<br>Chapter 1 - Introduction
</h1>
<hr>
<p>
One of the hardest things about writing security documents is that every case
is unique. Two things you have to pay attention to are the threat environment
and the security needs of the individual site, host, or network. For instance,
the security needs of a home user are completely different from a network in a
bank. While the primary threat a home user needs to face is the script kiddie
type of cracker, a bank network has to worry about directed attacks.
Additionally, the bank has to protect its customers' data with arithmetic
precision. In short, every user has to consider the trade-off between
usability and security/paranoia.
</p>
<p>
Note that this manual only covers issues relating to software. The best
software in the world can't protect you if someone can physically access the
machine. You can place it under your desk, or you can place it in a hardened
bunker with an army in front of it. Nevertheless the desktop computer can be
much more secure (from a software point of view) than a physically protected
one if the desktop is configured properly and the software on the protected
machine is full of security holes. Obviously, you must consider both issues.
</p>
<p>
This document just gives an overview of what you can do to increase the
security of your Debian GNU/Linux system. If you have read other documents
regarding Linux security, you will find that there are common issues which
might overlap with this document. However, this document does not try to be
the ultimate source of information you will be using, it only tries to adapt
this same information so that it is meaningful to a Debian GNU/Linux system.
Different distributions do some things in different ways (startup of daemons is
one example); here, you will find material which is appropriate for Debian's
procedures and tools.
</p>
<hr>
<h2><a name="s-authors"></a>1.1 Authors</h2>
<p>
The current maintainer of this document is <code><a
href="mailto:jfs@debian.org">Javier Fernández-Sanguino Peña</a></code>. Please
forward him any comments, additions or suggestions, and they will be considered
for inclusion in future releases of this manual.
</p>
<p>
This manual was started as a <em>HOWTO</em> by <code><a
href="mailto:ar@rhwd.de">Alexander Reelsen</a></code>. After it was published
on the Internet, <code><a href="mailto:jfs@debian.org">Javier
Fernández-Sanguino Peña</a></code> incorporated it into the <code><a
href="http://www.debian.org/doc">Debian Documentation Project</a></code>. A
number of people have contributed to this manual (all contributions are listed
in the changelog) but the following deserve special mention since they have
provided significant contributions (full sections, chapters or appendices):
</p>
<ul>
<li>
<p>
Stefano Canepa
</p>
</li>
</ul>
<ul>
<li>
<p>
Era Eriksson
</p>
</li>
</ul>
<ul>
<li>
<p>
Carlo Perassi
</p>
</li>
</ul>
<ul>
<li>
<p>
Alexandre Ratti
</p>
</li>
</ul>
<ul>
<li>
<p>
Jaime Robles
</p>
</li>
</ul>
<ul>
<li>
<p>
Yotam Rubin
</p>
</li>
</ul>
<ul>
<li>
<p>
Frederic Schutz
</p>
</li>
</ul>
<ul>
<li>
<p>
Pedro Zorzenon Neto
</p>
</li>
</ul>
<ul>
<li>
<p>
Oohara Yuuma
</p>
</li>
</ul>
<ul>
<li>
<p>
Davor Ocelic
</p>
</li>
</ul>
<hr>
<h2><a name="s1.2"></a>1.2 Where to get the manual (and available formats)</h2>
<p>
You can download or view the latest version of the Securing Debian Manual from
the <code><a
href="http://www.debian.org/doc/manuals/securing-debian-howto/">Debian
Documentation Project</a></code>. If you are reading a copy from another site,
please check the primary copy in case it provides new information. If you are
reading a translation, please compare the version the translation refers to with
the latest version available. If you find that the version is behind, please
consider using the original copy or review the <a
href="#s-changelog">Changelog/History, Section 1.6</a> to see what has changed.
</p>
<p>
If you want a full copy of the manual you can either download the <code><a
href="http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.txt">text
version</a></code> or the <code><a
href="http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.pdf">PDF
version</a></code> from the Debian Documentation Project's site. These
versions might be more useful if you intend to copy the document over to a
portable device for offline reading or you want to print it out. Be
forewarned, the manual is over two hundred pages long and some of the code
fragments, due to the formatting tools used, are not wrapped in the PDF version
and might be printed incomplete.
</p>
<p>
The document is also provided in text, html and PDF formats in the <code><a
href="http://packages.debian.org/harden-doc">harden-doc</a></code> package.
Notice, however, that the package may not be completely up to date with the
document provided on the Debian site (but you can always use the source package
to build an updated version yourself).
</p>
<p>
This document is part of the documents distributed by the <code><a
href="https://alioth.debian.org/projects/ddp/">Debian Documentation
Project</a></code>. You can review the changes introduced in the document
using a web browser and obtaining information from the <code><a
href="http://anonscm.debian.org/viewvc/ddp/manuals/trunk/securing-howto">version
control logs online</a></code>. You can also check out the code using SVN with
the following call in the command line:
</p>
<pre>
svn co svn://svn.debian.org/svn/ddp/manuals/trunk/securing-howto/
</pre>
<hr>
<h2><a name="s1.3"></a>1.3 Organizational notes/feedback</h2>
<p>
Now to the official part. At the moment I (Alexander Reelsen) wrote most
paragraphs of this manual, but in my opinion this should not stay the case. I
grew up and live with free software, it is part of my everyday use and I guess
yours, too. I encourage everybody to send me feedback, hints, additions or any
other suggestions you might have.
</p>
<p>
If you think you can maintain a certain section or paragraph better, then
write to the document maintainer and you are welcome to do it. Especially if
you find a section marked as FIXME, that means the authors did not have the
time yet or the needed knowledge about the topic. Drop them a mail
immediately.
</p>
<p>
The topic of this manual makes it quite clear that it is important to keep it
up to date, and you can do your part. Please contribute.
</p>
<hr>
<h2><a name="s1.4"></a>1.4 Prior knowledge</h2>
<p>
The installation of Debian GNU/Linux is not very difficult and you should have
been able to install it. If you already have some knowledge about Linux or
other Unices and you are a bit familiar with basic security, it will be easier
to understand this manual, as this document cannot explain every little detail
of a feature (otherwise this would have been a book instead of a manual). If
you are not that familiar, however, you might want to take a look at <a
href="ch2.en.html#s-references">Be aware of general security problems, Section
2.2</a> for where to find more in-depth information.
</p>
<hr>
<h2><a name="s1.5"></a>1.5 Things that need to be written (FIXME/TODO)</h2>
<p>
This section describes all the things that need to be fixed in this manual.
Some paragraphs include <em>FIXME</em> or <em>TODO</em> tags describing what
content is missing (or what kind of work needs to be done). The purpose of
this section is to describe all the things that could be included in the future
in the manual, or enhancements that need to be done (or would be interesting to
add).
</p>
<p>
If you feel you can provide help in contributing content fixing any element of
this list (or the inline annotations), contact the main author (<a
href="#s-authors">Authors, Section 1.1</a>).
</p>
<ul>
<li>
<p>
This document has yet to be updated based on the latest Debian releases. The
default configuration of some packages needs to be adapted as they have been
modified since this document was written.
</p>
</li>
</ul>
<ul>
<li>
<p>
Expand the incident response information, maybe add some ideas derived from Red
Hat's Security Guide's <code><a
href="http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-response.html">chapter
on incident response</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
Write about remote monitoring tools (to check for system availability) such as
<code>monit</code>, <code>daemontools</code> and <code>mon</code>. See
<code><a
href="http://linux.oreillynet.com/pub/a/linux/2002/05/09/sysadminguide.html">http://linux.oreillynet.com/pub/a/linux/2002/05/09/sysadminguide.html</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
Consider writing a section on how to build Debian-based network appliances
(with information such as the base system, <code>equivs</code> and FAI).
</p>
</li>
</ul>
<ul>
<li>
<p>
Check if <code><a
href="http://www.giac.org/practical/gsec/Chris_Koutras_GSEC.pdf">http://www.giac.org/practical/gsec/Chris_Koutras_GSEC.pdf</a></code>
has relevant info not yet covered here.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add information on how to set up a laptop with Debian <code><a
href="http://www.giac.org/practical/gcux/Stephanie_Thomas_GCUX.pdf">http://www.giac.org/practical/gcux/Stephanie_Thomas_GCUX.pdf</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add information on how to set up a firewall using Debian GNU/Linux. The
section regarding firewalling is currently oriented towards a single system
(not protecting others...); also talk about how to test the setup.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add information on setting up a proxy firewall with Debian GNU/Linux stating
specifically which packages provide proxy services (like <code>xfwp</code>,
<code>ftp-proxy</code>, <code>redir</code>, <code>smtpd</code>,
<code>dnrd</code>, <code>jftpgw</code>, <code>oops</code>, <code>pdnsd</code>,
<code>perdition</code>, <code>transproxy</code>, <code>tsocks</code>). Should
point to the manual for any other info. Note that <code>zorp</code> is now
available as a Debian package and <em>is</em> a proxy firewall (they also
provide Debian packages upstream).
</p>
</li>
</ul>
<ul>
<li>
<p>
Information on service configuration with file-rc.
</p>
</li>
</ul>
<ul>
<li>
<p>
Check all the reference URLs and remove/fix those no longer available.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add information on available replacements (in Debian) for common servers which
are useful for limited functionality. Examples:
</p>
<ul>
<li>
<p>
local lpr with cups (package)?
</p>
</li>
</ul>
<ul>
<li>
<p>
remote lrp with lpr
</p>
</li>
</ul>
<ul>
<li>
<p>
bind with dnrd/maradns
</p>
</li>
</ul>
<ul>
<li>
<p>
apache with dhttpd/thttpd/wn (tux?)
</p>
</li>
</ul>
<ul>
<li>
<p>
exim/sendmail with ssmtpd/smtpd/postfix
</p>
</li>
</ul>
<ul>
<li>
<p>
squid with tinyproxy
</p>
</li>
</ul>
<ul>
<li>
<p>
ftpd with oftpd/vsftp
</p>
</li>
</ul>
<ul>
<li>
<p>
...
</p>
</li>
</ul>
</li>
</ul>
<ul>
<li>
<p>
More information regarding security-related kernel patches in Debian, including
the ones shown above and specific information on how to enable these patches in
a Debian system.
</p>
<ul>
<li>
<p>
Linux Intrusion Detection (<code>kernel-patch-2.4-lids</code>)
</p>
</li>
</ul>
<ul>
<li>
<p>
Linux Trustees (in package <code>trustees</code>)
</p>
</li>
</ul>
<ul>
<li>
<p>
<code><a href="http://wiki.debian.org/SELinux">NSA Enhanced Linux</a></code>
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>linux-patch-openswan</code>
</p>
</li>
</ul>
</li>
</ul>
<ul>
<li>
<p>
Details of turning off unnecessary network services (besides
<code>inetd</code>), it is partly in the hardening procedure but could be
broadened a bit.
</p>
</li>
</ul>
<ul>
<li>
<p>
Information regarding password rotation which is closely related to policy.
</p>
</li>
</ul>
<ul>
<li>
<p>
Policy, and educating users about policy.
</p>
</li>
</ul>
<ul>
<li>
<p>
More about tcpwrappers, and wrappers in general?
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>hosts.equiv</code> and other major security holes.
</p>
</li>
</ul>
<ul>
<li>
<p>
Issues with file sharing servers such as Samba and NFS?
</p>
</li>
</ul>
<ul>
<li>
<p>
suidmanager/dpkg-statoverrides.
</p>
</li>
</ul>
<ul>
<li>
<p>
lpr and lprng.
</p>
</li>
</ul>
<ul>
<li>
<p>
Switching off the GNOME IP things.
</p>
</li>
</ul>
<ul>
<li>
<p>
Talk about pam_chroot (see <code><a
href="http://lists.debian.org/debian-security/2002/debian-security-200205/msg00011.html">http://lists.debian.org/debian-security/2002/debian-security-200205/msg00011.html</a></code>)
and its usefulness to limit users. Introduce information related to <code><a
href="http://online.securityfocus.com/infocus/1575">http://online.securityfocus.com/infocus/1575</a></code>.
<code>pdmenu</code>, for example, is available in Debian (whereas flash is not).
</p>
</li>
</ul>
<ul>
<li>
<p>
Talk about chrooting services, some more info on <code><a
href="http://www.linuxfocus.org/English/January2002/article225.shtml">http://www.linuxfocus.org/English/January2002/article225.shtml</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
Talk about programs to make chroot jails. <code>compartment</code> and
<code>chrootuid</code> are waiting in incoming. Some others (makejail, jailer)
could also be introduced.
</p>
</li>
</ul>
<ul>
<li>
<p>
More information regarding log analysis software (e.g. logcheck and
logcolorise).
</p>
</li>
</ul>
<ul>
<li>
<p>
'advanced' routing (traffic policing is security related).
</p>
</li>
</ul>
<ul>
<li>
<p>
limiting <code>ssh</code> access to running certain commands.
</p>
</li>
</ul>
<ul>
<li>
<p>
using dpkg-statoverride.
</p>
</li>
</ul>
<ul>
<li>
<p>
secure ways to share a CD burner among users.
</p>
</li>
</ul>
<ul>
<li>
<p>
secure ways of providing networked sound in addition to network display
capabilities (so that X clients' sounds are played on the X server's sound
hardware).
</p>
</li>
</ul>
<ul>
<li>
<p>
securing web browsers.
</p>
</li>
</ul>
<ul>
<li>
<p>
setting up ftp over <code>ssh</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
using crypto loopback file systems.
</p>
</li>
</ul>
<ul>
<li>
<p>
encrypting the entire file system.
</p>
</li>
</ul>
<ul>
<li>
<p>
steganographic tools.
</p>
</li>
</ul>
<ul>
<li>
<p>
setting up a PKA for an organization.
</p>
</li>
</ul>
<ul>
<li>
<p>
using LDAP to manage users. There is a HOWTO on ldap+kerberos for Debian at
<code><a href="http://www.bayour.com">http://www.bayour.com</a></code> written
by Turbo Fredrikson.
</p>
</li>
</ul>
<ul>
<li>
<p>
How to remove information of reduced utility in production systems such as
<code>/usr/share/doc</code>, <code>/usr/share/man</code> (yes, security by
obscurity).
</p>
</li>
</ul>
<ul>
<li>
<p>
More information on lcap based on the package's README file (well, not there
yet, see <code><a
href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=169465">Bug
#169465</a></code>) and from the article from LWN: <code><a
href="http://lwn.net/1999/1202/kernel.php3">Kernel development</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add Colin's article on how to setup a chroot environment for a full sid system
(<code><a
href="http://people.debian.org/~walters/chroot.html">http://people.debian.org/~walters/chroot.html</a></code>).
</p>
</li>
</ul>
<ul>
<li>
<p>
Add information on running multiple <code>snort</code> sensors in a given
system (check bug reports sent to <code>snort</code>).
</p>
</li>
</ul>
<ul>
<li>
<p>
Add information on setting up a honeypot (<code>honeyd</code>).
</p>
</li>
</ul>
<ul>
<li>
<p>
Describe the situation with respect to FreeSwan (orphaned) and OpenSwan. The
VPN section needs to be rewritten.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add a specific section about databases, current installation defaults and how
to secure access.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add a section about the usefulness of virtual servers (Xen et al).
</p>
</li>
</ul>
<ul>
<li>
<p>
Explain how to use some integrity checkers (AIDE, integrit or samhain). The
basics are simple and could even explain some configuration improvements.
</p>
</li>
</ul>
<hr>
<h2><a name="s-changelog"></a>1.6 Changelog/History</h2>
<hr>
<h3><a name="s1.6.1"></a>1.6.1 Version 3.16 (March 2011)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Indicate that the document is not updated with latest versions.
</p>
</li>
</ul>
<ul>
<li>
<p>
Update pointers to current location of sources.
</p>
</li>
</ul>
<ul>
<li>
<p>
Update information on security updates for newer releases.
</p>
</li>
</ul>
<ul>
<li>
<p>
Point information for Developers to online sources instead of keeping the
information in the document, to prevent duplication.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix shell script example in Appendix.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix reference errors.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.2"></a>1.6.2 Version 3.15 (December 2010)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Change reference to Log Analysis' website as this is no longer available.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.3"></a>1.6.3 Version 3.14 (March 2009)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Change the section related to choosing a filesystem: note that ext3 is now the
default.
</p>
</li>
</ul>
<ul>
<li>
<p>
Change the name of the packages related to enigmail to reflect naming changes
introduced in Debian.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.4"></a>1.6.4 Version 3.13 (February 2008)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Change URLs pointing to Bastille Linux since the domain has been <code><a
href="http://www.bastille-unix.org/press-release-newname.html">purchased by a
cybersquatter</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix pointers to Linux Ramen and Lion worms.
</p>
</li>
</ul>
<ul>
<li>
<p>
Use linux-image in the examples instead of the (old) kernel-image packages.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix typos spotted by Francesco Poli.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.5"></a>1.6.5 Version 3.12 (August 2007)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Update the information related to security updates. Drop the text talking
about Tiger and include information on the update-notifier and adept tools (for
Desktops) as well as debsecan. Also include some pointers to other tools
available.
</p>
</li>
</ul>
<ul>
<li>
<p>
Divide the firewall applications based on target users and add fireflier to the
Desktop firewall applications list.
</p>
</li>
</ul>
<ul>
<li>
<p>
Remove references to libsafe, it's not in the archive any longer (was removed
January 2006).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix the location of syslog's configuration, thanks to John Talbut.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.6"></a>1.6.6 Version 3.11 (January 2007)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña. Thanks go to Francesco Poli for his
extensive review of the document.
</p>
<ul>
<li>
<p>
Remove most references to the woody release as it is no longer available (in
the archive) and security support for it is no longer available.
</p>
</li>
</ul>
<ul>
<li>
<p>
Describe how to restrict users so that they can only do file transfers.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a note regarding the debian-private declassification decision.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated link of incident handling guides.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a note saying that development tools (compilers, etc.) are not installed
now in the default 'etch' installation.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix references to the master security server.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add pointers to additional APT-secure documentation.
</p>
</li>
</ul>
<ul>
<li>
<p>
Improve the description of APT signatures.
</p>
</li>
</ul>
<ul>
<li>
<p>
Comment out some things which are not yet final related to the mirror's
official public keys.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed name of the Debian Testing Security Team.
</p>
</li>
</ul>
<ul>
<li>
<p>
Remove reference to sarge in an example.
</p>
</li>
</ul>
<ul>
<li>
<p>
Update the antivirus section, clamav is now available on the release. Also
mention the f-prot installer.
</p>
</li>
</ul>
<ul>
<li>
<p>
Remove all references to freeswan as it is obsolete.
</p>
</li>
</ul>
<ul>
<li>
<p>
Describe issues related to ruleset changes to the firewall if done remotely and
provide some tips (in footnotes).
</p>
</li>
</ul>
<ul>
<li>
<p>
Update the information related to the IDS installation, mention BASE and the
need to setup a logging database.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrite the &quot;running bind as a non-root user&quot; section as this no
longer applies to Bind9. Also remove the reference to the init.d script since
the changes need to be done through /etc/default.
</p>
</li>
</ul>
<ul>
<li>
<p>
Remove the obsolete way to setup iptables rulesets as woody is no longer
supported.
</p>
</li>
</ul>
<ul>
<li>
<p>
Revert the advice regarding LOG_UNKFAIL_ENAB: it should be set to 'no' (as per
default).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information related to updating the system with desktop tools
(including update-notifier) and describe aptitude usage to update the system.
Also note that dselect is deprecated.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated the contents of the FAQ and remove redundant paragraphs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Review and update the section related to forensic analysis of malware.
</p>
</li>
</ul>
<ul>
<li>
<p>
Remove or fix some dead links.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix many typos and grammatical errors reported by Francesco Poli.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.7"></a>1.6.7 Version 3.10 (November 2006)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Provide examples using apt-cache's rdepends as suggested by Ozer Sarilar.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix location of Squid's user's manual because of its relocation as notified by
Oskar Pearson (its maintainer).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix information regarding umask: it's login.defs (and not limits.conf) where
this can be configured for all login connections. Also state what Debian's
default is and what a more restrictive value would be for both users and root.
Thanks to Reinhard Tartler for spotting the bug.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.8"></a>1.6.8 Version 3.9 (October 2006)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Add information on how to track security vulnerabilities and add references to
the Debian Testing Security Tracker.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add more information on the security support for testing.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix a large number of typos with a patch provided by Simon Brandmair.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added section on how to disable root prompt on initramfs provided by Max
Attems.
</p>
</li>
</ul>
<ul>
<li>
<p>
Remove references to queso.
</p>
</li>
</ul>
<ul>
<li>
<p>
Note that testing is now security-supported in the introduction.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.9"></a>1.6.9 Version 3.8 (July 2006)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Rewrote the information on how to set up ssh chroots to clarify the different
options available, thanks to Bruce Park for bringing up the different mistakes
in this appendix.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix lsof call as suggested by Christophe Sahut.
</p>
</li>
</ul>
<ul>
<li>
<p>
Include patches for typo fixes from Uwe Hermann.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix typo in reference spotted by Moritz Naumann.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.10"></a>1.6.10 Version 3.7 (April 2006)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Add a section on Debian Developer's best practices for security.
</p>
</li>
</ul>
<ul>
<li>
<p>
Amended firewall script with comments from WhiteGhost.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.11"></a>1.6.11 Version 3.6 (March 2006)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Included a patch from Thomas Sjögren which describes that <samp>noexec</samp>
works as expected with &quot;new&quot; kernels, adds information regarding
tempfile handling, and some new pointers to external documentation.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add a pointer to Dan Farmer's and Wietse Venema's forensic discovery web site,
as suggested by Freek Dijkstra, and expanded a little bit the forensic analysis
section with more pointers.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed URL of Italy's CERT, thanks to Christoph Auer.
</p>
</li>
</ul>
<ul>
<li>
<p>
Reuse Joey Hess' information at the wiki on secure apt and introduce it in the
infrastructure section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Review sections referring to old versions (woody or potato).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix some cosmetic issues with patch from Simon Brandmair.
</p>
</li>
</ul>
<ul>
<li>
<p>
Included patches from Carlo Perassi: acl patches are obsolete, openwall patches
are obsolete too, removed fixme notes about 2.2 and 2.4 series kernels, hap is
obsolete (and not present in WNPP), remove references to Immunix (StackGuard is
now in Novell's hands), and fix a FIXME about the use of bsign or elfsign.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated references to SElinux web pages to point to the Wiki (currently the
most up to date source of information).
</p>
</li>
</ul>
<ul>
<li>
<p>
Include file tags and make a more consistent use of &quot;MD5 sum&quot; with a
patch from Jens Seidel.
</p>
</li>
</ul>
<ul>
<li>
<p>
Patch from Joost van Baal improving the information on the firewall section
(pointing to the wiki instead of listing all firewall packages available)
(Closes: #339865).
</p>
</li>
</ul>
<ul>
<li>
<p>
Review the FAQ section on vulnerability stats, thanks to Carlos Galisteo de
Cabo for pointing out that it was out of date.
</p>
</li>
</ul>
<ul>
<li>
<p>
Use the quote from the Social Contract 1.1 instead of 1.0 as suggested by
Francesco Poli.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.12"></a>1.6.12 Version 3.5 (November 2005)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Note on the SSH section that the chroot will not work if using the nodev option
in the partition and point to the latest ssh packages with the chroot patch,
thanks to Lutz Broedel for pointing these issues out.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix typo spotted by Marcos Roberto Greiner (md5sum should be sha1sum in code
snippet).
</p>
</li>
</ul>
<ul>
<li>
<p>
Included Jens Seidel's patch fixing a number of package names and typos.
</p>
</li>
</ul>
<ul>
<li>
<p>
Slight update of the tools section: removed tools no longer available and
added some new ones.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrite parts of the section related to where to find this document and what
formats are available (the website does provide a PDF version). Also note that
copies on other sites and translations might be obsolete (many of the Google
hits for the manual in other sites are actually out of date).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.13"></a>1.6.13 Version 3.4 (August-September 2005)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Improved the after installation security enhancements related to kernel
configuration for network level protection with a sysctl.conf file provided by
Will Moy.
</p>
</li>
</ul>
<ul>
<li>
<p>
Improved the gdm section, thanks to Simon Brandmair.
</p>
</li>
</ul>
<ul>
<li>
<p>
Typo fixes from Frédéric Bothamy and Simon Brandmair.
</p>
</li>
</ul>
<ul>
<li>
<p>
Improvements in the after installation sections related to how to generate the
MD5 (or SHA-1) sums of binaries for periodic review.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated the after installation sections regarding checksecurity configuration
(was out of date).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.14"></a>1.6.14 Version 3.3 (June 2005)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added a code snippet to use grep-available to generate the list of packages
depending on Perl. As requested in #302470.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrite of the section on network services (which ones are installed and how to
disable them).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information to the honeypot deployment section mentioning useful
Debian packages.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.15"></a>1.6.15 Version 3.2 (March 2005)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Expanded the PAM configuration limits section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on how to use pam_chroot for openssh (based on pam_chroot's
README).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed some minor issues reported by Dan Jacobson.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated the kernel patches information partially based on a patch from Carlo
Perassi and also by adding deprecation notes and new kernel patches available
(adamantix).
</p>
</li>
</ul>
<ul>
<li>
<p>
Included patch from Simon Brandmair that fixes a sentence related to login
failures in terminal.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added Mozilla/Thunderbird to the valid GPG agents as suggested by Kapolnai
Richard.
</p>
</li>
</ul>
<ul>
<li>
<p>
Expanded the section on security updates mentioning library and kernel updates
and how to detect when services need to be restarted.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrote the firewall section, moved the information that applies to woody down
and expanded the other sections, including some information on how to manually
set up the firewall (with a sample script) and how to test the firewall
configuration.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some information preparing for the 3.1 release.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more detailed information on kernel upgrades, specifically targeted at
those that used the old installation system.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a small section on the experimental apt 0.6 release which provides
package signing checks. Moved old content to the section and also added a
pointer to changes made in aptitude.
</p>
</li>
</ul>
<ul>
<li>
<p>
Typo fixes spotted by Frédéric Bothamy.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.16"></a>1.6.16 Version 3.1 (January 2005)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added clarification to ro /usr with patch from Joost van Baal.
</p>
</li>
</ul>
<ul>
<li>
<p>
Apply patch from Jens Seidel fixing many typos.
</p>
</li>
</ul>
<ul>
<li>
<p>
FreeSWAN is dead, long live OpenSWAN.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on restricting access to RPC services (when they cannot be
disabled) also included patch provided by Aarre Laakso.
</p>
</li>
</ul>
<ul>
<li>
<p>
Update aj's apt-check-sigs script.
</p>
</li>
</ul>
<ul>
<li>
<p>
Applied a patch from Carlo Perassi fixing URLs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Apply patch from Davor Ocelic fixing many errors, typos, urls, grammar and
FIXMEs. Also adds some additional information to some sections.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrote the section on user auditing, highlighting the usage of script, which
does not have some of the issues associated with shell history.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.17"></a>1.6.17 Version 3.0 (December 2004)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Rewrote the user-auditing information and included examples on how to use
script.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.18"></a>1.6.18 Version 2.99 (March 2004)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added information on references in DSAs and CVE-Compatibility.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on apt 0.6 (apt-secure merge in experimental).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed location of Chroot daemons HOWTO as suggested by Shuying Wang.
</p>
</li>
</ul>
<ul>
<li>
<p>
Changed the APACHECTL line in the Apache chroot example (even if it's not used
at all) as suggested by Leonard Norrgard.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a footnote regarding hardlink attacks if partitions are not setup
properly.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some missing steps in order to run bind as named as provided by Jeffrey
Prosa.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added notes about Nessus and Snort out-of-dateness in woody and availability of
backported packages.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a chapter regarding periodic integrity test checks.
</p>
</li>
</ul>
<ul>
<li>
<p>
Clarified the status of testing regarding security updates (Debian bug 233955).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information regarding expected contents in securetty (since it's
kernel specific).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added pointer to snoopylogger (Debian bug 179409).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added reference to guarddog (Debian bug 170710).
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>apt-ftparchive</code> is in <code>apt-utils</code>, not in
<code>apt</code> (thanks to Emmanuel Chantreau for pointing this out).
</p>
</li>
</ul>
<ul>
<li>
<p>
Removed jvirus from AV list.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.19"></a>1.6.19 Version 2.98 (December 2003)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Fixed URL as suggested by Frank Lichtenheld.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed PermitRootLogin typo as suggested by Stefan Lindenau.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.20"></a>1.6.20 Version 2.97 (September 2003)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added those that have made the most significant contributions to this manual
(please mail me if you think you should be in the list and are not).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some blurb about FIXME/TODOs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Moved the information on security updates to the beginning of the section as
suggested by Elliott Mitchell.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added grsecurity to the list of kernel-patches for security but added a
footnote on the current issues with it as suggested by Elliott Mitchell.
</p>
</li>
</ul>
<ul>
<li>
<p>
Removed loops (echo to 'all') in the kernel's network security script as
suggested by Elliott Mitchell.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more (up-to-date) information in the antivirus section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrote the buffer overflow protection section and added more information on
patches to the compiler to enable this kind of protection.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.21"></a>1.6.21 Version 2.96 (August 2003)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Removed (and then re-added) appendix on chrooting Apache. The appendix is now
dual-licensed.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.22"></a>1.6.22 Version 2.95 (June 2003)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Fixed typos spotted by Leonard Norrgard.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a section on how to contact CERT for incident handling (<code><a
href="#after-compromise">#after-compromise</a></code>).
</p>
</li>
</ul>
<ul>
<li>
<p>
More information on setting up a Squid proxy.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a pointer and removed a FIXME thanks to Helge H. F.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed a typo (save_inactive) spotted by Philippe Faes.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed several typos spotted by Jaime Robles.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.23"></a>1.6.23 Version 2.94 (April 2003)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Following Maciej Stachura's suggestions I've expanded the section on limiting
users.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed typo spotted by Wolfgang Nolte.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed links with patch contributed by Ruben Leote Mendes.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a link to David Wheeler's excellent document on the footnote about
counting security vulnerabilities.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.24"></a>1.6.24 Version 2.93 (March 2003)</h3>
<p>
Changes made by Frédéric Schütz.
</p>
<ul>
<li>
<p>
Entirely rewrote the section on ext2 attributes (lsattr/chattr).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.25"></a>1.6.25 Version 2.92 (February 2003)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz.
</p>
<ul>
<li>
<p>
Merged section 9.3 (&quot;useful kernel patches&quot;) into section 4.13
(&quot;Adding kernel patches&quot;), and added some content.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a few more TODOs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on how to manually check for updates and also about cron-apt.
That way Tiger is not perceived as the only way to do automatic update checks.
</p>
</li>
</ul>
<ul>
<li>
<p>
Slightly rewrote the section on executing security updates due to Jean-Marc
Ranger's comments.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a note on Debian's installation (which suggests that the user execute a
security update right after installation).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.26"></a>1.6.26 Version 2.91 (January/February 2003)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña (me).
</p>
<ul>
<li>
<p>
Added a patch contributed by Frédéric Schütz.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a few more references on capabilities thanks to Frédéric.
</p>
</li>
</ul>
<ul>
<li>
<p>
Slight changes in the bind section adding a reference to BIND 9's online
documentation and proper references in the first area (Hi Pedro!).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed the changelog date - new year :-).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a reference to Colin's articles for the TODOs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Removed reference to old ssh+chroot patches.
</p>
</li>
</ul>
<ul>
<li>
<p>
More patches from Carlo Perassi.
</p>
</li>
</ul>
<ul>
<li>
<p>
Typo fixes (recursive in Bind is recursion), pointed out by Maik Holtkamp.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.27"></a>1.6.27 Version 2.9 (December 2002)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña (me).
</p>
<ul>
<li>
<p>
Reorganized the information on chroot (merged two sections, it didn't make much
sense to have them separated).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added the notes on chrooting Apache provided by Alexandre Ratti.
</p>
</li>
</ul>
<ul>
<li>
<p>
Applied patches contributed by Guillermo Jover.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.28"></a>1.6.28 Version 2.8 (November 2002)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña (me).
</p>
<ul>
<li>
<p>
Applied patches from Carlo Perassi, fixes include: re-wrapping the lines, URL
fixes, and fixed some FIXMEs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated the contents of the Debian security team FAQ.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a link to the Debian security team FAQ and the Debian Developer's
reference, the duplicated sections might (just might) be removed in the future.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed the hand-made auditing section with comments from Michal Zielinski.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added links to wordlists (contributed by Carlo Perassi).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed some typos (still many around).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed TDP links as suggested by John Summerfield.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.29"></a>1.6.29 Version 2.7 (October 2002)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña (me). Note: I still have a lot of
pending changes in my mailbox (which is currently about 5 MB in size).
</p>
<ul>
<li>
<p>
Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and Daniel K.
Gebhart.
</p>
</li>
</ul>
<ul>
<li>
<p>
Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed typos and FIXMEs contributed by Carlo Perassi.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.30"></a>1.6.30 Version 2.6 (September 2002)</h3>
<p>
Changes by Chris Tillman, tillman@voicetrak.com.
</p>
<ul>
<li>
<p>
Changed around to improve grammar/spelling.
</p>
</li>
</ul>
<ul>
<li>
<p>
s/host.deny/hosts.deny/ (1 place).
</p>
</li>
</ul>
<ul>
<li>
<p>
Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.31"></a>1.6.31 Version 2.5 (September 2002)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña (me).
</p>
<ul>
<li>
<p>
Fixed minor typos submitted by Thiemo Nagel.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a footnote suggested by Thiemo Nagel.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed a URL link.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.32"></a>1.6.32 Version 2.5 (August 2002)</h3>
<p>
Changes by Javier Fernández-Sanguino Peña (me). There were many things waiting
in my inbox (as far back as February) to be included, so I'm going to tag this
the <em>back from honeymoon</em> release :).
</p>
<ul>
<li>
<p>
Applied a patch contributed by Philipe Gaspar regarding the Squid which also
kills a FIXME.
</p>
</li>
</ul>
<ul>
<li>
<p>
Yet another FAQ item regarding service banners taken from the debian-security
mailing list (thread &quot;Telnet information&quot; started 26th July 2002).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a note regarding use of CVE cross references in the <em>How much time
does the Debian security team...</em> FAQ item.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a new section regarding ARP attacks contributed by Arnaud
&quot;Arhuman&quot; Assad.
</p>
</li>
</ul>
<ul>
<li>
<p>
New FAQ item regarding dmesg and console login by the kernel.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added small tidbits of information to the signature-checking issues in packages
(it seems not to have gotten past beta release).
</p>
</li>
</ul>
<ul>
<li>
<p>
New FAQ item regarding vulnerability assessment tools false positives.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added new sections to the chapter that contains information on package
signatures and reorganized it as a new <em>Debian Security Infrastructure</em>
chapter.
</p>
</li>
</ul>
<ul>
<li>
<p>
New FAQ item regarding Debian vs. other Linux distributions.
</p>
</li>
</ul>
<ul>
<li>
<p>
New section on mail user agents with GPG/PGP functionality in the security
tools chapter.
</p>
</li>
</ul>
<ul>
<li>
<p>
Clarified how to enable MD5 passwords in woody, added a pointer to PAM as well
as a note regarding the max definition in PAM.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a new appendix on how to create chroot environments (after fiddling a bit
with makejail and fixing, as well, some of its bugs), and integrated duplicate
information in the appendices.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some more information regarding <code>SSH</code> chrooting and its impact
on secure file transfers. Some information has been retrieved from the
debian-security mailing list (June 2002 thread: <em>secure file
transfers</em>).
</p>
</li>
</ul>
<ul>
<li>
<p>
New sections on how to do automatic updates on Debian systems as well as the
caveats of using testing or unstable regarding security updates.
</p>
</li>
</ul>
<ul>
<li>
<p>
New section regarding keeping up to date with security patches in the
<em>Before compromise</em> section as well as a new section about the
debian-security-announce mailing list.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on how to automatically generate strong passwords.
</p>
</li>
</ul>
<ul>
<li>
<p>
New section regarding login of idle users.
</p>
</li>
</ul>
<ul>
<li>
<p>
Reorganized the securing mail server section based on the
<em>Secure/hardened/minimal Debian (or &quot;Why is the base system the way it
is?&quot;)</em> thread on the debian-security mailing list (May 2002).
</p>
</li>
</ul>
<ul>
<li>
<p>
Reorganized the section on kernel network parameters, with information provided
in the debian-security mailing list (May 2002, <em>syn flood attacked?</em>
thread) and added a new FAQ item as well.
</p>
</li>
</ul>
<ul>
<li>
<p>
New section on how to check users' passwords and which packages to install for
this.
</p>
</li>
</ul>
<ul>
<li>
<p>
New section on PPTP encryption with Microsoft clients discussed in the
debian-security mailing list (April 2002).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a new section describing what problems there are when binding any given
service to a specific IP address. This information was written based on the
Bugtraq mailing list thread <em>Linux kernel 2.4 &quot;weak end host&quot;
issue (previously discussed on debian-security as &quot;arp
problem&quot;)</em> (started on May 9th 2002 by Felix von Leitner).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on <code>ssh</code> protocol version 2.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added two subsections related to Apache secure configuration (the things
specific to Debian, that is).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a new FAQ related to raw sockets, one related to /root, an item related
to users' groups and another one related to log and configuration files
permissions.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a pointer to a bug in libpam-cracklib that might still be open... (need
to check).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information regarding forensics analysis (pending more information
on packet inspection tools such as <code>tcpflow</code>).
</p>
</li>
</ul>
<ul>
<li>
<p>
Changed the &quot;what should I do regarding compromise&quot; into a bullet
list and included some more stuff.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some information on how to set up the Xscreensaver to lock the screen
automatically after the configured timeout.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a note related to the utilities you should not install in the system.
Included a note regarding Perl and why it cannot be easily removed in Debian.
The idea came after reading Intersect's documents regarding Linux hardening.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on lvm and journalling file systems, ext3 recommended. The
information there might be too generic, however.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a link to the online text version (check).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some more stuff to the information on firewalling the local system,
triggered by a comment made by Hubert Chan in the mailing list.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information on PAM limits and pointers to Kurt Seifried's documents
(related to a post by him to Bugtraq on April 4th 2002 answering a person that
had &quot;discovered&quot; a vulnerability in Debian GNU/Linux related to
resource starvation).
</p>
</li>
</ul>
<ul>
<li>
<p>
As suggested by Julián Muñoz, provided more information on the default Debian
umask and what a user can access if he has been given a shell in the system
(scary, huh?).
</p>
</li>
</ul>
<ul>
<li>
<p>
Included a note in the BIOS password section due to a comment from Andreas
Wohlfeld.
</p>
</li>
</ul>
<ul>
<li>
<p>
Included patches provided by Alfred E. Heggestad fixing many of the typos
still present in the document.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a pointer to the changelog in the Credits section since most people who
contribute are listed here (and not there).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a few more notes to the chattr section and a new section after
installation talking about system snapshots. Both ideas were contributed by
Kurt Pomeroy.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a new section after installation just to remind users to change the
boot-up sequence.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some more TODO items provided by Korn Andras.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a pointer to NIST's guidelines on how to secure DNS provided by Daniel
Quinlan.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a small paragraph regarding Debian's SSL certificates infrastructure.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added Daniel Quinlan's suggestions regarding <code>ssh</code> authentication
and exim's relay configuration.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information regarding securing bind including changes suggested by
Daniel Quinlan and an appendix with a script to make some of the changes
commented on in that section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a pointer to another item regarding Bind chrooting (needs to be merged).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve packages
with tcpwrappers support.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a little bit more info on Debian's default PAM setup.
</p>
</li>
</ul>
<ul>
<li>
<p>
Included a FAQ question about using PAM to provide services without shell
accounts.
</p>
</li>
</ul>
<ul>
<li>
<p>
Moved two FAQ items to another section and added a new FAQ regarding attack
detection (and compromised systems).
</p>
</li>
</ul>
<ul>
<li>
<p>
Included information on how to set up a bridge firewall (including a sample
Appendix). Thanks to Francois Bayart who sent this to me in March.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a FAQ regarding the syslogd's <em>MARK</em> <em>heartbeat</em> from a
question answered by Noah Meyerhans and Alain Tesio in December 2001.
</p>
</li>
</ul>
<ul>
<li>
<p>
Included information on buffer overflow protection as well as some information
on kernel patches.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information to (and reorganized) the firewall section. Updated the
information regarding the iptables package and the firewall generators
available.
</p>
</li>
</ul>
<ul>
<li>
<p>
Reorganized the information regarding log checking, moved logcheck information
from host intrusion detection to that section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some information on how to prepare a static package for bind for
chrooting (untested).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a FAQ item regarding some specific servers/services (could be expanded
with some of the recommendations from the debian-security list).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some information on RPC services (and when it's necessary).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some more information on capabilities (and what lcap does). Is there any
good documentation on this? I haven't found any documentation on my 2.4
kernel.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed some typos.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.33"></a>1.6.33 Version 2.4</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Rewrote part of the BIOS section.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.34"></a>1.6.34 Version 2.3</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Wrapped most file locations with the file tag.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed typo noticed by Edi Stojicevi.
</p>
</li>
</ul>
<ul>
<li>
<p>
Slightly changed the remote audit tools section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some todo items.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information regarding printers and cups config file (taken from a
thread on debian-security).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a patch submitted by Jesus Climent regarding access of valid system users
to Proftpd when configured as an anonymous server.
</p>
</li>
</ul>
<ul>
<li>
<p>
Small change on partition schemes for the special case of mail servers.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added Hacking Linux Exposed to the books section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed directory typo noticed by Eduardo Pérez Ureta.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.35"></a>1.6.35 Version 2.3</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Fixed location of dpkg conffile.
</p>
</li>
</ul>
<ul>
<li>
<p>
Remove Alexander from contact information.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added alternate mail address.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed Alexander mail address (even if commented out).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed location of release keys (thanks to Pedro Zorzenon for pointing this
out).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.36"></a>1.6.36 Version 2.2</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Fixed typos, thanks to Jamin W. Collins.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a reference to apt-extracttemplate manpage (documents the
APT::ExtractTemplate config).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added section about restricted SSH. Information based on that posted by Mark
Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security
mailing list.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on antivirus software.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a FAQ item: su logs due to cron running as root.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.37"></a>1.6.37 Version 2.1</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Changed FIXME from lshell thanks to Oohara Yuuma.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added package to sXid and removed comment since it *is* available.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed a number of typos discovered by Oohara Yuuma.
</p>
</li>
</ul>
<ul>
<li>
<p>
ACID is now available in Debian (in the acidlab package) thanks to Oohara Yuuma
for noticing.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed LinuxSecurity links (thanks to Dave Wreski for telling).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.38"></a>1.6.38 Version 2.0</h3>
<p>
Changes by Javier Fernández-Sanguino Peña. I wanted to change to 2.0 when all
the FIXMEs were fixed but I ran out of 1.9X numbers :(.
</p>
<ul>
<li>
<p>
Converted the HOWTO into a Manual (now I can properly say RTFM).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information regarding tcp wrappers and Debian (now many services are
compiled with support for them so it's no longer an <code>inetd</code> issue).
</p>
</li>
</ul>
<ul>
<li>
<p>
Clarified the information on disabling services to make it more consistent (rpc
info still referred to update-rc.d).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added small note on lprng.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some more info on compromised servers (still very rough).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed typos reported by Mark Bucciarelli.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some more steps in password recovery to cover the cases when the admin
has set paranoid-mode=on.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some information to set paranoid-mode=on when logging in on the console.
</p>
</li>
</ul>
<ul>
<li>
<p>
New paragraph to introduce service configuration.
</p>
</li>
</ul>
<ul>
<li>
<p>
Reorganized the <em>After installation</em> section so it is more broken up
into several issues and it's easier to read.
</p>
</li>
</ul>
<ul>
<li>
<p>
Wrote information on how to set up firewalls with the standard Debian 3.0 setup
(iptables package).
</p>
</li>
</ul>
<ul>
<li>
<p>
Small paragraph explaining why installing connected to the Internet is not a
good idea and how to avoid this using Debian tools.
</p>
</li>
</ul>
<ul>
<li>
<p>
Small paragraph on timely patching referencing an IEEE paper.
</p>
</li>
</ul>
<ul>
<li>
<p>
Appendix on how to set up a Debian snort box, based on what Vladimir sent to
the debian-security mailing list (September 3rd 2001).
</p>
</li>
</ul>
<ul>
<li>
<p>
Information on how logcheck is set up in Debian and how it can be used to set
up HIDS.
</p>
</li>
</ul>
<ul>
<li>
<p>
Information on user accounting and profile analysis.
</p>
</li>
</ul>
<ul>
<li>
<p>
Included apt.conf configuration for read-only /usr copied from Olaf
Meeuwissen's post to the debian-security mailing list.
</p>
</li>
</ul>
<ul>
<li>
<p>
New section on VPN with some pointers and the packages available in Debian
(needs content on how to set up the VPNs and Debian-specific issues), based on
Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security.
</p>
</li>
</ul>
<ul>
<li>
<p>
Small note regarding some programs to automatically build chroot jails.
</p>
</li>
</ul>
<ul>
<li>
<p>
New FAQ item regarding identd based on a discussion in the debian-security
mailing list (February 2002, started by Johannes Weiss).
</p>
</li>
</ul>
<ul>
<li>
<p>
New FAQ item regarding <code>inetd</code> based on a discussion in the
debian-security mailing list (February 2002).
</p>
</li>
</ul>
<ul>
<li>
<p>
Introduced note on rcconf in the &quot;disabling services&quot; section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Varied the approach regarding LKM, thanks to Philipe Gaspar.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added pointers to CERT documents and Counterpane resources.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.39"></a>1.6.39 Version 1.99</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added a new FAQ item regarding time to fix security vulnerabilities.
</p>
</li>
</ul>
<ul>
<li>
<p>
Reorganized FAQ sections.
</p>
</li>
</ul>
<ul>
<li>
<p>
Started writing a section regarding firewalling in Debian GNU/Linux (could be
broadened a bit).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed typos sent by Matt Kraai.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed DNS information.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on whisker and nbtscan to the auditing section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed some wrong URLs.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.40"></a>1.6.40 Version 1.98</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added a new section regarding auditing using Debian GNU/Linux.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added info regarding finger daemon taken from the security mailing list.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.41"></a>1.6.41 Version 1.97</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Fixed link for Linux Trustees.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.42"></a>1.6.42 Version 1.96</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Reorganized service installation and removal and added some new notes.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some notes regarding using integrity checkers as intrusion detection
tools.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a chapter regarding package signatures.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.43"></a>1.6.43 Version 1.95</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added notes regarding Squid security sent by Philipe Gaspar.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed rootkit links thanks to Philipe Gaspar.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.44"></a>1.6.44 Version 1.94</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added some notes regarding Apache and Lpr/lpng.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some information regarding noexec and read-only partitions.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrote how users can help in Debian security issues (FAQ item).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.45"></a>1.6.45 Version 1.93</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Fixed location of mail program.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some new items to the FAQ.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.46"></a>1.6.46 Version 1.92</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added a small section on how Debian handles security.
</p>
</li>
</ul>
<ul>
<li>
<p>
Clarified MD5 passwords (thanks to `rocky').
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some more information regarding harden-X from Stephen van Egmond.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some new items to the FAQ.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.47"></a>1.6.47 Version 1.91</h3>
<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added some forensics information sent by Yotam Rubin.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on how to build a honeynet using Debian GNU/Linux.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some more TODOs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed more typos (thanks Yotam!).
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.48"></a>1.6.48 Version 1.9</h3>
<p>
Changes by Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a.
</p>
<ul>
<li>
<p>
Added patch to fix misspellings and some new information (contributed by Yotam
Rubin).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added references to other online (and offline) documentation both in a section
(see <a href="ch2.en.html#s-references">Be aware of general security problems,
Section 2.2</a>) by itself and inline in some sections.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some information on configuring Bind options to restrict access to the
DNS server.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on how to automatically harden a Debian system (regarding the
harden package and bastille).
</p>
</li>
</ul>
<ul>
<li>
<p>
Removed some done TODOs and added some new ones.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.49"></a>1.6.49 Version 1.8</h3>
<p>
Changes by Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a.
</p>
<ul>
<li>
<p>
Added the default user/group list provided by Joey Hess to the debian-security
mailing list.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on LKM root-kits (<a href="ch10.en.html#s-LKM">Loadable
Kernel Modules (LKM), Section 10.4.1</a>) contributed by Philipe Gaspar.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on Proftp contributed by Emmanuel Lacour.
</p>
</li>
</ul>
<ul>
<li>
<p>
Recovered the checklist Appendix from Era Eriksson.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some new TODO items and removed other fixed ones.
</p>
</li>
</ul>
<ul>
<li>
<p>
Manually included Era's patches since they were not all included in the
previous version.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.50"></a>1.6.50 Version 1.7</h3>
<p>
Changes by Era Eriksson.
</p>
<ul>
<li>
<p>
Typo fixes and wording changes.
</p>
</li>
</ul>
<p>
Changes by Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a.
</p>
<ul>
<li>
<p>
Minor changes to tags in order to keep on removing the tt tags and substitute
prgn/package tags for them.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.51"></a>1.6.51 Version 1.6</h3>
<p>
Changes by Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a.
</p>
<ul>
<li>
<p>
Added pointer to document as published in the DDP (should supersede the
original in the near future).
</p>
</li>
</ul>
<ul>
<li>
<p>
Started a mini-FAQ (should be expanded) with some questions recovered from my
mailbox.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added general information to consider while securing.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a paragraph regarding local (incoming) mail delivery.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some pointers to more information.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information regarding the printing service.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a security hardening checklist.
</p>
</li>
</ul>
<ul>
<li>
<p>
Reorganized NIS and RPC information.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some notes taken while reading this document on my new Visor :).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed some badly formatted lines.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed some typos.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a Genius/Paranoia idea contributed by Gaby Schilders.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.52"></a>1.6.52 Version 1.5</h3>
<p>
Changes by Josip Rodin and Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a.
</p>
<ul>
<li>
<p>
Added paragraphs related to BIND and some FIXMEs.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.53"></a>1.6.53 Version 1.4</h3>
<ul>
<li>
<p>
Added a small setuid check paragraph.
</p>
</li>
</ul>
<ul>
<li>
<p>
Various minor cleanups.
</p>
</li>
</ul>
<ul>
<li>
<p>
Found out how to use <samp>sgml2txt -f</samp> for the txt version.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.54"></a>1.6.54 Version 1.3</h3>
<ul>
<li>
<p>
Added a security update after installation paragraph.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a proftpd paragraph.
</p>
</li>
</ul>
<ul>
<li>
<p>
This time really wrote something about XDM, sorry for last time.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.55"></a>1.6.55 Version 1.2</h3>
<ul>
<li>
<p>
Lots of grammar corrections by James Treacy, new XDM paragraph.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.56"></a>1.6.56 Version 1.1</h3>
<ul>
<li>
<p>
Typo fixes, miscellaneous additions.
</p>
</li>
</ul>
<hr>
<h3><a name="s1.6.57"></a>1.6.57 Version 1.0</h3>
<ul>
<li>
<p>
Initial release.
</p>
</li>
</ul>
<hr>
<h2><a name="s-credits"></a>1.7 Credits and thanks!</h2>
<ul>
<li>
<p>
Alexander Reelsen wrote the original document.
</p>
</li>
</ul>
<ul>
<li>
<p>
Javier Fern&aacute;ndez-Sanguino added more info to the original doc.
</p>
</li>
</ul>
<ul>
<li>
<p>
Robert van der Meulen provided the quota paragraphs and many good ideas.
</p>
</li>
</ul>
<ul>
<li>
<p>
Ethan Benson corrected the PAM paragraph and had some good ideas.
</p>
</li>
</ul>
<ul>
<li>
<p>
Dariusz Puchalak contributed some information to several chapters.
</p>
</li>
</ul>
<ul>
<li>
<p>
Gaby Schilders contributed a nice Genius/Paranoia idea.
</p>
</li>
</ul>
<ul>
<li>
<p>
Era Eriksson smoothed out the language in a lot of places and contributed the
checklist appendix.
</p>
</li>
</ul>
<ul>
<li>
<p>
Philipe Gaspar wrote the LKM information.
</p>
</li>
</ul>
<ul>
<li>
<p>
Yotam Rubin contributed fixes for many typos as well as information regarding
bind versions and MD5 passwords.
</p>
</li>
</ul>
<ul>
<li>
<p>
Francois Bayart provided the appendix describing how to set up a bridge
firewall.
</p>
</li>
</ul>
<ul>
<li>
<p>
Joey Hess wrote the section describing how Secure Apt works on the <code><a
href="http://wiki.debian.org/SecureApt">Debian Wiki</a></code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
Martin F. Krafft wrote some information on his blog regarding fingerprint
verification which was also reused for the Secure Apt section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Francesco Poli did an extensive review of the manual and provided quite a lot
of bug reports and typo fixes which improved and helped update the document.
</p>
</li>
</ul>
<ul>
<li>
<p>
All the people who made suggestions for improvements that (eventually) were
included here (see <a href="#s-changelog">Changelog/History, Section 1.6</a>).
</p>
</li>
</ul>
<ul>
<li>
<p>
(Alexander) All the folks who encouraged me to write this HOWTO (which was
later turned into a manual).
</p>
</li>
</ul>
<ul>
<li>
<p>
The whole Debian project.
</p>
</li>
</ul>
<hr>
<p>
Securing Debian Manual
</p>
<address>
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
<br>
Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
<br>
</address>
<hr>
</body>
</html>