<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Securing Debian Manual - Introduction</title>
<link href="index.en.html" rel="start">
<link href="index.en.html" rel="prev">
<link href="ch2.en.html" rel="next">
<link href="index.en.html#contents" rel="contents">
<link href="index.en.html#copyright" rel="copyright">
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
<link href="ch4.en.html" rel="chapter" title="4 After installation">
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas — what you could do">
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (February 2008)">
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users' access">
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricting access to file transfer only">
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is <code>identd</code> (port 113) for?">
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
|
||
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
|
||
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
|
||
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
|
||
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
|
||
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
|
||
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
|
||
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
|
||
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
|
||
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
|
||
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
|
||
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
|
||
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
|
||
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
|
||
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
|
||
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
|
||
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
|
||
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
|
||
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does &quot;local (remote)&quot; mean?">
|
||
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
|
||
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
|
||
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
|
||
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
|
||
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
|
||
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
|
||
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
|
||
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
|
||
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
|
||
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
|
||
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
|
||
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
|
||
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
|
||
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
|
||
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
|
||
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
|
||
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
|
||
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
|
||
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
|
||
|
||
</head>
|
||
|
||
<body>
|
||
|
||
<p><a name="ch1"></a></p>
|
||
<hr>
|
||
|
||
|
||
|
||
<hr>
|
||
|
||
<h1>
|
||
Securing Debian Manual
|
||
<br>Chapter 1 - Introduction
|
||
</h1>
|
||
|
||
<hr>
|
||
|
||
<p>
|
||
One of the hardest things about writing security documents is that every case
|
||
is unique. Two things you have to pay attention to are the threat environment
|
||
and the security needs of the individual site, host, or network. For instance,
the security needs of a home user are completely different from those of a network in a
bank. While the primary threat a home user needs to face is the script kiddie
type of cracker, a bank network has to worry about directed attacks.
Additionally, the bank has to protect its customers' data with arithmetic
precision. In short, every user has to consider the trade-off between
|
||
usability and security/paranoia.
|
||
</p>
|
||
|
||
<p>
|
||
Note that this manual only covers issues relating to software. The best
|
||
software in the world can't protect you if someone can physically access the
|
||
machine. You can place it under your desk, or you can place it in a hardened
|
||
bunker with an army in front of it. Nevertheless the desktop computer can be
|
||
much more secure (from a software point of view) than a physically protected
|
||
one if the desktop is configured properly and the software on the protected
|
||
machine is full of security holes. Obviously, you must consider both issues.
|
||
</p>
|
||
|
||
<p>
|
||
This document just gives an overview of what you can do to increase the
|
||
security of your Debian GNU/Linux system. If you have read other documents
|
||
regarding Linux security, you will find that there are common issues which
|
||
might overlap with this document. However, this document does not try to be
the ultimate source of information you will be using; it only tries to adapt
this same information so that it is meaningful to a Debian GNU/Linux system.
|
||
Different distributions do some things in different ways (startup of daemons is
|
||
one example); here, you will find material which is appropriate for Debian's
|
||
procedures and tools.
|
||
</p>
|
||
|
||
<hr>
|
||
|
||
<h2><a name="s-authors"></a>1.1 Authors</h2>
|
||
|
||
<p>
|
||
The current maintainer of this document is <code><a
|
||
href="mailto:jfs@debian.org">Javier Fernández-Sanguino Peña</a></code>. Please
|
||
forward him any comments, additions or suggestions, and they will be considered
|
||
for inclusion in future releases of this manual.
|
||
</p>
|
||
|
||
<p>
|
||
This manual was started as a <em>HOWTO</em> by <code><a
|
||
href="mailto:ar@rhwd.de">Alexander Reelsen</a></code>. After it was published
|
||
on the Internet, <code><a href="mailto:jfs@debian.org">Javier
|
||
Fernández-Sanguino Peña</a></code> incorporated it into the <code><a
|
||
href="http://www.debian.org/doc">Debian Documentation Project</a></code>. A
|
||
number of people have contributed to this manual (all contributions are listed
|
||
in the changelog) but the following deserve special mention since they have
|
||
provided significant contributions (full sections, chapters or appendices):
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Stefano Canepa
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Era Eriksson
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Carlo Perassi
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Alexandre Ratti
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Jaime Robles
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Yotam Rubin
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Frederic Schutz
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Pedro Zorzenon Neto
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Oohara Yuuma
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Davor Ocelic
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h2><a name="s1.2"></a>1.2 Where to get the manual (and available formats)</h2>
|
||
|
||
<p>
|
||
You can download or view the latest version of the Securing Debian Manual from
|
||
the <code><a
|
||
href="http://www.debian.org/doc/manuals/securing-debian-howto/">Debian
|
||
Documentation Project</a></code>. If you are reading a copy from another site,
|
||
please check the primary copy in case it provides new information. If you are
|
||
reading a translation, please compare the version the translation refers to with
the latest version available. If you find that the version is behind, please
|
||
consider using the original copy or review the <a
|
||
href="#s-changelog">Changelog/History, Section 1.6</a> to see what has changed.
|
||
</p>
|
||
|
||
<p>
|
||
If you want a full copy of the manual you can either download the <code><a
|
||
href="http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.txt">text
|
||
version</a></code> or the <code><a
|
||
href="http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.pdf">PDF
|
||
version</a></code> from the Debian Documentation Project's site. These
|
||
versions might be more useful if you intend to copy the document over to a
|
||
portable device for offline reading or you want to print it out. Be
|
||
forewarned, the manual is over two hundred pages long and some of the code
|
||
fragments, due to the formatting tools used, are not wrapped in the PDF version
|
||
and might be printed incomplete.
|
||
</p>
|
||
|
||
<p>
|
||
The document is also provided in text, html and PDF formats in the <code><a
|
||
href="http://packages.debian.org/harden-doc">harden-doc</a></code> package.
|
||
Notice, however, that the package may not be completely up to date with the
|
||
document provided on the Debian site (but you can always use the source package
|
||
to build an updated version yourself).
|
||
</p>
|
||
|
||
<p>
|
||
This document is part of the documents distributed by the <code><a
|
||
href="https://alioth.debian.org/projects/ddp/">Debian Documentation
|
||
Project</a></code>. You can review the changes introduced in the document
|
||
using a web browser and obtaining information from the <code><a
|
||
href="http://anonscm.debian.org/viewvc/ddp/manuals/trunk/securing-howto">version
|
||
control logs online</a></code>. You can also check out the code using SVN with
|
||
the following call in the command line:
|
||
</p>
|
||
|
||
<pre>
|
||
svn co svn://svn.debian.org/svn/ddp/manuals/trunk/securing-howto/
|
||
</pre>
|
||
|
||
<hr>
|
||
|
||
<h2><a name="s1.3"></a>1.3 Organizational notes/feedback</h2>
|
||
|
||
<p>
|
||
Now to the official part. At the moment I (Alexander Reelsen) wrote most
|
||
paragraphs of this manual, but in my opinion this should not stay the case. I
|
||
grew up and live with free software, it is part of my everyday use and I guess
|
||
yours, too. I encourage everybody to send me feedback, hints, additions or any
|
||
other suggestions you might have.
|
||
</p>
|
||
|
||
<p>
|
||
If you think you can maintain a certain section or paragraph better, then
|
||
write to the document maintainer and you are welcome to do it. Especially if
|
||
you find a section marked as FIXME, that means the authors did not have the
|
||
time yet or the needed knowledge about the topic. Drop them a mail
|
||
immediately.
|
||
</p>
|
||
|
||
<p>
|
||
The topic of this manual makes it quite clear that it is important to keep it
|
||
up to date, and you can do your part. Please contribute.
|
||
</p>
|
||
|
||
<hr>
|
||
|
||
<h2><a name="s1.4"></a>1.4 Prior knowledge</h2>
|
||
|
||
<p>
|
||
The installation of Debian GNU/Linux is not very difficult and you should have
|
||
been able to install it. If you already have some knowledge about Linux or
|
||
other Unices and you are a bit familiar with basic security, it will be easier
|
||
to understand this manual, as this document cannot explain every little detail
|
||
of a feature (otherwise this would have been a book instead of a manual). If
|
||
you are not that familiar, however, you might want to take a look at <a
|
||
href="ch2.en.html#s-references">Be aware of general security problems, Section
|
||
2.2</a> for where to find more in-depth information.
|
||
</p>
|
||
|
||
<hr>
|
||
|
||
<h2><a name="s1.5"></a>1.5 Things that need to be written (FIXME/TODO)</h2>
|
||
|
||
<p>
|
||
This section describes all the things that need to be fixed in this manual.
|
||
Some paragraphs include <em>FIXME</em> or <em>TODO</em> tags describing what
|
||
content is missing (or what kind of work needs to be done). The purpose of
|
||
this section is to describe all the things that could be included in the future
|
||
in the manual, or enhancements that need to be done (or would be interesting to
|
||
add).
|
||
</p>
|
||
|
||
<p>
|
||
If you feel you can provide help by contributing content to fix any element of
|
||
this list (or the inline annotations), contact the main author (<a
|
||
href="#s-authors">Authors, Section 1.1</a>).
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
This document has yet to be updated based on the latest Debian releases. The
|
||
default configuration of some packages needs to be adapted as they have been
|
||
modified since this document was written.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Expand the incident response information, maybe add some ideas derived from Red
|
||
Hat's Security Guide's <code><a
|
||
href="http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-response.html">chapter
|
||
on incident response</a></code>.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Write about remote monitoring tools (to check for system availability) such as
|
||
<code>monit</code>, <code>daemontools</code> and <code>mon</code>. See
|
||
<code><a
|
||
href="http://linux.oreillynet.com/pub/a/linux/2002/05/09/sysadminguide.html">http://linux.oreillynet.com/pub/a/linux/2002/05/09/sysadminguide.html</a></code>.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Consider writing a section on how to build Debian-based network appliances
|
||
(with information such as the base system, <code>equivs</code> and FAI).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Check if <code><a
|
||
href="http://www.giac.org/practical/gsec/Chris_Koutras_GSEC.pdf">http://www.giac.org/practical/gsec/Chris_Koutras_GSEC.pdf</a></code>
|
||
has relevant info not yet covered here.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add information on how to set up a laptop with Debian <code><a
|
||
href="http://www.giac.org/practical/gcux/Stephanie_Thomas_GCUX.pdf">http://www.giac.org/practical/gcux/Stephanie_Thomas_GCUX.pdf</a></code>.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add information on how to set up a firewall using Debian GNU/Linux. The
|
||
section regarding firewalling is oriented currently towards a single system
|
||
(not protecting others...). Also talk about how to test the setup.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add information on setting up a proxy firewall with Debian GNU/Linux stating
|
||
specifically which packages provide proxy services (like <code>xfwp</code>,
|
||
<code>ftp-proxy</code>, <code>redir</code>, <code>smtpd</code>,
|
||
<code>dnrd</code>, <code>jftpgw</code>, <code>oops</code>, <code>pdnsd</code>,
|
||
<code>perdition</code>, <code>transproxy</code>, <code>tsocks</code>). Should
|
||
point to the manual for any other info. Note that <code>zorp</code> is now
|
||
available as a Debian package and <em>is</em> a proxy firewall (they also
|
||
provide Debian packages upstream).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Information on service configuration with file-rc.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Check all the reference URLs and remove/fix those no longer available.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add information on available replacements (in Debian) for common servers which
|
||
are useful for limited functionality. Examples:
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
local lpr with cups (package)?
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
remote lrp with lpr
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
bind with dnrd/maradns
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
apache with dhttpd/thttpd/wn (tux?)
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
exim/sendmail with ssmtpd/smtpd/postfix
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
squid with tinyproxy
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
ftpd with oftpd/vsftp
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
...
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
More information regarding security-related kernel patches in Debian, including
|
||
the ones shown above and specific information on how to enable these patches in
|
||
a Debian system.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Linux Intrusion Detection (<code>kernel-patch-2.4-lids</code>)
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Linux Trustees (in package <code>trustees</code>)
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
<code><a href="http://wiki.debian.org/SELinux">NSA Enhanced Linux</a></code>
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
<code>linux-patch-openswan</code>
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Details of turning off unnecessary network services (besides
|
||
<code>inetd</code>); it is partly in the hardening procedure but could be
|
||
broadened a bit.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Information regarding password rotation which is closely related to policy.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Policy, and educating users about policy.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
More about tcpwrappers, and wrappers in general?
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
<code>hosts.equiv</code> and other major security holes.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Issues with file sharing servers such as Samba and NFS?
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
suidmanager/dpkg-statoverrides.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
lpr and lprng.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Switching off the GNOME IP things.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Talk about pam_chroot (see <code><a
|
||
href="http://lists.debian.org/debian-security/2002/debian-security-200205/msg00011.html">http://lists.debian.org/debian-security/2002/debian-security-200205/msg00011.html</a></code>)
|
||
and its usefulness to limit users. Introduce information related to <code><a
|
||
href="http://online.securityfocus.com/infocus/1575">http://online.securityfocus.com/infocus/1575</a></code>.
|
||
<code>pdmenu</code>, for example, is available in Debian (whereas flash is not).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Talk about chrooting services, some more info on <code><a
|
||
href="http://www.linuxfocus.org/English/January2002/article225.shtml">http://www.linuxfocus.org/English/January2002/article225.shtml</a></code>.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Talk about programs to make chroot jails. <code>compartment</code> and
|
||
<code>chrootuid</code> are waiting in incoming. Some others (makejail, jailer)
|
||
could also be introduced.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
More information regarding log analysis software (i.e. logcheck and
|
||
logcolorise).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
'advanced' routing (traffic policing is security related).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
limiting <code>ssh</code> access to running certain commands.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
using dpkg-statoverride.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
secure ways to share a CD burner among users.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
secure ways of providing networked sound in addition to network display
|
||
capabilities (so that X clients' sounds are played on the X server's sound
|
||
hardware).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
securing web browsers.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
setting up ftp over <code>ssh</code>.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
using crypto loopback file systems.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
encrypting the entire file system.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
steganographic tools.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
setting up a PKA for an organization.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at
|
||
<code><a href="http://www.bayour.com">http://www.bayour.com</a></code> written
|
||
by Turbo Fredrikson.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
How to remove information of reduced utility in production systems such as
|
||
<code>/usr/share/doc</code>, <code>/usr/share/man</code> (yes, security by
|
||
obscurity).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
More information on lcap based on the package's README file (well, not there
|
||
yet, see <code><a
|
||
href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=169465">Bug
|
||
#169465</a></code>) and from the article from LWN: <code><a
|
||
href="http://lwn.net/1999/1202/kernel.php3">Kernel development</a></code>.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add Colin's article on how to set up a chroot environment for a full sid system
|
||
(<code><a
|
||
href="http://people.debian.org/~walters/chroot.html">http://people.debian.org/~walters/chroot.html</a></code>).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add information on running multiple <code>snort</code> sensors in a given
|
||
system (check bug reports sent to <code>snort</code>).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add information on setting up a honeypot (<code>honeyd</code>).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Describe the situation with respect to FreeSwan (orphaned) and OpenSwan. VPN section needs
|
||
to be rewritten.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add a specific section about databases, current installation defaults and how
|
||
to secure access.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add a section about the usefulness of virtual servers (Xen et al).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Explain how to use some integrity checkers (AIDE, integrit or samhain). The
|
||
basics are simple and could even explain some configuration improvements.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h2><a name="s-changelog"></a>1.6 Changelog/History</h2>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.1"></a>1.6.1 Version 3.16 (March 2011)</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Indicate that the document is not updated with latest versions.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Update pointers to current location of sources.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Update information on security updates for newer releases.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Point information for Developers to online sources instead of keeping the
|
||
information in the document, to prevent duplication.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fix shell script example in Appendix.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fix reference errors.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.2"></a>1.6.2 Version 3.15 (December 2010)</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Change reference to Log Analysis' website as this is no longer available.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.3"></a>1.6.3 Version 3.14 (March 2009)</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Change the section related to choosing a filesystem: note that ext3 is now the
|
||
default.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Change the name of the packages related to enigmail to reflect naming changes
|
||
introduced in Debian.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.4"></a>1.6.4 Version 3.13 (February 2008)</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Change URLs pointing to Bastille Linux since the domain has been <code><a
|
||
href="http://www.bastille-unix.org/press-release-newname.html">purchased by a
|
||
cybersquatter</a></code>.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fix pointers to Linux Ramen and Lion worms.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Use linux-image in the examples instead of the (old) kernel-image packages.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fix typos spotted by Francesco Poli.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.5"></a>1.6.5 Version 3.12 (August 2007)</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Update the information related to security updates. Drop the text talking
|
||
about Tiger and include information on the update-notifier and adept tools (for
|
||
Desktops) as well as debsecan. Also include some pointers to other tools
|
||
available.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Divide the firewall applications based on target users and add fireflier to the
|
||
Desktop firewall applications list.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Remove references to libsafe, it's not in the archive any longer (was removed
|
||
January 2006).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fix the location of syslog's configuration, thanks to John Talbut.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.6"></a>1.6.6 Version 3.11 (January 2007)</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña. Thanks go to Francesco Poli for his
|
||
extensive review of the document.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Remove most references to the woody release as it is no longer available (in
|
||
the archive) and security support for it is no longer available.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Describe how to restrict users so that they can only do file transfers.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a note regarding the debian-private declassification decision.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Updated link of incident handling guides.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a note saying that development tools (compilers, etc.) are not installed
|
||
now in the default 'etch' installation.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fix references to the master security server.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Add pointers to additional APT-secure documentation.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Improve the description of APT signatures.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Comment out some things which are not yet final related to the mirror's
|
||
official public keys.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed name of the Debian Testing Security Team.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Remove reference to sarge in an example.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Update the antivirus section, clamav is now available on the release. Also
|
||
mention the f-prot installer.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Remove all references to freeswan as it is obsolete.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Describe issues related to ruleset changes to the firewall if done remotely and
|
||
provide some tips (in footnotes).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Update the information related to the IDS installation, mention BASE and the
|
||
need to set up a logging database.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Rewrite the "running bind as a non-root user" section as this no
|
||
longer applies to Bind9. Also remove the reference to the init.d script since
|
||
the changes need to be done through /etc/default.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Remove the obsolete way to setup iptables rulesets as woody is no longer
|
||
supported.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Revert the advice regarding LOG_UNKFAIL_ENAB it should be set to 'no' (as per
|
||
default).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added more information related to updating the system with desktop tools
|
||
(including update-notifier) and describe aptitude usage to update the system.
|
||
Also note that dselect is deprecated.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Updated the contents of the FAQ and remove redundant paragraphs.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Review and update the section related to forensic analysis of malware.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Remove or fix some dead links.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fix many typos and gramatical errors reported by Francesco Poli.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>

<h3><a name="s1.6.7"></a>1.6.7 Version 3.10 (November 2006)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Provide examples using apt-cache's rdepends as suggested by Ozer Sarilar.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix location of Squid's user's manual because of its relocation as notified by
Oskar Pearson (its maintainer).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix information regarding umask, it's login.defs (and not limits.conf) where
this can be configured for all login connections. Also state what is Debian's
default and what would be a more restrictive value for both users and root.
Thanks to Reinhard Tartler for spotting the bug.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.8"></a>1.6.8 Version 3.9 (October 2006)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Add information on how to track security vulnerabilities and add references to
the Debian Testing Security Tracker.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add more information on the security support for testing.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix a large number of typos with a patch provided by Simon Brandmair.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added section on how to disable root prompt on initramfs provided by Max
Attems.
</p>
</li>
</ul>
<ul>
<li>
<p>
Remove references to queso.
</p>
</li>
</ul>
<ul>
<li>
<p>
Note that testing is now security-supported in the introduction.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.9"></a>1.6.9 Version 3.8 (July 2006)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Rewrote the information on how to set up ssh chroots to clarify the different
options available, thanks to Bruce Park for bringing up the different mistakes
in this appendix.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix lsof call as suggested by Christophe Sahut.
</p>
</li>
</ul>
<ul>
<li>
<p>
Include patches for typo fixes from Uwe Hermann.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix typo in reference spotted by Moritz Naumann.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.10"></a>1.6.10 Version 3.7 (April 2006)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Add a section on Debian Developer's best practices for security.
</p>
</li>
</ul>
<ul>
<li>
<p>
Amended firewall script with comments from WhiteGhost.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.11"></a>1.6.11 Version 3.6 (March 2006)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Included a patch from Thomas Sjögren which describes that <samp>noexec</samp>
works as expected with "new" kernels, adds information regarding
tempfile handling, and some new pointers to external documentation.
</p>
</li>
</ul>
<ul>
<li>
<p>
Add a pointer to Dan Farmer's and Wietse Venema's forensic discovery web site,
as suggested by Freek Dijkstra, and expanded a little bit the forensic analysis
section with more pointers.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed URL of Italy's CERT, thanks to Christoph Auer.
</p>
</li>
</ul>
<ul>
<li>
<p>
Reuse Joey Hess' information at the wiki on secure apt and introduce it in the
infrastructure section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Review sections referring to old versions (woody or potato).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix some cosmetic issues with patch from Simon Brandmair.
</p>
</li>
</ul>
<ul>
<li>
<p>
Included patches from Carlo Perassi: acl patches are obsolete, openwall patches
are obsolete too, removed fixme notes about 2.2 and 2.4 series kernels, hap is
obsolete (and not present in WNPP), remove references to Immunix (StackGuard is
now in Novell's hands), and fix a FIXME about the use of bsign or elfsign.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated references to SELinux web pages to point to the Wiki (currently the
most up to date source of information).
</p>
</li>
</ul>
<ul>
<li>
<p>
Include file tags and make a more consistent use of "MD5 sum" with a
patch from Jens Seidel.
</p>
</li>
</ul>
<ul>
<li>
<p>
Patch from Joost van Baal improving the information on the firewall section
(pointing to the wiki instead of listing all firewall packages available)
(Closes: #339865).
</p>
</li>
</ul>
<ul>
<li>
<p>
Review the FAQ section on vulnerability stats, thanks to Carlos Galisteo de
Cabo for pointing out that it was out of date.
</p>
</li>
</ul>
<ul>
<li>
<p>
Use the quote from the Social Contract 1.1 instead of 1.0 as suggested by
Francesco Poli.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.12"></a>1.6.12 Version 3.5 (November 2005)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Note on the SSH section that the chroot will not work if using the nodev option
in the partition and point to the latest ssh packages with the chroot patch,
thanks to Lutz Broedel for pointing these issues out.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fix typo spotted by Marcos Roberto Greiner (md5sum should be sha1sum in code
snippet).
</p>
</li>
</ul>
<ul>
<li>
<p>
Included Jens Seidel's patch fixing a number of package names and typos.
</p>
</li>
</ul>
<ul>
<li>
<p>
Slight update of the tools section, removed tools no longer available and
added some new ones.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrite parts of the section related to where to find this document and what
formats are available (the website does provide a PDF version). Also note that
copies on other sites and translations might be obsolete (many of the Google
hits for the manual in other sites are actually out of date).
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.13"></a>1.6.13 Version 3.4 (August-September 2005)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Improved the after installation security enhancements related to kernel
configuration for network level protection with a sysctl.conf file provided by
Will Moy.
</p>
</li>
</ul>
<ul>
<li>
<p>
Improved the gdm section, thanks to Simon Brandmair.
</p>
</li>
</ul>
<ul>
<li>
<p>
Typo fixes from Frédéric Bothamy and Simon Brandmair.
</p>
</li>
</ul>
<ul>
<li>
<p>
Improvements in the after installation sections related to how to generate the
MD5 (or SHA-1) sums of binaries for periodic review.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated the after installation sections regarding checksecurity configuration
(was out of date).
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.14"></a>1.6.14 Version 3.3 (June 2005)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added a code snippet to use grep-available to generate the list of packages
depending on Perl. As requested in #302470.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrite of the section on network services (which ones are installed and how to
disable them).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information to the honeypot deployment section mentioning useful
Debian packages.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.15"></a>1.6.15 Version 3.2 (March 2005)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Expanded the PAM configuration limits section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on how to use pam_chroot for openssh (based on pam_chroot's
README).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed some minor issues reported by Dan Jacobson.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated the kernel patches information partially based on a patch from Carlo
Perassi and also by adding deprecation notes and new kernel patches available
(adamantix).
</p>
</li>
</ul>
<ul>
<li>
<p>
Included patch from Simon Brandmair that fixes a sentence related to login
failures in terminal.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added Mozilla/Thunderbird to the valid GPG agents as suggested by Kapolnai
Richard.
</p>
</li>
</ul>
<ul>
<li>
<p>
Expanded the section on security updates mentioning library and kernel updates
and how to detect when services need to be restarted.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrote the firewall section, moved the information that applies to woody down
and expanded the other sections including some information on how to manually set
the firewall (with a sample script) and how to test the firewall configuration.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some information preparing for the 3.1 release.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more detailed information on kernel upgrades, specifically targeted at
those that used the old installation system.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a small section on the experimental apt 0.6 release which provides
package signing checks. Moved old content to the section and also added a
pointer to changes made in aptitude.
</p>
</li>
</ul>
<ul>
<li>
<p>
Typo fixes spotted by Frédéric Bothamy.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.16"></a>1.6.16 Version 3.1 (January 2005)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added clarification to ro /usr with patch from Joost van Baal.
</p>
</li>
</ul>
<ul>
<li>
<p>
Apply patch from Jens Seidel fixing many typos.
</p>
</li>
</ul>
<ul>
<li>
<p>
FreeSWAN is dead, long live OpenSWAN.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on restricting access to RPC services (when they cannot be
disabled), also included patch provided by Aarre Laakso.
</p>
</li>
</ul>
<ul>
<li>
<p>
Update aj's apt-check-sigs script.
</p>
</li>
</ul>
<ul>
<li>
<p>
Apply patch from Carlo Perassi fixing URLs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Apply patch from Davor Ocelic fixing many errors, typos, URLs, grammar and
FIXMEs. Also adds some additional information to some sections.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrote the section on user auditing, highlight the usage of script which does
not have some of the issues associated with shell history.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.17"></a>1.6.17 Version 3.0 (December 2004)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Rewrote the user-auditing information and include examples on how to use
script.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.18"></a>1.6.18 Version 2.99 (March 2004)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added information on references in DSAs and CVE-Compatibility.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on apt 0.6 (apt-secure merge in experimental).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed location of Chroot daemons HOWTO as suggested by Shuying Wang.
</p>
</li>
</ul>
<ul>
<li>
<p>
Changed APACHECTL line in the Apache chroot example (even if it's not used at
all) as suggested by Leonard Norrgard.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a footnote regarding hardlink attacks if partitions are not set up
properly.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some missing steps in order to run bind as named as provided by Jeffrey
Prosa.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added notes about Nessus and Snort out-of-dateness in woody and availability of
backported packages.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a chapter regarding periodic integrity test checks.
</p>
</li>
</ul>
<ul>
<li>
<p>
Clarified the status of testing regarding security updates (Debian bug 233955).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more information regarding expected contents in securetty (since it's
kernel specific).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added pointer to snoopylogger (Debian bug 179409).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added reference to guarddog (Debian bug 170710).
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>apt-ftparchive</code> is in <code>apt-utils</code>, not in
<code>apt</code> (thanks to Emmanuel Chantreau for pointing this out).
</p>
</li>
</ul>
<ul>
<li>
<p>
Removed jvirus from AV list.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.19"></a>1.6.19 Version 2.98 (December 2003)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Fixed URL as suggested by Frank Lichtenheld.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed PermitRootLogin typo as suggested by Stefan Lindenau.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.20"></a>1.6.20 Version 2.97 (September 2003)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Added those that have made the most significant contributions to this manual
(please mail me if you think you should be in the list and are not).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added some blurb about FIXME/TODOs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Moved the information on security updates to the beginning of the section as
suggested by Elliott Mitchell.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added grsecurity to the list of kernel-patches for security but added a
footnote on the current issues with it as suggested by Elliott Mitchell.
</p>
</li>
</ul>
<ul>
<li>
<p>
Removed loops (echo to 'all') in the kernel's network security script as
suggested by Elliott Mitchell.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added more (up-to-date) information in the antivirus section.
</p>
</li>
</ul>
<ul>
<li>
<p>
Rewrote the buffer overflow protection section and added more information on
patches to the compiler to enable this kind of protection.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.21"></a>1.6.21 Version 2.96 (August 2003)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Removed (and then re-added) appendix on chrooting Apache. The appendix is now
dual-licensed.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.22"></a>1.6.22 Version 2.95 (June 2003)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Fixed typos spotted by Leonard Norrgard.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a section on how to contact CERT for incident handling (<code><a
href="#after-compromise">#after-compromise</a></code>).
</p>
</li>
</ul>
<ul>
<li>
<p>
More information on setting up a Squid proxy.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a pointer and removed a FIXME thanks to Helge H. F.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed a typo (save_inactive) spotted by Philippe Faes.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed several typos spotted by Jaime Robles.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.23"></a>1.6.23 Version 2.94 (April 2003)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña.
</p>
<ul>
<li>
<p>
Following Maciej Stachura's suggestions I've expanded the section on limiting
users.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed typo spotted by Wolfgang Nolte.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed links with patch contributed by Ruben Leote Mendes.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a link to David Wheeler's excellent document on the footnote about
counting security vulnerabilities.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.24"></a>1.6.24 Version 2.93 (March 2003)</h3>

<p>
Changes made by Frédéric Schütz.
</p>
<ul>
<li>
<p>
Rewrote entirely the section of ext2 attributes (lsattr/chattr).
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.25"></a>1.6.25 Version 2.92 (February 2003)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz.
</p>
<ul>
<li>
<p>
Merge section 9.3 ("useful kernel patches") into section 4.13
("Adding kernel patches"), and added some content.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a few more TODOs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added information on how to manually check for updates and also about cron-apt.
That way Tiger is not perceived as the only way to do automatic update checks.
</p>
</li>
</ul>
<ul>
<li>
<p>
Slight rewrite of the section on executing a security update due to
Jean-Marc Ranger's comments.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a note on Debian's installation (which will suggest the user to execute a
security update right after installation).
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.26"></a>1.6.26 Version 2.91 (January/February 2003)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña (me).
</p>
<ul>
<li>
<p>
Added a patch contributed by Frédéric Schütz.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a few more references on capabilities thanks to Frédéric.
</p>
</li>
</ul>
<ul>
<li>
<p>
Slight changes in the bind section adding a reference to BIND 9's online
documentation and proper references in the first area (Hi Pedro!).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed the changelog date - new year :-).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a reference to Colin's articles for the TODOs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Removed reference to old ssh+chroot patches.
</p>
</li>
</ul>
<ul>
<li>
<p>
More patches from Carlo Perassi.
</p>
</li>
</ul>
<ul>
<li>
<p>
Typo fixes (recursive in Bind is recursion), pointed out by Maik Holtkamp.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.27"></a>1.6.27 Version 2.9 (December 2002)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña (me).
</p>
<ul>
<li>
<p>
Reorganized the information on chroot (merged two sections, it didn't make much
sense to have them separated).
</p>
</li>
</ul>
<ul>
<li>
<p>
Added the notes on chrooting Apache provided by Alexandre Ratti.
</p>
</li>
</ul>
<ul>
<li>
<p>
Applied patches contributed by Guillermo Jover.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.28"></a>1.6.28 Version 2.8 (November 2002)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña (me).
</p>
<ul>
<li>
<p>
Applied patches from Carlo Perassi, fixes include: re-wrapping the lines, URL
fixes, and fixed some FIXMEs.
</p>
</li>
</ul>
<ul>
<li>
<p>
Updated the contents of the Debian security team FAQ.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a link to the Debian security team FAQ and the Debian Developer's
reference, the duplicated sections might (just might) be removed in the future.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed the hand-made auditing section with comments from Michal Zielinski.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added links to wordlists (contributed by Carlo Perassi).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed some typos (still many around).
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed TDP links as suggested by John Summerfield.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.29"></a>1.6.29 Version 2.7 (October 2002)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña (me). Note: I still have a lot of
pending changes in my mailbox (which is currently about 5 Mbs in size).
</p>
<ul>
<li>
<p>
Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and Daniel K.
Gebhart.
</p>
</li>
</ul>
<ul>
<li>
<p>
Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed typos and FIXMEs contributed by Carlo Perassi.
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.30"></a>1.6.30 Version 2.6 (September 2002)</h3>

<p>
Changes by Chris Tillman, tillman@voicetrak.com.
</p>
<ul>
<li>
<p>
Changed around to improve grammar/spelling.
</p>
</li>
</ul>
<ul>
<li>
<p>
s/host.deny/hosts.deny/ (1 place).
</p>
</li>
</ul>
<ul>
<li>
<p>
Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs).
</p>
</li>
</ul>

<hr>

<h3><a name="s1.6.31"></a>1.6.31 Version 2.5 (September 2002)</h3>

<p>
Changes by Javier Fernández-Sanguino Peña (me).
</p>
<ul>
<li>
<p>
Fixed minor typos submitted by Thiemo Nagel.
</p>
</li>
</ul>
<ul>
<li>
<p>
Added a footnote suggested by Thiemo Nagel.
</p>
</li>
</ul>
<ul>
<li>
<p>
Fixed a URL link.
</p>
</li>
</ul>

<hr>
|
||
|
||
<h3><a name="s1.6.32"></a>1.6.32 Version 2.5 (August 2002)</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fern<72>ndez-Sanguino Pe<50>a (me). There were many things waiting
|
||
on my inbox (as far back as February) to be included, so I'm going to tag this
|
||
the <em>back from honeymoon</em> release :).
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Applied a patch contributed by Philipe Gaspar regarding the Squid which also
|
||
kills a FIXME.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Yet another FAQ item regarding service banners taken from the debian-security
|
||
mailing list (thread "Telnet information" started 26th July 2002).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a note regarding use of CVE cross references in the <em>How much time
|
||
does the Debian security team...</em> FAQ item.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a new section regarding ARP attacks contributed by Arnaud
|
||
"Arhuman" Assad.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New FAQ item regarding dmesg and console login by the kernel.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Small tidbits of information to the signature-checking issues in packages (it
|
||
seems to not have gotten past beta release).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New FAQ item regarding vulnerability assessment tools false positives.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added new sections to the chapter that contains information on package
|
||
signatures and reorganized it as a new <em>Debian Security Infrastructure</em>
|
||
chapter.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New FAQ item regarding Debian vs. other Linux distributions.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New section on mail user agents with GPG/PGP functionality in the security
|
||
tools chapter.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Clarified how to enable MD5 passwords in woody, added a pointer to PAM as well
|
||
as a note regarding the max definition in PAM.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a new appendix on how to create chroot environments (after fiddling a bit
|
||
with makejail and fixing, as well, some of its bugs), integrated duplicate
|
||
information in all the appendix.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some more information regarding <code>SSH</code> chrooting and its impact
|
||
on secure file transfers. Some information has been retrieved from the
|
||
debian-security mailing list (June 2002 thread: <em>secure file
|
||
transfers</em>).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New sections on how to do automatic updates on Debian systems as well as the
|
||
caveats of using testing or unstable regarding security updates.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New section regarding keeping up to date with security patches in the
|
||
<em>Before compromise</em> section as well as a new section about the
|
||
debian-security-announce mailing list.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information on how to automatically generate strong passwords.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New section regarding login of idle users.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Reorganized the securing mail server section based on the
|
||
<em>Secure/hardened/minimal Debian (or "Why is the base system the way it
|
||
is?")</em> thread on the debian-security mailing list (May 2002).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Reorganized the section on kernel network parameters, with information provided
|
||
in the debian-security mailing list (May 2002, <em>syn flood attacked?</em>
|
||
thread) and added a new FAQ item as well.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New section on how to check users passwords and which packages to install for
|
||
this.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New section on PPTP encryption with Microsoft clients discussed in the
|
||
debian-security mailing list (April 2002).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a new section describing what problems are there when binding any given
|
||
service to a specific IP address, this information was written based on the
|
||
Bugtraq mailing list in the thread: <em>Linux kernel 2.4 "weak end
|
||
host" issue (previously discussed on debian-security as "arp
|
||
problem")</em> (started on May 9th 2002 by Felix von Leitner).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information on <code>ssh</code> protocol version 2.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added two subsections related to Apache secure configuration (the things
|
||
specific to Debian, that is).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a new FAQ related to raw sockets, one related to /root, an item related
|
||
to users' groups and another one related to log and configuration files
|
||
permissions.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a pointer to a bug in libpam-cracklib that might still be open... (need
|
||
to check).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added more information regarding forensics analysis (pending more information
|
||
on packet inspection tools such as <code>tcpflow</code>).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Changed the "what should I do regarding compromise" into a bullet
|
||
list and included some more stuff.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some information on how to set up the Xscreensaver to lock the screen
|
||
automatically after the configured timeout.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a note related to the utilities you should not install in the system.
|
||
Included a note regarding Perl and why it cannot be easily removed in Debian.
|
||
The idea came after reading Intersect's documents regarding Linux hardening.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information on lvm and journalling file systems, ext3 recommended. The
|
||
information there might be too generic, however.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a link to the online text version (check).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some more stuff to the information on firewalling the local system,
|
||
triggered by a comment made by Hubert Chan in the mailing list.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added more information on PAM limits and pointers to Kurt Seifried's documents
|
||
(related to a post by him to Bugtraq on April 4th 2002 answering a person that
|
||
had "discovered" a vulnerability in Debian GNU/Linux related to resource
|
||
starvation).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
As suggested by Julián Muñoz, provided more information on the default Debian
|
||
umask and what a user can access if he has been given a shell in the system
|
||
(scary, huh?).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Included a note in the BIOS password section due to a comment from Andreas
|
||
Wohlfeld.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Included patches provided by Alfred E. Heggestad fixing many of the typos
|
||
still present in the document.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a pointer to the changelog in the Credits section since most people who
|
||
contribute are listed here (and not there).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a few more notes to the chattr section and a new section after
|
||
installation talking about system snapshots. Both ideas were contributed by
|
||
Kurt Pomeroy.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a new section after installation just to remind users to change the
|
||
boot-up sequence.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some more TODO items provided by Korn Andras.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a pointer to the NIST's guidelines on how to secure DNS provided by
|
||
Daniel Quinlan.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a small paragraph regarding Debian's SSL certificates infrastructure.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added Daniel Quinlan's suggestions regarding <code>ssh</code> authentication
|
||
and exim's relay configuration.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added more information regarding securing bind including changes suggested by
|
||
Daniel Quinlan and an appendix with a script to make some of the changes
|
||
commented on in that section.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a pointer to another item regarding Bind chrooting (needs to be merged).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve packages
|
||
with tcpwrappers support.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a little bit more info on Debian's default PAM setup.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Included a FAQ question about using PAM to provide services without shell
|
||
accounts.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Moved two FAQ items to another section and added a new FAQ regarding attack
|
||
detection (and compromised systems).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Included information on how to set up a bridge firewall (including a sample
|
||
Appendix). Thanks to Francois Bayart who sent this to me in March.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a FAQ regarding the syslogd's <em>MARK</em> <em>heartbeat</em> from a
|
||
question answered by Noah Meyerhans and Alain Tesio in December 2001.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Included information on buffer overflow protection as well as some information
|
||
on kernel patches.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added more information to (and reorganized) the firewall section. Updated the
|
||
information regarding the iptables package and the firewall generators
|
||
available.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Reorganized the information regarding log checking, moved logcheck information
|
||
from host intrusion detection to that section.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some information on how to prepare a static package for bind for
|
||
chrooting (untested).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a FAQ item regarding some specific servers/services (could be expanded
|
||
with some of the recommendations from the debian-security list).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some information on RPC services (and when they are necessary).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some more information on capabilities (and what lcap does). Is there any
|
||
good documentation on this? I haven't found any documentation on my 2.4
|
||
kernel.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed some typos.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.33"></a>1.6.33 Version 2.4</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Rewritten part of the BIOS section.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.34"></a>1.6.34 Version 2.3</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Wrapped most file locations with the file tag.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed typo noticed by Edi Stojicevi.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Slightly changed the remote audit tools section.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some todo items.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added more information regarding printers and cups config file (taken from a
|
||
thread on debian-security).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a patch submitted by Jesus Climent regarding access of valid system users
|
||
to Proftpd when configured as anonymous server.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Small change on partition schemes for the special case of mail servers.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added Hacking Linux Exposed to the books section.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed directory typo noticed by Eduardo Pérez Ureta.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.35"></a>1.6.35 Version 2.3</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed location of dpkg conffile.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Removed Alexander from contact information.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added alternate mail address.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed Alexander mail address (even if commented out).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed location of release keys (thanks to Pedro Zorzenon for pointing this
|
||
out).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.36"></a>1.6.36 Version 2.2</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed typos, thanks to Jamin W. Collins.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a reference to apt-extracttemplate manpage (documents the
|
||
APT::ExtractTemplate config).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added section about restricted SSH. Information based on that posted by Mark
|
||
Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security
|
||
mailing list.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information on antivirus software.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a FAQ: su logs due to the cron running as root.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.37"></a>1.6.37 Version 2.1</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Changed FIXME from lshell thanks to Oohara Yuuma.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added package to sXid and removed comment since it *is* available.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed a number of typos discovered by Oohara Yuuma.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
ACID is now available in Debian (in the acidlab package) thanks to Oohara Yuuma
|
||
for noticing.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed LinuxSecurity links (thanks to Dave Wreski for telling).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.38"></a>1.6.38 Version 2.0</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña. I wanted to change to 2.0 when all
|
||
the FIXMEs were fixed but I ran out of 1.9X numbers :(.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Converted the HOWTO into a Manual (now I can properly say RTFM).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added more information regarding tcp wrappers and Debian (now many services are
|
||
compiled with support for them so it's no longer an <code>inetd</code> issue).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Clarified the information on disabling services to make it more consistent (rpc
|
||
info still referred to update-rc.d).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added small note on lprng.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some more info on compromised servers (still very rough).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed typos reported by Mark Bucciarelli.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some more steps in password recovery to cover the cases when the admin
|
||
has set paranoid-mode=on.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some information on setting paranoid-mode=on when logging in on the console.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New paragraph to introduce service configuration.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Reorganized the <em>After installation</em> section so it is broken up
into several issues and is easier to read.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Wrote information on how to set up firewalls with the standard Debian 3.0 setup
|
||
(iptables package).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Small paragraph explaining why installing connected to the Internet is not a
|
||
good idea and how to avoid this using Debian tools.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Small paragraph on timely patching referencing an IEEE paper.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Appendix on how to set up a Debian snort box, based on what Vladimir sent to
|
||
the debian-security mailing list (September 3rd 2001).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Information on how logcheck is set up in Debian and how it can be used to set
|
||
up HIDS.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Information on user accounting and profile analysis.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Included apt.conf configuration for read-only /usr copied from Olaf
|
||
Meeuwissen's post to the debian-security mailing list.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New section on VPN with some pointers and the packages available in Debian
|
||
(needs content on how to set up the VPNs and Debian-specific issues), based on
|
||
Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Small note regarding some programs to automatically build chroot jails.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New FAQ item regarding identd based on a discussion in the debian-security
|
||
mailing list (February 2002, started by Johannes Weiss).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
New FAQ item regarding <code>inetd</code> based on a discussion in the
|
||
debian-security mailing list (February 2002).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Introduced note on rcconf in the "disabling services" section.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Varied the approach regarding LKM, thanks to Philipe Gaspar.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added pointers to CERT documents and Counterpane resources.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.39"></a>1.6.39 Version 1.99</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a new FAQ item regarding time to fix security vulnerabilities.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Reorganized FAQ sections.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Started writing a section regarding firewalling in Debian GNU/Linux (could be
|
||
broadened a bit).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed typos sent by Matt Kraai.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed DNS information.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information on whisker and nbtscan to the auditing section.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed some wrong URLs.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.40"></a>1.6.40 Version 1.98</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a new section regarding auditing using Debian GNU/Linux.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added info regarding finger daemon taken from the security mailing list.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.41"></a>1.6.41 Version 1.97</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed link for Linux Trustees.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.42"></a>1.6.42 Version 1.96</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Reorganized service installation and removal and added some new notes.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some notes regarding using integrity checkers as intrusion detection
|
||
tools.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a chapter regarding package signatures.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.43"></a>1.6.43 Version 1.95</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added notes regarding Squid security sent by Philipe Gaspar.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed rootkit links thanks to Philipe Gaspar.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.44"></a>1.6.44 Version 1.94</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some notes regarding Apache and Lpr/lpng.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some information regarding noexec and read-only partitions.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Rewrote how users can help in Debian security issues (FAQ item).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.45"></a>1.6.45 Version 1.93</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed location of mail program.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some new items to the FAQ.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.46"></a>1.6.46 Version 1.92</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a small section on how Debian handles security.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Clarified MD5 passwords (thanks to `rocky').
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some more information regarding harden-X from Stephen van Egmond.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some new items to the FAQ.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.47"></a>1.6.47 Version 1.91</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some forensics information sent by Yotam Rubin.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information on how to build a honeynet using Debian GNU/Linux.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some more TODOs.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed more typos (thanks Yotam!).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.48"></a>1.6.48 Version 1.9</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added patch to fix misspellings and some new information (contributed by Yotam
|
||
Rubin).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added references to other online (and offline) documentation both in a section
|
||
(see <a href="ch2.en.html#s-references">Be aware of general security problems,
|
||
Section 2.2</a>) by itself and inline in some sections.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some information on configuring Bind options to restrict access to the
|
||
DNS server.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information on how to automatically harden a Debian system (regarding the
|
||
harden package and bastille).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Removed some done TODOs and added some new ones.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.49"></a>1.6.49 Version 1.8</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added the default user/group list provided by Joey Hess to the debian-security
|
||
mailing list.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information on LKM root-kits (<a href="ch10.en.html#s-LKM">Loadable
|
||
Kernel Modules (LKM), Section 10.4.1</a>) contributed by Philipe Gaspar.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information on Proftp contributed by Emmanuel Lacour.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Recovered the checklist Appendix from Era Eriksson.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some new TODO items and removed other fixed ones.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Manually included Era's patches since they were not all included in the
|
||
previous version.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.50"></a>1.6.50 Version 1.7</h3>
|
||
|
||
<p>
|
||
Changes by Era Eriksson.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Typo fixes and wording changes.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Minor changes to tags in order to keep on removing the tt tags and substitute
|
||
prgn/package tags for them.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.51"></a>1.6.51 Version 1.6</h3>
|
||
|
||
<p>
|
||
Changes by Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added pointer to document as published in the DDP (should supersede the
|
||
original in the near future).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Started a mini-FAQ (should be expanded) with some questions recovered from my
|
||
mailbox.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added general information to consider while securing.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a paragraph regarding local (incoming) mail delivery.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some pointers to more information.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added information regarding the printing service.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a security hardening checklist.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Reorganized NIS and RPC information.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added some notes taken while reading this document on my new Visor :).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed some badly formatted lines.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Fixed some typos.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a Genius/Paranoia idea contributed by Gaby Schilders.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.52"></a>1.6.52 Version 1.5</h3>
|
||
|
||
<p>
|
||
Changes by Josip Rodin and Javier Fernández-Sanguino Peña.
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added paragraphs related to BIND and some FIXMEs.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.53"></a>1.6.53 Version 1.4</h3>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Small setuid check paragraph
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Various minor cleanups.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Found out how to use <samp>sgml2txt -f</samp> for the txt version.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.54"></a>1.6.54 Version 1.3</h3>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a security update after installation paragraph.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Added a proftpd paragraph.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
This time really wrote something about XDM, sorry for last time.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.55"></a>1.6.55 Version 1.2</h3>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Lots of grammar corrections by James Treacy, new XDM paragraph.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.56"></a>1.6.56 Version 1.1</h3>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Typo fixes, miscellaneous additions.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="s1.6.57"></a>1.6.57 Version 1.0</h3>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Initial release.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<hr>
|
||
|
||
<h2><a name="s-credits"></a>1.7 Credits and thanks!</h2>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Alexander Reelsen wrote the original document.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Javier Fernández-Sanguino added more info to the original doc.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Robert van der Meulen provided the quota paragraphs and many good ideas.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Ethan Benson corrected the PAM paragraph and had some good ideas.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Dariusz Puchalak contributed some information to several chapters.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Gaby Schilders contributed a nice Genius/Paranoia idea.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Era Eriksson smoothed out the language in a lot of places and contributed the
|
||
checklist appendix.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Philipe Gaspar wrote the LKM information.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Yotam Rubin contributed fixes for many typos as well as information regarding
|
||
bind versions and MD5 passwords.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Francois Bayart provided the appendix describing how to set up a bridge
|
||
firewall.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Joey Hess wrote the section describing how Secure Apt works on the <code><a
|
||
href="http://wiki.debian.org/SecureApt">Debian Wiki</a></code>.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Martin F. Krafft wrote some information on his blog regarding fingerprint
|
||
verification which was also reused for the Secure Apt section.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Francesco Poli did an extensive review of the manual and provided quite a lot
|
||
of bug reports and typo fixes which improved and helped update the document.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
All the people who made suggestions for improvements that (eventually) were
|
||
included here (see <a href="#s-changelog">Changelog/History, Section 1.6</a>).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
(Alexander) All the folks who encouraged me to write this HOWTO (which was
|
||
later turned into a manual).
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
The whole Debian project.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
|
||
<hr>
|
||
|
||
<p>
|
||
Securing Debian Manual
|
||
</p>
|
||
|
||
<address>
|
||
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
|
||
<br>
|
||
Javier Fernández-Sanguino Peña <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
|
||
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
|
||
<br>
|
||
</address>
|
||
<hr>
|
||
|
||
</body>
|
||
|
||
</html>
|
||
|