old-www/LDP/www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Securing Debian Manual - Before and during the installation</title>
<link href="index.en.html" rel="start">
<link href="ch2.en.html" rel="prev">
<link href="ch4.en.html" rel="next">
<link href="index.en.html#contents" rel="contents">
<link href="index.en.html#copyright" rel="copyright">
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
<link href="ch4.en.html" rel="chapter" title="4 After installation">
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas &mdash; what you could do">
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (February 2008)">
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users' access">
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricting access to file transfer only">
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is <code>identd</code> (port 113) for?">
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does &quot;local (remote)&quot; mean?">
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
</head>
<body>
<p><a name="ch3"></a></p>
<hr>
<h1>
Securing Debian Manual
<br>Chapter 3 - Before and during the installation
</h1>
<hr>
<h2><a name="s-bios-passwd"></a>3.1 Choose a BIOS password</h2>
<p>
Before you install any operating system on your computer, set up a BIOS
password. After installation (once you have enabled bootup from the hard disk)
you should go back to the BIOS and change the boot sequence to disable booting
from floppy, CD-ROM and other devices that shouldn't boot. Otherwise a cracker
only needs physical access and a boot disk to access your entire system.
</p>
<p>
Disabling booting unless a password is supplied is even better. This can be
very effective if you run a server, because it is not rebooted very often. The
downside to this tactic is that rebooting requires human intervention which can
cause problems if the machine is not easily accessible.
</p>
<p>
Note: many BIOSes have well known default master passwords, and applications
also exist to retrieve the passwords from the BIOS. Corollary: don't depend on
this measure to secure console access to the system.
</p>
<hr>
<h2><a name="s3.2"></a>3.2 Partitioning the system</h2>
<hr>
<h3><a name="s3.2.1"></a>3.2.1 Choose an intelligent partition scheme</h3>
<p>
An intelligent partition scheme depends on how the machine is used. A good
rule of thumb is to be fairly liberal with your partitions and to pay attention
to the following factors:
</p>
<ul>
<li>
<p>
Any directory tree which a user has write permissions to, such as
<code>/home</code>, <code>/tmp</code> and <code>/var/tmp/</code>, should be on
a separate partition. This reduces the risk of a user DoS by filling up your
&quot;/&quot; mount point and rendering the system unusable (Note: this is not
strictly true, since there is always some space reserved for root which a
normal user cannot fill), and it also prevents hardlink attacks. [<a
href="footnotes.en.html#f2" name="fr2">2</a>]
</p>
</li>
</ul>
<ul>
<li>
<p>
Any partition which can fluctuate, e.g. <code>/var</code> (especially
<code>/var/log</code>) should also be on a separate partition. On a Debian
system, you should create <code>/var</code> a little bit bigger than on other
systems, because downloaded packages (the apt cache) are stored in
<code>/var/cache/apt/archives</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
Any partition where you want to install non-distribution software should be on
a separate partition. According to the File Hierarchy Standard, this is
<code>/opt</code> or <code>/usr/local</code>. If these are separate
partitions, they will not be erased if you (have to) reinstall Debian itself.
</p>
</li>
</ul>
<ul>
<li>
<p>
From a security point of view, it makes sense to try to move static data to its
own partition, and then mount that partition read-only. Better yet, put the
data on read-only media. See below for more details.
</p>
</li>
</ul>
<p>
In the case of a mail server it is important to have a separate partition for
the mail spool. Remote users (either knowingly or unknowingly) can fill the
mail spool (<code>/var/mail</code> and/or <code>/var/spool/mail</code>). If
the spool is on a separate partition, this situation will not render the system
unusable. Otherwise (if the spool directory is on the same partition as
<code>/var</code>) the system might have important problems: log entries will
not be created, packages cannot be installed, and some programs might even have
problems starting up (if they use <code>/var/run</code>).
</p>
<p>
Also, for partitions in which you cannot be sure of the needed space, consider
installing the Logical Volume Manager (<code>lvm-common</code> and the needed
binaries for your kernel, which might be either <code>lvm10</code>,
<code>lvm6</code>, or <code>lvm5</code>). Using <samp>lvm</samp>, you can
create volume groups that span multiple physical volumes.
</p>
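<p>
To check an installed system against the rules above, the following added
example (not part of the manual) reads a mount table in the
<code>/proc/mounts</code> layout and prints the directories named in this
section that still share a file system with &quot;/&quot;. The function names
and the sample mount table are constructed for illustration.
</p>

```shell
#!/bin/sh
# Added example, not part of the manual. Input uses the /proc/mounts layout:
#   device mountpoint fstype options dump pass

# mount_point_of PATH MOUNTS_FILE
# Print the longest mount point in MOUNTS_FILE that contains PATH.
mount_point_of() {
    path=$1 best=
    while read -r _dev mp _rest; do
        [ -n "$mp" ] || continue
        case "$mp" in
            /) match=yes ;;
            *) case "$path/" in "$mp"/*) match=yes ;; *) match=no ;; esac ;;
        esac
        if [ "$match" = yes ] && [ "${#mp}" -gt "${#best}" ]; then
            best=$mp
        fi
    done < "$2"
    printf '%s\n' "$best"
}

# shared_with_root MOUNTS_FILE [DIR...]
# Print every DIR that lives on the same file system as "/".
# Without DIR arguments, the directories named in this section are checked.
shared_with_root() {
    mounts=$1; shift
    [ $# -gt 0 ] || set -- /home /tmp /var/tmp /var /opt /usr/local
    for dir in "$@"; do
        [ "$(mount_point_of "$dir" "$mounts")" = / ] && printf '%s\n' "$dir"
    done
    return 0
}

# Run the check on a constructed mount table: only /var and /home are separate.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
/dev/hda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda5 /var ext3 rw 0 0
/dev/hda6 /home ext3 rw 0 0
EOF
    shared_with_root "$tmp"
    rm -f "$tmp"
}

demo
```

<p>
On a live system, call <code>shared_with_root /proc/mounts</code>; any directory
it prints can be filled by its users at the expense of the root file system.
</p>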
<hr>
<h4><a name="s3.2.1.1"></a>3.2.1.1 Selecting the appropriate file systems</h4>
<p>
During the system partitioning you also have to decide which file system you
want to use. The default file system[<a href="footnotes.en.html#f3"
name="fr3">3</a>] selected in the Debian installation for Linux partitions is
<samp>ext3</samp>, a journaling file system. It is recommended that you always
use a journaling file system, such as <samp>ext3</samp>, <samp>reiserfs</samp>,
<samp>jfs</samp> or <samp>xfs</samp>, to minimize the problems derived from a
system crash in the following cases:
</p>
<ul>
<li>
<p>
on laptops, for all the file systems installed. That way, if you run out of
battery unexpectedly or the system freezes due to a hardware issue (such as X
configuration, which is somewhat common), you will be less likely to lose data
during a hardware reboot.
</p>
</li>
</ul>
<ul>
<li>
<p>
on production systems which store large amounts of data (like mail servers,
ftp servers, network file systems...), for the partitions holding that data.
That way, in the event of a system crash, the server will take less time to
recover and check the file systems, and data loss will be less likely.
</p>
</li>
</ul>
<p>
Leaving aside the performance issues regarding journalling file systems (since
this can sometimes turn into a religious war), it is usually better to use the
<samp>ext3</samp> file system. The reason for this is that it is backwards
compatible with <samp>ext2</samp>, so if there are any issues with the
journalling you can disable it and still have a working file system. Also, if
you need to recover the system with a bootdisk (or CD-ROM) you do not need a
custom kernel. If the kernel is 2.4 or 2.6, <samp>ext3</samp> support is
already available; if it is a 2.2 kernel, you will be able to boot the file
system even if you lose journalling capabilities. If you are using other
journalling file systems you will find that you might not be able to recover
unless you have a 2.4 or 2.6 kernel with the needed modules built-in. If you
are stuck with a 2.2 kernel on the rescue disk, it might be even more difficult
to have it access <samp>reiserfs</samp> or <samp>xfs</samp>.
</p>
<p>
In any case, data integrity might be better under <samp>ext3</samp> since it
does file-data journalling while others do only meta-data journalling, see
<code><a
href="http://lwn.net/2001/0802/a/ext3-modes.php3">http://lwn.net/2001/0802/a/ext3-modes.php3</a></code>.
</p>
<p>
Notice, however, that there are some partitions that might not benefit from
using a journaling filesystem. For example, if you are using a separate
partition for <code>/tmp/</code> you might be better off using a standard
<samp>ext2</samp> filesystem as it will be cleaned up when the system boots.
</p>
<hr>
<h2><a name="s3.3"></a>3.3 Do not plug to the Internet until ready</h2>
<p>
The system should not be immediately connected to the Internet during
installation. This could sound stupid but network installation is a common
method. Since the system will install and activate services immediately, if
the system is connected to the Internet and the services are not properly
configured you are opening it to attack.
</p>
<p>
Also note that some services might have security vulnerabilities not fixed in
the packages you are using for installation. This is usually true if you are
installing from old media (like CD-ROMs). In this case, the system could even
be compromised before you finish installation!
</p>
<p>
Since Debian installation and upgrades can be done over the Internet you might
think it is a good idea to use this feature on installation. If the system is
going to be directly connected to the Internet (and not protected by a firewall
or NAT), it is best to install without connection to the Internet, using a
local packages mirror for both the Debian package sources and the security
updates. You can set up package mirrors by using another system connected to
the Internet with Debian-specific tools (if it's a Debian system) like
<code>apt-move</code> or <code>apt-proxy</code>, or other common mirroring
tools, to provide the archive to the installed system. If you cannot do this,
you can set up firewall rules to limit access to the system while doing the
update (see <a href="ap-fw-security-update.en.html">Security update protected
by a firewall, Appendix F</a>).
</p>
<hr>
<h2><a name="s3.4"></a>3.4 Set a root password</h2>
<p>
Setting a good root password is the most basic requirement for having a secure
system. See <code>passwd(1)</code> for some hints on how to create good
passwords. You can also use an automatic password generation program to do
this for you (see <a href="ch4.en.html#s-user-pwgen">Generating user passwords,
Section 4.10.13</a>).
</p>
<p>
Plenty of information on choosing good passwords can be found on the Internet;
two that provide a decent summary and rationale are Eric Wolfram's <code><a
href="http://wolfram.org/writing/howto/password.html">How to: Pick a Safe
Password</a></code> and Walter Belgers' <code><a
href="http://www.belgers.com/write/pwseceng.txt">Unix Password
Security</a></code>.
</p>
<hr>
<h2><a name="s3.5"></a>3.5 Activate shadow passwords and MD5 passwords</h2>
<p>
At the end of the installation, you will be asked if shadow passwords should be
enabled. Answer yes to this question, so passwords will be kept in the file
<code>/etc/shadow</code>. Only the root user and the group shadow have read
access to this file, so no users will be able to grab a copy of this file in
order to run a password cracker against it. You can switch between shadow
passwords and normal passwords at any time by using <samp>shadowconfig</samp>.
</p>
<p>
Read more on shadow passwords in <code><a
href="http://www.tldp.org/HOWTO/Shadow-Password-HOWTO.html">Shadow
Password</a></code>
(<code>/usr/share/doc/HOWTO/en-txt/Shadow-Password.txt.gz</code>).
</p>
<p>
Furthermore, the installation uses MD5 hashed passwords by default. This is
generally a very good idea since it allows longer passwords and better
encryption. MD5 allows for passwords longer than 8 characters. This, if used
wisely, can make it more difficult for attackers to brute-force the system's
passwords. Regarding MD5 passwords, this is the default option when installing
the latest <code>passwd</code> package. You can recognize MD5 passwords in the
<code>/etc/shadow</code> file by their $1$ prefix.
</p>
<p>
This, as a matter of fact, modifies all files under <code>/etc/pam.d</code> by
substituting the password line so that it includes md5:
</p>
<pre>
password required pam_unix.so md5 nullok obscure min=6 max=16
</pre>
<p>
If <samp>max</samp> is not set over 8 the change will not be useful at all.
For more information on this read <a href="ch4.en.html#s-auth-pam">User
authentication: PAM, Section 4.10.1</a>.
</p>
<p>
Note: the default configuration in Debian, even when activating MD5 passwords,
does not modify the previously set <samp>max</samp> value.
</p>
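<p>
The two checks described in this section (the <samp>$1$</samp> prefix in
<code>/etc/shadow</code> and a <samp>max</samp> value over 8 on the PAM
password line) can be automated. This is an added example, not part of the
manual; the function names, status words and sample entries are constructed,
and a missing <samp>max</samp> is treated here as &quot;not over 8&quot;.
</p>

```shell
#!/bin/sh
# Added example, not part of the manual.

# hash_scheme FIELD
# Classify the password field (second field) of an /etc/shadow line.
hash_scheme() {
    case "$1" in
        '')               echo empty ;;   # no password set
        '!'*|'*'*)        echo locked ;;  # password login disabled
        '$1$'*)           echo md5 ;;     # the prefix described in this section
        *[!./0-9A-Za-z]*) echo other ;;
        *)  # 13 characters of [./0-9A-Za-z]: traditional crypt(3), which
            # only takes the first 8 characters of the password into account
            if [ "${#1}" -eq 13 ]; then echo des; else echo other; fi ;;
    esac
}

# non_md5_accounts SHADOW_FILE
# Print "user:scheme" for every account with a usable, non-MD5 password field.
non_md5_accounts() {
    while IFS=: read -r user hash _rest; do
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            md5|locked) ;;
            *) printf '%s:%s\n' "$user" "$scheme" ;;
        esac
    done < "$1"
}

# pam_md5_status LINE
# Check one "password" line from /etc/pam.d: prints ok, no-md5 or
# max-not-over-8 (assumption of this example: an unset max counts as not over 8).
pam_md5_status() {
    md5=no max=
    set -f                      # no file name expansion while splitting
    for tok in $1; do
        case "$tok" in
            md5)   md5=yes ;;
            max=*) max=${tok#max=} ;;
        esac
    done
    set +f
    [ "$md5" = yes ] || { echo no-md5; return 0; }
    case "$max" in
        ''|*[!0-9]*) echo max-not-over-8 ;;
        *) if [ "$max" -gt 8 ]; then echo ok; else echo max-not-over-8; fi ;;
    esac
}

# Constructed shadow entries; the hash strings are placeholders, not real hashes.
demo_shadow() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:$1$CONSTRUC$tedSampleHashNotReal00:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
alice:abJnggxhB/yWI:13000:0:99999:7:::
guest::13000:0:99999:7:::
EOF
    non_md5_accounts "$tmp"
    rm -f "$tmp"
}

demo_shadow
pam_md5_status 'password required pam_unix.so md5 nullok obscure min=6 max=16'
```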
<hr>
<h2><a name="s3.6"></a>3.6 Run the minimum number of services required</h2>
<p>
Services are programs such as ftp servers and web servers. Since they have to
be <em>listening</em> for incoming connections that request the service,
external computers can connect to yours. Services are sometimes vulnerable
(i.e. can be compromised under a given attack) and hence present a security
risk.
</p>
<p>
You should not install services which are not needed on your machine. Every
installed service might introduce new, perhaps not obvious (or known), security
holes on your computer.
</p>
<p>
As you may already know, when you install a given service the default behavior
is to activate it. In a default Debian installation, with no services
installed, the number of running services is quite low and the number of
network-oriented services is even lower. In a default Debian 3.1 standard
installation you will end up with OpenSSH, Exim (depending on how you
configured it) and the RPC portmapper available as network services[<a
href="footnotes.en.html#f4" name="fr4">4</a>]. If you did not go through a
standard installation but selected an expert installation you can end up with
no active network services. The RPC portmapper is installed by default because
it is needed for many services, for example NFS, to run on a given system.
However, it can be easily removed, see <a
href="ch-sec-services.en.html#s-rpc">Securing RPC services, Section 5.13</a>
for more information on how to secure or disable RPC services.
</p>
<p>
When you install a new network-related service (daemon) in your Debian
GNU/Linux system it can be enabled in two ways: through the <code>inetd</code>
superdaemon (i.e. a line will be added to <code>/etc/inetd.conf</code>) or
through a standalone program that binds itself to your network interfaces.
Standalone programs are controlled through the <code>/etc/init.d</code> files,
which are called at boot time through the SysV mechanism (or an alternative
one) by using symlinks in <code>/etc/rc?.d/*</code> (for more information on
how this is done read
<code>/usr/share/doc/sysvinit/README.runlevels.gz</code>).
</p>
<p>
If you want to keep some services but use them rarely, use the
<code>update-*</code> commands, e.g. <code>update-inetd</code> and
<code>update-rc.d</code> to remove them from the startup process. For more
information on how to disable network services read <a
href="#s-disableserv">Disabling daemon services, Section 3.6.1</a>. If you
want to change the default behaviour of starting up services on installation of
their associated packages[<a href="footnotes.en.html#f5" name="fr5">5</a>] use
<code>policy-rc.d</code>; please read
<code>/usr/share/doc/sysv-rc/README.policy-rc.d.gz</code> for more information.
</p>
<p>
<code>invoke-rc.d</code> support is mandatory in Debian, which means that for
Debian 4.0 <em>etch</em> and later releases you can write a policy-rc.d file
that forbids starting new daemons before you configure them. Although no such
scripts are packaged yet, they are quite simple to write. See
<code>policyrcd-script-zg2</code>.
</p>
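<p>
One way to write such a file, as an added example that is not part of the
manual or of any Debian package: it forbids every start-type action for a
daemon until the administrator lists its init script name in an allow file. The
path <code>/etc/policy-rc.d.allow</code> is an assumption of this example; the
exit codes follow <code>README.policy-rc.d</code>.
</p>

```shell
#!/bin/sh
# Added example, not part of the manual. Install as /usr/sbin/policy-rc.d
# (executable). invoke-rc.d calls it as:
#   policy-rc.d [options] <initscript ID> <actions> [<runlevel>]
# Exit codes used: 0 allowed, 1 unknown action, 101 forbidden by policy,
# 103 syntax error. "--list" queries are not implemented here.

# Hypothetical allow file: one init script name per line, '#' starts a comment.
ALLOW_FILE="${ALLOW_FILE:-/etc/policy-rc.d.allow}"

# is_allowed ID: succeed if ID is listed in ALLOW_FILE.
is_allowed() {
    [ -r "$ALLOW_FILE" ] || return 1
    grep -v '^[[:space:]]*#' "$ALLOW_FILE" | grep -Fqx -- "$1"
}

# policy_decide [options] ID ACTIONS [RUNLEVEL]
# Return the policy-rc.d exit code for the request.
policy_decide() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --*) shift ;;       # --quiet and friends carry no policy meaning here
            *)   break ;;
        esac
    done
    [ $# -ge 2 ] || return 103
    id=$1 actions=$2
    for action in $actions; do
        case "$action" in
            stop|force-stop|status)
                ;;              # stopping or querying a daemon is always fine
            start|restart|try-restart|reload|force-reload)
                is_allowed "$id" || return 101 ;;
            *)
                return 1 ;;
        esac
    done
    return 0
}

# Act as the policy layer only when installed under the expected name, so the
# file can also be sourced or run under another name for testing.
case "${0##*/}" in
    policy-rc.d) policy_decide "$@"; exit $? ;;
esac
```

<p>
With this in place, a freshly installed daemon stays stopped until you have
reviewed its configuration and added its init script name to the allow file.
</p>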
<hr>
<h3><a name="s-disableserv"></a>3.6.1 Disabling daemon services</h3>
<p>
Disabling a daemon service is quite simple. You either remove the package
providing the program for that service or you remove or rename the startup
links under <code>/etc/rc${runlevel}.d/</code>. If you rename them make sure
they do not begin with 'S' so that they don't get started by
<code>/etc/init.d/rc</code>. Do not remove all the available links, or the
package management system will regenerate them on package upgrades; make sure
you leave at least one link (typically a 'K', i.e. kill, link). For more
information read the <code><a
href="http://www.debian.org/doc/manuals/reference/ch-system.en.html#s-custombootscripts">Customizing
runlevels</a></code> section of the Debian Reference (Chapter 2 - Debian
fundamentals).
</p>
<p>
You can remove these links manually or using <samp>update-rc.d</samp> (see
<code>update-rc.d(8)</code>). For example, you can disable a service from
executing in the multi-user runlevels by doing:
</p>
<pre>
# update-rc.d <var>name</var> stop <var>XX</var> 2 3 4 5 .
</pre>
<p>
Where <em>XX</em> is a number that determines when the stop action for that
service will be executed. Please note that, if you are <em>not</em> using
<code>file-rc</code>, <samp>update-rc.d -f <var>service</var> remove</samp>
will not work properly: since <em>all</em> links are removed, these links will
be re-generated upon re-installation or upgrade of the package (probably not
what you wanted). If you think this is not intuitive you are
probably right (see <code><a href="http://bugs.debian.org/67095">Bug
67095</a></code>). From the manpage:
</p>
<pre>
If any files /etc/rc<var>runlevel</var>.d/[SK]??name already exist then
update-rc.d does nothing. This is so that the system administrator
can rearrange the links, provided that they leave at least one
link remaining, without having their configuration overwritten.
</pre>
<p>
If you are using <code>file-rc</code> all the information regarding services
bootup is handled by a common configuration file and is maintained even if
packages are removed from the system.
</p>
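<p>
The difference between a service that is disabled and one whose links will
come back on the next upgrade can be checked from the link names alone. The
following added example (not part of the manual) applies the rule quoted from
the manpage to System V style links; the function names, status words and the
sample link tree are constructed.
</p>

```shell
#!/bin/sh
# Added example, not part of the manual. Applies to System V style links
# (/etc/rc?.d/[SK]NNname), not to file-rc.

# rc_link_state RC_ROOT NAME
# RC_ROOT is the directory holding rc0.d ... rc6.d (normally /etc).
# Prints one of:
#   enabled   an S link exists in a multi-user runlevel (2-5)
#   disabled  no S link in 2-5, but at least one link remains
#   no-links  nothing is left, so update-rc.d will recreate the package
#             defaults on the next upgrade or re-installation
rc_link_state() {
    root=$1 name=$2 total=0 started=no
    for link in "$root"/rc[0-6].d/[SK]??"$name"; do
        [ -e "$link" ] || [ -L "$link" ] || continue    # pattern did not match
        total=$((total + 1))
        case "$link" in
            "$root"/rc[2-5].d/S*) started=yes ;;
        esac
    done
    if [ "$started" = yes ]; then
        echo enabled
    elif [ "$total" -gt 0 ]; then
        echo disabled
    else
        echo no-links
    fi
}

# enabled_services RC_ROOT
# Print the name of every service started in runlevels 2-5, one per line.
enabled_services() {
    for link in "$1"/rc[2-5].d/S??*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        base=${link##*/}
        printf '%s\n' "${base#S??}"
    done | sort -u
}

# Constructed link tree: ssh is started, nfs-common keeps a single K link,
# portmap has had all of its links removed.
demo() {
    t=$(mktemp -d)
    mkdir "$t/rc0.d" "$t/rc2.d" "$t/rc6.d"
    ln -s ../init.d/ssh "$t/rc2.d/S20ssh"
    ln -s ../init.d/ssh "$t/rc0.d/K20ssh"
    ln -s ../init.d/nfs-common "$t/rc2.d/K79nfs-common"
    for svc in ssh nfs-common portmap; do
        printf '%s: %s\n' "$svc" "$(rc_link_state "$t" "$svc")"
    done
    rm -rf "$t"
}

demo
```

<p>
On a live system, <code>enabled_services /etc</code> gives the list to review,
and a <samp>no-links</samp> result for a service you meant to disable means the
change will not survive an upgrade.
</p>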
<p>
You can use the TUI (Text User Interface) provided by <code>sysv-rc-conf</code>
to do all these changes easily (<code>sysv-rc-conf</code> works both for
<code>file-rc</code> and normal System V runlevels). You will also find
similar GUIs for desktop systems. You can also use the command line interface
of <code>sysv-rc-conf</code>:
</p>
<pre>
# sysv-rc-conf foobar off
</pre>
<p>
The advantage of using this utility is that the rc.d links are returned to the
status they had before the 'off' call if you re-enable the service with:
</p>
<pre>
# sysv-rc-conf foobar on
</pre>
<p>
Other (less recommended) methods of disabling services are:
</p>
<ul>
<li>
<p>
Removing the <code>/etc/init.d/<var>service_name</var></code> script and
removing the startup links using:
</p>
<pre>
# update-rc.d <var>name</var> remove
</pre>
</li>
</ul>
<ul>
<li>
<p>
Move the script file (<code>/etc/init.d/<var>service_name</var></code>) to
another name (for example
<code>/etc/init.d/OFF.<var>service_name</var></code>). This will leave
dangling symlinks under <code>/etc/rc${runlevel}.d/</code> and will generate
error messages when booting up the system.
</p>
</li>
</ul>
<ul>
<li>
<p>
Remove the execute permission from the
<code>/etc/init.d/<var>service_name</var></code> file. That will also generate
error messages when booting.
</p>
</li>
</ul>
<ul>
<li>
<p>
Edit the <code>/etc/init.d/<var>service_name</var></code> script to have it
stop immediately once it is executed (by adding an <code>exit 0</code> line at
the beginning or commenting out the <samp>start-stop-daemon</samp> part in it).
If you do this, you will not be able to use the script to startup the service
manually later on.
</p>
</li>
</ul>
<p>
Nevertheless, the files under <code>/etc/init.d</code> are configuration files
and should not get overwritten due to package upgrades if you have made local
changes to them.
</p>
<p>
Unlike other (UNIX) operating systems, services in Debian cannot be disabled by
modifying files in <code>/etc/default/<var>service_name</var></code>.
</p>
<p>
FIXME: Add more information on handling daemons using <code>file-rc</code>.
</p>
<hr>
<h3><a name="s-inetd"></a>3.6.2 Disabling <code>inetd</code> or its services</h3>
<p>
You should check if you really need the <code>inetd</code> daemon nowadays.
Inetd was always a way to compensate for kernel deficiencies, but those have
been taken care of in modern Linux kernels. Denial of Service possibilities
exist against <code>inetd</code> (which can increase the machine's load
tremendously), and many people always preferred using stand-alone daemons
instead of calling services via <code>inetd</code>. If you still want to run
some kind of <code>inetd</code> service, then at least switch to a more
configurable Inet daemon like <code>xinetd</code>, <code>rlinetd</code> or
<code>openbsd-inetd</code>.
</p>
<p>
You should stop all unneeded Inetd services on your system, like
<code>echo</code>, <code>chargen</code>, <code>discard</code>,
<code>daytime</code>, <code>time</code>, <code>talk</code>, <code>ntalk</code>
and r-services (<code>rsh</code>, <code>rlogin</code> and <code>rcp</code>)
which are considered HIGHLY insecure (use <code>ssh</code> instead).
</p>
<p>
You can disable services by editing <code>/etc/inetd.conf</code> directly, but
Debian provides a better alternative: <samp>update-inetd</samp> (which comments
out the services in a way that they can easily be turned on again). You could
remove the <code>telnet</code> daemon by executing this command, which changes
the config file and restarts the daemon (in this case the <code>telnet</code>
service is disabled):
</p>
<pre>
/usr/sbin/update-inetd --disable telnet
</pre>
<p>
If you do want services listening, but do not want to have them listen on all
IP addresses of your host, you might want to use an undocumented feature of
<code>inetd</code> (replace service name with service@ip syntax) or use an
alternative <code>inetd</code> daemon like <code>xinetd</code>.
</p>
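<p>
To find the services listed above that are still enabled, the following added
example (not part of the manual) scans a file in <code>/etc/inetd.conf</code>
format. The function names and the sample file are constructed; the r-services
appear under their inetd service names <samp>shell</samp> (rsh, rcp) and
<samp>login</samp> (rlogin).
</p>

```shell
#!/bin/sh
# Added example, not part of the manual.
# inetd.conf fields: service socket-type protocol wait-flag user server args

# Services this section names as unneeded. rsh and rcp use the inetd service
# "shell", rlogin uses "login".
UNNEEDED="echo chargen discard daytime time talk ntalk shell login"

# enabled_inetd_services FILE
# Print the service name of every active (uncommented) line.
enabled_inetd_services() {
    while read -r svc _rest; do
        case "$svc" in ''|'#'*) continue ;; esac   # blank, comment or disabled
        printf '%s\n' "${svc%%@*}"                 # drop the @ip part, if any
    done < "$1"
}

# flagged_inetd_services FILE
# Print "service/protocol" for every active line whose service is in UNNEEDED.
flagged_inetd_services() {
    while read -r svc _type proto _rest; do
        case "$svc" in ''|'#'*) continue ;; esac
        svc=${svc%%@*}
        case " $UNNEEDED " in
            *" $svc "*) printf '%s/%s\n' "$svc" "$proto" ;;
        esac
    done < "$1"
}

# Constructed sample file. The "#<off>#" prefix is how update-inetd marks a
# service it has disabled.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# /etc/inetd.conf (constructed sample)
#<off># telnet  stream  tcp  nowait  telnetd.telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
echo     stream  tcp  nowait  root    internal
daytime  dgram   udp  wait    root    internal
shell    stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
ident    stream  tcp  wait    identd  /usr/sbin/identd  identd
EOF
    flagged_inetd_services "$tmp"
    rm -f "$tmp"
}

demo
```

<p>
If <code>enabled_inetd_services /etc/inetd.conf</code> prints nothing once the
flagged entries are disabled, <code>inetd</code> itself is no longer needed on
that host.
</p>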
<hr>
<h2><a name="s3.7"></a>3.7 Install the minimum amount of software required</h2>
<p>
Debian comes with <em>a lot</em> of software, for example the Debian 3.0
<em>woody</em> release includes 6 or 7 (depending on architecture) CD-ROMs of
software and thousands of packages, and the Debian 3.1 <em>sarge</em> release
ships with around 13 CD-ROMs of software. With so much software, and even if
the base system installation is quite reduced [<a href="footnotes.en.html#f6"
name="fr6">6</a>] you might get carried away and install more than is really
needed for your system.
</p>
<p>
Since you already know what the system is for (don't you?) you should only
install software that is really needed for it to work. Any unnecessary tool
that is installed might be used by a user that wants to compromise the system
or by an external intruder that has gotten shell access (or remote code
execution through an exploitable service).
</p>
<p>
The presence, for example, of development utilities (a C compiler) or
interpreted languages (such as <code>perl</code> - but see below -,
<code>python</code>, <code>tcl</code>...) may help an attacker compromise the
system even further:
</p>
<ul>
<li>
<p>
allowing him to do privilege escalation. It's easier, for example, to run
local exploits in the system if there is a debugger and compiler ready to
compile and test them!
</p>
</li>
</ul>
<ul>
<li>
<p>
providing tools that could help the attacker to use the compromised system as a
<em>base of attack</em> against other systems. [<a href="footnotes.en.html#f7"
name="fr7">7</a>]
</p>
</li>
</ul>
<p>
Of course, an intruder with local shell access can download his own set of
tools and execute them, and even the shell itself can be used to make complex
programs. Removing unnecessary software will not help <em>prevent</em> the
problem but will make it slightly more difficult for an attacker to proceed
(and some might give up in this situation looking for easier targets). So, if
you leave tools in a production system that could be used to remotely attack
systems (see <a href="ch-sec-tools.en.html#s-vuln-asses">Remote vulnerability
assessment tools, Section 8.1</a>) you can expect an intruder to use them too
if available.
</p>
<p>
Please notice that a default installation of Debian <em>sarge</em> (i.e. an
installation where no individual packages are selected) will install a number
of development packages that are not usually needed. This is because some
development packages are of <em>Standard</em> priority. If you are not going
to do any development you can safely remove the following packages from your
system, which will also help free up some space:
</p>
<pre>
Package                       Size
------------------------+---------
gdb                      2,766,822
gcc-3.3                  1,570,284
dpkg-dev                   166,800
libc6-dev                2,531,564
cpp-3.3                  1,391,346
manpages-dev             1,081,408
flex                       257,678
g++                          1,384 (Note: virtual package)
linux-kernel-headers     1,377,022
bin86                       82,090
cpp                         29,446
gcc                          4,896 (Note: virtual package)
g++-3.3                  1,778,880
bison                      702,830
make                       366,138
libstdc++5-3.3-dev         774,982
</pre>
<p>
This is something that is fixed in releases post-sarge, see <code><a
href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301273">Bug
#301273</a></code> and <code><a
href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301138">Bug
#301138</a></code>. Due to a bug in the installation system this did not
happen when installing with the installation system of the Debian 3.0
<em>woody</em> release.
</p>
<hr>
<h3><a name="s3.7.1"></a>3.7.1 Removing Perl</h3>
<p>
You must take into account that removing <code>perl</code> might not be too
easy (as a matter of fact it can be quite difficult) in a Debian system since
it is used by many system utilities. Also, the <code>perl-base</code> package
is <em>Priority: required</em> (that about says it all). It's still doable, but
you will not be able to run any <code>perl</code> application in the system;
you will also have to fool the package management system into thinking that
<code>perl-base</code> is installed even if it's not. [<a
href="footnotes.en.html#f8" name="fr8">8</a>]
</p>
<p>
Which utilities use <code>perl</code>? You can see for yourself:
</p>
<pre>
$ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f &quot;$i&quot; ] &amp;&amp;
  file &quot;$i&quot; | grep -qi perl &amp;&amp; echo &quot;$i&quot;; done
</pre>
<p>
These include the following utilities in packages with priority
<em>required</em> or <em>important</em>:
</p>
<ul>
<li>
<p>
<code>/usr/bin/chkdupexe</code> of package <code>util-linux</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/bin/replay</code> of package <code>bsdutils</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/cleanup-info</code> of package <code>dpkg</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/dpkg-divert</code> of package <code>dpkg</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/dpkg-statoverride</code> of package <code>dpkg</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/install-info</code> of package <code>dpkg</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/update-alternatives</code> of package <code>dpkg</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/update-rc.d</code> of package <code>sysvinit</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/bin/grog</code> of package <code>groff-base</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/adduser</code> of package <code>adduser</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/debconf-show</code> of package <code>debconf</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/deluser</code> of package <code>adduser</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/dpkg-preconfigure</code> of package <code>debconf</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/dpkg-reconfigure</code> of package <code>debconf</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/exigrep</code> of package <code>exim</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/eximconfig</code> of package <code>exim</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/eximstats</code> of package <code>exim</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/exim-upgrade-to-r3</code> of package <code>exim</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/exiqsumm</code> of package <code>exim</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/keytab-lilo</code> of package <code>lilo</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/liloconfig</code> of package <code>lilo</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/lilo_find_mbr</code> of package <code>lilo</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/syslogd-listfiles</code> of package <code>sysklogd</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/syslog-facility</code> of package <code>sysklogd</code>.
</p>
</li>
</ul>
<ul>
<li>
<p>
<code>/usr/sbin/update-inetd</code> of package <code>netbase</code>.
</p>
</li>
</ul>
<p>
So, without Perl, and unless you remake these utilities in shell script, you
will probably not be able to manage any packages (so you will not be able to
upgrade the system, which is <em>not a Good Thing</em>).
</p>
<p>
If you are determined to remove Perl from the Debian base system, and you have
spare time, submit bug reports against the packages above including (as a
patch) replacements for the listed utilities written in shell script.
</p>
<p>
If you wish to check which Debian packages depend on Perl, you can use
</p>
<pre>
$ grep-available -s Package,Priority -F Depends perl
</pre>
<p>
or
</p>
<pre>
$ apt-cache rdepends perl
</pre>
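<p>
The two commands above list packages that <em>declare</em> a dependency on
Perl. As an added example (not part of the original manual), the following
script checks the installed files themselves, reporting every executable in the
given directories whose interpreter line invokes Perl, in the same form as the
list above. The function names are illustrative, and the owning package is
looked up with <code>dpkg -S</code> only when <code>dpkg</code> is available.
</p>

```shell
#!/bin/sh
# Added example: report scripts whose "#!" line invokes perl, plus the owning package.
# Function names are illustrative; dpkg -S is used only when dpkg is present.

# is_perl_script FILE: succeed if FILE's first line is a shebang that runs perl.
is_perl_script() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    # Only the first line matters; strip NULs and bound the length for binaries.
    first=$(LC_ALL=C head -n 1 "$1" 2>/dev/null | tr -d '\000' | cut -c1-128)
    # Accept /usr/bin/perl, "perl -w", versioned perl5.x and "env perl",
    # but not other tools whose name merely starts with "perl" (e.g. perldoc).
    printf '%s\n' "$first" | LC_ALL=C grep -Eq \
        '^#![[:space:]]*([^[:space:]]*/)?(env[[:space:]]+)?perl[0-9.]*([[:space:]]|$)'
}

# owner_of FILE: print the package that ships FILE, or "unknown".
owner_of() {
    pkg=
    if command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "package[:arch]: /path"; keep only the package name.
        pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    fi
    printf '%s\n' "${pkg:-unknown}"
}

# list_perl_scripts DIR...: one "<file> of package <pkg>" line per Perl script.
list_perl_scripts() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip directories that do not exist
        for f in "$dir"/*; do
            if is_perl_script "$f"; then
                printf '%s of package %s\n' "$f" "$(owner_of "$f")"
            fi
        done
    done
}

# Usage: sh this-script /usr/sbin /usr/bin
if [ "$#" -gt 0 ]; then
    list_perl_scripts "$@"
fi
```

<p>
Files that no package owns are reported as <code>unknown</code>; on a hardened
system these deserve a closer look, since they were not installed through the
package manager.
</p>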
<hr>
<h2><a name="s3.8"></a>3.8 Read the Debian security mailing lists</h2>
<p>
It is never wrong to take a look at either the debian-security-announce mailing
list, where advisories and fixes to released packages are announced by the
Debian security team, or at <code><a
href="mailto:debian-security@lists.debian.org">debian-security@lists.debian.org</a></code>,
where you can participate in discussions about things related to Debian
security.
</p>
<p>
In order to receive important security update alerts, send an email to <code><a
href="mailto:debian-security-announce-request@lists.debian.org">debian-security-announce-request@lists.debian.org</a></code>
with the word &quot;subscribe&quot; in the subject line. You can also
subscribe to this moderated email list via the web page at <code><a
href="http://www.debian.org/MailingLists/subscribe">http://www.debian.org/MailingLists/subscribe</a></code>.
</p>
<p>
This mailing list has very low volume, and by subscribing to it you will be
alerted immediately to security updates for the Debian distribution. This
allows you to quickly download new packages with security bug fixes, which is
very important in maintaining a secure system (see <a
href="ch4.en.html#s-security-update">Execute a security update, Section 4.2</a>
for details on how to do this).
</p>
<hr>
<p>
Securing Debian Manual
</p>
<address>
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
<br>
Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
<br>
</address>
<hr>
</body>
</html>