LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/www.debian.org/doc/manuals/securing-debian-howto/index.html

653 lines
48 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Securing Debian Manual</title>
<link href="index.en.html" rel="start">
<link href="ap-chroot-apache-env.en.html" rel="prev">
<link href="ch1.en.html" rel="next">
<link href="index.en.html#contents" rel="contents">
<link href="index.en.html#copyright" rel="copyright">
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
<link href="ch4.en.html" rel="chapter" title="4 After installation">
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas &mdash; what you could do">
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (Februrary 2008)">
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users's access">
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricing access to file transfer only">
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is <code>identd</code> (port 113) for?">
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does &quot;local (remote)&quot; mean?">
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
</head>
<body>
<p><a name="index"></a></p>
<hr>
<p>
[ <a href="ap-chroot-apache-env.en.html">previous</a> ]
[ <a href="#contents">Contents</a> ]
[ <a href="ch1.en.html">1</a> ]
[ <a href="ch2.en.html">2</a> ]
[ <a href="ch3.en.html">3</a> ]
[ <a href="ch4.en.html">4</a> ]
[ <a href="ch-sec-services.en.html">5</a> ]
[ <a href="ch-automatic-harden.en.html">6</a> ]
[ <a href="ch7.en.html">7</a> ]
[ <a href="ch-sec-tools.en.html">8</a> ]
[ <a href="ch9.en.html">9</a> ]
[ <a href="ch10.en.html">10</a> ]
[ <a href="ch-after-compromise.en.html">11</a> ]
[ <a href="ch12.en.html">12</a> ]
[ <a href="ap-harden-step.en.html">A</a> ]
[ <a href="ap-checklist.en.html">B</a> ]
[ <a href="ap-snort-box.en.html">C</a> ]
[ <a href="ap-bridge-fw.en.html">D</a> ]
[ <a href="ap-bind-chuser.en.html">E</a> ]
[ <a href="ap-fw-security-update.en.html">F</a> ]
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
[ <a href="ch1.en.html">next</a> ]
</p>
<hr>
<h1>
Securing Debian Manual
<br></h1>
<hr>
<h2><a name="abstract"></a>Abstract</h2>
<p>
This document describes security in the Debian project and in the Debian
operating system. Starting with the process of securing and hardening the
default Debian GNU/Linux distribution installation, it also covers some of the
common tasks to set up a secure network environment using Debian GNU/Linux,
gives additional information on the security tools available and talks about
how security is enforced in Debian by the security and audit team.
</p>
<hr>
<h2><a name="copyright"></a>Copyright Notice</h2>
<p>
Copyright &copy; 2002-2007 Javier Fern<72>ndez-Sanguino Pe<50>a
</p>
<p>
Copyright &copy; 2001 Alexander Reelsen, Javier Fern<72>ndez-Sanguino Pe<50>a
</p>
<p>
Copyright &copy; 2000 Alexander Reelsen
</p>
<p>
Some sections are copyright &copy; their respective authors, for details please
refer to <a href="ch1.en.html#s-credits">Credits and thanks!, Section 1.7</a>.
</p>
<p>
Permission is granted to copy, distribute and/or modify this document under the
terms of the <code><a
href="http://www.gnu.org/licenses/old-licenses/gpl-2.0.html">GNU General Public
License, Version 2</a></code> or any <code><a
href="http://www.gnu.org/copyleft/gpl.html">later version</a></code> published
by the Free Software Foundation. It is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY.
</p>
<p>
Permission is granted to make and distribute verbatim copies of this document
provided the copyright notice and this permission notice are preserved on all
copies.
</p>
<p>
Permission is granted to copy and distribute modified versions of this document
under the conditions for verbatim copying, provided that the entire resulting
derived work is distributed under the terms of a permission notice identical to
this one.
</p>
<p>
Permission is granted to copy and distribute translations of this document into
another language, under the above conditions for modified versions, except that
this permission notice may be included in translations approved by the Free
Software Foundation instead of in the original English.
</p>
<hr>
<h2><a name="contents"></a>Contents</h2>
<ul>
<li><a href="ch1.en.html">1 Introduction</a>
<ul>
<li><a href="ch1.en.html#s-authors">1.1 Authors</a></li>
<li><a href="ch1.en.html#s1.2">1.2 Where to get the manual (and available formats)</a></li>
<li><a href="ch1.en.html#s1.3">1.3 Organizational notes/feedback</a></li>
<li><a href="ch1.en.html#s1.4">1.4 Prior knowledge</a></li>
<li><a href="ch1.en.html#s1.5">1.5 Things that need to be written (FIXME/TODO)</a></li>
<li><a href="ch1.en.html#s-changelog">1.6 Changelog/History</a></li>
<li><a href="ch1.en.html#s-credits">1.7 Credits and thanks!</a>
</ul></li>
<li><a href="ch2.en.html">2 Before you begin</a>
<ul>
<li><a href="ch2.en.html#s2.1">2.1 What do you want this system for?</a></li>
<li><a href="ch2.en.html#s-references">2.2 Be aware of general security problems</a></li>
<li><a href="ch2.en.html#s2.3">2.3 How does Debian handle security?</a>
</ul></li>
<li><a href="ch3.en.html">3 Before and during the installation</a>
<ul>
<li><a href="ch3.en.html#s-bios-passwd">3.1 Choose a BIOS password</a></li>
<li><a href="ch3.en.html#s3.2">3.2 Partitioning the system</a></li>
<li><a href="ch3.en.html#s3.3">3.3 Do not plug to the Internet until ready</a></li>
<li><a href="ch3.en.html#s3.4">3.4 Set a root password</a></li>
<li><a href="ch3.en.html#s3.5">3.5 Activate shadow passwords and MD5 passwords</a></li>
<li><a href="ch3.en.html#s3.6">3.6 Run the minimum number of services required</a></li>
<li><a href="ch3.en.html#s3.7">3.7 Install the minimum amount of software required</a></li>
<li><a href="ch3.en.html#s3.8">3.8 Read the Debian security mailing lists</a>
</ul></li>
<li><a href="ch4.en.html">4 After installation</a>
<ul>
<li><a href="ch4.en.html#s-debian-sec-announce">4.1 Subscribe to the Debian Security Announce mailing list</a></li>
<li><a href="ch4.en.html#s-security-update">4.2 Execute a security update</a></li>
<li><a href="ch4.en.html#s-bios-boot">4.3 Change the BIOS (again)</a></li>
<li><a href="ch4.en.html#s-lilo-passwd">4.4 Set a LILO or GRUB password</a></li>
<li><a href="ch4.en.html#s-kernel-initramfs-prompt">4.5 Disable root prompt on the initramfs</a></li>
<li><a href="ch4.en.html#s-kernel-root-prompt">4.6 Remove root prompt on the kernel</a></li>
<li><a href="ch4.en.html#s-restrict-console-login">4.7 Restricting console login access</a></li>
<li><a href="ch4.en.html#s-restrict-reboots">4.8 Restricting system reboots through the console</a></li>
<li><a href="ch4.en.html#s4.9">4.9 Mounting partitions the right way</a></li>
<li><a href="ch4.en.html#s4.10">4.10 Providing secure user access</a></li>
<li><a href="ch4.en.html#s-tcpwrappers">4.11 Using tcpwrappers</a></li>
<li><a href="ch4.en.html#s-log-alerts">4.12 The importance of logs and alerts</a></li>
<li><a href="ch4.en.html#s-kernel-patches">4.13 Adding kernel patches</a></li>
<li><a href="ch4.en.html#s4.14">4.14 Protecting against buffer overflows</a></li>
<li><a href="ch4.en.html#s4.15">4.15 Secure file transfers</a></li>
<li><a href="ch4.en.html#s4.16">4.16 File system limits and control</a></li>
<li><a href="ch4.en.html#s-network-secure">4.17 Securing network access</a></li>
<li><a href="ch4.en.html#s-snapshot">4.18 Taking a snapshot of the system</a></li>
<li><a href="ch4.en.html#s4.19">4.19 Other recommendations</a>
</ul></li>
<li><a href="ch-sec-services.en.html">5 Securing services running on your system</a>
<ul>
<li><a href="ch-sec-services.en.html#s5.1">5.1 Securing ssh</a></li>
<li><a href="ch-sec-services.en.html#s5.2">5.2 Securing Squid</a></li>
<li><a href="ch-sec-services.en.html#s-ftp-secure">5.3 Securing FTP</a></li>
<li><a href="ch-sec-services.en.html#s5.4">5.4 Securing access to the X Window System</a></li>
<li><a href="ch-sec-services.en.html#s5.5">5.5 Securing printing access (the lpd and lprng issue)</a></li>
<li><a href="ch-sec-services.en.html#s5.6">5.6 Securing the mail service</a></li>
<li><a href="ch-sec-services.en.html#s-sec-bind">5.7 Securing BIND</a></li>
<li><a href="ch-sec-services.en.html#s5.8">5.8 Securing Apache</a></li>
<li><a href="ch-sec-services.en.html#s5.9">5.9 Securing finger</a></li>
<li><a href="ch-sec-services.en.html#s-chroot">5.10 General chroot and suid paranoia</a></li>
<li><a href="ch-sec-services.en.html#s5.11">5.11 General cleartext password paranoia</a></li>
<li><a href="ch-sec-services.en.html#s5.12">5.12 Disabling NIS</a></li>
<li><a href="ch-sec-services.en.html#s-rpc">5.13 Securing RPC services</a></li>
<li><a href="ch-sec-services.en.html#s-firewall-setup">5.14 Adding firewall capabilities</a>
</ul></li>
<li><a href="ch-automatic-harden.en.html">6 Automatic hardening of Debian systems</a>
<ul>
<li><a href="ch-automatic-harden.en.html#s6.1">6.1 Harden</a></li>
<li><a href="ch-automatic-harden.en.html#s6.2">6.2 Bastille Linux</a>
</ul></li>
<li><a href="ch7.en.html">7 Debian Security Infrastructure</a>
<ul>
<li><a href="ch7.en.html#s-debian-sec-team">7.1 The Debian Security Team</a></li>
<li><a href="ch7.en.html#s-dsa">7.2 Debian Security Advisories</a></li>
<li><a href="ch7.en.html#s7.3">7.3 Security Tracker</a></li>
<li><a href="ch7.en.html#s7.4">7.4 Debian Security Build Infrastructure</a></li>
<li><a href="ch7.en.html#s-deb-pack-sign">7.5 Package signing in Debian</a>
</ul></li>
<li><a href="ch-sec-tools.en.html">8 Security tools in Debian</a>
<ul>
<li><a href="ch-sec-tools.en.html#s-vuln-asses">8.1 Remote vulnerability assessment tools</a></li>
<li><a href="ch-sec-tools.en.html#s8.2">8.2 Network scanner tools</a></li>
<li><a href="ch-sec-tools.en.html#s8.3">8.3 Internal audits</a></li>
<li><a href="ch-sec-tools.en.html#s8.4">8.4 Auditing source code</a></li>
<li><a href="ch-sec-tools.en.html#s-vpn">8.5 Virtual Private Networks</a></li>
<li><a href="ch-sec-tools.en.html#s8.6">8.6 Public Key Infrastructure (PKI)</a></li>
<li><a href="ch-sec-tools.en.html#s8.7">8.7 SSL Infrastructure</a></li>
<li><a href="ch-sec-tools.en.html#s8.8">8.8 Antivirus tools</a></li>
<li><a href="ch-sec-tools.en.html#s-gpg-agent">8.9 GPG agent</a>
</ul></li>
<li><a href="ch9.en.html">9 Developer's Best Practices for OS Security</a>
<ul>
<li><a href="ch9.en.html#s-bpp-devel-design">9.1 Best practices for security review and design</a></li>
<li><a href="ch9.en.html#s-bpp-lower-privs">9.2 Creating users and groups for software daemons</a>
</ul></li>
<li><a href="ch10.en.html">10 Before the compromise</a>
<ul>
<li><a href="ch10.en.html#s-keep-secure">10.1 Keep your system secure</a></li>
<li><a href="ch10.en.html#s-periodic-integrity">10.2 Do periodic integrity checks</a></li>
<li><a href="ch10.en.html#s-intrusion-detect">10.3 Set up Intrusion Detection</a></li>
<li><a href="ch10.en.html#s10.4">10.4 Avoiding root-kits</a></li>
<li><a href="ch10.en.html#s10.5">10.5 Genius/Paranoia Ideas &mdash; what you could do</a>
</ul></li>
<li><a href="ch-after-compromise.en.html">11 After the compromise (incident response)</a>
<ul>
<li><a href="ch-after-compromise.en.html#s11.1">11.1 General behavior</a></li>
<li><a href="ch-after-compromise.en.html#s11.2">11.2 Backing up the system</a></li>
<li><a href="ch-after-compromise.en.html#s11.3">11.3 Contact your local CERT</a></li>
<li><a href="ch-after-compromise.en.html#s11.4">11.4 Forensic analysis</a>
</ul></li>
<li><a href="ch12.en.html">12 Frequently asked Questions (FAQ)</a>
<ul>
<li><a href="ch12.en.html#s12.1">12.1 Security in the Debian operating system</a></li>
<li><a href="ch12.en.html#s-vulnerable-system">12.2 My system is vulnerable! (Are you sure?)</a></li>
<li><a href="ch12.en.html#s-debian-sec-team-faq">12.3 Questions regarding the Debian security team</a>
</ul></li>
<li><a href="ap-harden-step.en.html">A The hardening process step by step</a><li><a href="ap-checklist.en.html">B Configuration checklist</a><li><a href="ap-snort-box.en.html">C Setting up a stand-alone IDS</a><li><a href="ap-bridge-fw.en.html">D Setting up a bridge firewall</a>
<ul>
<li><a href="ap-bridge-fw.en.html#sD.1">D.1 A bridge providing NAT and firewall capabilities</a></li>
<li><a href="ap-bridge-fw.en.html#sD.2">D.2 A bridge providing firewall capabilities</a></li>
<li><a href="ap-bridge-fw.en.html#sD.3">D.3 Basic IPtables rules</a>
</ul></li>
<li><a href="ap-bind-chuser.en.html">E Sample script to change the default Bind installation.</a><li><a href="ap-fw-security-update.en.html">F Security update protected by a firewall</a><li><a href="ap-chroot-ssh-env.en.html">G <code>Chroot</code> environment for <code>SSH</code></a>
<ul>
<li><a href="ap-chroot-ssh-env.en.html#sG.1">G.1 Chrooting the ssh users</a></li>
<li><a href="ap-chroot-ssh-env.en.html#sG.2">G.2 Chrooting the ssh server</a>
</ul></li>
<li><a href="ap-chroot-apache-env.en.html">H <code>Chroot</code> environment for <code>Apache</code></a>
<ul>
<li><a href="ap-chroot-apache-env.en.html#sH.1">H.1 Introduction</a></li>
<li><a href="ap-chroot-apache-env.en.html#sH.2">H.2 Installing the server</a></li>
<li><a href="ap-chroot-apache-env.en.html#sH.3">H.3 See also</a></li>
</ul></li>
</ul>
<hr>
<p>
[ <a href="ap-chroot-apache-env.en.html">previous</a> ]
[ <a href="#contents">Contents</a> ]
[ <a href="ch1.en.html">1</a> ]
[ <a href="ch2.en.html">2</a> ]
[ <a href="ch3.en.html">3</a> ]
[ <a href="ch4.en.html">4</a> ]
[ <a href="ch-sec-services.en.html">5</a> ]
[ <a href="ch-automatic-harden.en.html">6</a> ]
[ <a href="ch7.en.html">7</a> ]
[ <a href="ch-sec-tools.en.html">8</a> ]
[ <a href="ch9.en.html">9</a> ]
[ <a href="ch10.en.html">10</a> ]
[ <a href="ch-after-compromise.en.html">11</a> ]
[ <a href="ch12.en.html">12</a> ]
[ <a href="ap-harden-step.en.html">A</a> ]
[ <a href="ap-checklist.en.html">B</a> ]
[ <a href="ap-snort-box.en.html">C</a> ]
[ <a href="ap-bridge-fw.en.html">D</a> ]
[ <a href="ap-bind-chuser.en.html">E</a> ]
[ <a href="ap-fw-security-update.en.html">F</a> ]
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
[ <a href="ch1.en.html">next</a> ]
</p>
<hr>
<p>
Securing Debian Manual
</p>
<address>
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
<br>
Javier Fern&aacute;ndez-Sanguino Pe&ntilde;a <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
<br>
</address>
<hr>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink