<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Securing Debian Manual - Before you begin</title>
<link href="index.en.html" rel="start">
<link href="ch1.en.html" rel="prev">
<link href="ch3.en.html" rel="next">
<link href="index.en.html#contents" rel="contents">
<link href="index.en.html#copyright" rel="copyright">
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
<link href="ch4.en.html" rel="chapter" title="4 After installation">
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas — what you could do">
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (Februrary 2008)">
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users's access">
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricing access to file transfer only">
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is <code>identd</code> (port 113) for?">
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
|
|
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
|
|
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
|
|
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
|
|
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
|
|
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
|
|
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
|
|
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
|
|
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
|
|
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
|
|
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
|
|
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
|
|
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
|
|
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does "local (remote)" mean?">
|
|
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
|
|
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
|
|
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
|
|
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
|
|
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
|
|
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
|
|
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
|
|
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
|
|
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
|
|
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
|
|
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
|
|
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
|
|
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
|
|
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
|
|
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
|
|
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
|
|
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
|
|
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
|
|
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
|
|
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<p><a name="ch2"></a></p>
|
|
<hr>
|
|
|
|
<p>
|
|
[ <a href="ch1.en.html">previous</a> ]
|
|
[ <a href="index.en.html#contents">Contents</a> ]
|
|
[ <a href="ch1.en.html">1</a> ]
|
|
[ 2 ]
|
|
[ <a href="ch3.en.html">3</a> ]
|
|
[ <a href="ch4.en.html">4</a> ]
|
|
[ <a href="ch-sec-services.en.html">5</a> ]
|
|
[ <a href="ch-automatic-harden.en.html">6</a> ]
|
|
[ <a href="ch7.en.html">7</a> ]
|
|
[ <a href="ch-sec-tools.en.html">8</a> ]
|
|
[ <a href="ch9.en.html">9</a> ]
|
|
[ <a href="ch10.en.html">10</a> ]
|
|
[ <a href="ch-after-compromise.en.html">11</a> ]
|
|
[ <a href="ch12.en.html">12</a> ]
|
|
[ <a href="ap-harden-step.en.html">A</a> ]
|
|
[ <a href="ap-checklist.en.html">B</a> ]
|
|
[ <a href="ap-snort-box.en.html">C</a> ]
|
|
[ <a href="ap-bridge-fw.en.html">D</a> ]
|
|
[ <a href="ap-bind-chuser.en.html">E</a> ]
|
|
[ <a href="ap-fw-security-update.en.html">F</a> ]
|
|
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
|
|
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
|
|
[ <a href="ch3.en.html">next</a> ]
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h1>
|
|
Securing Debian Manual
|
|
<br>Chapter 2 - Before you begin
|
|
</h1>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s2.1"></a>2.1 What do you want this system for?</h2>
|
|
|
|
<p>
|
|
Securing Debian is not very different from securing any other system; in order
|
|
to do it properly, you must first decide what you intend to do with it. After
|
|
this, you will have to consider that the following tasks need to be taken care
|
|
of if you want a really secure system.
|
|
</p>
|
|
|
|
<p>
|
|
You will find that this manual is written from the bottom up, that is, you will
|
|
read some information on tasks to do before, during and after you install your
|
|
Debian system. The tasks can also be thought of as:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Decide which services you need and limit your system to those. This includes
|
|
deactivating/uninstalling unneeded services, and adding firewall-like filters,
|
|
or tcpwrappers.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Limit users and permissions in your system.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Harden offered services so that, in the event of a service compromise, the
|
|
impact to your system is minimized.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Use appropriate tools to guarantee that unauthorized use is detected so that
|
|
you can take appropriate measures.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s-references"></a>2.2 Be aware of general security problems</h2>
|
|
|
|
<p>
|
|
This manual does not (usually) go into the details of why some issues
are considered security risks. However, you might want to have a better
background regarding general UNIX and (specific) Linux security. Take some
time to read over security-related documents in order to make informed
decisions when you are faced with different choices. Debian GNU/Linux is
based on the Linux kernel, so much of the information regarding Linux, as well
as from other distributions and general UNIX security, also applies to it (even if
the tools used, or the programs available, differ).
|
|
</p>
|
|
|
|
<p>
|
|
Some useful documents include:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
The <code><a href="http://www.tldp.org/HOWTO/Security-HOWTO/">Linux Security
|
|
HOWTO</a></code> (also available at <code><a
|
|
href="http://www.linuxsecurity.com/docs/LDP/Security-HOWTO.html">LinuxSecurity</a></code>)
|
|
is one of the best references regarding general Linux security.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
The <code><a
|
|
href="http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/">Security
|
|
Quick-Start HOWTO for Linux</a></code> is also a very good starting point for
|
|
novice users (both to Linux and security).
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
The <code><a href="http://seifried.org/lasg/">Linux Security Administrator's
|
|
Guide</a></code> is a complete guide that touches all the issues related to
|
|
security in Linux, from kernel security to VPNs. Note that it has not been
|
|
updated since 2001, but some information is still relevant. [<a
|
|
href="footnotes.en.html#f1" name="fr1">1</a>]
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Kurt Seifried's <code><a
|
|
href="http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html">Securing
|
|
Linux Step by Step</a></code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
In <code><a
href="http://www.tldp.org/links/p_books.html#securing_linux">Securing and
Optimizing Linux: RedHat Edition</a></code> you can find a document similar to
this manual but related to Red Hat; some of the issues are not
distribution-specific and also apply to Debian.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Another Red Hat related document is <code><a
|
|
href="http://ltp.sourceforge.net/docs/RHEL-EAL3-Configuration-Guide.pdf">EAL3
|
|
Evaluated Configuration Guide for Red Hat Enterprise</a></code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
IntersectAlliance has published some documents that can be used as reference
cards on how to harden Linux servers (and their services); the documents are
available at <code><a
href="http://www.intersectalliance.com/projects/index.html">their
site</a></code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
For network administrators, a good reference for building a secure network is
|
|
the <code><a
|
|
href="http://www.linuxsecurity.com/docs/LDP/Securing-Domain-HOWTO/">Securing
|
|
your Domain HOWTO</a></code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
If you want to evaluate the programs you are going to use (or want to build
some new ones) you should read the <code><a
href="http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/">Secure Programs
HOWTO</a></code> (the master copy is available at <code><a
href="http://www.dwheeler.com/secure-programs/">http://www.dwheeler.com/secure-programs/</a></code>;
it includes slides and talks from the author, David Wheeler).
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
If you are considering installing firewall capabilities, you should read the
|
|
<code><a href="http://www.tldp.org/HOWTO/Firewall-HOWTO.html">Firewall
|
|
HOWTO</a></code> and the <code><a
|
|
href="http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html">IPCHAINS HOWTO</a></code>
|
|
(for kernels previous to 2.4).
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Finally, a good card to keep handy is the <code><a
|
|
href="http://www.linuxsecurity.com/docs/QuickRefCard.pdf">Linux Security
|
|
ReferenceCard</a></code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
In any case, there is more information regarding the services explained here
(NFS, NIS, SMB...) in many of the HOWTOs of <code><a
href="http://www.tldp.org/">The Linux Documentation Project</a></code>. Some
of these documents cover the security side of a given service, so be sure to
take a look there too.
|
|
</p>
|
|
|
|
<p>
|
|
The HOWTO documents from the Linux Documentation Project are available in
Debian GNU/Linux by installing the <code>doc-linux-text</code>
(text version) or <code>doc-linux-html</code> (HTML version) package. After
installation these documents will be available in the
<code>/usr/share/doc/HOWTO/en-txt</code> and
<code>/usr/share/doc/HOWTO/en-html</code> directories, respectively.
|
|
</p>
|
|
|
|
<p>
|
|
Other recommended Linux books:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Maximum Linux Security : A Hacker's Guide to Protecting Your Linux Server and
|
|
Network. Anonymous. Paperback - 829 pages. Sams Publishing. ISBN:
|
|
0672313413. July 1999.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Linux Security By John S. Flowers. New Riders; ISBN: 0735700354. March 1999.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code><a href="http://www.linux.org/books/ISBN_0072127732.html">Hacking Linux
|
|
Exposed</a></code> By Brian Hatch. McGraw-Hill Higher Education. ISBN
|
|
0072127732. April, 2001
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
Other books (which might be related to general issues regarding UNIX and
|
|
security and not Linux specific):
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code><a href="http://www.ora.com/catalog/puis/noframes.html">Practical Unix
|
|
and Internet Security (2nd Edition)</a></code> Garfinkel, Simpson, and
|
|
Spafford, Gene; O'Reilly Associates; ISBN 0-56592-148-8; 1004pp; 1996.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Firewalls and Internet Security Cheswick, William R. and Bellovin, Steven M.;
|
|
Addison-Wesley; 1994; ISBN 0-201-63357-4; 320pp.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
Some useful web sites to keep up to date regarding security:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code><a href="http://csrc.nist.gov/fasp/index.html">NIST Security
|
|
Guidelines</a></code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code><a href="http://www.securityfocus.com">Security Focus</a></code>, the
server that hosts the Bugtraq vulnerability database and list, and provides
general security information, news and reports.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code><a href="http://www.linuxsecurity.com/">Linux Security</a></code>.
|
|
General information regarding Linux security (tools, news...). Most useful is
|
|
the <code><a
|
|
href="http://www.linuxsecurity.com/resources/documentation-1.html">main
|
|
documentation</a></code> page.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code><a href="http://www.linux-firewall-tools.com/linux/">Linux firewall and
security site</a></code>. General information regarding Linux firewalls and
tools to control and administer them.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s2.3"></a>2.3 How does Debian handle security?</h2>
|
|
|
|
<p>
|
|
To give you a general overview of security in Debian GNU/Linux, you should
take note of the different issues that Debian tackles in order to provide an
overall secure system:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Debian problems are always handled openly, even security-related ones. Security
issues are discussed openly on the debian-security mailing list. Debian
Security Advisories (DSAs) are sent to public mailing lists (both internal and
external) and are published on the public server. As the <code><a
href="http://www.debian.org/social_contract">Debian Social Contract</a></code>
states:
|
|
</p>
|
|
|
|
<p>
|
|
<em>We will not hide problems</em>
|
|
</p>
|
|
|
|
<p>
|
|
<em>We will keep our entire bug report database open for public view at all
|
|
times. Reports that people file online will promptly become visible to
|
|
others.</em>
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Debian follows security issues closely. The security team checks many
security-related sources, the most important being <code><a
href="http://www.securityfocus.com/cgi-bin/vulns.pl">Bugtraq</a></code>, on the
lookout for packages with security issues that might be included in Debian.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Security updates are the first priority. When a security problem arises in a
|
|
Debian package, the security update is prepared as fast as possible and
|
|
distributed for our stable, testing and unstable releases, including all
|
|
architectures.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Information regarding security is centralized in a single point, <code><a
|
|
href="http://security.debian.org/">http://security.debian.org/</a></code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Debian is always trying to improve the overall security of the distribution by
|
|
starting new projects, such as automatic package signature verification
|
|
mechanisms.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Debian provides a number of useful security-related tools for system
administration and monitoring. Developers try to tightly integrate these tools
with the distribution in order to make them a better suite to enforce local
security policies. Tools include: integrity checkers, auditing tools,
hardening tools, firewall tools, intrusion detection tools, etc.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Package maintainers are aware of security issues. This leads to many
"secure by default" service installations which could impose certain
restrictions on their normal use. Debian does, however, try to balance
security and ease of administration - the programs are not de-activated when
you install them (as is the case with, say, the BSD family of operating
systems). In any case, prominent security issues (such as <samp>setuid</samp>
programs) are part of the <code><a
href="http://www.debian.org/doc/debian-policy/">Debian Policy</a></code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
By publishing security information specific to Debian and complementing other
|
|
information-security documents related to Debian (see <a
|
|
href="#s-references">Be aware of general security problems, Section 2.2</a>),
|
|
this document aims to produce better system installations security-wise.
|
|
</p>
|
|
|
|
|
|
|
|
<hr>
|
|
|
|
<p>
|
|
Securing Debian Manual
|
|
</p>
|
|
|
|
<address>
|
|
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
|
|
<br>
|
|
Javier Fernández-Sanguino Peña <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
|
|
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
|
|
<br>
|
|
</address>
|
|
<hr>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|