After a standard installation, a system may still have some security vulnerabilities. Unless you can download updates for the vulnerable packages on another system (or you have mirrored security.debian.org for local use), the system will have to be connected to the Internet for the downloads.
However, as soon as you connect to the Internet you are exposing this system.
If one of your local services is vulnerable, you might be compromised even
before the update is finished! This may seem paranoid but, in fact, analysis
from the Honeynet Project
has shown that systems can be compromised in less than three days, even if the
system is not publicly known (i.e., not published in DNS records).
When doing an update on a system not protected by an external system like a firewall, it is possible to properly configure your local firewall to restrict connections involving only the security update itself. The example below shows how to set up such local firewall capabilities, which allow connections from security.debian.org only, logging all others.
FIXME: add IP address for security.debian.org (since otherwise you need DNS up to work) on /etc/hosts.
FIXME: test this setup to see if it works properly
FIXME: this will only work with HTTP URLs since ftp might need the ip_conntrack_ftp module, or use passive mode.
# iptables -F # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination # iptables -P INPUT DROP # iptables -P FORWARD DROP # iptables -P OUTPUT DROP # iptables -A OUTPUT -d security.debian.org -p 80 -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A INPUT -p icmp -j ACCEPT # iptables -A INPUT -j LOG # iptables -A OUTPUT -j LOG # iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 LOG all -- anywhere anywhere LOG level warning Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT 80 -- anywhere security.debian.org LOG all -- anywhere anywhere LOG level warning
Securing Debian Manual
2.6 10 October 2002Wed, 18 Sep 2002 14:09:35 +0200[email protected]