[ previous ]
[ Contents ]
[ 1 ]
[ 2 ]
[ 3 ]
[ 4 ]
[ 5 ]
[ 6 ]
[ 7 ]
[ 8 ]
[ 9 ]
[ 10 ]
[ 11 ]
[ A ]
[ B ]
[ C ]
[ D ]
[ E ]
[ F ]
[ G ]
[ next ]
Securing Debian Manual
Chapter 1 - Introduction
One of the hardest things about writing security documents is that every case
is unique. Two things you have to pay attention to are the threat environment
and the security needs of the individual site, host, or network. For instance,
the security needs of a home user are completely different from a network in a
bank. While the primary threat a home user needs to face is the script kiddie
type of cracker, a bank network has to worry about directed attacks.
Additionally, the bank has to protect their customer's data with arithmetic
precision. In short, every user has to consider the tradeoff between usability
and security/paranoia.
Note that this manual only covers issues relating to software. The best
software in the world can't protect you if someone can physically access the
machine. You can place it under your desk, or you can place it in a hardened
bunker with an army in front of it. Nevertheless the desktop computer can be
much more secure (from a software point of view) than a physically protected
one if the desktop is configured properly and the software on the protected
machine is full of security holes. Obviously, you must consider both issues.
This document just gives an overview of what you can do to increase the
security of your Debian GNU/Linux system. If you have read other documents
regarding Linux security, you will find that there are common issues which
might overlap with this document. However, this document does not try to be
the ultimate source of information you will be using, it only tries to adapt
this same information so that it is meaningful to a Debian GNU/Linux system.
Different distributions do some things in different ways (startup of daemons is
one example); here, you will find material which is appropriate for Debian's
procedures and tools.
If you have comments, additions or suggestions, please mail them to Javier Fern�ndez-Sanguino
(alternate
address: [email protected]) and they will be incorporated into this manual.
1.1 Download the manual
You can download or view the newest version of the Securing Debian Manual from
the Debian
Documentation Project
. Feel free to check out the version control
system through its CVS
server
.
You can download also a text
version
from the Debian Documentation's Project site. Other
formats, like PDF, are not (yet) provided. However, you can download or
install the harden-doc
package
which provides this same document in HTML, txt and PDF formats.
1.2 Organizational Notes/Feedback
Now to the official part. At the moment I (Alexander Reelsen) wrote most
paragraphs of this manual, but in my opinion this should not stay the case. I
grew up and live with free software, it is part of my everyday use and I guess
yours, too. I encourage everybody to send me feedback, hints additions or any
other suggestions, you might have.
If you think, you can maintain a certain section or paragraph better, then
write to the document maintainer and you are welcome to do it. Especially if
you find a section marked as FIXME, that means the authors did not have the
time yet or the needed knowledge about the topic, drop them a mail immediately.
The topic of this manual makes it quite clear that it is important to keep it
up to date, and you can do your part. Please contribute.
1.3 Prior knowledge
The installation of Debian GNU/Linux is not very difficult and you should have
been able to install it. If you already have some knowledge about Linux or
other Unices and you are a bit familiar with basic security, it will be easier
to understand this manual, as this document cannot explain every little detail
of a feature (otherwise this would have been a book instead of a manual). If
you are not that familiar, however, you might want to take a look at Be aware of general security problems, Section
2.2 for where to find more in-depth information.
1.4 Things that need to be written (FIXME/TODO)
-
Consider writting a section on how to build Debian-based network appliances
(with information such as the base system,
equivs
and FAI).
-
Add information on how to set up a firewall using Debian GNU/Linux. The
section regarding firewalling is oriented currently towards a single system
(not protecting others...) also talk on how to test the setup.
-
Add information on setting up a proxy firewall with Debian GNU/Linux stating
specifically which packages provide proxy services (like
xfwp
,
xproxy
, ftp-proxy
, redir
,
smtpd
, nntp-cache
, dnrd
,
jftpgw
,oops
,pnsd
,
perdition
,transproxy
, tsocks
). Should
point to the manual for any other info. Also note that zorp is not (yet)
available as a Debian package but is a proxy firewall (they provide
Debian packages upstream).
-
Information on service configuration with file-rc
-
Check all the reference URLs and remove/fix those no longer available.
-
Add information on available replacements (in Debian) for common servers which
are useful for limited functionality. Examples:
-
local lpr with cups (package)?
-
apache with dhttpd/thttpd/wn (tux?)
-
exim/sendmail with ssmtpd/smtpd/postfix
-
More information regarding security-related kernel patches in Debian, including
the ones shown above and specific information on how to enable these patches in
a Debian system.
-
Linux Intrusion Detection (
lids-2.2.19
)
-
Linux Trustees (in package
trustees
)
-
kernel-patch-2.2.19-harden
-
Linux capabilities (in package
lcap
-
kernel-patch-freeswan,kernel-patch-int
-
Details of turning off unnecessary network services (besides
inetd
), it is partly in the hardening procedure but could be
broadened a bit.
-
Information regarding password rotation which is closely related to policy.
-
Policy, and educating users about policy.
-
More about tcpwrappers, and wrappers in general?
-
hosts.equiv
and other major security holes.
-
Issues with file sharing servers such as Samba and NFS?
-
suidmanager/dpkg-statoverrides.
-
Switching off the gnome IP things.
-
Talk about programs to make chroot jails.
Compartment
and
chrootuid
are waiting in incoming. Some others (makejail, jailer)
could also be introduced.
-
More information regarding log analysis software (i.e. logcheck and
logcolorise).
-
'advanced' routing (traffic policing is security related)
-
limiting
ssh
access to running certain commands.
-
secure ways to share a CD burner among users.
-
secure ways of providing networked sound in addition to network display
capabilities (so that X clients' sounds are played on the X server's sound
hardware)
-
using crypto loopback file systems.
-
encrypting the entire file system.
-
setting up a PKA for an organization.
-
using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at
www.bayour.com written by Turbo Fredrikson.
-
How to remove information of reduced utility in production systems such as
/usr/share/doc, /usr/share/man (yes, security by obscurity).
1.5 Changelog/History
1.5.1 Version 2.6 (september 2002)
Changes by Chris Tillman, [email protected].
-
Changed around to improve grammar/spelling.
-
s/host.deny/hosts.deny/ (1 place)
-
Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs)
1.5.2 Version 2.5 (september 2002)
Changes by Javier Fern�ndez-Sanguino Pe�a (me).
-
Fixed minor typos submitted by Thiemo Nagel.
-
Added a footnote suggested by Thiemo Nagel.
1.5.3 Version 2.5 (august 2002)
Changes by Javier Fern�ndez-Sanguino Pe�a (me). There were many things waiting
on my inbox (as far back as February) to be included, so I'm going to tag this
the back from honeymoon release :)
-
Applied a patch contributed by Philipe Gaspar regarding the Squid which also
kills a FIXME.
-
Yet another FAQ item regarding service banners taken from the debian-security
mailing list (thread "Telnet information" started 26th July 2002).
-
Added a note regarding use of CVE cross references in the How much time
does the Debian security team... FAQ item.
-
Added a new section regarding ARP attacks contributed by Arnaud
"Arhuman" Assad.
-
New FAQ item regarding dmesg and console login by the kernel.
-
Small tidbits of information to the signature-checking issues in packages (it
seems to not have gotten past beta release).
-
New FAQ item regarding vulnerability assessment tools false positives.
-
Added new sections to the chapter that contains information on package
signatures and reorganised it as a new Debian Security Infrastructure
chapter.
-
New FAQ item regarding Debian vs. other Linux distributions.
-
New section on mail user agents with GPG/PGP functionality in the security
tools chapter.
-
Clarified how to enable MD5 passwords in woody, added a pointer to PAM as well
as a note regarding the max definition in PAM.
-
Added a new appendix on how to create chroot environments (after fiddling a bit
with makejail and fixing, as well, some of its bugs), integrated duplicate
information in all the appendix.
-
Added some more information regarding
SSH
chrooting and its impact
on secure file transfers. Some information has been retrieved from the
debian-security mailing list (June 2002 thread: secure file
transfers).
-
New sections on how to do automatic updates on Debian systems as well as the
caveats of using testing or unstable regarding security updates.
-
New section regarding keeping up to date with security patches in the
Before compromise section as well as a new section about the
debian-security-announce mailing list.
-
Added information on how to automatically generate strong passwords.
-
New section regarding login of idle users.
-
Reorganised the securing mail server section based on the
Secure/hardened/minimal Debian (or "Why is the base system the way it
is?") thread on the debian-security mailing list (May 2002).
-
Reorganised the section on kernel network parameters, with information provided
in the debian-security mailing list (May 2002, syn flood attacked?
thread) and added a new FAQ item as well.
-
New section on how to check users passwords and which packages to install for
this.
-
New section on PPTP encryption with Microsoft clients discussed in the
debian-security mailing list (April 2002).
-
Added a new section describing what problems are there when binding any given
service to a specific IP address, this information was written based on the
bugtraq mailing list in the thread: Linux kernel 2.4 "weak end
host" issue (previously discussed on debian-security as "arp
problem") (started on May 9th 2002 by Felix von Leitner).
-
Added information on
ssh
protocol version 2.
-
Added two subsections related to Apache secure configuration (the things
specific to Debian, that is).
-
Added a new FAQ related to raw sockets, one related to /root, an item related
to users' groups and another one related to log and configuration files
permissions.
-
Added a pointer to a bug in libpam-cracklib that might still be open... (need
to check)
-
Added more information regarding forensics analysis (pending more information
on packet inspection tools such as
tcpflow
).
-
Changed the "what should I do regarding compromise" into a bullet
list and included some more stuff.
-
Added some information on how to set up the Xscreensaver to lock the screen
automatically after the configured timeout.
-
Added a note related to the utilities you should not install in the system.
Included a note regarding Perl and why it cannot be easily removed in Debian.
The idea came after reading Intersect's documents regarding Linux hardening.
-
Added information on lvm and journalling file systems, ext3 recommended. The
information there might be too generic, however.
-
Added a link to the online text version (check).
-
Added some more stuff to the information on firewalling the local system,
triggered by a comment made by Hubert Chan in the mailing list.
-
Added more information on PAM limits and pointers to Kurt Seifried's documents
(related to a post by him to bugtraq on April 4th 2002 answering a person that
had ``discovered'' a vulnerability in Debian GNU/Linux related to resource
starvation).
-
As suggested by Juli�n Mu�oz, provided more information on the default Debian
umask and what a user can access if he has been given a shell in the system
(scary, huh?)
-
Included a note in the BIOS password section due to a comment from Andreas
Wohlfeld.
-
Included patches provided by Alfred E. Heggestad fixing many of the typos
still present in the document.
-
Added a pointer to the changelog in the Credits section since most people who
contribute are listed here (and not there).
-
Added a few more notes to the chattr section and a new section after
installation talking about system snapshots. Both ideas were contributed by
Kurt Pomeroy.
-
Added a new section after installation just to remind users to change the
boot-up sequence.
-
Added some more TODO items provided by Korn Andras.
-
Added a pointer to the NIST's guidelines on how to secure DNS provided by
Daniel Quinlan.
-
Added a small paragraph regarding Debian's SSL certificates infrastructure.
-
Added Daniel Quinlan's suggestions regarding
ssh
authentication
and exim's relay configuration.
-
Added more information regarding securing bind including changes suggested by
Daniel Quinlan and an appendix with a script to make some of the changes
commented on in that section.
-
Added a pointer to another item regarding Bind chrooting (needs to be merged).
-
Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve packages
with tcpwrappers support.
-
Added a little bit more info on Debian's default PAM setup.
-
Included a FAQ question about using PAM to provide services without shell
accounts.
-
Moved two FAQ items to another section and added a new FAQ regarding attack
detection (and compromised systems).
-
Included information on how to set up a bridge firewall (including a sample
Appendix). Thanks go to Francois Bayar who sent this to me in March.
-
Added a FAQ regarding the syslogd's MARK heartbeat from a
question answered by Noah Meyerhans and Alain Tesio in December 2001.
-
Included information on buffer overflow protection as well as some information
on kernel patches.
-
Added more information (and reorganised) the firewall section. Updated the
information regarding the iptables package and the firewall generators
available.
-
Reorganized the information regarding log checking, moved logcheck information
from host intrusion detection to that section.
-
Added some information on how to prepare a static package for bind for
chrooting (untested).
-
Added a FAQ item regarding some specific servers/services (could be expanded
with some of the recommendations from the debian-security list).
-
Added some information on RPC services (and when it's necessary).
-
Added some more information on capabilities (and what lcap does). Is there any
good documentation on this? I haven't found any documentation on my 2.4
kernel.
1.5.4 Version 2.4
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Rewritten part of the BIOS section.
1.5.5 Version 2.3
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Wrapped most file locations with the file tag.
-
Fixed typo noticed by Edi Stojicevi.
-
Slightly changed the remote audit tools section.
-
Added more information regarding printers and cups config file (taken from a
thread on debian-security).
-
Added a patch submitted by Jesus Climent regarding access of valid system users
to Proftpd when configured as anonymous server.
-
Small change on partition schemes for the special case of mail servers.
-
Added Hacking Linux Exposed to the books section.
-
Fixed directory typo noticed by Eduardo P�rez Ureta.
-
Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi.
1.5.6 Version 2.3
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Fixed location of dpkg conffile.
-
Remove Alexander from contact information.
-
Added alternate mail address.
-
Fixed Alexander mail address (even if commented out).
-
Fixed location of release keys (thanks to Pedro Zorzenon for pointing this
out).
1.5.7 Version 2.2
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Fixed typos, thanks to Jamin W. Collins.
-
Added a reference to apt-extracttemplate manpage (documents the
APT::ExtractTemplate config).
-
Added section about restricted SSH. Information based on that posted by Mark
Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security
mailing list.
-
Added information on anti-virus software.
-
Added a FAQ: su logs due to the cron running as root.
1.5.8 Version 2.1
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Changed FIXME from lshell thanks to Oohara Yuuma.
-
Added package to sXid and removed comment since it *is* available.
-
Fixed a number of typos discovered by Oohara Yuuma.
-
ACID is now available in Debian (in the acidlab package) thanks to Oohara Yuuma
for noticing.
-
Fixed LinuxSecurity links (thanks to Dave Wreski for telling).
1.5.9 Version 2.0
Changes by Javier Fern�ndez-Sanguino Pe�a. I wanted to change to 2.0 when all
the FIXMEs were, er, fixed but I ran out of 1.9X numbers :(
-
Converted the HOWTO into a Manual (now I can properly say RTFM)
-
Added more information regarding tcp wrappers and Debian (now many services are
compiled with support for them so it's no longer an
inetd
issue).
-
Clarified the information on disabling services to make it more consistent (rpc
info still referred to update-rc.d)
-
Added small note on lprng.
-
Added some more info on compromised servers (still very rough)
-
Fixed typos reported by Mark Bucciarelli.
-
Added some more steps in password recovery to cover the cases when the admin
has set paranoid-mode=on.
-
Added some information to set paranoid-mode=on when login in console.
-
New paragraph to introduce service configuration.
-
Reorganised the After installation section so it is more broken up
into several issues and it's easier to read.
-
Wrote information on how to set up firewalls with the standard Debian 3.0 setup
(iptables package).
-
Small paragraph explaining why installing connected to the Internet is not a
good idea and how to avoid this using Debian tools.
-
Small paragraph on timely patching referencing to IEEE paper.
-
Appendix on how to set up a Debian snort box, based on what Vladimir sent to
the debian-security mailing list (September 3rd 2001)
-
Information on how logcheck is set up in Debian and how it can be used to set
up HIDS.
-
Information on user accounting and profile analysis.
-
Included apt.conf configuration for read-only /usr copied from Olaf
Meeuwissen's post to the debian-security mailing list
-
New section on VPN with some pointers and the packages available in Debian
(needs content on how to set up the VPNs and Debian-specific issues), based on
Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security.
-
Small note regarding some programs to automatically build chroot jails
-
New FAQ item regarding identd based on a discussion in the debian-security
mailing list (February 2002, started by Johannes Weiss).
-
New FAQ item regarding
inetd
based on a discussion in the
debian-security mailing list (February 2002).
-
Introduced note on rcconf in the "disabling services" section.
-
Varied the approach regarding LKM, thanks to Philipe Gaspar
-
Added pointers to CERT documents and Counterpane resources
1.5.10 Version 1.99
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Added a new FAQ item regarding time to fix security vulnerabilities.
-
Reorganised FAQ sections.
-
Started writing a section regarding firewalling in Debian GNU/Linux (could be
broadened a bit)
-
Fixed typos sent by Matt Kraai
-
Added information on whisker and nbtscan to the auditing section.
1.5.11 Version 1.98
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Added a new section regarding auditing using Debian GNU/Linux.
-
Added info regarding finger daemon taken from the security mailing list.
1.5.12 Version 1.97
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Fixed link for Linux Trustees
-
Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon)
1.5.13 Version 1.96
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Reorganized service installation and removal and added some new notes.
-
Added some notes regarding using integrity checkers as intrusion detection
tools.
-
Added a chapter regarding package signatures.
1.5.14 Version 1.95
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Added notes regarding Squid security sent by Philipe Gaspar.
-
Fixed rootkit links thanks to Philipe Gaspar.
1.5.15 Version 1.94
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Added some notes regarding Apache and Lpr/lpng.
-
Added some information regarding noexec and read-only partitions.
-
Rewrote how users can help in Debian security issues (FAQ item).
1.5.16 Version 1.93
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Fixed location of mail program.
-
Added some new items to the FAQ.
1.5.17 Version 1.92
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Added a small section on how Debian handles security
-
Clarified MD5 passwords (thanks to `rocky')
-
Added some more information regarding harden-X from Stephen van Egmond
-
Added some new items to the FAQ
1.5.18 Version 1.91
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Added some forensics information sent by Yotam Rubin.
-
Added information on how to build a honeynet using Debian GNU/Linux.
-
Fixed more typos (thanks Yotam!)
1.5.19 Version 1.9
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Added patch to fix misspellings and some new information (contributed by Yotam
Rubin)
-
Added some information on configuring Bind options to restrict access to the
DNS server.
-
Added information on how to automatically harden a Debian system (regarding the
harden package and bastille).
-
Removed some done TODOs and added some new ones.
1.5.20 Version 1.8
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Added the default user/group list provided by Joey Hess to the debian-security
mailing list.
-
Added information on Proftp contributed by Emmanuel Lacour.
-
Recovered the checklist Appendix from Era Eriksson.
-
Added some new TODO items and removed other fixed ones.
-
Manually included Era's patches since they were not all included in the
previous version.
1.5.21 Version 1.7
Changes by Era Eriksson.
-
Typo fixes and wording changes
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Minor changes to tags in order to keep on removing the tt tags and substitute
prgn/package tags for them.
1.5.22 Version 1.6
Changes by Javier Fern�ndez-Sanguino Pe�a.
-
Added pointer to document as published in the DDP (should supersede the
original in the near future)
-
Started a mini-FAQ (should be expanded) with some questions recovered from my
mailbox.
-
Added general information to consider while securing.
-
Added a paragraph regarding local (incoming) mail delivery.
-
Added some pointers to more information.
-
Added information regarding the printing service.
-
Added a security hardening checklist.
-
Reorganized NIS and RPC information.
-
Added some notes taken while reading this document on my new Visor :)
-
Fixed some badly formatted lines.
-
Added a Genius/Paranoia idea contributed by Gaby Schilders.
1.5.23 Version 1.5
Changes by Josip Rodin and Javier Fern�ndez-Sanguino Pe�a.
-
Added paragraphs related to BIND and some FIXMEs.
1.5.24 Version 1.4
-
Small setuid check paragraph
-
Found out how to use sgml2txt -f for the txt version
1.5.25 Version 1.3
-
Added a security update after installation paragraph
-
Added a proftpd paragraph
-
This time really wrote something about XDM, sorry for last time
1.5.26 Version 1.2
-
Lots of grammar corrections by James Treacy, new XDM paragraph
1.5.27 Version 1.1
-
Typo fixes, miscellaneous additions
1.5.28 Version 1.0
1.6 Credits and Thanks!
-
Alexander Reelsen wrote the original document.
-
Javier Fern�ndez-Sanguino added more info to the original doc.
-
Robert van der Meulen provided the quota paragraphs and many good ideas.
-
Ethan Benson corrected the PAM paragraph and had some good ideas.
-
Dariusz Puchalak contributed some information to several chapters.
-
Gaby Schilders contributed a nice Genius/Paranoia idea.
-
Era Eriksson smoothed out the language in a lot of places and contributed the
checklist appendix.
-
Philipe Gaspar wrote the LKM information.
-
Yotam Rubin contributed fixes for many typos as well as information regarding
bind versions and md5 passwords.
-
(Alexander) All the folks who encouraged me to write this HOWTO (which was
later turned into a Manual).
-
The whole Debian project.
[ previous ]
[ Contents ]
[ 1 ]
[ 2 ]
[ 3 ]
[ 4 ]
[ 5 ]
[ 6 ]
[ 7 ]
[ 8 ]
[ 9 ]
[ 10 ]
[ 11 ]
[ A ]
[ B ]
[ C ]
[ D ]
[ E ]
[ F ]
[ G ]
[ next ]
Securing Debian Manual
2.6 10 October 2002Wed, 18 Sep 2002 14:09:35 +0200
Javier Fern�ndez-Sanguino Pe�a [email protected]