For example, in Debian woody it is around 40Mbs, try this:
$ size=0 $ for i in `grep -A 1 -B 1 "^Section: base" /var/lib/dpkg/available | grep -A 2 "^Priority: required" |grep "^Installed-Size" |cut -d : -f 2 `; do size=$(($size+$i)); done $ echo $size 34234
Many intrusions are made just to get access to resources to do illegitimate activity (denial of service attacks, spam, rogue ftp servers, dns pollution...) rather than to obtain confidential data from the compromised system.
You can make (on another system) a dummy package with equivs
Libpam-chroot
has not been yet thoroughly tested, it does work for
login
but it might not be easy to set up the environment for other
programs
Chpasswd
cannot handle MD5 password generation so it needs to be
given the password in encrypted form before using it, with the -e
option.
Try apt-cache search wordlist
for a list of available packages
which might provide wordlists. You can also retrieve wordlists from many ftp
sites over the Internet. FIXME: add links
be sure to use uppercase here since spawn will not work
In Debian the kernel-image
package installs the sources under
/usr/src/kernel-souce-2.X.X
, just substitute linux to
whatever kernel is installed
To reproduce this (example provided by Felix von Leitner on the bugtraq mailing list):
host a (eth0 connected to eth0 of host b): ifconfig eth0 10.0.0.1 ifconfig eth1 23.0.0.1 tcpserver -RHl localhost 23.0.0.1 8000 echo fnord host b: ifconfig eth0 10.0.0.2 route add 23.0.0.1 gw 10.0.0.1 telnet 23.0.0.1 8000
It seems, however, not to work with services bound to 127.0.0.1, you might need to write the tests using raw sockets.
The fact that this behaviour can be changed through routing was described by Matthew G. Marsh in the bugtraq thread:
eth0 = 1.1.1.1/24 eth1 = 2.2.2.2/24 ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000 ip rule add from 2.2.2.2/32 dev lo table 2 prio 16000 ip route add default dev eth0 table 1 ip route add default dev eth1 table 2
There are some patches available for this behaviour as described in bugtraq's
thread at http://www.linuxvirtualserver.org/~julian/#hidden
and http://www.fefe.de/linux-eth-forwarding.diff
.
An attacker might have many problems pulling the access through after configuring the IP-address binding if he is not on the same broadcast domain (same network) as the attacked host. If the attack goes through a router it might be quite difficult for the answers to return somewhere.
To retrieve the list of mailer daemons available in Debian try:
$ apt-cache search mail-transport-agent
The list will not include qmail
, which is distributed only as
source code in the qmail-src
package.
A list of servers/daemons which support these protocols in Debian can be retrieved with:
$ apt-cache search pop3-server $ apt-cache search imap-server
unless you use the instdir option when calling dpkg
but then the chroot jail might be a little more complex
You only probably need it if using NFS (Network File System), NIS (Network Information System) or some other RPC-based service.
Unlike personal firewalls in other operating systems, Debian GNU/Linux does not
(yet) provide firewall generation interfaces that can make rules limiting them
per process or user. However, the iptables code can be configured to do this
(see the owner module in the iptables(8)
manpage)
Some operating systems have already been plagued with automatic-updates
problems such as the Mac OS X
Software Update vulnerabity
.
FIXME: probably the Internet Explorer vulnerability handling certificate chains has an impact on security updates on Microsoft Windows.
Some of them are provided when installing the harden-remoteaudit
package.
For more examples of how to configure gnupg
check
/usr/share/doc/mutt/examples/gpg.rc
.
You may also want to use the --quiet (-q) option to
reduce the output of apt-get
, which will stop the generation of
any output if no packages are installed.
Note that some packages might not use debconf
and updates
will stall due to packages asking for user input during configuration.
This is a common issue since many users want to maintain a stable system while updating some packages to unstable to gain the latest functionality. This need arises due to some projects evolving faster than the time between Debian's stable releases.
There are over 28 capabilities including: CAP_BSET, CAP_CHOWN, CAP_FOWNER, CAP_FSETID, CAP_FS_MASK, CAP_FULL_SET, CAP_INIT_EFF_SET, CAP_INIT_INH_SET, CAP_IPC_LOCK, CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SETGID, CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_RESOURCE, CAP_SYS_TIME, and CAP_SYS_TTY_CONFIG. All of them can be activated or de-activated to harden your kernel.
You don't need to install lcap
to do this, but it's easier than
setting /proc/sys/kernel/cap-bound
by hand.
If you are adventurous, you can login to the system and save information on all running processes (you'll get a lot from /proc/nnn/). It is possible to get the whole executable code from memory, even if the attacker has deleted the executable files from disk. Then pull the power cord.
In fact, this is the tool used to build the CDROMs for the Gibraltar
project (a firewall on a
live CDROM based on the Debian distribution).
For example, based on the Securityfocus data, it might seem that Windows NT is more secure than Linux, which is a questionable assertion. After all, Linux distributions usually provide many more applications compared to Microsoft's Windows NT.
Without diminishing the fact that some distributions, such as RedHat or Mandrake, are also taking into account security in their standard installations by having the user select security profiles, or using wizards to help with configuration of personal firewalls.
Note that this is 'security by obscurity', and will probably not be worth the effort in the long term.
Notice that there are no SETUID files. This makes it more difficult for remote
users to escape the chroot
environment. However, it also prevents
users from changing their passwords, since the passwd
program
cannot modify the files /etc/passwd
or /etc/shadow
.
Securing Debian Manual
2.6 10 October 2002Wed, 18 Sep 2002 14:09:35 +0200[email protected]