Securing Debian Manual
Footnotes

1

For example, in Debian woody it is around 40Mbs, try this:

       $ size=0
       $ for i in `grep -A 1 -B 1 "^Section: base" /var/lib/dpkg/available |
       grep -A 2 "^Priority: required" |grep "^Installed-Size" |cut -d : -f 2
       `; do size=$(($size+$i)); done
       $ echo $size
       34234

2

Many intrusions are made just to get access to resources to do illegitimate activity (denial of service attacks, spam, rogue ftp servers, dns pollution...) rather than to obtain confidential data from the compromised system.

3

You can make (on another system) a dummy package with equivs

4

Libpam-chroot has not been yet thoroughly tested, it does work for login but it might not be easy to set up the environment for other programs

5

Chpasswd cannot handle MD5 password generation so it needs to be given the password in encrypted form before using it, with the -e option.

6

Try apt-cache search wordlist for a list of available packages which might provide wordlists. You can also retrieve wordlists from many ftp sites over the Internet. FIXME: add links

7

be sure to use uppercase here since spawn will not work

8

In Debian the kernel-image package installs the sources under /usr/src/kernel-souce-2.X.X, just substitute linux to whatever kernel is installed

9

To reproduce this (example provided by Felix von Leitner on the bugtraq mailing list):

        host a (eth0 connected to eth0 of host b):
          ifconfig eth0 10.0.0.1
          ifconfig eth1 23.0.0.1
          tcpserver -RHl localhost 23.0.0.1 8000 echo fnord
     
        host b:
          ifconfig eth0 10.0.0.2
          route add 23.0.0.1 gw 10.0.0.1
          telnet 23.0.0.1 8000

It seems, however, not to work with services bound to 127.0.0.1, you might need to write the tests using raw sockets.

10

The fact that this behaviour can be changed through routing was described by Matthew G. Marsh in the bugtraq thread:

     eth0 = 1.1.1.1/24
     eth1 = 2.2.2.2/24
     
     ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000
     ip rule add from 2.2.2.2/32 dev lo table 2 prio 16000
     
     ip route add default dev eth0 table 1
     ip route add default dev eth1 table 2

11

There are some patches available for this behaviour as described in bugtraq's thread at http://www.linuxvirtualserver.org/~julian/#hidden and http://www.fefe.de/linux-eth-forwarding.diff.

12

An attacker might have many problems pulling the access through after configuring the IP-address binding if he is not on the same broadcast domain (same network) as the attacked host. If the attack goes through a router it might be quite difficult for the answers to return somewhere.

13

To retrieve the list of mailer daemons available in Debian try:

     $ apt-cache search mail-transport-agent

The list will not include qmail, which is distributed only as source code in the qmail-src package.

14

A list of servers/daemons which support these protocols in Debian can be retrieved with:

     $ apt-cache search pop3-server
     $ apt-cache search imap-server

15

unless you use the instdir option when calling dpkg but then the chroot jail might be a little more complex

16

You only probably need it if using NFS (Network File System), NIS (Network Information System) or some other RPC-based service.

17

Unlike personal firewalls in other operating systems, Debian GNU/Linux does not (yet) provide firewall generation interfaces that can make rules limiting them per process or user. However, the iptables code can be configured to do this (see the owner module in the iptables(8) manpage)

18

Some operating systems have already been plagued with automatic-updates problems such as the Mac OS X Software Update vulnerabity.

FIXME: probably the Internet Explorer vulnerability handling certificate chains has an impact on security updates on Microsoft Windows.

19

Some of them are provided when installing the harden-remoteaudit package.

20

For more examples of how to configure gnupg check /usr/share/doc/mutt/examples/gpg.rc.

21

You may also want to use the --quiet (-q) option to reduce the output of apt-get, which will stop the generation of any output if no packages are installed.

22

Note that some packages might not use debconf and updates will stall due to packages asking for user input during configuration.

23

This is a common issue since many users want to maintain a stable system while updating some packages to unstable to gain the latest functionality. This need arises due to some projects evolving faster than the time between Debian's stable releases.

24

There are over 28 capabilities including: CAP_BSET, CAP_CHOWN, CAP_FOWNER, CAP_FSETID, CAP_FS_MASK, CAP_FULL_SET, CAP_INIT_EFF_SET, CAP_INIT_INH_SET, CAP_IPC_LOCK, CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SETGID, CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_RESOURCE, CAP_SYS_TIME, and CAP_SYS_TTY_CONFIG. All of them can be activated or de-activated to harden your kernel.

25

You don't need to install lcap to do this, but it's easier than setting /proc/sys/kernel/cap-bound by hand.

26

If you are adventurous, you can login to the system and save information on all running processes (you'll get a lot from /proc/nnn/). It is possible to get the whole executable code from memory, even if the attacker has deleted the executable files from disk. Then pull the power cord.

27

In fact, this is the tool used to build the CDROMs for the Gibraltar project (a firewall on a live CDROM based on the Debian distribution).

28

For example, based on the Securityfocus data, it might seem that Windows NT is more secure than Linux, which is a questionable assertion. After all, Linux distributions usually provide many more applications compared to Microsoft's Windows NT.

29

Without diminishing the fact that some distributions, such as RedHat or Mandrake, are also taking into account security in their standard installations by having the user select security profiles, or using wizards to help with configuration of personal firewalls.

30

Note that this is 'security by obscurity', and will probably not be worth the effort in the long term.

31

Notice that there are no SETUID files. This makes it more difficult for remote users to escape the chroot environment. However, it also prevents users from changing their passwords, since the passwd program cannot modify the files /etc/passwd or /etc/shadow.


Securing Debian Manual

2.6 10 October 2002Wed, 18 Sep 2002 14:09:35 +0200
Javier Fern�ndez-Sanguino Pe�a [email protected]