Securing Debian Manual

Abstract

This document describes security in the Debian project. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation. It also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security team.

Copyright Notice

Copyright © 2002, 2003 Javier Fernández-Sanguino Peña

Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña

Copyright © 2000 Alexander Reelsen

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation. It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.

Contents

• 1 Introduction
• 1.1 Download the manual
• 1.2 Organizational Notes/Feedback
• 1.3 Prior knowledge
• 1.4 Things that need to be written (FIXME/TODO)
• 1.5 Changelog/History
• 1.6 Credits and Thanks!
• 2 Before you begin
• 2.1 What do you want this system for?
• 2.2 Be aware of general security problems
• 2.3 How does Debian handle security?
• 3 Before and during the installation
• 3.1 Choose a BIOS password
• 3.2 Partitioning the system
• 3.3 Do not plug to the Internet until ready
• 3.4 Set a root password
• 3.5 Activate shadow passwords and MD5 passwords
• 3.6 Run the minimum number of services required
• 3.7 Install the minimum amount of software required
• 3.8 Read the debian security mailing lists
• 4 After Installation
• 4.1 Change the BIOS (again)
• 4.2 Set a LILO or GRUB password
• 4.3 Remove root prompt on the kernel
• 4.4 Disallow floppy booting
• 4.5 Restricting console login access
• 4.6 Restricting system reboots through the console
• 4.7 Mounting partitions the right way
• 4.8 Execute a security update
• 4.9 Subscribe to the Debian Security Announce mailing List
• 4.10 Providing secure user access
• 4.11 Using tcpwrappers
• 4.12 The importance of logs and alerts
• 4.13 Adding kernel patches
• 4.14 Protecting against buffer overflows
• 4.15 Secure file transfers
• 4.16 File System limits and control
• 4.17 Securing network access
• 4.18 Taking a snapshot of the system
• 4.19 Other recommendations
• 5 Securing services running on your system
• 5.1 Securing ssh
• 5.2 Securing Squid
• 5.3 Securing FTP
• 5.4 Securing access to the X Window System
• 5.5 Securing printing access (The lpd and lprng issue)
• 5.6 Securing the mail service
• 5.7 Securing BIND
• 5.8 Securing Apache
• 5.9 Securing finger
• 5.10 General chroot and suid paranoia
• 5.11 General cleartext password paranoia
• 5.12 Disabling NIS
• 5.13 Disabling RPC services
• 5.14 Adding firewall capabilities
• 6 Automatic hardening of Debian systems
• 6.1 Harden
• 6.2 Bastille Linux
• 7 Debian Security Infrastructure
• 7.1 The Debian Security Team
• 7.2 Debian Security Advisories
• 7.3 Debian Security Build Infrastructure
• 7.4 Package signing in Debian
• 8 Security tools in Debian
• 8.1 Remote vulnerability assesment tools
• 8.2 Network scanner tools
• 8.3 Internal audits
• 8.4 Auditing source code
• 8.5 Virtual Private Networks
• 8.6 Public Key Infrastructure (PKI)
• 8.7 SSL Infrastructure
• 8.8 Anti-virus tools
• 8.9 GPG agent
• 9 Before the compromise
• 9.1 Continuously update the system
• 9.2 Set up Intrusion Detection
• 9.3 Avoiding root-kits
• 9.4 Genius/Paranoia Ideas — what you could do
• 10 After the compromise
• 10.1 General behavior
• 10.2 Backing up the system
• 10.3 Forensic analysis
• 11 Frequently asked Questions (FAQ)
• 11.1 Security in the Debian operating system
• 11.2 My system is vulnerable! (Are you sure?)
• 11.3 Questions regarding the Debian security team
• A The hardening process step by step
• B Configuration checklist
• C Setting up a stand-alone IDS
• D Setting up a bridge firewall
• D.1 A bridge providing NAT and firewall capabilities
• D.2 A bridge providing firewall capabilities
• D.3 Basic IPtables rules
• E Sample script to change the default Bind installation.
• F Security update protected by a firewall
• G Chroot environment for SSH
• G.1 Automatically making the environment (the easy way)
• G.2 Patching SSH to enable chroot functionality
• G.3 Handmade environment (the hard way)
• H Chroot environment for Apache
• H.1 Introduction
• H.2 Installing the server
• H.3 See also

Securing Debian Manual