[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]

Securing Debian Manual

Abstract

This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team.

Copyright Notice

Copyright © 2002-2007 Javier Fernández-Sanguino Peña

Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña

Copyright © 2000 Alexander Reelsen

Some sections are copyright © their respective authors, for details please refer to Credits and thanks!, Section 1.7.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.

Permission is granted to make and distribute verbatim copies of this document provided the copyright notice and this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.

Permission is granted to copy and distribute translations of this document into another language, under the above conditions for modified versions, except that this permission notice may be included in translations approved by the Free Software Foundation instead of in the original English.

Contents

• 1 Introduction
  • 1.1 Authors
  • 1.2 Where to get the manual (and available formats)
  • 1.3 Organizational notes/feedback
  • 1.4 Prior knowledge
  • 1.5 Things that need to be written (FIXME/TODO)
  • 1.6 Changelog/History
  • 1.7 Credits and thanks!
• 2 Before you begin
  • 2.1 What do you want this system for?
  • 2.2 Be aware of general security problems
  • 2.3 How does Debian handle security?
• 3 Before and during the installation
  • 3.1 Choose a BIOS password
  • 3.2 Partitioning the system
  • 3.3 Do not plug to the Internet until ready
  • 3.4 Set a root password
  • 3.5 Activate shadow passwords and MD5 passwords
  • 3.6 Run the minimum number of services required
  • 3.7 Install the minimum amount of software required
  • 3.8 Read the Debian security mailing lists
• 4 After installation
  • 4.1 Subscribe to the Debian Security Announce mailing list
  • 4.2 Execute a security update
  • 4.3 Change the BIOS (again)
  • 4.4 Set a LILO or GRUB password
  • 4.5 Disable root prompt on the initramfs
  • 4.6 Remove root prompt on the kernel
  • 4.7 Restricting console login access
  • 4.8 Restricting system reboots through the console
  • 4.9 Mounting partitions the right way
  • 4.10 Providing secure user access
  • 4.11 Using tcpwrappers
  • 4.12 The importance of logs and alerts
  • 4.13 Adding kernel patches
  • 4.14 Protecting against buffer overflows
  • 4.15 Secure file transfers
  • 4.16 File system limits and control
  • 4.17 Securing network access
  • 4.18 Taking a snapshot of the system
  • 4.19 Other recommendations
• 5 Securing services running on your system
  • 5.1 Securing ssh
  • 5.2 Securing Squid
  • 5.3 Securing FTP
  • 5.4 Securing access to the X Window System
  • 5.5 Securing printing access (the lpd and lprng issue)
  • 5.6 Securing the mail service
  • 5.7 Securing BIND
  • 5.8 Securing Apache
  • 5.9 Securing finger
  • 5.10 General chroot and suid paranoia
  • 5.11 General cleartext password paranoia
  • 5.12 Disabling NIS
  • 5.13 Securing RPC services
  • 5.14 Adding firewall capabilities
• 6 Automatic hardening of Debian systems
  • 6.1 Harden
  • 6.2 Bastille Linux
• 7 Debian Security Infrastructure
  • 7.1 The Debian Security Team
  • 7.2 Debian Security Advisories
  • 7.3 Security Tracker
  • 7.4 Debian Security Build Infrastructure
  • 7.5 Package signing in Debian
• 8 Security tools in Debian
  • 8.1 Remote vulnerability assessment tools
  • 8.2 Network scanner tools
  • 8.3 Internal audits
  • 8.4 Auditing source code
  • 8.5 Virtual Private Networks
  • 8.6 Public Key Infrastructure (PKI)
  • 8.7 SSL Infrastructure
  • 8.8 Antivirus tools
  • 8.9 GPG agent
• 9 Developer's Best Practices for OS Security
  • 9.1 Best practices for security review and design
  • 9.2 Creating users and groups for software daemons
• 10 Before the compromise
  • 10.1 Keep your system secure
  • 10.2 Do periodic integrity checks
  • 10.3 Set up Intrusion Detection
  • 10.4 Avoiding root-kits
  • 10.5 Genius/Paranoia Ideas — what you could do
• 11 After the compromise (incident response)
  • 11.1 General behavior
  • 11.2 Backing up the system
  • 11.3 Contact your local CERT
  • 11.4 Forensic analysis
• 12 Frequently asked Questions (FAQ)
  • 12.1 Security in the Debian operating system
  • 12.2 My system is vulnerable! (Are you sure?)
  • 12.3 Questions regarding the Debian security team
• A The hardening process step by step
• B Configuration checklist
• C Setting up a stand-alone IDS
• D Setting up a bridge firewall
  • D.1 A bridge providing NAT and firewall capabilities
  • D.2 A bridge providing firewall capabilities
  • D.3 Basic IPtables rules
• E Sample script to change the default Bind installation.
• F Security update protected by a firewall
• G Chroot environment for SSH
  • G.1 Chrooting the ssh users
  • G.2 Chrooting the ssh server
• H Chroot environment for Apache
  • H.1 Introduction
  • H.2 Installing the server
  • H.3 See also

[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]

Securing Debian Manual