After doing a standard installation a system might still have security vulnerabilities, if so, there might be updates available from Debian for the release. However, if you cannot download the packages for the upgrade on another system (or mirror security.debian.org yourself for local use) you need to connect to the Internet to do a security update.
However, when connecting yourself to the Internet you are exposing yourself.
If one of your local services is vulnerable you might be compromised even
before the update is finished! You might find this paranoid but, in fact,
analysis from the
Project show than systems can be compromised in less than three days
even if the system is not known publicly (i.e. not published in dns records).
When doing an update on a system not protected by an external system (a firewall) you can, however, properly configure your local firewall to only allow the security update itself. See the example below to see how the local firewall capabilities to provide a restricted setup in which only connections to security.debian.org are allowed whileas the rest are logged.
FIXME: add IP address for security.debian.org (since otherwise you need DNS up to work) on /etc/hosts.
FIXME: test this setup to see if it works properly
FIXME: this will only work with http urls since ftp might need the ip_conntrack_ftp module, or use passive mode.
# iptables -F # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination # iptables -P INPUT DROP # iptables -P FORWARD DROP # iptables -P OUTPUT DROP # iptables -A OUTPUT -d security.debian.org -p 80 -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A INPUT -p icmp -j ACCEPT # iptables -A INPUT -j LOG # iptables -A OUTPUT -j LOG # iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 LOG all -- anywhere anywhere LOG level warning Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT 80 -- anywhere security.debian.org LOG all -- anywhere anywhere LOG level warning
Securing Debian Manual2.5 (beta) 29 augusti 2002Sat, 17 Aug 2002 12:23:36 +0200