FIXME: write them, extract from mailing list
A system is as secure as its administrator is capable of making it.
originally oriented towards some Linux distributions (Red Hat and Mandrake)
currently works for Debian. Steps are being taken to integrate the changes
made to the upstream version, in any case the package in Debian is, of course,
Some people believe, however, that a hardening tool does not eliminate the need for good administration.
You will find information in this document to make some services (FTP, Bind) more secure in Debian GNU/Linux. For services not covered here, however, check the program's documentation, or general Linux information. Most of the security guidelines for Unix systems apply also to Debian so securing service X in Debian is, most of the time, like securing the service for any other Linux distribution (or Unix, for that matter).
Read this document and take the appropiate measures outlined here. If you need assistance you might use the firstname.lastname@example.org to ask for advice on how to recover/patch your system.
Take a moment, first, to see if the vulnerability has been announced in public
security mailing lists (like Bugtraq) or other forums, the Debian Security Team
keeps up to date with this lists, so they might already be aware of the
problem. Do not take any further actions if you see an announcement already at
If you do not see any of this, please send mail on the affected packages as well as a description of the vulnerability as detailed as possible (proof of concept code is also ok) to email@example.com which will get you in touch with the security team.
Instead of upgrading to a new release we backport security fixes to the version that was shipped in the stable release. The reason we do this is to make sure that a release changes as little as possible so things will not change or break unexpectedly as a result of a security fix. You can check if you are running a secure version of a package by looking at the package changelog, or comparing its exact (upstream version -slash- debian release) version number with the version indicated in the Debian Security Advisory.
Yes and no. Debian comes with some predefined users (id < 99 as described
Policy) for some services so that installing new services is easy
(they are already run by the appropriate user). If you do not intend to
install new services, you can safely remove those users who do not own any
files in your system and do not run any services.
You can easily find users not owning any files by executing the following command (be sure to run it as root, since a common user might not have enough permissions to go through some sensitive directories):
cut -f 1 -d : /etc/passwd | while read i; do find / -user "$i" | grep -q . && echo "$i"; done
These users are provided by
base-passwd. You will find in its
documentation more information on how these users are handled in Debian.
The list of default users (with a corresponding group) follows:
/var/mailare owned by group mail, as is explained in policy. The user and group is used for other purposes as well by various MTA's.
/var/lib/postgresqlare owned by this user to enforce proper security.
Other groups which have no associated user:
wvdial, etc. to dial up a connection. The users in this group cannot configure the modem, they can just run the programs that make use of it.
/usr/src. It can be used locally to give a user the ability to manage system source code.
/etc/shadowis readable by this group. Some programs that need to be able to access the file are set gid shadow.
/var/run/utmpand similar files. Programs that need to be able to write to it are sgid utmp.
/home) without needing root privileges. Compare with group "adm", which is more related to monitoring/security.
'adm' are administrators and is mostly useful to allow them to read logfiles
without having to
su. 'staff' is useful for more helpdesk/junior
sysadmins type of people and gives them the ability to do things in
/usr/local and create directories in
Port 111 is sunrpc's portmapper, it is installed by default in all base installations of a Debian system since there is no need to know when a user's program might need RPC to work out correctly. In any case, it is used mostly for NFS. If you do not need it, remove it as explained in Disabling RPC services, Section 5.12.
Of course you can, the ports you are leaving open should adhere to your site's policy regarding public services available to other systems. Check if they are open by inetd (see Customize /etc/inetd.conf, Section 4.7) or by other installed packages and take appropriate measures (configure inetd, remove the package, avoid it running on bootup...)
The steps you need to take in order to recover from this depends on whether or not you have applied the suggested procedure for limiting access to Lilo and BIOS.
If you have limited both. You need to disable the BIOS features (only boot from hard disk) before proceeding, if you also forgot your BIOS password, you will have to open your system and manually remove the BIOS battery.
If you have bootup of CD-ROM or diskette enable, you can:
/etc/shadowand change the line:
root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=any number)
If you are using LILO and have not restricted it. You can:
mount -o remount,rw /
passwd(since you are superuser it will not ask for the previous password).
This is most likely a problem on your end. The debian-security-announce list has a filter that only allows messages with a correct signature from one of the security team members to be posted.
Most likely some piece of mail software on your end slightly changes the message that breaks the signature. Make sure your software does not do any MIME encoding or decoding, or tab/space conversions.
Known culprits are fetchmail (with the mimedecode option enabled) and formail (from procmail 3.14 only).
The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.
A: The purpose of security.debian.org is to make security updates available as quickly and easily as possible. Mirrors would add extra complexity that is not needed and can cause frustration if they are not up to date.
A: Security information can be sent to firstname.lastname@example.org, which is read by all Debian developers. If you have sensitive information please use email@example.com which only the members of the security team read. If desired email can be encrypted with the Debian Security Contact key (key ID 363CCD95).
Please review each problem before reporting it to firstname.lastname@example.org. If you are able to provide patches, that would speed up the process. Do not simply forward bugtraq mails, since they are received already. Providing additional information, however, is always a good idea.
Once the Security Team receives a notification of an incident, one or more members review it and consider Debian/stable vulnerable or not. If our system is vulnerable, it is worked on a fix for the problem. The package maintainer is contacted as well, if he didn't contact the Security Team already. Finally the fix is tested and new packages are prepared, which then are compiled on all stable architectures and uploaded afterwards. After all this tasks are done a Debian Security Advisory (DSA) is sent to public mailing lists.
The Debian Security Team currently consists of five members and two secretaries. The Security Team itself appoints people to join the team.