Securing Debian HOWTO

Abstract

This document describes the process of securing and hardening the default Debian installation. It covers some of the common taks to setup a secure network environment using Debian GNU/Linux.

Copyright Notice

Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña Copyright © 2000 Alexander Reelsen however it is distributed under the terms of the GNU free documentation license. This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.

Contents

• 1 Introduction
  • 1.1 Download the HOWTO
  • 1.2 Organizational Notes/Feedback
  • 1.3 Prior knowledge
  • 1.4 Things that need to be written (TODO)
  • 1.5 Changelog
  • 1.6 Credits
• 2 Before you begin
  • 2.1 What do you want this system for?
  • 2.2 Be aware of general security problems
  • 2.3 How does Debian handle security?
• 3 Before and during the installation
  • 3.1 Choose a BIOS password
  • 3.2 Choose an intelligent partition scheme
  • 3.3 Set a root password
  • 3.4 Activate shadow passwords and MD5 passwords
  • 3.5 Run the minimum number of services required
  • 3.6 Read the debian security mailing lists
• 4 After Installation
  • 4.1 Set a LILO or GRUB password
  • 4.2 Disallow floppy booting
  • 4.3 Mounting partitions the right way
  • 4.4 Execute a security update
  • 4.5 PAM — Pluggable Authentication Modules
  • 4.6 The limits.conf file
  • 4.7 Customize /etc/inetd.conf
  • 4.8 Edit /etc/login.defs
  • 4.9 Editing /etc/ftpusers
  • 4.10 Using tcpwrappers
  • 4.11 The importance of logs and alerts
  • 4.12 Setting up setuid check
  • 4.13 Using su
  • 4.14 Using sudo
  • 4.15 Using chroot
  • 4.16 Configuring some kernel features
  • 4.17 Do not use software depending on svgalib
  • 4.18 Secure file transfers
  • 4.19 Using quotas
  • 4.20 chattr/lsattr
  • 4.21 Checking filesystem integrity
• 5 Securing services running on your system
  • 5.1 Securing ssh
  • 5.2 Securing FTP
  • 5.3 Securing access to the X Window System
  • 5.4 The lpd and lprng issue
  • 5.5 Securing the mail daemon
  • 5.6 Receiving mail securely
  • 5.7 Securing BIND
  • 5.8 Securing Apache
  • 5.9 General chroot and suid paranoia
  • 5.10 General cleartext password paranoia
  • 5.11 Disabling NIS
  • 5.12 Disabling RPC services
  • 5.13 Automatic hardening of Debian systems
• 6 Before the compromise
  • 6.1 Set up Intrusion Detection.
  • 6.2 Useful kernel patches
  • 6.3 Avoiding rootkits
  • 6.4 Genius/Paranoia Ideas — what you could do
• 7 After the compromise
  • 7.1 General behavior
• 8 Frequently asked Questions
  • 8.1 Is Debian more secure than X?
  • 8.2 Is there are hardening program for Debian?
  • 8.3 How can I make service XYZ more secure?
  • 8.4 My system is vulnerable!
  • 8.5 I have suffered a break-in what do I do?
  • 8.6 Program X in Debian is vulnerable, what do I do?
  • 8.7 The version number for a package indicates that I am still running a vulnerable version!
  • 8.8 Questions regarding users and groups
  • 8.9 Are all system users necessary?
  • 8.10 Question regarding open ports
  • 8.11 I have lost my password and cannot access the system!!
  • 8.12 Questions regarding the Debian security team
• A The hardening process step by step
• B Configuration checklist