
Securing Debian Manual: Section 5.14.3.2 suggested additions



Hello, I sent this email to Javier some time ago. I'm not sure whether
it got lost, ignored, or filed somewhere for later consideration, so
I'm posting it here. So, sorry to Javier if I sound like a broken
record.


*** Start of message ***
Hi,

I've been working my way through this manual to increase the security
of my computer and I have a suggestion for the firewall script
presented in section 5.14.3.2.

As Debian has used dependency-based boot sequencing since
Squeeze[1], init.d scripts need an LSB header, and configuring the boot
sequence should be left up to insserv (not update-rc.d). Otherwise, it
may behave differently than the author of the section had intended.

My modified version begins like this:

 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          myfirewall
 # Required-Start:    $local_fs
 # Required-Stop:     $local_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # X-Start-Before:    $network
 # X-Stop-After:      $network
 # Short-Description: My custom firewall.
 ### END INIT INFO

which will start the script in S and stop it in 0 and 6, just like the
section recommends. It will also start it before the network goes up
and stop it after the network goes down.

To set up the boot script I just had to run: insserv myfirewall


Also, I believe there is an error in the script:

 # Remote management
 if [ -n "$NETWORK_MGMT" ] ; then
     /sbin/iptables -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
 else
     /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
 fi

If $NETWORK_MGMT and $SSH_PORT are not set (which they are not by
default in the script) the else path will be taken and iptables will
return an error because --dport is given no arguments.

I'm not certain of the author's intentions, but is the else branch
needed at all? If users who have not set up a management network want
to accept input to the ssh port, they can add it to $TCP_SERVICES.

Personally, I just removed that whole section because I don't want to
set up a management network.

I have been running the script with the above modifications for a few
days now without issue.
*** End of Message ***


If you want, I could make a patch file?

Thanks,

Dominic


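The following is an added example, written for this page; it is neither the manual's section 5.14.3.2 script nor Dominic's modified copy. It puts the two points of the message together in one runnable init script: the LSB header that lets insserv place it in runlevel S before $network and stop it in 0 and 6 after $network, and a remote-management block with no else branch, so that an unset $SSH_PORT can never produce an iptables call with an empty --dport. The IPTABLES override, the variable defaults, the sample networks and ports, and the choice to restore ACCEPT policies on stop are assumptions made for the example, not anything the manual specifies.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          myfirewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     S
# Default-Stop:      0 6
# X-Start-Before:    $network
# X-Stop-After:      $network
# Short-Description: My custom firewall.
### END INIT INFO

# Added example, not the manual's script.  IPTABLES can be overridden with a
# command that only prints (IPTABLES="echo iptables") so the generated rule
# set can be reviewed without root and without touching the live firewall.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Site configuration.  The variable names follow the manual; the defaults are
# assumptions and deliberately empty, so nothing is opened by accident.
NETWORK_MGMT="${NETWORK_MGMT:-}"   # e.g. 10.0.0.0/24; empty = no management net
SSH_PORT="${SSH_PORT:-}"           # e.g. 22; only used together with NETWORK_MGMT
TCP_SERVICES="${TCP_SERVICES:-}"   # e.g. "22 80 443"
UDP_SERVICES="${UDP_SERVICES:-}"   # e.g. "53"

# The remote-management rule is emitted only when BOTH variables are set.
# There is deliberately no else branch: with SSH_PORT empty, an else branch
# would run "iptables ... --dport  -j ACCEPT", which iptables rejects.
# Hosts without a management network list the ssh port in TCP_SERVICES.
mgmt_rule() {
    if [ -n "$NETWORK_MGMT" ] && [ -n "$SSH_PORT" ]; then
        $IPTABLES -A INPUT -p tcp --src "$NETWORK_MGMT" --dport "$SSH_PORT" -j ACCEPT
    fi
    return 0
}

# Default-deny inbound, allow loopback and established traffic, then the
# explicitly listed service ports.
fw_start() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    mgmt_rule
    for port in $TCP_SERVICES; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    for port in $UDP_SERVICES; do
        $IPTABLES -A INPUT -p udp --dport "$port" -j ACCEPT
    done
}

# Runs in runlevels 0 and 6 (shutdown/reboot): flush the rules and restore
# the kernel's default ACCEPT policies.  That behaviour is an assumption here.
fw_stop() {
    $IPTABLES -F
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
}

# Dispatch only when invoked with an action, so the file can also be sourced
# to inspect the functions above.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop; fw_start ;;
        *) echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
    esac
fi
```

To preview the rules a given configuration produces without root, run it as IPTABLES="echo iptables" sh /etc/init.d/myfirewall start; with NETWORK_MGMT and SSH_PORT both empty the output contains no management rule at all instead of a malformed one. Installing it into the boot sequence is then the single insserv myfirewall call from the message.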