priming the pump I
Date: Sun, 22 Feb 1998 06:59:13 -0600 (CST)
From: Henry Hollenberg <speed@barney.iamerica.net>
To: debian-devel@lists.debian.org
Subject: Building a bastion host using Debian.
Has anyone written up a howto for stripping down a Debian system for
service as a bastion host?
The system should be really bare bones: no gcc, limited ports,
no kernel module support, no perl, and around 10 running processes
or so. All this to make the system a real pain in the axx to use
once a hacker breaks in. This should give an administrator a little
more time to pick up the break-in before the internal network is
"invaded". I understand that Debian is very secure and I should be
using it throughout our network, but we have a lot of legacy systems
and systems tied to machines that cannot be changed...they need to
have strong security between them and the net.
I have been fiddling with this for a while and have developed a list of
packages that I think are needed. Would love some input at this point,
and yes, my prozac dosage is correct.
Thanks
Henry Hollenberg speed@barney.iamerica.net
###########################################################
Here's my package list:
The last set of packages below is still in limbo...still have questions
on them.
The first four sets are grouped by:
_req_: Debian's got to have it to run.
_nec-run_: Needed for a running bastion.
_nec-build_: Needed to build a bastion, but these packages will be
removed before connecting to the internet.
_cut_: packages which at first glance seem to be needed for
linux but would give a hacker too many tools to work with once
the bastion is broken into. Hopefully we can slow them down
long enough for an automatic run of "Tripwire" etc. to detect
the break-in.
p.s. See the very end of this message for my working plan for a Debian
linux firewall.
Package: libreadline2 _req_
Package: mbr _req_
Package: procps _req_
Package: ncurses-base _req_
Package: adduser _req_
Package: setserial _req_
Package: textutils _req_
Package: electric-fence _req_
Package: sed _req_
Package: passwd _req_
Package: base-passwd _req_
Package: util-linux _req_
Package: update _req_
Package: libc5 _req_
Package: makedev _req_
Package: ncurses-bin _req_
Package: ldso _req_
Package: timezone _req_
Package: kbd _req_
Package: base-files _req_
Package: shellutils _req_
Package: grep _req_
Package: mount _req_
Package: getty _req_
Package: sysvinit _req_
Package: hostname _req_
Package: login _req_
Package: fileutils _req_
Package: bash _req_
Package: sysklogd _req_
Package: qmail-src _nec-run_
Package: ncurses3.0 _nec-run_ less, util-linux
Package: nvi _nec-run_
Package: lilo _nec-run_
Package: cron _nec-run_
Package: less _nec-run_
Package: at _nec-run_
Package: libdb1 _nec-run_
Package: netbase _nec-run_
Package: perl _nec-build_
Package: modconf _nec-build_
Package: bsdmainutils _nec-build_
Package: patch _nec-build_
Package: libreadline2-dev _nec-build_
Package: bin86 _nec-build_
Package: make _nec-build_
Package: dpkg-ftp _nec-build_
Package: binutils _nec-build_
Package: cpp _nec-build_
Package: dpkg-dev _nec-build_
Package: libg++27 _nec-build_
Package: dnsutils _nec-build_
Package: libbfd2.7.0.9 _nec-build_
Package: gcc _nec-build_
Package: netstd _nec-build_
Package: libc5-dev _nec-build_
Package: gdb _nec-build_
Package: libg++27-dev _nec-build_
Package: rcs _cut_
Package: emacs _cut_
Package: gpm _cut_
Package: cpio _cut_
Package: flex _cut_
Package: tetex-extra _cut_
Package: lsof _cut_
Package: mh _cut_
Package: procmail _cut_
Package: ppp _cut_ needed if connecting via ppp
Package: file _cut_
Package: fdflush _cut_ (spend $30 on a Teac)
Package: tetex-base _cut_
Package: tcl74-dev _cut_
Package: tetex-bin _cut_
Package: ncurses3.0-dev _cut_
Package: mailx _cut_
Package: libelf0 _cut_
Package: mtools _cut_
Package: sharutils _cut_
Package: strace _cut_
Package: wg15-locale _cut_
Package: manpages _cut_
Package: doc-linux _cut_
Package: lpr _cut_
Package: doc-debian _cut_
Package: man-db _cut_
Package: debian-policy _cut_
Package: wenglish _cut_
Package: groff _cut_
Package: time _cut_
Package: info _cut_
Package: biff _cut_
Package: dialog _nec-build_ .vs. _nec-run_ modconf depends
Package: libgdbm1 _nec-build_ perl depends .vs. _nec-run_
Package: libdb1-dev _nec-build_ .vs. _nec-run_ apache
Package: inewsinn _cut_ .vs. Although I'm not completely sure how I will set up news at our site.
Package: smail _cut_ .vs. Replace with qmail?
Package: diff _req_ .vs. Is this really required? Or can I mark it _nec-build_ or _cut_?
Package: tar _nec-build_ .vs. Marked as req in distribution.
Package: gzip _nec-build_ .vs. Marked as req in distribution.
Package: syslinux _cut_ .vs. Marked as req in distribution.
Package: dpkg _nec-build_ .vs. Marked as req in distribution.
Package: findutils _nec-build_ .vs. Marked as req in distribution.
Package: e2fsprogs _req_ .vs. Is this really required? i.e. Is it needed to do fsck at boot?
Package: modutils _nec-build_ .vs. Marked as req in distribution.
Package: mawk _req_ .vs. Is this really required? What would it be used for on a bastion host?
Package: debianutils _req_ .vs. Is this really required? Is this used to set up a custom kernel?
Package: bsdutils _nec-run_ .vs. rm /usr/bin/script? rm /usr/bin/logger: will this break sysklogd?
Package: ncurses-term _nec-run_ .vs. _cut_
Package: m4 _nec-run_ .vs. _nec-build_ Do I really need a macro processor to run a bastion?
Package: ed _nec-run_ .vs. use red instead? Where is it?
Package: libgdbm1-dev _nec-build_ .vs. _nec-run_ for apache
Package: kernel-source-2.0.30 _nec-build_ .vs. Which kernel is stable and has needed security for bastion?
Firewall Architecture = screened subnet:
- inet
- outer router (Pipeline 50 running secure access software for flexible IP
filters)
- perimeter net with bastion host as above (I guess I'll need to subnet my
class C in half to make the IP filter rules work for the three networks.)
- inner router (another stripped down bastion host Debian linux machine)
- inner network - my hosts and internal mail hub/DNS.
Plan on allowing these services to start with: DNS, mail, news, outgoing
ftp and telnet and http. No incoming telnet or ftp for now.
I have made a few modifications to the filter rules in the book and will
type these up. (O'Reilly Firewall book.)
DNS: on bastion host as primary and internal host as secondary.
mail: incoming relayed through bastion host using qmail? relayed to internal
mail hub; outgoing goes directly through bastion host.
NNTP: hosts connect straight to my internet service provider's news server
via filters vs. running this through a bastion-based proxy...haven't decided.
FTP: PASV outgoing clients only...no need to proxy.
Telnet: outgoing only...filters only.
HTTP: Apache http server and cache server running on the bastion host.
That's it!!!
Thanks Henry Hollenberg speed@barney.iamerica.net
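A quick way to check a build against a plan like the one above, as an added example that is not part of this message: parse the list in the author's own "Package: name _category_" format, read `dpkg --get-selections` output, and report installed packages the plan says must be gone before the host goes online, plus any package the plan never classified. The sample plan and selections in the block are constructed; `live_selections()` is an assumed helper for reading the real list on a Debian host.

```python
import re
import subprocess

# Plan lines use the message's own format: "Package: <name> _<category>_ <optional note>".
PLAN_LINE = re.compile(r"^Package:\s+(\S+)\s+_([a-z-]+)_")
# Categories that may remain once the bastion is on the net; _nec-build_ and _cut_ must be gone.
ALLOWED_ONLINE = {"req", "nec-run"}

def parse_plan(text):
    """Return {package: category} from plan lines; lines in another format are skipped."""
    plan = {}
    for line in text.splitlines():
        m = PLAN_LINE.match(line.strip())
        if m:
            plan[m.group(1)] = m.group(2)
    return plan

def parse_selections(text):
    """Return the set of packages marked 'install' in `dpkg --get-selections` output."""
    installed = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == "install":
            installed.add(parts[0].split(":")[0])  # drop an architecture suffix such as :i386
    return installed

def audit(plan, installed):
    """Return (must_remove, unreviewed): installed packages banned online, and ones not in the plan."""
    must_remove = sorted(p for p in installed if p in plan and plan[p] not in ALLOWED_ONLINE)
    unreviewed = sorted(p for p in installed if p not in plan)
    return must_remove, unreviewed

def live_selections():
    """Assumed helper: read the real selection list from dpkg (only works on a Debian host)."""
    return subprocess.run(["dpkg", "--get-selections"],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample inputs, not output from the author's machine.
SAMPLE_PLAN = """\
Package: bash _req_
Package: cron _nec-run_
Package: gcc _nec-build_
Package: strace _cut_
"""
SAMPLE_SELECTIONS = "bash\t\tinstall\ncron\t\tinstall\ngcc\t\tinstall\nstrace\t\tdeinstall\nlsof\t\tinstall\n"
if __name__ == "__main__":
    remove, unreviewed = audit(parse_plan(SAMPLE_PLAN), parse_selections(SAMPLE_SELECTIONS))
    print("remove before connecting:", remove)   # ['gcc']
    print("not in plan, review:", unreviewed)     # ['lsof']
```

Replace `SAMPLE_SELECTIONS` with `live_selections()` and the plan text with the full list to run it on a real build.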