Re: secure install
On Thu, Feb 15, 2001 at 03:34:07PM +0100, Raphael Bauduin wrote:
> I'm looking for a way to install a debian potato as securely as
> possible. I would follow this procedure in the future to install a lot
> of servers. The problem I have is that a lot of unwanted packages get
> installed by default (telnetd, exim, at, bc, fingerd, gpm, lpr, mtools,
> mutt, nfs-server, talkd, ....), and having to deinstall them manually
> each time is not very secure as one could forget a package anytime. It
> is also time consuming.
I am working on a web page to step through this, but in essence, I do a
base install, and after the reboot, I step through the install to the point
where I enter dselect, then choose 6 to exit.
One of the best features of dpkg is that you can do dpkg --get-selections
and dpkg --set-selections combined with an apt-get dselect-upgrade. I have
found that there are a finite number of base configurations, mailserver,
firewall, etc. I am working on my perspective of a package list for several
of these installs.
In any case, I sneaker-net the package list over to the box being built,
The system builds with the custom tailored package list. You can then
select the few specific packages that are host-specific as needed.
This has the effect of giving you a custom-tailored list of what gets
installed and also simplifies backups. If you are careful about division of
your partitions, you can simply tar up the non-standard or unique
partitions (e.g. /home, /usr/local, /opt, etc.) and dpkg --get-selections
and redirect a file and you can regenerate a machine fairly quickly.
cfengine could also be an option in your situation too.
Bradley M. Alexander, CISSP | Co-Chairman,
Beowulf System Admin/Security Specialist | NoVALUG/DCLUG Security SIG
Winstar Telecom | firstname.lastname@example.org
(703) 889-1049 | email@example.com
If you don't know your rights, you don't have any.