
Re: secure install

On Thu, Feb 15, 2001 at 03:34:07PM +0100, Raphael Bauduin wrote:
> Hi,
> I'm looking for a way to install a debian potato as securely as
> possible. I would follow this procedure in the future to install a lot
> of servers. The problem I have is that a lot of unwanted packages get
> installed by default (telnetd, exim, at, bc, fingerd, gpm, lpr, mtools,
> mutt, nfs-server, talkd, ....), and having to deinstall them manually
> each time is not very secure as one could forget a package anytime. It
> is also time consuming.

I am working on a web page to step through this, but in essence, I do a
base install, and after the reboot, I step through the install to the point
where I enter dselect, then choose 6 to exit.

One of the best features of dpkg is that you can do dpkg --get-selections
and dpkg --set-selections combined with an apt-get dselect-upgrade. I have
found that there are a finite number of base configurations (mailserver,
firewall, etc.). I am working on my perspective of a package list for several
of these installs.

In any case, I sneaker-net the package list over to the box being built,
then do

dpkg --set-selections < package-list
apt-get dselect-upgrade

The system builds with the custom tailored package list. You can then
select the few specific packages that are host-specific as needed. 

This has the effect of giving you a custom-tailored list of what gets
installed and also simplifies backups. If you are careful about division of
your partitions, you can simply tar up the non-standard or unique
partitions (e.g. /home, /usr/local, /opt, etc.) and redirect dpkg
--get-selections to a file, and you can regenerate a machine fairly quickly.

cfengine could also be an option in your situation too.

Bradley M. Alexander, CISSP              |   Co-Chairman,
Beowulf System Admin/Security Specialist |    NoVALUG/DCLUG Security SIG
Winstar Telecom                          |   balexander@winstar.com
(703) 889-1049                           |   storm@tux.org
If you don't know your rights, you don't have any.
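The get-selections / set-selections / dselect-upgrade procedure from the reply above, turned into a small script. This is an added example, not code from the original message or from Debian: the sample selections list, the BLOCKLIST of services, and the function names are constructed for illustration. The point it adds to the prose is the check step: before handing a selections file to dpkg, refuse to continue if any package you never want on the role is still marked "install", so a forgotten package aborts the build instead of being quietly installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a role-specific
# dpkg selections file from a reference host's `dpkg --get-selections`
# output, forces a blocklist of services to "deinstall", and refuses to
# continue if any blocklisted package would still be installed.
# The package names and sample selections below are constructed.

# Constructed sample of `dpkg --get-selections` output (tab separated).
SAMPLE_SELECTIONS='adduser	install
at	install
bc	install
exim	install
fingerd	install
lpr	deinstall
nfs-server	install
openssh	install
telnetd	install'

# Packages this role (say, a firewall) must never carry. Assumed list.
BLOCKLIST='telnetd fingerd talkd nfs-server at bc lpr'

# tailor_selections BLOCKLIST: read get-selections output on stdin and
# write it back with every blocklisted package marked "deinstall".
# Packages absent from the reference host stay absent, so nothing new is
# pulled in. ("purge" instead of "deinstall" would also drop config files.)
tailor_selections() {
    awk -v block="$1" '
        BEGIN { n = split(block, b, " "); for (i = 1; i <= n; i++) blocked[b[i]] = 1 }
        NF == 2 { if ($1 in blocked) $2 = "deinstall"; print $1 "\t" $2; next }
        { print }
    '
}

# check_selections BLOCKLIST: read a selections file on stdin, report any
# blocklisted package still marked "install" and exit 1 if one exists.
# Run this before set-selections so a forgotten package aborts the build.
check_selections() {
    awk -v block="$1" '
        BEGIN { n = split(block, b, " "); for (i = 1; i <= n; i++) blocked[b[i]] = 1 }
        ($1 in blocked) && $2 == "install" { print "still selected: " $1; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# apply_selections FILE: the step from the post, to be run on the box being
# built. Not executed in this demonstration; it needs a real Debian host.
apply_selections() {
    check_selections "$BLOCKLIST" < "$1" || return 1
    dpkg --set-selections < "$1" && apt-get dselect-upgrade
}

# Offline demonstration on the constructed sample.
tailored=$(printf '%s\n' "$SAMPLE_SELECTIONS" | tailor_selections "$BLOCKLIST")
printf '%s\n' "$tailored"
printf '%s\n' "$tailored" | check_selections "$BLOCKLIST" && echo "selections clean"
```

On a real build the flow is: `dpkg --get-selections > role.selections` on the reference box, pipe that file through tailor_selections and check_selections, carry the result to the new box, and call apply_selections on it there. dselect-upgrade acts on the marks set-selections recorded, so a "deinstall" entry is what actually removes telnetd or fingerd; an entry that is merely missing from the file leaves the package in whatever state it already had.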
