Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")
On Sun, 2002-05-19 at 22:32, Nicole Zimmerman wrote:
I did something similar in building firewalls.
> What I did was:
> 1. Install potato out of the "box" (we have a local mirror)
I did the same, except that I used woody. After doing a base install,
you could use apt's dependency-fixing capability to install only the
end-item packages you wish (e.g. from a base install, apt-get install
> 2. Thin potato out (remove unnecessary packages, compilers, etc)
> 3. Make a custom 2.4 kernel with NO loadable modules (because we know the
> hardware, we can do this) and with iptables
I build a custom kernel as well.
> 4. Install back-compiled packages for SSH, postgres, anything else (system
> requirements, plus SSH2 security advantages)
> 5. Switch partitions over to ext3 (if I ship the box and the box goes down
> and fails an fsck, we either give them root or send a tech, expensive
> either way)
> 6. Configure some of the packages to be "more" secure (e.g.
> exim configuration)
> 7. Configure an iptables firewall to further restrict access to
> illegitimate ports (anything but 80 and our 3 proprietary ports)
> (8: Install our software, test, etc)
The other thing I do is to maintain a package list for the machines I build.
For instance, I have a selection of package lists for workstations, laptops,
mail servers, firewalls and the like. In essence, I do a
dpkg --get-selections > packagelist
This gives me the option of doing a base install, then doing
dpkg --set-selections < packagelist
in lieu of FAI. Putting the packagelist, drive partitioning information,
and copies of tweaked datafiles onto a CD (like the woody minicd), would
allow you to replicate machines relatively quickly.
Bradley M. Alexander | storm [at] debian.org
Debian Developer, Security Engineer | storm [at] tux.org
Debian/GNU Linux Developer | Visit the 99th VFS website at:
MCO, 99th VFS 'Tuskegee Airmen' | server2048.virtualave.net/onyx23
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
You don't shoot to kill; You shoot to stay alive.
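Bradley's dpkg --get-selections / --set-selections replication, together with Nicole's "thin out" step, as an added shell example that is not from the thread: the helper names (thin_selections, selections_diff) and the two sample package lists are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names and the two package lists
# below are constructed for illustration.
# Real workflow on the reference box:   dpkg --get-selections > packagelist
# On a fresh base install:              dpkg --set-selections < packagelist
#                                       apt-get dselect-upgrade
# (--set-selections only records intent; dselect-upgrade carries it out.)

WORK=$(mktemp -d)
SAVED="$WORK/packagelist"      # list captured on the reference machine
LIVE="$WORK/packagelist.live"  # list taken later from a shipped machine

# Constructed "reference" selections, in dpkg --get-selections format.
printf 'base-files\tinstall\ngcc\tinstall\nmake\tinstall\nlibc6\tinstall\n' > "$SAVED"
printf 'openssh-server\tinstall\nexim\tinstall\nsudo\tdeinstall\n' >> "$SAVED"

# Constructed "live" selections: compilers gone, sudo and telnetd appeared.
printf 'base-files\tinstall\nlibc6\tinstall\nopenssh-server\tinstall\n' > "$LIVE"
printf 'exim\tinstall\nsudo\tinstall\ntelnetd\tinstall\n' >> "$LIVE"

# Thin a saved list (step 2 of the recipe: no compilers on a shipped box) by
# marking the named packages "deinstall", so dselect-upgrade removes them.
# Usage: thin_selections packagelist gcc make > packagelist.thin
thin_selections() {
    file=$1; shift
    awk -v drop="$*" '
        BEGIN { n = split(drop, a, " "); for (i = 1; i <= n; i++) d[a[i]] = 1 }
        ($1 in d) && $2 == "install" { print $1 "\tdeinstall"; next }
        { print }' "$file"
}

# Report every package whose state differs between a saved list and a live
# one; "(absent)" marks packages present on only one side.  Anything that
# shows up here on a shipped box was not part of the build.
selections_diff() {
    awk 'NR == FNR { saved[$1] = $2; next }
         { seen[$1] = 1 }
         !($1 in saved) { print $1 ": (absent) -> " $2; next }
         saved[$1] != $2 { print $1 ": " saved[$1] " -> " $2 }
         END { for (p in saved) if (!(p in seen)) print p ": " saved[p] " -> (absent)" }' "$1" "$2"
}

echo "--- thinned selections ---"
thin_selections "$SAVED" gcc make
echo "--- drift on the shipped box ---"
selections_diff "$SAVED" "$LIVE"
```

Feeding the thinned list to dpkg --set-selections and then running apt-get dselect-upgrade on a fresh base install reproduces the reference machine minus the dropped packages.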