
Re: Introductory security texts - ssh, tcpd, tripwire?

David Welton <davidw@gate.cks.com> writes:

> Hi, I'm looking for a basic document describing how to take some basic
> (but important) steps towards securing your computer.  Something that
> describes to the new user how to use things like tcpd, ssh, tripwire,
> and other things to keep their system secure.  Something that is not
> comprehensive, but that would take the person through some of the more
> important things that can make the system reasonably secure, at least
> from attackers who are not determined.

As it happens, I wrote a very basic set of instructions for my
coworkers.  This only describes the steps necessary to connect to the
internet safely, nothing fancy.  Hope it helps.  Please tell me of any
errors and security holes.

Oliver Schoett      <schoett@muc.de>



Why are you running a Linux system? Because it is better than the commercial
stuff, of course. One way in which it is better is that it has strong,
documented and configurable network security, so let's indulge in this

The way to attack a computer without accessing it physically is to exploit
the network services it offers. On a Linux system, network services are
provided by processes running as "daemons" in the background, such as

   * inetd,
   * rpc.portmap,
   * rpc.mountd,
   * rpc.nfsd,
   * innd,
   * nntpd,

to name the most common ones. You should check your system (with ps ax) to
see whether any of these programs have been started at system startup.

In the common case that you do not want to offer any network services to the
outside world, the safest and easiest way to be secure is to kill all the
network daemons and make sure they are not started at system startup
(comment out the lines starting them in the system startup scripts). If you
do that, you can skip the rest of this section.

If you need network services (for example, if you need to connect to your
own machine for local mail delivery or local news reading), you can run the
network server inetd in a configuration where you have connection attempts
logged and blocked or accepted selectively. To do this, I use the "TCP
wrapper" program tcpd, which is part of the netbase package of Debian
GNU/Linux. This package is controlled by three files described in the
following sections.

/etc/inetd.conf

This file contains the service definitions for inetd. They should be either
commented out (with a # in front) or "wrapped" by tcpd, that is, each
service definition should not name the corresponding server program

   ... /some/directory/program program arg arg ...

but via tcpd, that is,

   ... /usr/sbin/tcpd /some/directory/program arg arg ...

Note that the second occurrence of "program" in the original line is

The "wrapper" program tcpd ensures that a connection attempt is allowed
before it starts the service specified in its argument list. It can also log
the connection attempts, start shell scripts, etc.
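As an added example (not part of the original post), a small POSIX shell script that applies the wrapping rule above to inetd.conf text: it lists enabled services whose server program is not started through /usr/sbin/tcpd, and rewrites such lines into the wrapped form shown, dropping the repeated program name. The sample inetd.conf lines are constructed, and the function names are my own.

```shell
# Constructed sample of /etc/inetd.conf lines (not from a real system):
# service  socket  proto  flags   user    server_path           args
SAMPLE_INETD_CONF='# ftp is disabled: commented out
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        /usr/sbin/in.ftpd
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd        /usr/sbin/in.telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd -w
pop-3    stream  tcp  nowait  root    /usr/sbin/tcpd        /usr/sbin/in.pop3d
daytime  stream  tcp  nowait  root    internal'

# Print the name of every enabled service whose server program (field 6)
# is started directly instead of through /usr/sbin/tcpd. Reads stdin.
# "internal" services are served by inetd itself and cannot be wrapped,
# so they are skipped here; comment them out if they are not needed.
unwrapped_services() {
    awk '
        /^[ \t]*#/ || NF == 0  { next }         # comments and blank lines
        $6 == "internal"       { next }         # built-in inetd services
        $6 != "/usr/sbin/tcpd" { print $1 }
    '
}

# Rewrite unwrapped service lines into the tcpd form used above:
#   ... /usr/sbin/tcpd /some/directory/program arg ...
# Field 7 (the program name repeated as argv[0]) is dropped, as in the
# wrapped line shown in the text; real arguments from field 8 on are kept.
wrap_with_tcpd() {
    awk '
        /^[ \t]*#/ || NF == 0 || $6 == "internal" || $6 == "/usr/sbin/tcpd" { print; next }
        {
            line = $1 " " $2 " " $3 " " $4 " " $5 " /usr/sbin/tcpd " $6
            for (i = 8; i <= NF; i++) line = line " " $i
            print line
        }
    '
}

# Usage: report the unwrapped services, then show the corrected file.
printf '%s\n' "$SAMPLE_INETD_CONF" | unwrapped_services
printf '%s\n' "$SAMPLE_INETD_CONF" | wrap_with_tcpd
```

On a real system, pipe /etc/inetd.conf through the functions instead of the sample and restart inetd after editing the file.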

/etc/hosts.deny

This file lists all service/client combinations that are not to be allowed
by tcpd. Mine reads (apart from comments):

   ALL: ALL: severity auth.warning

so that all connections are denied by default, and I get a warning for every
connection attempt that is denied.

/etc/hosts.allow

This file lists all service/client combinations that are to be allowed by
tcpd. It has priority over hosts.deny. Mine reads (apart from other

   # allow connections from localhost
   ALL: 127.0.0.

which allows all connections from my own machine. But of course, you can
leave it empty if you do not want to connect from your machine to itself.
