
Securing a Debian 3.0 r0 system, and a few other quick questions . . .



Team:

Well, I must say that I am very happy with my Debian 3.0 r0 systems - happy
enough that I need to get serious about making and keeping them useful and
secure!!

My true Unix sysadmin days ended about the time SunOS started shipping without
a C-compiler and with a SlowLaris label.  I've set up and used a bunch of
different Unix systems since then, but I think, at this point in time, Jamin and the rest of his
ilk would clearly label me, perhaps correctly, a "dilettante" (Note #1) until I prove otherwise
. . . 

So, here goes, in no particular order . . .

1.  I've diligently been adhering to (I believe) apt/debconf practice, and
have resisted editing .conf files by hand, using dpkg-reconfigure instead.
  It works great - I can't complain - it does seem a little too easy though
- no ego boost from being a Unix guy and being able to get it right the hard
way . . . 

At any rate, I need to make some changes to the basic IP config on my workstation
- the questions that were asked at startup (hostname, IP address, etc.).
 What's the package name?  net?  network?  

2.  I've noticed, in /var/log/daemon.log, what I think are attempted buffer
overflow attacks on rpc.statd, and a few logins to ftpd (I installed ftpd
'cuz I needed to move some files quick and dirty, and forgot to uninstall
it) from IPs that have no business logging in. . . . so:

2a.  Where can I find a "Securing your Debian System HowTo"?
2b.  What is the current thinking on securing port-level access to a host?
 Wietse Venema's tcpwrapper was king in my day, is it still de rigueur?
Or do people use iptables or ipchains or ipmasquerading to secure a host (NOT
a LAN - it's not a firewall (yet) )?
2c.  I signed up for the security alert mailing list at lists.debian.org.
 How does one check to see if the alerts affect one's machine, and if the
update mentioned is applicable?  What is the apt magic?
2d.  Are there still generally accepted replacements to standard daemons
that are considered more secure?  In my day, we ran wu-ftpd instead of ftpd,
and xinetd instead of inetd, and so on . . . . I'm running ssh instead of
telnetd - no sweat there . . . but what about the rest of the basics?

OK - that's enough for now - if I can grok the inevitably complex responses in less than a week,
I'll be happy!!!

TIA

madmac

Note #1.  From websters.com . . . .I believe variation 1 would be their application . . . 

dil·et·tante
n. pl. dil·et·tantes, also dil·et·tan·ti

   1. A dabbler in an art or a field of knowledge. See Synonyms at amateur.
   2. A lover of the fine arts; a connoisseur.



-- 
Doug MacFarlane
madmac@covad.net


