Re: Securing a Debian 3.0 r0 system, and a few other quick questions . . .
"Doug MacFarlane" <madmac@covad.net> writes:
> 1. I've diligently been adhering to (I believe) apt/debconf practice, and
> have resisted editing .conf files by hand, and using
> dpkg-reconfigure instead. It works great - I can't complain - it
> does seem a little too easy though - no ego boost from being a Unix
> guy and being able to get it right the hard way . . .
(If you want to change the configuration files by hand, you should be
able to without a problem. Things that are aggressively managed by
debconf usually have big flaming warnings at the top of the file.)
> At any rate, I need to make some changes to the basic IP config on
> my workstation - the questions that were asked at startup (hostname,
> IP address, etc.). What's the package name? net? network?
I'd just edit /etc/hostname for the hostname and
/etc/network/interfaces for the network configuration (including the
default IP address).
> 2b. What is the current thinking on securing port-level access to a host?
> Wietse Venema's tcpwrapper was king in my day, is it still de
> rigueur? Or do people use iptables or ipchains or ipmasquerading to
> secure a host (NOT a LAN - it's not a firewall (yet) )?
Most people seem to go for ipchains/iptables firewalls for this sort
of thing these days. My personal philosophy is to just know what
services are running on my machine, and deinstall anything I don't use.
> 2c. I signed up for the security alert mailing list at lists.debian.org.
> How does one check to see if the alerts affect one's machine, and if
> the update mentioned is applicable? What is the apt magic?
You generally want to check that you have security sources in your
/etc/apt/sources.list file, but then a normal APT update and upgrade
should get you the latest security fixes.
deb http://security.debian.org stable/updates main contrib non-free
> 2d. Are there still generally accepted replacements to standard daemons
> that are considered more secure? In my day, we ran wu-ftpd instead
> of ftpd, and xinetd instead of inetd, and so on . . . . I'm running
> ssh instead of telnetd - no sweat there . . . but what about the
> rest of the basics?
In general, the security problems get fixed or the packages get
removed. I wouldn't particularly recommend one version of a daemon
over another because it's more secure; if there is a problem with a
package, security updates generally come out pretty quickly.
--
David Maze dmaze@debian.org http://people.debian.org/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal."
-- Abra Mitchell
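
The sources.list check described in the reply to 2c, as an added example that is not part of the original message: a shell function that reports whether a sources file has an active (not commented-out) security.debian.org entry. The function name `has_security_source` and the sample file are constructed for illustration, and the handling of a bracketed options field goes beyond the Debian 3.0 format shown above.

```shell
#!/bin/sh
# Added example (not from the original message): list the active
# security.debian.org entries in an APT sources file.
# Returns 0 if at least one is found, 1 if none, 2 if the file is unreadable.
has_security_source() {
    [ -r "$1" ] || return 2
    # Drop comments and leading blanks so a commented-out entry does not count.
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" |
    awk '
        $1 == "deb" {
            i = 2
            # Skip an optional [option=value ...] field used by newer APT.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            # Compare the URI host exactly, not as a substring.
            split($i, part, "/")
            if (part[3] == "security.debian.org") { print; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample: one ordinary mirror, one commented-out security line,
# and the active security line from the message above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://ftp.debian.org/debian stable main
# deb http://security.debian.org stable/updates main
  deb http://security.debian.org stable/updates main contrib non-free
EOF

if has_security_source "$sample"; then
    echo "security source active"
else
    echo "no active security source in $sample"
fi
```

On a real system, pass /etc/apt/sources.list as the argument instead of the sample file.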