
Re: Securing a Debian 3.0 r0 system, and a few other quick questions . . .



"Doug MacFarlane" <madmac@covad.net> writes:
> 1.  I've diligently been adhering to (I believe) apt/debconf practice, and
> have resisted editing .conf files by hand, and using
> dpkg-reconfigure instead.  It works great - I can't complain - it
> does seem a little too easy though - no ego boost from being a Unix
> guy and being able to get it right the hard way . . .

(If you want to change the configuration files by hand, you should be
able to without a problem.  Things that are aggressively managed by
debconf usually have big flaming warnings at the top of the file.)

> At any rate, I need to make some changes to the basic IP config on
> my workstation - the questions that were asked at startup (hostname,
> IP address, etc.).  What's the package name?  net?  network?

I'd just edit /etc/hostname for the hostname and
/etc/network/interfaces for the network configuration (including the
default IP address).

> 2b.  What is the current thinking on securing port-level access to a host?
> Wietse Venema's tcpwrapper was king in my day, is it still de
> rigueur? Or do people use iptables or ipchains or ipmasquerading to
> secure a host (NOT a LAN - it's not a firewall (yet) )?

Most people seem to go for ipchains/iptables firewalls for this sort
of thing these days.  My personal philosophy is to just know what
services are running on my machine, and deinstall anything I don't use.

> 2c.  I signed up for the security alert mailing list at lists.debian.org.
> How does one check to see if the alerts affect one's machine, and if
> the update mentioned is applicable?  What is the apt magic?

You generally want to check that you have security sources in your
/etc/apt/sources.list file, but then a normal APT update and upgrade
should get you the latest security fixes.

deb http://security.debian.org stable/updates main contrib non-free

> 2d.  Are there still generally accepted replacements to standard daemons
> that are considered more secure?  In my day, we ran wu-ftpd instead
> of ftpd, and xinetd instead of inetd, and so on . . . . I'm running
> ssh instead of telnetd - no sweat there . . . but what about the
> rest of the basics?

In general, the security problems get fixed or the packages get
removed.  I wouldn't particularly recommend one version of a daemon
over another because it's more secure; if there is a problem with a
package, security updates generally come out pretty quickly.

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
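
Added example, not part of the original message: a small check for the point made in the answer to 2c, that an active security.debian.org entry must be present in sources.list before a normal update and upgrade will pull security fixes. The function names and the sample file are assumptions made for illustration, and the handling of a bracketed options field goes beyond the single line shown in the message.

```shell
#!/bin/sh
# Print every active "deb" entry whose URI host is security.debian.org.
# Commented-out lines and deb-src lines are ignored: the former are
# disabled, the latter only supply source packages.
security_sources() {
    awk '
        { sub(/#.*/, "") }                  # strip comments, whole-line or trailing
        $1 != "deb" { next }                # skip blanks, deb-src, anything else
        {
            uri = $2
            if (uri ~ /^\[/) {              # optional [ options ] field before the URI
                i = 2
                while (i < NF && $i !~ /\]$/) i++
                uri = $(i + 1)
            }
            # Anchor the host so look-alike names do not match.
            if (uri ~ /^[a-z]+:\/\/security\.debian\.org(\/|$)/) print
        }
    ' "$1"
}

# Succeeds (exit 0) only if at least one active security source exists.
has_security_source() {
    [ -n "$(security_sources "$1")" ]
}

# Constructed sample: the security line is present but commented out,
# a common way to end up silently missing security updates.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://ftp.debian.org/debian stable main
#deb http://security.debian.org stable/updates main contrib non-free
deb-src http://security.debian.org stable/updates main
EOF

if has_security_source "$sample"; then
    echo "security source configured:"
    security_sources "$sample"
else
    echo "no active security.debian.org entry in $sample"
fi
rm -f "$sample"
```

On a real system, call has_security_source /etc/apt/sources.list before relying on an update and upgrade to deliver security fixes.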


