
Re: Securing a Debian 3.0 r0 system, and a few other quick questions . . .



<quote who="Doug MacFarlane">

> 1.  I've diligently been adhering to (I believe) apt/debconf practice,
> and have resisted editing .conf files by hand, and using dpkg-reconfigure
> instead.

dpkg-reconfigure is nice, but at least for most packages that I use it doesn't
come anywhere near adequate. I still have to edit conf files extensively.

> At any rate, I need to make some changes to the basic IP config on my
> workstation - the questions that were asked at startup (hostname, IP
> address, etc.).

Edit the individual files /etc/network/interfaces, /etc/hostname, etc.
If you change the hostname you will have to manually update those services
which depend upon the hostname, such as mail services and web services,
etc. Some may not, but many times they do.


> 2a.  Where can I find a "Securing your Debian System HowTo"?

I haven't seen one that is really good. My Debian systems are locked
down tight in general. I suppose I could write a quick document and
post it, although much of my practices violate policy by changing
locations of files and changing the way things run. I am still writing
my LDAP howto and my MRTG howto; maybe a Securing Debian HOWTO should
be next...

> 2b.  What is the current thinking on securing port-level access to a
> host?
> Wietse Venema's tcpwrapper was king in my day; is it still de rigueur?

I use a combination of ipchains and xinetd (for those services which
need xinetd). I don't rely upon tcp_wrappers anymore (by tcp_wrappers
I am specifically referring to hosts.allow and hosts.deny).

> Or do people use iptables or ipchains or ipmasquerading to secure a host
> (NOT a LAN - it's not a firewall (yet))?

I use multiple firewalls and NAT. My company for example is laid out like
this on the outside:

(internet)->[Router/firewall/static NAT]->IDS/firewall->Firewall/NAT to
internal network.

I block services and stuff that I would never want on the external
network, such as rpc services, on the router, then block more on the other
hosts depending on what they are running. The IDS is a bridged system,
so there's no way for anyone to connect to it from the outside. All
outgoing traffic from the internal LAN is NAT'd once at a Linux NAT
device and NAT'd again at the router. The IP of the originating traffic
is not routable; if you were to traceroute to it, the traceroute would
end up in an infinite loop bouncing back between the serial interface
of my router and the serial interface of my upstream provider's router.

> 2c.  I signed up for the security alert mailing list at lists.debian.org.
> How does one check to see if the alerts affect one's machine, and if the
> update mentioned is applicable?  What is the apt magic?

apt-get update ; apt-get upgrade. If you don't have the package
installed you don't need the update, so don't worry.

> 2d.  Are there still generally accepted replacements to standard daemons
> that are considered more secure?  In my day, we ran wu-ftpd instead of
> ftpd, and xinetd instead of inetd, and so on . . . . I'm running ssh
> instead of telnetd - no sweat there . . . but what about the rest of the
> basics?

For systems that really need ftp I try to use Ncftpd (free for
non-commercial use up to 5 concurrent connections), because I have never,
ever seen any security problems reported with it. That's not to say that
it has none though. proftpd would probably be my next choice, but that
too has had some security problems, like wuftpd. The default ftpd (OpenBSD
port) is possibly about the same security, but it too for a LONG time
in Debian potato suffered from a severe DOS vulnerability. I believe
it is fixed now though. Postfix or exim or qmail for email; qmail has
the best record I think for security. I am not sure if postfix or
exim have ever had problems. djbdns (sp?) has the best record for
nameserver security, written by the qmail author. I still prefer
BIND on my systems though (running as non-root uid/gid and chrooted).
rpc services - disable them all if you want security, or at LEAST firewall
them all. I could go into more, but there really is a lot to take
into account. I recommend ditching inetd in favor of xinetd, and
bind as many services as you can in xinetd to the loopback interface.
I also have postfix bind to the loopback interface, and have it
smarthost (relayhost) to a mail hub for sending mail. Most of my
servers do not need to receive mail, but I still like them to be
able to send mail out for various reasons. As for SSH, on my
secure systems I disable password authentication and restrict
to key authentication only. Also, syslog servers are important
as well. Store the logs on a different host, and back them
up often. Or if you're really paranoid, send the logs straight to
a printer.

Securing Debian is not a real easy task, unfortunately. It is getting
better, by not listening for X connections on TCP by default, and
probably a few more things.

In my opinion, the best tools for securing any unix system are:
lsof, nmap, and a good understanding of what you want to have
running on that system so you can track down and disable the rest.

good luck

nate
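The settings nate recommends above (ssh restricted to key authentication, xinetd services bound to the loopback interface, postfix listening only on loopback and relaying through a mail hub) can be checked mechanically. The script below is an added example, not code from the original thread or from Debian. It reads config files under a scratch directory it fills with constructed samples (the service names, the weak sshd_config and the hostname mailhub.example.invalid are all assumed sample values); on a real host you would point ROOT at /etc and drop the sample generation.

```shell
#!/bin/sh
# Added example, not from the original thread: audit (and for sshd, fix)
# a few of the hardening settings discussed above, reading config files
# under $ROOT. $ROOT defaults to a scratch directory filled with
# constructed samples so the script runs offline.

ROOT="${ROOT:-$(mktemp -d)}"

# Constructed sample configs: a weak sshd_config, one xinetd service bound
# to loopback and one not, and a postfix listening on all interfaces.
make_samples() {
    mkdir -p "$ROOT/ssh" "$ROOT/xinetd.d" "$ROOT/postfix"
    cat > "$ROOT/ssh/sshd_config" <<'EOF'
Port 22
Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
EOF
    cat > "$ROOT/xinetd.d/finger" <<'EOF'
service finger
{
        socket_type     = stream
        wait            = no
        user            = nobody
        server          = /usr/sbin/in.fingerd
}
EOF
    cat > "$ROOT/xinetd.d/cvspserver" <<'EOF'
service cvspserver
{
        socket_type     = stream
        wait            = no
        bind            = 127.0.0.1
        server          = /usr/bin/cvs
}
EOF
    cat > "$ROOT/postfix/main.cf" <<'EOF'
myhostname = host.example.invalid
inet_interfaces = all
relayhost = mailhub.example.invalid
EOF
}

# Effective value of an sshd_config keyword: sshd uses the first occurrence.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Value of a postfix main.cf "key = value" line; the last occurrence wins.
postfix_value() {
    awk -F'=' -v key="$2" '$1 ~ "^[ \t]*"key"[ \t]*$" { v = $2 }
        END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1"
}

# Returns 0 only if password logins are off. sshd's compiled-in default
# is yes, so a missing keyword counts as enabled.
check_sshd() {
    pw=$(sshd_value "$ROOT/ssh/sshd_config" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL sshd: PasswordAuthentication is '${pw:-yes}'; set it to no, keep PubkeyAuthentication yes"
        return 1
    fi
    echo "OK   sshd: password authentication disabled, keys only"
}

# Rewrite sshd_config so PasswordAuthentication is no: replace the first
# occurrence, or append the line if the keyword is absent. Keeps a .orig copy.
harden_sshd() {
    f="$ROOT/ssh/sshd_config"
    cp "$f" "$f.orig"
    awk 'tolower($1) == "passwordauthentication" && !done { print "PasswordAuthentication no"; done = 1; next }
         { print }
         END { if (!done) print "PasswordAuthentication no" }' "$f.orig" > "$f"
}

# Names of xinetd services with no "bind/interface = 127.0.0.1", one per line.
xinetd_unbound() {
    for f in "$ROOT"/xinetd.d/*; do
        grep -Eq '^[[:space:]]*(bind|interface)[[:space:]]*=[[:space:]]*127\.0\.0\.1' "$f" \
            || basename "$f"
    done
}

# Returns 0 only if postfix listens on loopback alone and has a relayhost.
check_postfix() {
    ifaces=$(postfix_value "$ROOT/postfix/main.cf" inet_interfaces)
    relay=$(postfix_value "$ROOT/postfix/main.cf" relayhost)
    rc=0
    case "$ifaces" in
        localhost|127.0.0.1|loopback-only) echo "OK   postfix: inet_interfaces = $ifaces" ;;
        *) echo "FAIL postfix: inet_interfaces = '$ifaces'; use localhost on a host that only sends mail"; rc=1 ;;
    esac
    [ -n "$relay" ] && echo "OK   postfix: relayhost = $relay" || { echo "FAIL postfix: no relayhost set"; rc=1; }
    return $rc
}

# Report-only pass over everything; always returns 0 so it can be chained.
run_audit() {
    check_sshd
    for s in $(xinetd_unbound); do
        echo "WARN xinetd: $s is not bound to 127.0.0.1 (add 'bind = 127.0.0.1' if only local clients need it)"
    done
    check_postfix
    return 0
}

make_samples
run_audit
```

Run it as-is to see the three findings on the constructed samples; harden_sshd then flips the sshd result to OK, which is the one change the script applies itself (the xinetd and postfix edits are left to the administrator because the right interface depends on which clients need the service).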



