Securing Debian Manual

โœ Scribed by Javier Fernรกndez-Sanguino Peรฑa


Publisher
Javier Fernández-Sanguino Peña
Year
2012
Tongue
English
Leaves
174
Edition
3.17
Category
Library


Table of Contents


Introduction
Authors
Where to get the manual (and available formats)
Organizational notes/feedback
Prior knowledge
Things that need to be written (FIXME/TODO)
Changelog/History
Version 3.17 (January 2015)
Version 3.16 (January 2013)
Version 3.15 (December 2010)
Version 3.14 (March 2009)
Version 3.13 (February 2008)
Version 3.12 (August 2007)
Version 3.11 (January 2007)
Version 3.10 (November 2006)
Version 3.9 (October 2006)
Version 3.8 (July 2006)
Version 3.7 (April 2006)
Version 3.6 (March 2006)
Version 3.5 (November 2005)
Version 3.4 (August-September 2005)
Version 3.3 (June 2005)
Version 3.2 (March 2005)
Version 3.1 (January 2005)
Version 3.0 (December 2004)
Version 2.99 (March 2004)
Version 2.98 (December 2003)
Version 2.97 (September 2003)
Version 2.96 (August 2003)
Version 2.95 (June 2003)
Version 2.94 (April 2003)
Version 2.93 (March 2003)
Version 2.92 (February 2003)
Version 2.91 (January/February 2003)
Version 2.9 (December 2002)
Version 2.8 (November 2002)
Version 2.7 (October 2002)
Version 2.6 (September 2002)
Version 2.5 (September 2002)
Version 2.5 (August 2002)
Version 2.4
Version 2.3
Version 2.3
Version 2.2
Version 2.1
Version 2.0
Version 1.99
Version 1.98
Version 1.97
Version 1.96
Version 1.95
Version 1.94
Version 1.93
Version 1.92
Version 1.91
Version 1.9
Version 1.8
Version 1.7
Version 1.6
Version 1.5
Version 1.4
Version 1.3
Version 1.2
Version 1.1
Version 1.0
Credits and thanks!
Before you begin
What do you want this system for?
Be aware of general security problems
How does Debian handle security?
Before and during the installation
Choose a BIOS password
Partitioning the system
Choose an intelligent partition scheme
Do not plug to the Internet until ready
Set a root password
Run the minimum number of services required
Disabling daemon services
Disabling inetd or its services
Install the minimum amount of software required
Removing Perl
Read the Debian security mailing lists
After installation
Subscribe to the Debian Security Announce mailing list
Execute a security update
Security update of libraries
Security update of the kernel
Change the BIOS (again)
Set a LILO or GRUB password
Disable root prompt on the initramfs
Remove root prompt on the kernel
Restricting console login access
Restricting system reboots through the console
Restricting the use of the Magic SysRq key
Mounting partitions the right way
Setting /tmp noexec
Setting /usr read-only
Providing secure user access
User authentication: PAM
Limiting resource usage: the limits.conf file
User login actions: edit /etc/login.defs
User login actions: edit /etc/pam.d/login
Restricting ftp: editing /etc/ftpusers
Using su
Using sudo
Disallow remote administrative access
Restricting users' access
User auditing
Reviewing user profiles
Setting users umasks
Limiting what users can see/access
Generating user passwords
Checking user passwords
Logging off idle users
Using tcpwrappers
The importance of logs and alerts
Using and customizing logcheck
Configuring where alerts are sent
Using a loghost
Log file permissions
Adding kernel patches
Protecting against buffer overflows
Kernel patch protection for buffer overflows
Testing programs for overflows
Secure file transfers
File system limits and control
Using quotas
The ext2 filesystem specific attributes (chattr/lsattr)
Checking file system integrity
Setting up setuid check
Securing network access
Configuring kernel network features
Configuring syncookies
Securing the network on boot-time
Configuring firewall features
Disabling weak-end hosts issues
Protecting against ARP attacks
Taking a snapshot of the system
Other recommendations
Do not use software depending on svgalib
Securing services running on your system
Securing ssh
Chrooting ssh
Ssh clients
Disallowing file transfers
Restricting access to file transfer only
Securing Squid
Securing FTP
Securing access to the X Window System
Check your display manager
Securing printing access (the lpd and lprng issue)
Securing the mail service
Configuring a Nullmailer
Providing secure access to mailboxes
Receiving mail securely
Securing BIND
Bind configuration to avoid misuse
Changing BIND's user
Chrooting the name server
Securing Apache
Disabling users from publishing web contents
Logfiles permissions
Published web files
Securing finger
General chroot and suid paranoia
Making chrooted environments automatically
General cleartext password paranoia
Disabling NIS
Securing RPC services
Disabling RPC services completely
Limiting access to RPC services
Adding firewall capabilities
Firewalling the local system
Using a firewall to protect other systems
Setting up a firewall
Automatic hardening of Debian systems
Harden
Bastille Linux
Debian Security Infrastructure
The Debian Security Team
Debian Security Advisories
Vulnerability cross references
CVE compatibility
Security Tracker
Debian Security Build Infrastructure
Developer's guide to security updates
Package signing in Debian
The current scheme for package signature checks
Secure apt
Per distribution release check
Release check of non Debian sources
Alternative per-package signing scheme
Security tools in Debian
Remote vulnerability assessment tools
Network scanner tools
Internal audits
Auditing source code
Virtual Private Networks
Point to Point tunneling
Public Key Infrastructure (PKI)
SSL Infrastructure
Antivirus tools
GPG agent
Developer's Best Practices for OS Security
Best practices for security review and design
Creating users and groups for software daemons
Before the compromise
Keep your system secure
Tracking security vulnerabilities
Continuously update the system
Avoid using the unstable branch
Security support for the testing branch
Automatic updates in a Debian GNU/Linux system
Do periodic integrity checks
Set up Intrusion Detection
Network based intrusion detection
Host based intrusion detection
Avoiding root-kits
Loadable Kernel Modules (LKM)
Detecting root-kits
Genius/Paranoia Ideas — what you could do
Building a honeypot
After the compromise (incident response)
General behavior
Backing up the system
Contact your local CERT
Forensic analysis
Analysis of malware
Frequently asked Questions (FAQ)
Security in the Debian operating system
Is Debian more secure than X?
There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?
Does Debian have any certification related to security?
Are there any hardening programs for Debian?
I want to run XYZ service, which one should I choose?
How can I make service XYZ more secure in Debian?
How can I remove all the banners for services?
Are all Debian packages safe?
Why are some log files/configuration files world-readable, isn't this insecure?
Why does /root/ (or UserX) have 755 permissions?
After installing a grsec/firewall, I started receiving many console messages! How do I remove them?
Operating system users and groups
Why is there a new group when I add a new user? (or Why does Debian give each user one group?)
Questions regarding services and open ports
Common security issues
How do I accomplish setting up a service for my users without giving out shell accounts?
My system is vulnerable! (Are you sure?)
Vulnerability assessment scanner X says my Debian system is vulnerable!
I've seen an attack in my system's logs. Is my system compromised?
I have found strange 'MARK' lines in my logs: Am I compromised?
I found users using 'su' in my logs: Am I compromised?
I have found 'possible SYN flooding' in my logs: Am I under attack?
I have found strange root sessions in my logs: Am I compromised?
I have suffered a break-in, what do I do?
How can I trace an attack?
Program X in Debian is vulnerable, what do I do?
The version number for a package indicates that I am still running a vulnerable version!
Specific software
Questions regarding the Debian security team
The hardening process step by step
Configuration checklist
Setting up a stand-alone IDS
Setting up a bridge firewall
A bridge providing NAT and firewall capabilities
A bridge providing firewall capabilities
Basic IPtables rules
Sample script to change the default Bind installation.
Security update protected by a firewall
Chroot environment for SSH
Chrooting the ssh users
Using libpam-chroot
Patching the ssh server
Chrooting the ssh server
Setup a minimal system (the really easy way)
Automatically making the environment (the easy way)
Manually creating the environment (the hard way)
Chroot environment for Apache
Introduction
Licensing
Installing the server
See also