Securing Debian HOWTO

Total Page:16

File Type:pdf, Size:1020Kb

Securing Debian HOWTO
Javier Fernández-Sanguino Peña <[email protected]>
v1.92, 6 November 2001 (Tue Oct 23 00:59:57 CEST 2001)

Abstract

This document describes the process of securing and hardening the default Debian installation. It covers some of the common tasks to set up a secure network environment using Debian GNU/Linux.

Copyright Notice

Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña
Copyright © 2000 Alexander Reelsen

However, it is distributed under the terms of the GNU Free Documentation License. This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.

Contents

1 Introduction ... 1
  1.1 Download the HOWTO ... 1
  1.2 Organizational Notes/Feedback ... 2
  1.3 Prior knowledge ... 2
  1.4 Things that need to be written (TODO) ... 2
  1.5 Changelog ... 4
    1.5.1 Version 1.92 ... 4
    1.5.2 Version 1.91 ... 4
    1.5.3 Version 1.9 ... 4
    1.5.4 Version 1.8 ... 5
    1.5.5 Version 1.7 ... 5
    1.5.6 Version 1.6 ... 5
    1.5.7 Version 1.5 ... 6
    1.5.8 Version 1.4 ... 6
    1.5.9 Version 1.3 ... 6
    1.5.10 Version 1.2 ... 6
    1.5.11 Version 1.1 ... 6
    1.5.12 Version 1.0 ... 6
  1.6 Credits ... 7
2 Before you begin ... 9
  2.1 What do you want this system for? ... 9
  2.2 Be aware of general security problems ... 9
  2.3 How does Debian handle security? ... 11
3 Before and during the installation ... 13
  3.1 Choose a BIOS password ... 13
  3.2 Choose an intelligent partition scheme ... 13
  3.3 Set a root password ... 14
  3.4 Activate shadow passwords and MD5 passwords ... 14
  3.5 Run the minimum number of services required ... 14
  3.6 Read the debian security mailing lists ... 14
4 After Installation ... 15
  4.1 Set a LILO or GRUB password ... 15
  4.2 Disallow floppy booting ... 16
  4.3 Mounting partitions the right way ... 16
  4.4 Execute a security update ... 17
  4.5 PAM — Pluggable Authentication Modules ... 18
  4.6 The limits.conf file ... 20
  4.7 Customize /etc/inetd.conf ... 20
  4.8 Edit /etc/login.defs ... 20
  4.9 Editing /etc/ftpusers ... 21
  4.10 Using tcpwrappers ... 21
  4.11 The importance of logs and alerts ... 22
    4.11.1 Configuring where alerts are sent ... 22
    4.11.2 Using a loghost ... 22
    4.11.3 Logfile permissions ... 23
  4.12 Setting up setuid check ... 24
  4.13 Using su ... 24
  4.14 Using sudo ... 24
  4.15 Using chroot ... 24
  4.16 Configuring some kernel features ... 25
  4.17 Do not use software depending on svgalib ... 27
  4.18 Secure file transfers ... 27
  4.19 Using quotas ... 27
  4.20 chattr/lsattr ... 28
  4.21 Checking filesystem integrity ... 29
5 Securing services running on your system ... 31
  5.1 Securing ssh ... 31
  5.2 Securing FTP ... 32
  5.3 Securing access to the X Window System ... 32
    5.3.1 Check your display manager ... 32
  5.4 The lpd and lprng issue ... 33
  5.5 Securing the mail daemon ... 33
  5.6 Receiving mail securely ... 34
  5.7 Securing BIND ... 34
  5.8 Securing Apache ... 37
  5.9 General chroot and suid paranoia ... 37
  5.10 General cleartext password paranoia ... 37
  5.11 Disabling NIS ... 37
  5.12 Disabling RPC services ... 38
  5.13 Automatic hardening of Debian systems ... 38
    5.13.1 Harden ... 38
    5.13.2 Bastille Linux ... 39
6 Before the compromise ... 41
  6.1 Set up Intrusion Detection ... 41
    6.1.1 Network based intrusion detection: Using snort ... 41
    6.1.2 Host based detection ... 41
  6.2 Useful kernel patches ... 42
  6.3 Avoiding rootkits ... 43
    6.3.1 LKM - Loadable Kernel Modules ... 43
    6.3.2 Detecting rootkits ... 44
  6.4 Genius/Paranoia Ideas — what you could do ... 44
    6.4.1 Building a honeypot ... 45
7 After the compromise ... 47
  7.1 General behavior ... 47
8 Frequently asked Questions ... 49
  8.1 Is Debian more secure than X? ... 49
  8.2 Is there a hardening program for Debian? ... 49
  8.3 How can I make service XYZ more secure? ... 49
  8.4 Questions regarding users and groups ... 50
  8.5 Are all system users necessary? ... 50
    8.5.1 What is the difference between the adm and the staff group? ... 52
  8.6 Question regarding open ports ... 52
    8.6.1 Why do I have port 111 open? ... 52
    8.6.2 I have checked I have the following port (XYZ) open, can I close it? ... 53
  8.7 I have lost my password and cannot access the system!! ... 53
  8.8 Questions regarding the Debian security team ... 54
    8.8.1 The signature on Debian advisories does not verify correctly! ... 54
    8.8.2 How is security handled for testing and unstable? ... 54
    8.8.3 Why are there no official mirrors for security.debian.org? ... 54
    8.8.4 How can I reach the security team? ... 54
    8.8.5 How can I help with security? ... 54
    8.8.6 How are security incidents handled in Debian? ... 54
    8.8.7 How is the Security Team composed? ... 55
A The hardening process step by step ... 57
B Configuration checklist ... 61

Chapter 1

Introduction

One of the hardest things about writing security documents is that every case is unique. Two things you have to pay attention to are the threat environment and the security needs of the individual site, host, or network. For instance, the security needs of a home user are completely different from a network in a bank. While the primary threat a home user needs to face is the script kiddie type of cracker, a bank network has to worry about directed attacks. Additionally, the bank has to protect their customer's data with arithmetic precision. In short, every user has to consider the tradeoff between usability and security/paranoia.

Note that this HOWTO only covers issues relating to software. The best software in the world can't protect you if someone can physically access the machine. You can place it under your desk, or you can place it in a hardened bunker with an army in front of it. Nevertheless the desktop computer can be much more secure (from a software point of view) than a physically protected one if the desktop is configured properly and the software on the protected machine is full of security holes. Obviously, you must consider both issues.

This document just gives an overview of what you can do to increase the security of your Debian GNU/Linux system. If you have read other documents regarding Linux security, you will find that there are common issues which might overlap with this document. However, this document does not try to be the ultimate source of information you will be using; it only tries to adapt this same information so that it is meaningful to a Debian GNU/Linux system. Different distributions do some things in different ways (startup of daemons is a usual example); here, you will find material which is appropriate for Debian's procedures and tools.

If you have comments, additions or suggestions, please mail them to Alexander Reelsen (mailto:[email protected]) and Javier Fernández-Sanguino (mailto:[email protected]) and they will be incorporated into this HOWTO.

1.1 Download the HOWTO

You can download or view the newest version of the Securing Debian HOWTO from the Debian Documentation Project (http://www.debian.org/doc/manuals/securing-debian-howto/).

Feel