Securing Debian Manual
Javier Fernández-Sanguino Peña
Version 2.6, 10 October 2002 (build: Wed, 18 Sep 2002 14:09:35 +0200)

Abstract

This document describes the process of securing and hardening the default Debian installation. It covers some of the common tasks needed to set up a secure network environment using Debian GNU/Linux. It also gives additional information on the security tools available, as well as on the work done by the Debian security team.

Copyright Notice

Copyright © 2002 Javier Fernández-Sanguino Peña
Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña
Copyright © 2000 Alexander Reelsen

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 (http://www.fsf.org/copyleft/fdl.html) or any later version published by the Free Software Foundation. It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.

Contents

1 Introduction ........................................................ 1
  1.1 Download the manual ............................................. 1
  1.2 Organizational Notes/Feedback ................................... 2
  1.3 Prior knowledge ................................................. 2
  1.4 Things that need to be written (FIXME/TODO) ..................... 2
  1.5 Changelog/History ............................................... 5
    1.5.1 Version 2.6 (September 2002) ............................... 5
    1.5.2 Version 2.5 (September 2002) ............................... 5
    1.5.3 Version 2.5 (August 2002) .................................. 5
    1.5.4 Version 2.4 ................................................ 9
    1.5.5 Version 2.3 ................................................ 9
    1.5.6 Version 2.3 ................................................ 9
    1.5.7 Version 2.2 ................................................ 10
    1.5.8 Version 2.1 ................................................ 10
    1.5.9 Version 2.0 ................................................ 10
    1.5.10 Version 1.99 .............................................. 12
    1.5.11 Version 1.98 .............................................. 12
    1.5.12 Version 1.97 .............................................. 12
    1.5.13 Version 1.96 .............................................. 12
    1.5.14 Version 1.95 .............................................. 13
    1.5.15 Version 1.94 .............................................. 13
    1.5.16 Version 1.93 .............................................. 13
    1.5.17 Version 1.92 .............................................. 13
    1.5.18 Version 1.91 .............................................. 13
    1.5.19 Version 1.9 ............................................... 14
    1.5.20 Version 1.8 ............................................... 14
    1.5.21 Version 1.7 ............................................... 14
    1.5.22 Version 1.6 ............................................... 15
    1.5.23 Version 1.5 ............................................... 15
    1.5.24 Version 1.4 ............................................... 15
    1.5.25 Version 1.3 ............................................... 16
    1.5.26 Version 1.2 ............................................... 16
    1.5.27 Version 1.1 ............................................... 16
    1.5.28 Version 1.0 ............................................... 16
  1.6 Credits and Thanks! ............................................. 16

2 Before you begin .................................................... 19
  2.1 What do you want this system for? ............................... 19
  2.2 Be aware of general security problems ........................... 19
  2.3 How does Debian handle security? ................................ 21

3 Before and during the installation ................................. 23
  3.1 Choose a BIOS password .......................................... 23
  3.2 Partitioning the system ......................................... 23
    3.2.1 Choose an intelligent partition scheme ..................... 23
  3.3 Do not connect to the Internet until ready ...................... 25
  3.4 Set a root password ............................................. 25
  3.5 Activate shadow passwords and MD5 passwords ..................... 25
  3.6 Run the minimum number of services required ..................... 26
    3.6.1 Disabling daemon services .................................. 27
    3.6.2 Disabling inetd services ................................... 28
  3.7 Install the minimum amount of software required ................. 28
    3.7.1 Removing Perl .............................................. 29
  3.8 Read the Debian security mailing lists .......................... 31

4 After Installation .................................................. 33
  4.1 Change the BIOS (again) ......................................... 33
  4.2 Set a LILO or GRUB password ..................................... 33
  4.3 Remove root prompt on the kernel ................................ 34
  4.4 Disallow floppy booting ......................................... 35
  4.5 Restricting console login access ................................ 36
  4.6 Restricting system reboots through the console .................. 36
  4.7 Mounting partitions the right way ............................... 36
    4.7.1 Setting /tmp noexec ........................................ 37
    4.7.2 Setting /usr read-only ..................................... 38
  4.8 Execute a security update ....................................... 38
  4.9 Subscribe to the Debian Security Announce mailing list .......... 39
  4.10 Providing secure user access ................................... 39
    4.10.1 User authentication: PAM .................................. 39
    4.10.2 Limiting resource usage: the limits.conf file ............. 42
    4.10.3 User login actions: edit /etc/login.defs .................. 42
    4.10.4 Restricting ftp: editing /etc/ftpusers .................... 44
    4.10.5 Using su .................................................. 44
    4.10.6 Using sudo ................................................ 44
    4.10.7 Disallow remote administrative access ..................... 44
    4.10.8 Restricting users' access ................................. 44
    4.10.9 Hand-made user auditing ................................... 45
    4.10.10 Complete user audit ...................................... 46
    4.10.11 Reviewing user profiles .................................. 46
    4.10.12 Setting users' umasks .................................... 46
    4.10.13 Limiting what users can see/access ....................... 47
    4.10.14 Generating user passwords ................................ 48
    4.10.15 Checking user passwords .................................. 48
    4.10.16 Logging off idle users ................................... 49
  4.11 Using tcpwrappers .............................................. 49
  4.12 The importance of logs and alerts .............................. 50
    4.12.1 Using and customising logcheck ............................ 51
    4.12.2 Configuring where alerts are sent ......................... 52
    4.12.3 Using a loghost ........................................... 52
    4.12.4 Log file permissions ...................................... 53
  4.13 Using chroot ................................................... 54
  4.14 Adding kernel patches .......................................... 54
  4.15 Protecting against buffer overflows ............................ 55
  4.16 Secure file transfers .......................................... 56
  4.17 File system limits and control ................................. 56
    4.17.1 Using quotas .............................................. 56
    4.17.2 chattr/lsattr ............................................. 57
    4.17.3 Checking file system integrity ............................ 58
    4.17.4 Setting up setuid check ................................... 59
  4.18 Securing network access ........................................ 59
    4.18.1 Configuring kernel network features ....................... 59
    4.18.2 Securing the network at boot time ......................... 60
    4.18.3 Configuring firewall features ............................. 62
    4.18.4 Disabling weak-end host issues ............................ 62
    4.18.5 Protecting against ARP attacks ............................ 63
  4.19 Taking a snapshot of the system ................................ 64
  4.20 Other recommendations .......................................... 65
    4.20.1 Do not use software depending on svgalib .................. 65

5 Securing services running on your system ........................... 67
  5.1 Securing ssh .................................................... 68
    5.1.1 Chrooting ssh .............................................. 69
    5.1.2 Ssh clients ................................................ 70
    5.1.3 Disallowing file transfers ................................. 70
  5.2 Securing Squid .................................................. 70
  5.3 Securing FTP .................................................... 71
  5.4 Securing access to the X Window System .......................... 71
    5.4.1 Check your display manager ................................. 73
  5.5 Securing printing access (the lpd and lprng issue) .............. 73
  5.6 Securing the mail service ....................................... 74
    5.6.1 Configuring a nullmailer ................................... 74
    5.6.2 Providing secure access to mailboxes ....................... 76
    5.6.3 Receiving mail securely .................................... 76
  5.7 Securing BIND ................................................... 77
    5.7.1 Changing BIND's user ....................................... 79
    5.7.2 Chrooting the name server .................................. 81
  5.8 Securing Apache ................................................. 83
    5.8.1 Disabling users from publishing web contents ............... 83
    5.8.2 Logfile permissions ........................................ 84
    5.8.3 Published web files ........................................ 84
  5.9 Securing finger ................................................. 84
  5.10 General chroot and suid paranoia ............................... 85
    5.10.1 Automating chrooting of programs .......................... 85
  5.11 General cleartext password paranoia ............................ 85
  5.12 Disabling NIS .................................................. 86
  5.13 Disabling RPC services ......................................... 86
  5.14 Adding firewall capabilities ................................... 87
    5.14.1 Firewalling the local system .............................. 87
    5.14.2 Using a firewall to protect other systems ................. 88
    5.14.3 Configuring the firewall .................................. 88

6 Automatic