Securing Debian HOWTO Javier Fernández-Sanguino Peña <[email protected]> v1.92 6 noviembre 2001Tue Oct 23 00:59:57 CEST 2001 Abstract This document describes the process of securing and hardening the default Debian installation. It covers some of the common taks to setup a secure network environment using Debian GNU/Linux. Copyright Notice Copyright c 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña Copyright c 2000 Alexander Reelsen however it is distributed under the terms of the GNU free documentation license. This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY. i Contents 1 Introduction 1 1.1 Download the HOWTO ................................... 1 1.2 Organizational Notes/Feedback ............................... 2 1.3 Prior knowledge ....................................... 2 1.4 Things that need to be written (TODO) ........................... 2 1.5 Changelog .......................................... 4 1.5.1 Version 1.92 .................................... 4 1.5.2 Version 1.91 .................................... 4 1.5.3 Version 1.9 ..................................... 4 1.5.4 Version 1.8 ..................................... 5 1.5.5 Version 1.7 ..................................... 5 1.5.6 Version 1.6 ..................................... 5 1.5.7 Version 1.5 ..................................... 6 1.5.8 Version 1.4 ..................................... 6 1.5.9 Version 1.3 ..................................... 6 1.5.10 Version 1.2 ..................................... 6 1.5.11 Version 1.1 ..................................... 6 1.5.12 Version 1.0 ..................................... 6 1.6 Credits ............................................ 7 2 Before you begin 9 2.1 What do you want this system for? ............................. 9 2.2 Be aware of general security problems ........................... 9 2.3 How does Debian handle security? ............................. 11 CONTENTS ii 3 Before and during the installation 13 3.1 Choose a BIOS password .................................. 13 3.2 Choose an intelligent partition scheme ........................... 13 3.3 Set a root password ..................................... 14 3.4 Activate shadow passwords and MD5 passwords ..................... 14 3.5 Run the minimum number of services required ...................... 14 3.6 Read the debian security mailing lists ........................... 14 4 After Installation 15 4.1 Set a LILO or GRUB password ............................... 15 4.2 Disallow floppy booting ................................... 16 4.3 Mounting partitions the right way ............................. 16 4.4 Execute a security update .................................. 17 4.5 PAM — Pluggable Authentication Modules ........................ 18 4.6 The limits.conf file ..................................... 20 4.7 Customize /etc/inetd.conf .................................. 20 4.8 Edit /etc/login.defs ..................................... 20 4.9 Editing /etc/ftpusers ..................................... 21 4.10 Using tcpwrappers ..................................... 21 4.11 The importance of logs and alerts .............................. 22 4.11.1 Configuring where alerts are sent ......................... 22 4.11.2 Using a loghost ................................... 22 4.11.3 Logfile permissions ................................. 23 4.12 Setting up setuid check ................................... 24 4.13 Using su ........................................... 24 4.14 Using sudo ......................................... 24 4.15 Using chroot ......................................... 24 4.16 Configuring some kernel features .............................. 25 4.17 Do not use software depending on svgalib ......................... 27 4.18 Secure file transfers ..................................... 27 4.19 Using quotas ........................................ 27 4.20 chattr/lsattr ......................................... 28 4.21 Checking filesystem integrity ................................ 29 CONTENTS iii 5 Securing services running on your system 31 5.1 Securing ssh ......................................... 31 5.2 Securing FTP ........................................ 32 5.3 Securing access to the X Window System ......................... 32 5.3.1 Check your display manager ............................ 32 5.4 The lpd and lprng issue ................................... 33 5.5 Securing the mail daemon ................................. 33 5.6 Receiving mail securely ................................... 34 5.7 Securing BIND ....................................... 34 5.8 Securing Apache ...................................... 37 5.9 General chroot and suid paranoia .............................. 37 5.10 General cleartext password paranoia ............................ 37 5.11 Disabling NIS ........................................ 37 5.12 Disabling RPC services ................................... 38 5.13 Automatic hardening of Debian systems .......................... 38 5.13.1 Harden ....................................... 38 5.13.2 Bastille Linux .................................... 39 6 Before the compromise 41 6.1 Set up Intrusion Detection. ................................. 41 6.1.1 Network based intrusion detection: Using snort .................. 41 6.1.2 Host based detection ................................ 41 6.2 Useful kernel patches .................................... 42 6.3 Avoiding rootkits ...................................... 43 6.3.1 LKM - Loadable Kernel Modules ......................... 43 6.3.2 Detecting rootkits .................................. 44 6.4 Genius/Paranoia Ideas — what you could do ........................ 44 6.4.1 Building a honeypot ................................ 45 7 After the compromise 47 7.1 General behavior ...................................... 47 CONTENTS iv 8 Frequently asked Questions 49 8.1 Is Debian more secure than X? ............................... 49 8.2 Is there are hardening program for Debian? ........................ 49 8.3 How can I make service XYZ more secure? ........................ 49 8.4 Questions regarding users and groups ........................... 50 8.5 Are all system users necessary? ............................... 50 8.5.1 What is the difference between the adm and the staff group? ........... 52 8.6 Question regarding open ports ............................... 52 8.6.1 Why do I have port 111 open? ........................... 52 8.6.2 I have checked I have the following port (XYZ) open, can I close it? ....... 53 8.7 I have lost my password and cannot access the system!! .................. 53 8.8 Questions regarding the Debian security team ....................... 54 8.8.1 The signature on Debian advisories does not verify correctly! .......... 54 8.8.2 How is security handled for testing and unstable? ............. 54 8.8.3 Why are there no official mirrors for security.debian.org? ............. 54 8.8.4 How can I reach the security team? ........................ 54 8.8.5 How can I help with security? ........................... 54 8.8.6 How are security incidents handled in Debian? .................. 54 8.8.7 How is the Security Team composed? ....................... 55 A The hardening process step by step 57 B Configuration checklist 61 1 Chapter 1 Introduction One of the hardest things about writing security documents is that every case is unique. Two things you have to pay attention to are the threat environment and the security needs of the individual site, host, or network. For instance, the security needs of a home user are completely different from a network in a bank. While the primary threat a home user needs to face is the script kiddie type of cracker, a bank network has to worry about directed attacks. Additionally, the bank has to protect their customer’s data with arithmetic precision. In short, every user has to consider the tradeoff between usability and security/paranoia. Note that this HOWTO only covers issues relating to software. The best software in the world can’t protect you if someone can physically access the machine. You can place it under your desk, or you can place it in a hardened bunker with an army in front of it. Nevertheless the desktop computer can be much more secure (from a software point of view) than a physically protected one if the desktop is configured properly and the software on the protected machine is full of security holes. Obviously, you must consider both issues. This document just gives an overview of what you can do to increase the security of your Debian GNU/Linux system. If you have read other documents regarding Linux security, you will find that there are common issues which might overlap with this document. However, this document does not try to be the ultimate source of information you will be using, it only tries to adapt this same information so that it is meaningful to a Debian GNU/Linux system. Different distributions do some things in different ways (startup of daemons is an usual example); here, you will find material which is appropriate for Debian’s procedures and tools. If you have comments, additions or suggestions, please mail them to Alexander Reelsen (mailto: [email protected]) and Javier Fernández-Sanguino (mailto:[email protected]) and they will be incorporated into this HOWTO. 1.1 Download the HOWTO You can download or view the newest version of the Securing Debian HOWTO from the Debian Docu- mentation Project (http://www.debian.org/doc/manuals/securing-debian-howto/). Chapter 1. Introduction 2 Feel