As soon as new security bugs are revealed in packages, debian maintainers and
upstream authors generally patch them within days or even hours. After the bug
is fixed, a new package is provided on
http://security.debian.org. Put the following line in your sources.list
and you will get security updates automatically, whenever you update your
system.
deb http://security.debian.org/debian-security stable/updates main contrib non-free
Most people, who don't live in a country which prohibits importing or using
strong cryptography, should add this line as well:
deb http://security.debian.org/debian-non-US stable/non-US main contrib non-free
If you want, you can add the deb-src lines to apt as well. See the apt
manpage for further details.
You should try to avoid any network service which sends and receives
passwords in cleartext over a net like FTP/Telnet/NIS/RPC. The author
recommends the use of ssh instead of telnet and ftp to everybody.
Also you should not use NIS, the Network Information Service, if it is
possible, because it allows password sharing. This can be highly insecure if
your setup is broken.
Last, but not least, disable RPC wherever possible. Many security holes for
this service are known and can be easily exploited. On the other hand NFS
services are quite important in some networks, so find a balance of security
and usability in a network. Most of the DDoS (distributed denial of service)
attacks use rpc exploits to get into the system and act as a so called
agent/handler.
Disabling portmap is quite simple. There are different methods. The simplest
one is to remove every symlink relating to portmap in /etc/rc${runlevel}.d/.
You could as well chmod 644 /etc/init.d/portmap, but that gives an
error message when booting. You can also strip off the "start-stop-daemon"
part in /etc/init.d/portmap shell script.
Keep in mind that migrating from telnet to ssh, but using other cleartext
protocols does not increase your security in ANY way! Best
would be to remove ftp, telnet, pop, imap, http and to supersede them
with their respective crypted services.
Most of these above listed hints apply to every Unix system.
Some kernel patches exist, which significantly enhance system security. Here
are a few of them:
OpenWall patch by Solar Designer
This is a useful set of kernel restrictions, like restricted links,
FIFOs in /tmp, restricted /proc, special file descriptor handling,
non-executable user stack area and some more.
Homepage:
http://www.openwall.com/linux/
LIDS - Linux intrusion detection system by Huagang Xie & Philippe Biondi
This patch makes the process of creating a hardened Linux system easier. You
can restrict every process, give it rights to write or read files, or
remove, by default, the ability to read files. Furthermore you can also set
capabilities for certain processes. Even though it is still in the beta phase,
it is almost a must for the paranoid system administrator.
Homepage:
http://www.lids.org
POSIX Access Control Lists (ACLs) for Linux
This patch adds access control lists, an advanced method for restricting
access to files, to the linux kernel.
Homepage:
http://acl.bestbits.at/
Linux trustees
This patch adds a decent advanced permissions system to your Linux kernel. All
the objects are stored in the kernel memory, which allows fast lookup of all
permissions.
Homepage:
http://www.braysystems.com/linux/trustees.html
International kernel patch
This is a crypt-oriented kernel patch, therefore you have to pay attention to
your local laws regarding the use of cryptography. It basically adds use of
encrypted file systems.
Homepage:
http://www.kerneli.org
SubDomain
A kernel extension to create a more secure and easier to setup chroot
environment. You can specify the files needed for the chrooted service
manually and do not have to compile the services statically.
Homepage:
http://www.immunix.org/subdomain.html
UserIPAcct
This is not really a security related patch, but it allows you to create
quotas for the traffic on your server per user. And you can fetch
statistics about the user traffic.
Homepage:
http://rsmeyers.3ti.org/useripacct
This is probably the most unstable and funny section, since I hope that some
of the "duh. that sounds crazy"-ideas might be realized. Following here you
will find some - well, it depends on the point of view whether you say they
are genius, paranoid, crazy or secure - ideas to increase your security
rapidly but you will not come unscathed out of it.
Playing around with PAM
As said in the phrack 56 PAM article the nice thing with PAM is that "You are
limited only by what you can think of." It is true. Imagine root login only
possible with fingerprint or eyescan or cryptocard (why the heck did I do an
OR conjunction and not AND here).
Fascist Logging
I would say everything we talked about logging above is "soft logging". If you
want to perform real logging, get a printer with fanfold paper and log
everything hard by printing on it. Sounds funny, but it's reliable and it
cannot be removed.
CD distribution
This idea is very easy to realize and offers pretty security. Create a hardened
debian distribution, a damned good firewall, make an ISO of it and burn it on
CD. Make it bootable. Upshot of all this is a ro whole distribution with about
600 MB space for services and the fact to make it impossible for intruders to
get read write access on this system. Just make sure every data which should
get written, gets written over the wires. Anyway, the intruder cannot change
firewall rules, routing entries or start own daemons (he can, but reboot
and he has to hack into your system again to change them).
Switch module capability off
When you disable the usage of kernel modules at kernel compile time many
kernel based back doors are impossible to implement, since most of them are
based on installing modified kernel modules.
