
Securing Debian HOWTO
Chapter 3 Before and during the installation


3.1 Choose a BIOS password

Before you install any operating system on your computer, set up a BIOS password and change the boot sequence to disable booting from a floppy. Otherwise a cracker only needs physical access and a boot disk to access your entire system.

Disabling booting without a password is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this tactic is that rebooting requires human intervention, which can cause problems if the machine is not easily accessible.


3.2 Choose an intelligent partition scheme

An intelligent partition scheme depends on how the machine is used. A good rule of thumb is to be fairly liberal with your partitions and to pay attention to the following factors:


3.3 Set a root password

Setting a good root password is the most basic requirement for having a secure system.


3.4 Activate shadow passwords and MD5 passwords

At the end of the installation, you will be asked if shadow passwords should be enabled. Answer yes to this question, so passwords will be kept in the file /etc/shadow. Only the root user and the group shadow have read access to this file, so ordinary users will not be able to grab a copy of it in order to run a password cracker against it. You can switch between shadow passwords and normal passwords at any time by using shadowconfig.

Furthermore, you are asked during installation whether you want to use MD5 hashed passwords. This is generally a very good idea since it allows longer passwords and better encryption.

Read more on Shadow passwords in Shadow Password (/usr/share/doc/HOWTO/en-txt/Shadow-Password.txt.gz).
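One way to check the result of these two installer choices after the fact, as an added example that is not part of the original HOWTO: the function names are hypothetical and the passwd and shadow files are constructed samples written to a temporary directory.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Accounts whose hash still sits in the world-readable passwd file
# (field 2 is a real value rather than "x", a lock marker, or empty).
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Classify each shadow entry: "$1$" prefix = MD5 crypt,
# 13 characters = traditional DES crypt (only 8 password characters count).
hash_schemes() {
    awk -F: '
        $2 == ""         { print $1 ": EMPTY";  next }
        $2 ~ /^[!*]/     { print $1 ": locked"; next }
        $2 ~ /^\$1\$/    { print $1 ": md5";    next }
        length($2) == 13 { print $1 ": des";    next }
                         { print $1 ": other" }
    ' "$1"
}

# Succeed only if "other" has no permission bits on the file.
no_world_access() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Constructed sample files (no real accounts or hashes).
sample=$(mktemp -d)
cat > "$sample/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
legacy:ab01FAKEHASHxy:1001:1001::/home/legacy:/bin/sh
EOF
cat > "$sample/shadow" <<'EOF'
root:$1$saltsalt$CONSTRUCTEDHASHVALUE00:11600:0:99999:7:::
alice:abCONSTRUCTED:11600:0:99999:7:::
daemon:*:11600:0:99999:7:::
guest::11600:0:99999:7:::
EOF
chmod 640 "$sample/shadow"

echo "Not shadowed:"; unshadowed_accounts "$sample/passwd"
echo "Hash schemes:"; hash_schemes "$sample/shadow"
no_world_access "$sample/shadow" && echo "shadow: no world access"
```

On a live system, call the same functions as root with /etc/passwd and /etc/shadow as arguments.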


3.5 Run the minimum number of services required

You should not install services which are not needed on your machine. Every installed service introduces new, perhaps not obvious, but real security holes on your machine. If you still want to have some services installed but use them only rarely, use the update commands, e.g. 'update-inetd', to remove them from the startup process.

FIXME: This section needs a list of services, and information about what they do and the security risk level involved, for newbies who don't have a clue.


3.6 Read the Debian security mailing lists

It is never wrong to take a look at either the debian-security-announce mailing list, where advisories and fixes to released packages are announced by the Debian security team, or at debian-security@lists.debian.org, where you can participate in discussions about things related to Debian security.

In order to receive important security update alerts, send an email to debian-security-announce-request@lists.debian.org with the word "subscribe" in the subject line. You can also subscribe to this moderated email list via the web page at http://www.debian.org/MailingLists/subscribe

This mailing list has very low volume, and by subscribing to it you will be immediately alerted to security updates for the Debian distribution. This allows you to quickly download new packages with security bug fixes, which is very important in maintaining a secure system. (See Execute a security update, Section 4.4 for details on how to do this.)


Securing Debian HOWTO
v1.92 6 November 2001, Tue Oct 23 00:59:57 CEST 2001
Javier Fernández-Sanguino Peña jfs@computer.org