Securing Debian HOWTO
Appendix A The hardening process step by step

A procedure is always useful, since it allows you to see the entire process of hardening the system and enables you to take decisions. A possible approach for such a procedure Debian 2.2 GNU/Linux is shown below. This is a post-installation procedure, for a checklist of measures to be taken, step by step, during configuration see Configuration checklist, Appendix B. Also, this procedure is (for the moment) more oriented towards hardening of network services.

• Do an installation of the system (take into account information in this howto regarding partitioning). After base installation go into custom install, do not select task packages but select shadow passwords.
• go through dselect and remove unneeded but selected packages before doing [I]nstall. Leave the bare minimum software in the server.
• Update all software from latest packages available at security.debian.org as explained previously in Execute a security update, Section 4.4.
• implement the suggested issues presented in this manual regarding user quotas, login definitions and lilo
• in order to do a service hardening, make a list of services currently awake in your system.

       $ ps -aux
       $ netstat -pn -l -A inet 
       $ /usr/sbin/lsof -i |grep LISTEN
  

  You will need to install lsof-2.2 for the second command to work (run it as root).

• in order to remove unnecessary services, first determine how is it started and which package provides it. You can do this easily by checking the program that listens in the socket, the following example will tell you using this tools and dpkg

       #!/bin/sh
       # FIXME: this is quick and dirty; replace with a more robust script snippet
       for i in `sudo lsof -i | grep LISTEN | cut -d " " -f 1 |sort -u` ; do
               pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq`
               echo "Service $i is installed by $pack";
               init=`dpkg -L $pack |grep init.d/ `
               if [ ! -z "$init" ]; then
                        echo "and is run by $init"
               fi
       done
  

• Once you find unwanted services, remove the package (with dpkg --purge) or, if useful but should not be enabled on startup, use update-rc.d in order to remove them from the system startup.
• For inetd services (launched by the superdaemon) you can just check the enabled services, for example with:

       $ grep -v "^#" /etc/inetd.conf | sort -u
  

  and disable those not needed by commenting the line that includes them, removing the package, or using update-inetd

• If you have wrapped services (those using /usr/sbin/tcpd) check that the /etc/hosts.allow and /etc/hosts.deny are configured according to your service policy.
• If possible, and depending on each service, you might want to limit services when using more than one external interface to listen only on one of them. For example, if you want internal FTP access make the FTP daemon listen only on your management interface, not on all interfaces (i.e, 0.0.0.0:21).
• Reboot the machine, or switch it to single user and back to multiuser with

       $ init 0
       (....)
       $ init 2
  

• Check the services now available, and, if necessary, repeat steps above.
• Install now the needed services if you have not done so already, and configure them properly.
• Check what users are being used to run available services for example with:

       $ for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d " " -f 1 |sort -u`; do user=`ps -ef |grep $i |grep -v grep |cut -f 1 -d " "` ; echo "Service $i is running as user $user"; done
  

  and consider changing these services to a give user/group and maybe also chrooting them for increased security. You can do this by changing the /etc/init.d scripts, where the service starts. Most services in Debian use start-stop-daemon so you can use the --change-uid option and the --chroot option to setup those services. Chrooting services is beyond the scope of this document but a word of warning is necessary: you might need to put all the files installed by the service package using dpkg -L and the packages it depends on in the chrooted environment.

• Repeat steps above in order to check that only desired services are running and that they are run as the desired user/group combination.
• Test the installed services in order to see if they work as expected.
• Check the system using a vulnerability assessment scanner (like nessus) in order to determine vulnerabilities in the system (misconfigurations, old services or unneeded services).
• Install network intrusion measures and host intrusion measures (like snort and logsentry).
• Repeat the network scanner step and verify that the intrusion detection systems work fine.

For the truly paranoid, consider also the following:

• Add firewalling capabilities to the system, accepting incoming connections only to offered services and limiting outgoing connections to those authorized.
• Recheck the installation with a new vulnerability assessment with a network scanner.
• Check outgoing connections using a network scanner from the system to a host outside and verify that unwanted connections do not find their way out.

FIXME: this procedure considers service hardening but not system hardening at the user level, include information regarding checking user permissions, setuid files and freezing changes in the system using the ext2 filesystem.