Securing Debian HOWTO
Chapter 1 Introduction

One of the hardest things about writing security documents is that every case is unique. Two things you have to pay attention to are the threat environment and the security needs of the individual site, host, or network. For instance, the security needs of a home user are completely different from a network in a bank. While the primary threat a home user needs to face is the script kiddie type of cracker, a bank network has to worry about directed attacks. Additionally, the bank has to protect their customer's data with arithmetic precision. In short, every user has to consider the tradeoff between usability and security/paranoia.

Note that this HOWTO only covers issues relating to software. The best software in the world can't protect you if someone can physically access the machine. You can place it under your desk, or you can place it in a hardened bunker with an army in front of it. Nevertheless the desktop computer can be much more secure (from a software point of view) than a physically protected one if the desktop is configured properly and the software on the protected machine is full of security holes. Obviously, you must consider both issues.

This document just gives an overview of what you can do to increase the security of your Debian GNU/Linux system. If you have read other documents regarding Linux security, you will find that there are common issues which might overlap with this document. However, this document does not try to be the ultimate source of information you will be using, it only tries to adapt this same information so that it is meaningful to a Debian GNU/Linux system. Different distributions do some things in different ways (startup of daemons is an usual example); here, you will find material which is appropriate for Debian's procedures and tools.

If you have comments, additions or suggestions, please mail them to Alexander Reelsen and Javier Fernández-Sanguino and they will be incorporated into this HOWTO.

1.1 Download the HOWTO

You can download or view the newest version of the Securing Debian HOWTO from the Debian Documentation Project. Feel free to check out the version control system through its CVS server.

1.2 Organizational Notes/Feedback

Now to the official part. At the moment I (Alexander Reelsen) wrote most paragraphs of this HOWTO, but in my opinion this should not stay the case. I grew up and live with free software, it is part of my everyday use and I guess yours, too. I encourage everybody to send me feedback, hints additions or any other suggestions, you might have.

If you think, you can maintain a certain section or paragraph better, then write to the document maintainer and you are welcome to do it. Especially if you find a section marked as FIXME, that means the authors did not have the time yet or the needed knowledge about the topic, drop them a mail immediately.

The topic of this HOWTO makes it quite clear that it is important to keep it up to date, and you can do your part. Please contribute.

1.3 Prior knowledge

The installation of Debian GNU/Linux is not very difficult and you should have been able to install it. If you already have some knowledge about Linux or other Unices and you are a bit familiar with basic security, it will be easier to understand this HOWTO, as this document cannot explain every little detail of a feature (otherwise this would have been a book instead of a HOWTO). If you are not that familiar, however, you might want to take a look at Be aware of general security problems, Section 2.2 for where to find more in-depth information.

1.4 Things that need to be written (TODO)

• Add information on setting up a proxy firewall with Debian GNU/Linux stating specifically which packages provide proxy services (like xfwp, xproxy, ftp-proxy, redir, smtpd, nntp-cache, dnrd, jftpgw,oops,pnsd, perdition,transproxy, tsocks). Should point to the HOWTO for any other info.
• Check all the reference URLs and remove/fix those no longer available.
• Add information on available replacements (in Debian) for common servers which are useful for limited functionality. Examples:

  • local lpr with cups (package)?
  • remote lrp with lpr
  • bind with dnrd/maradns
  • apache with dhttpd/thttpd/wn (tux?)
  • exim/sendmail with ssmtpd/smtpd/postfix
  • squid with tinyproxy
  • ftpd with oftpd/vsftp
  • ...
• Information on Debian firewalling and what/how does it change from other distributions. Specifically, could mention firewalling script creators available in Debian (mason, easyfw...) and where should the firewalling code be enabled (common FAQ in debian-firewall?)
• More information regarding security-related kernel patches in Debian, including the ones show above and talking specifically on how to enable these patches in a Debian system.

  • Linux Intrusion Detection (lids-2.2.19)
  • NSA Enhanced Linux
  • kernel-patch-2.2.18-openwall
  • kernel-patch-2.2.19-harden
  • Linux capabilities (in package lcap
  • kernel-patch-freeswan,kernel-patch-int
• Add info on how the Security Team works in Debian. For example: security bugs are backported to the stable distribution if possible (even if the version has not changed), alerts are sent to mailing lists (including bugtraq)...
• Details of turning off unnecessary network services (besides inetd), it is partly in the hardening procedure but could be broadened a bit.
• Information regarding password rotation which is closely related to policy.
• Policy, and educating users about policy.
• More about tcpwrappers, and wrappers in general?
• hosts.equiv and other major security holes.
• Issues with file sharing servers such as Samba and NFS?
• suidmanager/dpkg-statoverrides.
• lpr and lprng.
• Switching off the gnome IP things.

1.5 Changelog

1.5.1 Version 1.92

Changes by Javier Fernández-Sanguino Peña.

• Added a small section on how Debian handles security
• Clarified MD5 passwords (thanks to `rocky')
• Added some more information regarding harden-X from Stephen van Egmond
• Added some new items to the FAQ

1.5.2 Version 1.91

Changes by Javier Fernández-Sanguino Peña.

• Added some forensics information sent by Yotam Rubin.
• Added information on how to build a honeynet using Debian GNU/Linux.
• Added some more TODOS.
• Fixed more typos (thanks Yotam!)

1.5.3 Version 1.9

Changes by Javier Fernández-Sanguino Peña.

• Added patch to fix mispellings and some new information (contributed by Yotam Rubin)
• Added references to other online (and offline) documentation both in a section (see Be aware of general security problems, Section 2.2) by itself and inline in some sections.
• Added some information on configuring Bind options to restrict access to the DNS server.
• Added information on how to automatically harden a Debian system (regarding the harden package and bastille).
• Removed some done TODOs and added some new ones.

1.5.4 Version 1.8

Changes by Javier Fernández-Sanguino Peña.

• Added the default user/group list provided by Joey Hess to the debian-security mailing list.
• Added information on LKM rootkits (LKM - Loadable Kernel Modules, Section 6.3.1) contributed by Philipe Gaspar.
• Added information on Proftp contributed by Emmanuel Lacour.
• Recovered the checklist Appendix from Era Eriksson.
• Added some new TODO items and removed other fixed ones.
• Manually included Era's patches since they were not all included in the previous version.

1.5.5 Version 1.7

Changes by Era Eriksson.

• Typo fixes and wording changes

Changes by Javier Fernández-Sanguino Peña.

• Minor changes to tags in order to keep on removing the tt tags and substitute them for prgn/package tags.

1.5.6 Version 1.6

Changes by Javier Fernández-Sanguino Peña.

• Added pointer to document as published in the DDP (should supersede the original in the near future)
• Started a mini-FAQ (should be expanded) with some questions recovered from my mailbox.
• Added general information to consider while securing.
• Added a paragraph regarding local (incoming) mail delivery.
• Added some pointers to more information.
• Added information regarding the printing service.
• Added a security hardening checklist.
• Reorganized NIS and RPC information.
• Added some notes taken while reading this document on my new Visor :)
• Fixed some badly formatted lines.
• Fixed some typos.
• Added a Genius/Paranoia idea contributed by Gaby Schilders.

1.5.7 Version 1.5

Changes by Josip Rodin and Javier Fernández-Sanguino Peña.

• Added paragraphs related to BIND and some FIXMEs.

1.5.8 Version 1.4

• Small setuid check paragraph
• Various minor cleanups
• Found out how to use sgml2txt -f for the txt version

1.5.9 Version 1.3

• Added a security update after installation paragraph
• Added a proftpd paragraph
• This time really wrote something about XDM, sorry for last time

1.5.10 Version 1.2

• Lots of grammar corrections by James Treacy, new XDM paragraph

1.5.11 Version 1.1

• Typo fixes, miscellaneous additions

1.5.12 Version 1.0

• Initial release

1.6 Credits

• Alexander Reelsen wrote the original document.
• Javier Fernández-Sanguino added more info to the original doc.
• Robert van der Meulen with the quota paragraphs and many good ideas
• Ethan Benson corrected the PAM paragraph and had some good ideas.
• Dariusz Puchalak contributed some information to several chapters.
• Gaby Schilders contributed a nice Genius/Paranoia idea.
• Era Eriksson smoothed out the language in a lot of places and contributed the checklist appendix.
• Philipe Gaspar wrote the LKM information.
• Yotam Rubin contributed fixes for many typos as well as information regarding bind versions and md5 passwords.
• All the people who made suggestions for improvement that (eventually) got included here.
• All the folks who encouraged me (Alexander) to write this HOWTO.
• The whole Debian project.