Securing Debian HOWTO
Chapter 2 Before you begin

2.1 What do you want this system for?

Securing Debian is not very different from securing any other system; in order to do it properly, you must first decide what do you intend to do with it. After this, you will have to consider that the following tasks need to be taken care of if you want a really secure system.

You will find that this manual is written from the bottom up, that is, you will read some information on tasks to do before, during and after the installation of your Debian system is made. The tasks can also be though of as:

• Decide which services you need and limit your system to those. This includes deactivating/uninstalling unneeded services, and adding firewall-like filters, or tcpwrappers.
• Limit users and permissions in your system.
• Harden offered services so that, in the event of a service compromise, the impact to your system is minimized.
• Use appropriate tools to guarantee that unauthorized use is detected so that you can take appropriate measures.

2.2 Be aware of general security problems

The following manual does not (usually) go into the details on why some issues are considered security risks. However, you might want to have a better background regarding general UNIX and (specific) Linux security. Take some time to read over security related documents in order to take informed decisions when you are encountered with different choices. Debian GNU/Linux is based on the Linux kernel, so many of the information regarding Linux, as well as from other distributions and general UNIX security also apply to it (even if the tools used, or the programs available, differ).

Some useful documents include:

• The Linux Security HOWTO is one of the best references regarding general Linux Security.
• The Linux Security Administrator's Guide (provided in Debian through the lasg package) is a complete guide that touches all the issues related to security in Linux, from kernel security to VPNs. It is somewhat obsolete (not updated since 1999) and has been superseded by the Linux Security Knowledge Base (currently not available online, used to be at http://www.securityportal.com/lskb/ which is also provided in Debian through the lksb package.
• In Securing and Optimizing Linux: RedHat Edition you can find a similar document to this manual but related to RedHat, some of the issues are not distribution-specific and also apply to Debian.
• For network administrators, a good reference for building a secure network is the Securing your Domain HOWTO.
• If you want to evaluate the programs you are going to use (or want to build up some new ones) you should read the Secure Programs HOWTO.
• If you are considering installing Firewall capabilities, you should read the Firewall HOWTO and the IPCHAINS HOWTO.

In any case, you have more information regarding the services here explained (NFS, NIS, SMB...) in many of the HOWTOs of the Linuxdoc Project, some of these documents speak on the security side of a given service, so be sure to take a look there too.

The HOWTO documents from the Linux Documentation Proyect are available in Debian GNU/Linux through the installation of the doc-linux-text (text version) or doc-linux-html (html version). After installation these documents will be available at the /usr/share/doc/HOWTO/en-txt and /usr/share/doc/HOWTO/en-html directories, respectively.

Other recommended Linux books:

• Maximum Linux Security : A Hacker's Guide to Protecting Your Linux Server and Network. Anonymous. Paperback - 829 pages. Sams Publishing. ISBN: 0672313413.July 1999.
• Linux Security By John S. Flowers. New Riders; ISBN: 0735700354 March 1999

Other books (which might be related to general issues regarding UNIX and security and not Linux specific):

• Practical Unix and Internet Security (2nd Edition) Garfinkel, Simpson, and Spafford, Gene; O'Reilly Associates; ISBN 0-56592-148-8; 1004pp; 1996.
• Firewalls and Internet Security Cheswick, William R. and Bellovin, Steven M.; Addison-Wesley; 1994; ISBN 0-201-63357-4; 320pp.

Some useful Web sites to keep uptodate regarding security:

• Security Focus the server that hosts the Bugtraq vulnerability database and list, and provides general security information, news and reports.
• Linux Security. General information regarding Linux security (tools, news...).
• Linux firewall and security site. General information regarding Linux firewalls and tools to control and administrate them.

2.3 How does Debian handle security?

Just so you have a general overview of security in Debian GNU/Linux you should take note of the different issues that Debian tackles in order to provide an overall secure system:

• Debian problems are always handled openly, even security related. As the Debian Social Contract states: We Won't Hide Problems We will keep our entire bug-report database open for public view at all times. Reports that users file on-line will immediately become visible to others. Security issues are discussed openly on the debian-security mailing list. Debian Security Advisories are sent to public mailing lists (both internal an external) and published on the public server.
• Debian follows security issues closely. The security team checks many security related sources, the most important being Bugtraq, on the lookout for packages with security issues that might be included in Debian.
• Security updates are the first priority. When a security problem arises in a Debian package, the security update is prepared as fast as possible and distributed for our stable and unstable releases, including all arquitectures.
• Information regarding security is centralized in a single point, http://security.debian.org/ is it.
• Debian is always trying to improve the overall security of the distribution starting out new projects, like automatic package signature verification mechanisms.
• Debian tries to provide a useful number of security related tools for system administration and monitoring. Developers try to tightly integrate this tools with the distribution in order to make them better suite to enforce local security policies. Tools include: integrity checkers, auditing tools, hardening tools, firewall tools, intrusion detection tools, etc..
• Package maintainers are aware of security issues. This leads to many "secure by default" service installations which might put some limits, sometimes, to its normal use. However, Debian does try to balance security issues and ease of administration, systems are not installed de-activated, for example, like on the BSD family distributions. In any case, some special security issues, like setuid programs, are part of the Debian Policy.

This same document tries to enforce, as well a better distribution security-wise, by publishing security information specific to Debian which complements other information-security documents related to the tools used by Debian or the operating system itself (see Be aware of general security problems, Section 2.2.