[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]
Below is a post-installation, step-by-step procedure for hardening a Debian 2.2 GNU/Linux system. This is one possible approach to such a procedure and is oriented toward the hardening of network services. It is included to show the entire process you might use during configuration. Also, see Configuration checklist, Appendix B.
Install the system, taking into account the information regarding partitioning included earlier in this document. After base installation, go into custom install. Do not select task packages. Select shadow passwords.
Using dselect, remove all unneeded but selected packages before
doing [I]nstall. Keep the bare minimum of packages for the system.
Update all software from the latest packages available at security.debian.org as explained previously in Execute a security update, Section 4.2.
Implement the suggestions presented in this manual regarding user quotas, login
definitions and lilo
Make a list of services currently running on your system. Try:
$ ps aux
$ netstat -pn -l -A inet
# /usr/sbin/lsof -i | grep LISTEN
You will need to install lsof-2.2 for the third command to work
(run it as root). You should be aware that lsof can translate the
word LISTEN to your locale settings.
In order to remove unnecessary services, first determine what package provides
the service and how it is started. This can be accomplished by checking the
program that listens in the socket. The following shell script, which uses the
programs lsof and dpkg, does just that:
#!/bin/sh
# FIXME: this is quick and dirty; replace with a more robust script snippet
for i in `sudo lsof -i | grep LISTEN | cut -d " " -f 1 |sort -u` ; do
pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq`
echo "Service $i is installed by $pack";
init=`dpkg -L $pack |grep init.d/ `
if [ ! -z "$init" ]; then
echo "and is run by $init"
fi
done
Once you find any unwanted services, remove the associated package (with
dpkg --purge), or disable the service from starting automatically
at boot time using update-rc.d (see Disabling daemon services, Section 3.6.1).
For inetd services (launched by the superdaemon), check which services are
enabled in /etc/inetd.conf using:
$ grep -v "^#" /etc/inetd.conf | sort -u
Then disable those services that are not needed by commenting out the line that
includes them in /etc/inetd.conf, removing the package, or using
update-inetd.
If you have wrapped services (those using /usr/sbin/tcpd), check
that the files /etc/hosts.allow and /etc/hosts.deny
are configured according to your service policy.
If the server uses more than one external interface, depending on the service, you may want to limit the service to listen on a specific interface. For example, if you want internal FTP access only, make the FTP daemon listen only on your management interface, not on all interfaces (i.e, 0.0.0.0:21).
Re-boot the machine, or switch to single user mode and then back to multiuser using the commands:
# init 1
(....)
# init 2
Check the services now available, and, if necessary, repeat the steps above.
Now install the needed services, if you have not done so already, and configure them properly.
Use the following shell command to determine what user each available service is running as:
# for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d " " -f 1 |sort -u`; \
> do user=`ps ef |grep $i |grep -v grep |cut -f 1 -d " "` ; \
> echo "Service $i is running as user $user"; done
Consider changing these services to a specific user/group and maybe
chroot'ing them for increased security. You can do this by
changing the /etc/init.d scripts which start the service. Most
services in Debian use start-stop-daemon, which has options
(--change-uid and --chroot) for accomplishing this.
A word of warning regarding the chroot'ing of services: you may
need to put all the files installed by the package (use dpkg -L) providing the
service, as well as any packages it depends on, in the chroot'ed
environment. Information about setting up a chroot environment
for the ssh program can be found in Chroot environment for
SSH, Appendix G.
Repeat the steps above in order to check that only desired services are running and that they are running as the desired user/group combination.
Test the installed services in order to see if they work as expected.
Check the system using a vulnerability assessment scanner (like
nessus), in order to determine vulnerabilities in the system
(i.e., misconfiguration, old services or unneeded services).
Install network and host intrusion measures like snort and
logcheck.
Repeat the network scanner step and verify that the intrusion detection systems are working correctly.
For the truly paranoid, also consider the following:
Add firewalling capabilities to the system, accepting incoming connections only to offered services and limiting outgoing connections only to those that are authorized.
Re-check the installation with a new vulnerability assessment using a network scanner.
Using a network scanner, check outbound connections from the system to an outside host and verify that unwanted connections do not find their way out.
FIXME: this procedure considers service hardening but not system hardening at the user level, include information regarding checking user permissions, SETUID files and freezing changes in the system using the ext2 file system.
[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]
Securing Debian Manual
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000jfs@debian.org