Securing Debian Manual
Chapter 1 - Introduction
One of the hardest things about writing security documents is that every case
is unique. Two things you have to pay attention to are the threat environment
and the security needs of the individual site, host or network. For example,
the security needs of a home user are completely different from those of a
bank network. While the main risk a home user faces is the «script kiddie»
type of cracker, a bank network has to worry about directed attacks. In
addition, the bank has to protect its customers' data with mathematical
precision. In short, every user has to consider the trade-off between
usability and security/paranoia.
Keep in mind that this manual only covers topics relating to software. The
best software in the world cannot protect you if someone has physical access
to the machine. You can put it under your desk, or in a bunker protected by an
army. Nevertheless, a desktop computer can be more secure (from a software
point of view) than a physically protected one if the desktop computer is
configured properly and the software on the protected machine is full of
security holes. Naturally, both situations have to be considered.
This document only gives an overview of what you can do to increase the
security of your Debian GNU/Linux system. If you have read other documents
about Linux security, you will see that common topics may overlap with this
document. In any case, this document does not try to be the ultimate source of
information you might need; it only tries to adapt that same information so
that it is usable on a Debian GNU/Linux system. Different distributions do
some things differently (starting daemons, for example); here you will find
material appropriate to Debian's tools and procedures.
1.1 Author
The current maintainer of this document is Javier Fernández-Sanguino. Send him
any comments, additions or suggestions, and they will be considered for
inclusion in future versions of this manual.
This manual was started as a HOWTO by Alexander Reelsen. After it was
published on the Internet, Javier Fernández-Sanguino incorporated it into the
Debian Documentation Project. A good number of people have contributed to this
manual (all contributors are listed in the changelog), but the following
people deserve a special mention since they have provided significant
contributions (whole sections, chapters or appendices):
1.2 Downloading the manual
You can download or view the latest version of the Securing Debian Manual from
the Debian Documentation Project. You can check the latest version through the
Debian CVS server.
A plain-text version is also available from the Debian Documentation Project
site. Other formats, such as PDF, are not (yet) available. In any case, you
can install the harden-doc package, which provides the same document in HTML,
txt and PDF formats. Check, however, that the package is up to date with the
document provided on the Internet (you can always use the source package to
build an updated version of your own!).
1.3 Organizational notes/feedback
And now the official part. Up to now I (Alexander Reelsen) have written most
of the paragraphs of this manual, but in my opinion it should not stay that
way. I grew up and live with free software; it is part of my everyday use and
I guess of yours too. I encourage everyone to send me feedback, additions or
any other kind of suggestion you can offer.
If you think you can maintain a certain chapter, or better a section, then
write to the document maintainer and you will be welcome. Specifically, if you
find markers such as "FIXME" in a section, this means that the author does not
have the time or the necessary knowledge of the topic; send an e-mail
immediately.
The topic of this manual makes it quite clear how important it is to keep it
up to date, and everyone can do their part. Please contribute.
1.4 Prior knowledge
Installing Debian GNU/Linux is not very difficult and you should be able to do
it. If you already have some knowledge of Linux or other Unix systems and some
familiarity with basic security, it will be easy to understand this manual,
since this document cannot go into every little detail of every feature it
considers (otherwise it would have been a book and not a manual). If you do
not have this familiarity with the subject, however, you can take a look at
Be aware of general security problems, Section 2.2, to find out where to get
more detailed information.
1.5 Topics to be written
This section describes all the things that need to be fixed in this manual.
Some paragraphs include FIXME or TODO tags to describe what content is missing
(or what kind of work needs to be done). The purpose of this section is to
describe all the things that could be included in the Manual, or improvements
that need to be made (or should be added).
If you think you can help by contributing content to fix some of the items in
the list (or the inline notes), contact the main author (Author, Section 1.1).
-
Consider writing a section on building Debian-based network applications
(complete with information on the base system, equivs and FAI).
-
Add information on how to set up a firewall using Debian GNU/Linux. The
section on firewalling is currently oriented towards a single system (not
protecting others...); also write about how to test the setup.
-
Add information on how to configure a proxy firewall with Debian GNU/Linux,
starting specifically from packages that provide proxy services (such as xfwp,
xproxy, ftp-proxy, redir, smtpd, nntp-cache, dnrd, jftpgw, oops, pnsd,
perdition, transproxy, tsocks). It should point to the manual for any other
information. Note that zorp is now available as a Debian package and is a
proxy firewall (upstream Debian packages are also provided).
-
Information on configuring services with file-rc.
-
Check all the reference URLs and remove/fix those that are no longer
available.
-
Add information on the replacements available (in Debian) for common servers,
useful where limited functionality is enough. For example:
  -
  local lpr with cups (package)?
  -
  apache with dhttpd/thttpd/wn (tux?)
  -
  exim/sendmail with ssmtpd/smtpd/postfix
-
More information on security-related kernel patches in Debian, including the
ones shown above, and specific information on how to enable these patches in a
Debian system.
  -
  Linux Intrusion Detection (lids-2.2.19)
  -
  Linux Trustees (in the trustees package)
  -
  kernel-patch-2.2.19-harden
  -
  kernel-patch-freeswan, kernel-patch-int
-
Details on how to turn off unnecessary network services (besides inetd); this
is partly covered in the hardening procedures but could be extended a bit.
-
Information on password rotation, which is closely related to policy
(conventions adopted in Debian).
-
Policy, and educating users about it.
-
More details on tcpwrappers, and wrappers in general?
-
hosts.equiv and other major security holes.
-
Information on file-sharing servers such as Samba and NFS?
-
suidmanager/dpkg-statoverrides.
-
Disabling the GNOME IP "things".
-
Write about programs for building chroot jails. Compartment and chrootuid are
waiting to get in. Some others (makejail, jailer) could also be introduced.
-
More information on log analysis software (for example logcheck and
logcolorise).
-
"Advanced" routing (traffic policies are related to security).
-
Limiting ssh access to running only certain commands.
-
A secure way to share a CD burner among users.
-
Secure ways of providing sound over the network in addition to network display
capabilities (so that X clients' sounds are played on the X server's
hardware).
-
Securing web browsers.
-
Using an encrypted loopback file system.
-
Encrypting the entire file system.
-
Steganographic tools.
-
Setting up a PKA for an organization.
-
Using LDAP to manage users. There is an ldap+kerberos HOWTO for Debian at
www.bayour.com written by Turbo Fredrikson.
-
How to remove information of little use on production systems, such as
/usr/share/doc and /usr/share/man (yes, security through obscurity).
-
More information on lcap based on the packages' README file (well, not yet,
see Bug #169465) and on the LWN article: Kernel development.
-
Add information on how to set up several snort sensors in a given system
(check the snort bug reports).
-
Add information on how to set up a honeypot (honeyd).
1.6 Changelog/History
1.6.1 Version 2.97 (September 2003)
Changes by Javier Fernández-Sanguino Peña
-
Added those that have made the most significant contributions to this manual
(please mail me if you think you should be in the list and are not).
-
Added some blurb about FIXME/TODOs
-
Moved the information on security updates to the beginning of the section as
suggested by Elliott Mitchell.
-
Added grsecurity to the list of kernel-patches for security but added a
footnote on the current issues with it as suggested by Elliott Mitchell.
-
Removed loops (echo to 'all') in the kernel's network security script as
suggested by Elliott Mitchell.
-
Added more (up-to-date) information in the antivirus section.
-
Rewrote the buffer overflow protection section and added more information on
patches to the compiler to enable this kind of protection.
1.6.2 Version 2.96 (August 2003)
Changes by Javier Fernández-Sanguino Peña
-
Removed (and then readded) appendix on chrooting Apache. The appendix is now
dual-licensed.
1.6.3 Version 2.95 (June 2003)
Changes by Javier Fernández-Sanguino Peña
-
Fixed typos spotted by Leonard Norrgard
-
More information on setting up a Squid proxy.
-
Added a pointer and removed a FIXME thanks to Helge H. F.
-
Fixed a typo (save_inactive) spotted by Philippe Faes.
-
Fixed several typos spotted by Jaime Robles.
1.6.4 Version 2.94 (April 2003)
Changes by Javier Fernández-Sanguino Peña
-
Following Maciej Stachura's suggestions I've expanded the section on limiting
users.
-
Fixed typo spotted by Wolfgang Nolte.
-
Fixed links with patch contributed by Ruben Leote Mendes.
-
Added a link to David Wheeler's excellent document on the footnote about
counting security vulnerabilities.
1.6.5 Version 2.93 (March 2003)
Changes made by Frédéric Schütz.
-
Rewrote entirely the section on ext2 attributes (lsattr/chattr)
1.6.6 Version 2.92 (February 2003)
Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz.
-
Merge section 9.3 ("useful kernel patches") into section 4.13
("Adding kernel patches"), and added some content.
-
Added information on how to manually check for updates and also about cron-apt.
That way Tiger is not perceived as the only way to do automatic update checks.
-
Slight rewrite of the section on executing security updates due to
Jean-Marc Ranger's comments.
-
Added a note on Debian's installation (which will suggest the user to execute a
security update right after installation)
1.6.7 Version 2.91 (January/February 2003)
Changes by Javier Fernández-Sanguino Peña (me).
-
Added a patch contributed by Frédéric Schütz.
-
Added a few more references on capabilities thanks to Frédéric.
-
Slight changes in the bind section adding a reference to BIND's 9 online
documentation and proper references in the first area (Hi Pedro!)
-
Fixed the changelog date - new year :-)
-
Added a reference to Colin's articles for the TODOs.
-
Removed reference to old ssh+chroot patches.
-
More patches from Carlo Perassi.
-
Typo fixes (recursive in Bind is recursion), pointed out by Maik Holtkamp.
1.6.8 Version 2.91 (January 2002)
Changes by Javier Fernández-Sanguino Peña (me).
-
Added a patch contributed by Frederic Schutz.
-
Added a few more references on capabilities thanks to Frederic.
1.6.9 Version 2.9 (December 2002)
Changes by Javier Fernández-Sanguino Peña (me).
-
Reorganised the information on chroot (merged two sections, it didn't make much
sense to have them separated)
-
Added the notes on chrooting Apache provided by Alexandre Raitti.
-
Applied patches contributed by Guillermo Jover.
1.6.10 Version 2.8 (November 2002)
Changes by Javier Fernández-Sanguino Peña (me).
-
Applied patches from Carlo Perassi, fixes include: re-wrapping the lines, url
fixes, and fixed some FIXMEs
-
Updated the contents of the Debian security team FAQ.
-
Added a link to the Debian security team FAQ and the Debian Developer's
reference, the duplicated sections might (just might) be removed in the future.
-
Fixed the hand-made auditing section with comments from Michal Zielinski.
-
Added links to wordlists (contributed by Carlo Perassi)
-
Fixed some typos (still many around).
-
Fixed TDP links as suggested by John Summerfield.
1.6.11 Version 2.7 (October 2002)
Changes by Javier Fernández-Sanguino Peña (me). Note: I still have a lot of
pending changes in my mailbox (which is currently about 5 Mbs in size).
-
Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and Daniel K.
Gebhart.
-
Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud
-
Fixed typos and FIXMEs contributed by Carlo Perassi.
1.6.12 Version 2.6 (September 2002)
Changes by Chris Tillman, tillman@voicetrak.com.
-
Changed around to improve grammar/spelling.
-
s/host.deny/hosts.deny/ (1 place)
-
Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs)
1.6.13 Version 2.5 (September 2002)
Changes by Javier Fernández-Sanguino Peña (me).
-
Fixed minor typos submitted by Thiemo Nagel.
-
Added a footnote suggested by Thiemo Nagel.
1.6.14 Version 2.5 (August 2002)
Changes by Javier Fernández-Sanguino Peña (me). There were many things waiting
on my inbox (as far back as February) to be included, so I'm going to tag this
the back from honeymoon release :)
-
Applied a patch contributed by Philipe Gaspar regarding the Squid which also
kills a FIXME.
-
Yet another FAQ item regarding service banners taken from the debian-security
mailing list (thread "Telnet information" started 26th July 2002).
-
Added a note regarding use of CVE cross references in the How much time
does the Debian security team... FAQ item.
-
Added a new section regarding ARP attacks contributed by Arnaud
"Arhuman" Assad.
-
New FAQ item regarding dmesg and console login by the kernel.
-
Small tidbits of information to the signature-checking issues in packages (it
seems to not have gotten past beta release).
-
New FAQ item regarding vulnerability assessment tools false positives.
-
Added new sections to the chapter that contains information on package
signatures and reorganised it as a new Debian Security Infrastructure
chapter.
-
New FAQ item regarding Debian vs. other Linux distributions.
-
New section on mail user agents with GPG/PGP functionality in the security
tools chapter.
-
Clarified how to enable MD5 passwords in woody, added a pointer to PAM as well
as a note regarding the max definition in PAM.
-
Added a new appendix on how to create chroot environments (after fiddling a bit
with makejail and fixing, as well, some of its bugs), integrated duplicate
information in all the appendix.
-
Added some more information regarding SSH chrooting and its impact on secure
file transfers. Some information has been retrieved from the debian-security
mailing list (June 2002 thread: secure file transfers).
-
New sections on how to do automatic updates on Debian systems as well as the
caveats of using testing or unstable regarding security updates.
-
New section regarding keeping up to date with security patches in the
Before compromise section as well as a new section about the
debian-security-announce mailing list.
-
Added information on how to automatically generate strong passwords.
-
New section regarding login of idle users.
-
Reorganised the securing mail server section based on the
Secure/hardened/minimal Debian (or "Why is the base system the way it
is?") thread on the debian-security mailing list (May 2002).
-
Reorganised the section on kernel network parameters, with information provided
in the debian-security mailing list (May 2002, syn flood attacked?
thread) and added a new FAQ item as well.
-
New section on how to check users passwords and which packages to install for
this.
-
New section on PPTP encryption with Microsoft clients discussed in the
debian-security mailing list (April 2002).
-
Added a new section describing what problems are there when binding any given
service to a specific IP address, this information was written based on the
bugtraq mailing list in the thread: Linux kernel 2.4 "weak end
host" issue (previously discussed on debian-security as "arp
problem") (started on May 9th 2002 by Felix von Leitner).
-
Added information on ssh protocol version 2.
-
Added two subsections related to Apache secure configuration (the things
specific to Debian, that is).
-
Added a new FAQ related to raw sockets, one related to /root, an item related
to users' groups and another one related to log and configuration files
permissions.
-
Added a pointer to a bug in libpam-cracklib that might still be open... (need
to check)
-
Added more information regarding forensics analysis (pending more information
on packet inspection tools such as tcpflow).
-
Changed the "what should I do regarding compromise" into a bullet
list and included some more stuff.
-
Added some information on how to set up the Xscreensaver to lock the screen
automatically after the configured timeout.
-
Added a note related to the utilities you should not install in the system.
Included a note regarding Perl and why it cannot be easily removed in Debian.
The idea came after reading Intersect's documents regarding Linux hardening.
-
Added information on lvm and journalling file systems, ext3 recommended. The
information there might be too generic, however.
-
Added a link to the online text version (check).
-
Added some more stuff to the information on firewalling the local system,
triggered by a comment made by Hubert Chan in the mailing list.
-
Added more information on PAM limits and pointers to Kurt Seifried's documents
(related to a post by him to bugtraq on April 4th 2002 answering a person that
had "discovered" a vulnerability in Debian GNU/Linux related to resource
starvation).
-
As suggested by Julián Muñoz, provided more information on the default Debian
umask and what a user can access if he has been given a shell in the system
(scary, huh?)
-
Included a note in the BIOS password section due to a comment from Andreas
Wohlfeld.
-
Included patches provided by Alfred E. Heggestad fixing many of the typos
still present in the document.
-
Added a pointer to the changelog in the Credits section since most people who
contribute are listed here (and not there).
-
Added a few more notes to the chattr section and a new section after
installation talking about system snapshots. Both ideas were contributed by
Kurt Pomeroy.
-
Added a new section after installation just to remind users to change the
boot-up sequence.
-
Added some more TODO items provided by Korn Andras.
-
Added a pointer to the NIST's guidelines on how to secure DNS provided by
Daniel Quinlan.
-
Added a small paragraph regarding Debian's SSL certificates infrastructure.
-
Added Daniel Quinlan's suggestions regarding ssh authentication and exim's
relay configuration.
-
Added more information regarding securing bind including changes suggested by
Daniel Quinlan and an appendix with a script to make some of the changes
commented on in that section.
-
Added a pointer to another item regarding Bind chrooting (needs to be merged).
-
Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve packages
with tcpwrappers support.
-
Added a little bit more info on Debian's default PAM setup.
-
Included a FAQ question about using PAM to provide services without shell
accounts.
-
Moved two FAQ items to another section and added a new FAQ regarding attack
detection (and compromised systems).
-
Included information on how to set up a bridge firewall (including a sample
Appendix). Thanks go to Francois Bayar who sent this to me in March.
-
Added a FAQ regarding the syslogd's MARK heartbeat from a
question answered by Noah Meyerhans and Alain Tesio in December 2001.
-
Included information on buffer overflow protection as well as some information
on kernel patches.
-
Added more information (and reorganised) the firewall section. Updated the
information regarding the iptables package and the firewall generators
available.
-
Reorganized the information regarding log checking, moved logcheck information
from host intrusion detection to that section.
-
Added some information on how to prepare a static package for bind for
chrooting (untested).
-
Added a FAQ item regarding some specific servers/services (could be expanded
with some of the recommendations from the debian-security list).
-
Added some information on RPC services (and when it's necessary).
-
Added some more information on capabilities (and what lcap does). Is there any
good documentation on this? I haven't found any documentation on my 2.4
kernel.
1.6.15 Version 2.4
Changes by Javier Fernández-Sanguino Peña.
-
Rewritten part of the BIOS section.
1.6.16 Version 2.3
Changes by Javier Fernández-Sanguino Peña.
-
Wrapped most file locations with the file tag.
-
Fixed typo noticed by Edi Stojicevi.
-
Slightly changed the remote audit tools section.
-
Added more information regarding printers and cups config file (taken from a
thread on debian-security).
-
Added a patch submitted by Jesus Climent regarding access of valid system users
to Proftpd when configured as anonymous server.
-
Small change on partition schemes for the special case of mail servers.
-
Added Hacking Linux Exposed to the books section.
-
Fixed directory typo noticed by Eduardo Pérez Ureta.
-
Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi.
1.6.17 Version 2.3
Changes by Javier Fernández-Sanguino Peña.
-
Fixed location of dpkg conffile.
-
Remove Alexander from contact information.
-
Added alternate mail address.
-
Fixed Alexander mail address (even if commented out).
-
Fixed location of release keys (thanks to Pedro Zorzenon for pointing this
out).
1.6.18 Version 2.2
Changes by Javier Fernández-Sanguino Peña.
-
Fixed typos, thanks to Jamin W. Collins.
-
Added a reference to apt-extracttemplate manpage (documents the
APT::ExtractTemplate config).
-
Added section about restricted SSH. Information based on that posted by Mark
Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security
mailing list.
-
Added information on antivirus software.
-
Added a FAQ: su logs due to the cron running as root.
1.6.19 Version 2.1
Changes by Javier Fernández-Sanguino Peña.
-
Changed FIXME from lshell thanks to Oohara Yuuma.
-
Added package to sXid and removed comment since it *is* available.
-
Fixed a number of typos discovered by Oohara Yuuma.
-
ACID is now available in Debian (in the acidlab package) thanks to Oohara Yuuma
for noticing.
-
Fixed LinuxSecurity links (thanks to Dave Wreski for telling).
1.6.20 Version 2.0
Changes by Javier Fernández-Sanguino Peña. I wanted to change to 2.0 when all
the FIXMEs were, er, fixed but I ran out of 1.9X numbers :(
-
Converted the HOWTO into a Manual (now I can properly say RTFM)
-
Added more information regarding tcp wrappers and Debian (now many services are
compiled with support for them so it's no longer an inetd issue).
-
Clarified the information on disabling services to make it more consistent (rpc
info still referred to update-rc.d)
-
Added small note on lprng.
-
Added some more info on compromised servers (still very rough)
-
Fixed typos reported by Mark Bucciarelli.
-
Added some more steps in password recovery to cover the cases when the admin
has set paranoid-mode=on.
-
Added some information to set paranoid-mode=on when logging in on the console.
-
New paragraph to introduce service configuration.
-
Reorganised the After installation section so it is more broken up
into several issues and it's easier to read.
-
Wrote information on how to set up firewalls with the standard Debian 3.0 setup
(iptables package).
-
Small paragraph explaining why installing connected to the Internet is not a
good idea and how to avoid this using Debian tools.
-
Small paragraph on timely patching referencing to IEEE paper.
-
Appendix on how to set up a Debian snort box, based on what Vladimir sent to
the debian-security mailing list (September 3rd 2001)
-
Information on how logcheck is set up in Debian and how it can be used to set
up HIDS.
-
Information on user accounting and profile analysis.
-
Included apt.conf configuration for read-only /usr copied from Olaf
Meeuwissen's post to the debian-security mailing list
-
New section on VPN with some pointers and the packages available in Debian
(needs content on how to set up the VPNs and Debian-specific issues), based on
Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security.
-
Small note regarding some programs to automatically build chroot jails
-
New FAQ item regarding identd based on a discussion in the debian-security
mailing list (February 2002, started by Johannes Weiss).
-
New FAQ item regarding inetd based on a discussion in the debian-security
mailing list (February 2002).
-
Introduced note on rcconf in the "disabling services" section.
-
Varied the approach regarding LKM, thanks to Philipe Gaspar
-
Added pointers to CERT documents and Counterpane resources
1.6.21 Version 1.99
Changes by Javier Fernández-Sanguino Peña.
-
Added a new FAQ item regarding time to fix security vulnerabilities.
-
Reorganised FAQ sections.
-
Started writing a section regarding firewalling in Debian GNU/Linux (could be
broadened a bit)
-
Fixed typos sent by Matt Kraai
-
Added information on whisker and nbtscan to the auditing section.
1.6.22 Version 1.98
Changes by Javier Fernández-Sanguino Peña.
-
Added a new section regarding auditing using Debian GNU/Linux.
-
Added info regarding finger daemon taken from the security mailing list.
1.6.23 Version 1.97
Changes by Javier Fernández-Sanguino Peña.
-
Fixed link for Linux Trustees
-
Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon)
1.6.24 Version 1.96
Changes by Javier Fernández-Sanguino Peña.
-
Reorganized service installation and removal and added some new notes.
-
Added some notes regarding using integrity checkers as intrusion detection
tools.
-
Added a chapter regarding package signatures.
1.6.25 Version 1.95
Changes by Javier Fernández-Sanguino Peña.
-
Added notes regarding Squid security sent by Philipe Gaspar.
-
Fixed rootkit links thanks to Philipe Gaspar.
1.6.26 Version 1.94
Changes by Javier Fernández-Sanguino Peña.
-
Added some notes regarding Apache and Lpr/lpng.
-
Added some information regarding noexec and read-only partitions.
-
Rewrote how users can help in Debian security issues (FAQ item).
1.6.27 Version 1.93
Changes by Javier Fernández-Sanguino Peña.
-
Fixed location of mail program.
-
Added some new items to the FAQ.
1.6.28 Version 1.92
Changes by Javier Fernández-Sanguino Peña.
-
Added a small section on how Debian handles security
-
Clarified MD5 passwords (thanks to 'rocky')
-
Added some more information regarding harden-X from Stephen van Egmond
-
Added some new items to the FAQ
1.6.29 Version 1.91
Changes by Javier Fernández-Sanguino Peña.
-
Added some forensics information sent by Yotam Rubin.
-
Added information on how to build a honeynet using Debian GNU/Linux.
-
Fixed more typos (thanks Yotam!)
1.6.30 Version 1.9
Changes by Javier Fernández-Sanguino Peña.
-
Added patch to fix misspellings and some new information (contributed by Yotam
Rubin)
-
Added some information on configuring Bind options to restrict access to the
DNS server.
-
Added information on how to automatically harden a Debian system (regarding the
harden package and bastille).
-
Removed some done TODOs and added some new ones.
1.6.31 Version 1.8
Changes by Javier Fernández-Sanguino Peña.
-
Added the default user/group list provided by Joey Hess to the debian-security
mailing list.
-
Added information on Proftp contributed by Emmanuel Lacour.
-
Recovered the checklist Appendix from Era Eriksson.
-
Added some new TODO items and removed other fixed ones.
-
Manually included Era's patches since they were not all included in the
previous version.
1.6.32 Version 1.7
Changes by Era Eriksson.
-
Typo fixes and wording changes
Changes by Javier Fernández-Sanguino Peña.
-
Minor changes to tags in order to keep on removing the tt tags and substitute
prgn/package tags for them.
1.6.33 Version 1.6
Changes by Javier Fernández-Sanguino Peña.
-
Added pointer to document as published in the DDP (should supersede the
original in the near future)
-
Started a mini-FAQ (should be expanded) with some questions recovered from my
mailbox.
-
Added general information to consider while securing.
-
Added a paragraph regarding local (incoming) mail delivery.
-
Added some pointers to more information.
-
Added information regarding the printing service.
-
Added a security hardening checklist.
-
Reorganized NIS and RPC information.
-
Added some notes taken while reading this document on my new Visor :)
-
Fixed some badly formatted lines.
-
Added a Genius/Paranoia idea contributed by Gaby Schilders.
1.6.34 Version 1.5
Changes by Josip Rodin and Javier Fernández-Sanguino Peña.
-
Added paragraphs related to BIND and some FIXMEs.
1.6.35 Version 1.4
-
Small setuid check paragraph
-
Found out how to use sgml2txt -f for the txt version
1.6.36 Version 1.3
-
Added a security update after installation paragraph
-
Added a proftpd paragraph
-
This time really wrote something about XDM, sorry for last time
1.6.37 Version 1.2
-
Lots of grammar corrections by James Treacy, new XDM paragraph
1.6.38 Version 1.1
-
Typo fixes, miscellaneous additions
1.6.39 Version 1.0
1.7 Credits and thanks!
-
Alexander Reelsen wrote the original document.
-
Javier Fernández-Sanguino added more information to the original document.
-
Robert van der Meulen provided the paragraphs on quota and many other good
ideas.
-
Ethan Benson corrected the paragraph on PAM and had some good ideas.
-
Dariusz Puchalak contributed information to several chapters.
-
Gaby Schilders contributed a nice idea about Genius/Paranoia.
-
Era Eriksson polished the language in a large number of sections and
contributed the checklist appendix.
-
Philipe Gaspar wrote the information on LKM.
-
Yotam Rubin contributed by fixing many typos and also by providing the
information regarding bind versions and md5 passwords.
-
(Alexander) All the people who encouraged me to write this HOWTO (which later
turned into a manual).
-
The whole Debian project.
Securing Debian Manual
2.97 31 May 2004
Fri, 3 Oct 2003 22:23:28 +0200
Javier Fernández-Sanguino Peña jfs@computer.org
For the translation, see Appendix I