1.6 Changelog/History
1.6.32 Version 2.5 (August 2002)
Changes by Javier Fernández-Sanguino Peña (me). There were many things waiting in my inbox (as far back as February) to be included, so I’m going to tag this the “back from honeymoon” release :).
• Applied a patch contributed by Philipe Gaspar regarding Squid which also kills a FIXME.
• Yet another FAQ item regarding service banners taken from the debian-security mailing list (thread “Telnet information” started 26th July 2002).
• Added a note regarding use of CVE cross references in the “How much time does the Debian security team...” FAQ item.
• Added a new section regarding ARP attacks contributed by Arnaud “Arhuman” Assad.
• New FAQ item regarding dmesg and console login by the kernel.
• Small tidbits of information to the signature-checking issues in packages (it seems to not have gotten past beta release).
• New FAQ item regarding vulnerability assessment tools false positives.
• Added new sections to the chapter that contains information on package signatures and reorganized it as a new Debian Security Infrastructure chapter.
• New FAQ item regarding Debian vs. other Linux distributions.
• New section on mail user agents with GPG/PGP functionality in the security tools chapter.
• Clarified how to enable MD5 passwords in woody, added a pointer to PAM as well as a note regarding the max definition in PAM.
• Added a new appendix on how to create chroot environments (after fiddling a bit with makejail and fixing, as well, some of its bugs), and integrated duplicate information across all the appendices.
• Added some more information regarding SSH chrooting and its impact on secure file transfers. Some information has been retrieved from the debian-security mailing list (June 2002 thread: secure file transfers).
• New sections on how to do automatic updates on Debian systems as well as the caveats of using testing or unstable regarding security updates.
• New section regarding keeping up to date with security patches in the Before compromise section as well as a new section about the debian-security-announce mailing list.
• Added information on how to automatically generate strong passwords.
• New section regarding login of idle users.
• Reorganized the securing mail server section based on the Secure/hardened/minimal Debian (or “Why is the base system the way it is?”) thread on the debian-security mailing list (May 2002).
• Reorganized the section on kernel network parameters, with information provided in the debian-security mailing list (May 2002, syn flood attacked? thread) and added a new FAQ item as well.
• New section on how to check users passwords and which packages to install for this.
• New section on PPTP encryption with Microsoft clients discussed in the debian-security mailing list (April 2002).
• Added a new section describing the problems that arise when binding any given service to a specific IP address. This information was written based on the Bugtraq mailing list thread Linux kernel 2.4 “weak end host” issue (previously discussed on debian-security as “arp problem”), started on May 9th 2002 by Felix von Leitner.
• Added information on ssh protocol version 2.
• Added two subsections related to Apache secure configuration (the things specific to Debian, that is).
• Added a new FAQ related to raw sockets, one related to /root, an item related to users’ groups and another one related to log and configuration files permissions.
• Added a pointer to a bug in libpam-cracklib that might still be open... (need to check).
• Added more information regarding forensics analysis (pending more information on packet inspection tools such as tcpflow).
• Changed the “what should I do regarding compromise” into a bullet list and included some more stuff.
• Added some information on how to set up the Xscreensaver to lock the screen automatically after the configured timeout.
• Added a note related to the utilities you should not install in the system. Included a note regarding Perl and why it cannot be easily removed in Debian. The idea came after reading Intersect’s documents regarding Linux hardening.
• Added information on lvm and journalling file systems, ext3 recommended. The information there might be too generic, however.
• Added a link to the online text version (check).
• Added some more stuff to the information on firewalling the local system, triggered by a comment made by Hubert Chan in the mailing list.
• Added more information on PAM limits and pointers to Kurt Seifried’s documents (related to a post by him to Bugtraq on April 4th 2002 answering a person that had “discovered” a vulnerability in Debian GNU/Linux related to resource starvation).
• As suggested by Julián Muñoz, provided more information on the default Debian umask and what a user can access if he has been given a shell in the system (scary, huh?).
• Included a note in the BIOS password section due to a comment from Andreas Wohlfeld.
• Included patches provided by Alfred E. Heggestad fixing many of the typos still present in the document.
• Added a pointer to the changelog in the Credits section since most people who contribute are listed here (and not there).
• Added a few more notes to the chattr section and a new section after installation talking about system snapshots. Both ideas were contributed by Kurt Pomeroy.
• Added a new section after installation just to remind users to change the boot-up sequence.
• Added some more TODO items provided by Korn Andras.
• Added a pointer to the NIST’s guidelines on how to secure DNS provided by Daniel Quinlan.
• Added a small paragraph regarding Debian’s SSL certificates infrastructure.
• Added Daniel Quinlan’s suggestions regarding ssh authentication and exim’s relay configuration.
• Added more information regarding securing bind including changes suggested by Daniel Quinlan and an appendix with a script to make some of the changes commented on in that section.
• Added a pointer to another item regarding Bind chrooting (needs to be merged).
• Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve packages with tcpwrappers support.
• Added a little bit more info on Debian’s default PAM setup.
• Included a FAQ question about using PAM to provide services without shell accounts.
• Moved two FAQ items to another section and added a new FAQ regarding attack detection (and compromised systems).
• Included information on how to set up a bridge firewall (including a sample Appendix). Thanks to Francois Bayart who sent this to me in March.
• Added a FAQ regarding the syslogd’s MARK heartbeat from a question answered by Noah Meyerhans and Alain Tesio in December 2001.
• Included information on buffer overflow protection as well as some information on kernel patches.
• Added more information to (and reorganized) the firewall section. Updated the information regarding the iptables package and the firewall generators available.
• Reorganized the information regarding log checking, moved logcheck information from host intrusion detection to that section.
• Added some information on how to prepare a static package for bind for chrooting (untested).
• Added a FAQ item regarding some specific servers/services (could be expanded with some of the recommendations from the debian-security list).
• Added some information on RPC services (and when it’s necessary).
• Added some more information on capabilities (and what lcap does). Is there any good documentation on this? I haven’t found any documentation on my 2.4 kernel.
• Fixed some typos.