Below is a post-installation, step-by-step procedure for hardening a Debian 2.2 GNU/Linux system. This is one possible approach to such a procedure and is oriented toward the hardening of network services. It is included to show the entire process you might use during configuration. Also, see Configuration checklist, Appendix B.
Using dselect, remove all unneeded but selected packages before doing [I]nstall. Keep the bare minimum of packages for the system.
$ ps -aux
$ netstat -pn -l -A inet
# /usr/sbin/lsof -i | grep LISTEN

You will need to install lsof-2.2 for the third command to work (run it as root). You should be aware that lsof can translate the word LISTEN to your locale settings, in which case the grep above will match nothing.
The following shell script, which uses lsof and dpkg to find out which package provides each listening program and which init script starts it, does just that:

#!/bin/sh
# FIXME: this is quick and dirty; replace with a more robust script snippet
# One iteration per distinct command name holding a listening socket
for i in `sudo lsof -i | grep LISTEN | cut -d " " -f 1 | sort -u`; do
  # Package owning the binary (only paths containing "bin" are considered)
  pack=`dpkg -S $i | grep bin | cut -f 1 -d : | uniq`
  echo "Service $i is installed by $pack"
  # Init script shipped by that package, if any
  init=`dpkg -L $pack | grep init.d/`
  if [ ! -z "$init" ]; then
    echo "and is run by $init"
  fi
done
Remove the package that provides an unwanted service (with dpkg --purge), or disable the service from starting automatically at boot time using update-rc.d (see Disabling daemon services, Section 3.6.1).
$ grep -v "^#" /etc/inetd.conf | sort -u

Then disable those services that are not needed by commenting out the line that includes them in /etc/inetd.conf, removing the package, or using
For services wrapped with tcpd (/usr/sbin/tcpd), check that the files /etc/hosts.allow and /etc/hosts.deny are configured according to your service policy.
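The two checks above (which inetd entries are enabled, and whether the wrapper policy actually denies by default) can be scripted. The following is an added example, not code from the Securing Debian Manual: it lists every enabled inetd.conf entry together with whether it is wrapped by /usr/sbin/tcpd, and it tests whether a hosts.deny file carries an "ALL: ALL" rule. The inetd.conf, hosts.allow and hosts.deny contents it writes are constructed samples, so it runs without touching /etc; point the functions at the real files to audit a live system.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Manual: audit which inetd services
# are enabled, whether they pass through tcpd, and whether hosts.deny has a
# default-deny rule. All file contents written below are constructed samples.

# Print one line per enabled (non-commented) inetd.conf entry:
#   <service> <server program> wrapped=yes|no
# inetd.conf fields: service socktype proto flags user server [args...].
# A service is "wrapped" when field 6 is /usr/sbin/tcpd; the real server is
# then field 7, and hosts.allow/hosts.deny apply to it.
inetd_enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 {
        if ($6 == "/usr/sbin/tcpd") { prog = $7; wrapped = "yes" }
        else                         { prog = $6; wrapped = "no" }
        print $1, prog, "wrapped=" wrapped
    }'
}

# Succeed (exit 0) when the given hosts.deny contains an "ALL: ALL" rule.
# Without it, a wrapped service not named in hosts.allow is reachable from anywhere.
tcpwrappers_default_deny() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]:]|$)'
}

# Write constructed sample files into directory $1 (standing in for /etc).
make_sample_files() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample of /etc/inetd.conf
#:INTERNAL: discard stream tcp nowait root internal
discard stream  tcp     nowait  root    internal
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
ident   stream  tcp     wait    identd  /usr/sbin/identd identd
EOF
    cat > "$1/hosts.allow" <<'EOF'
# constructed: only the management network (TEST-NET-1) may reach sshd
sshd: 192.0.2.0/255.255.255.0
EOF
    cat > "$1/hosts.deny" <<'EOF'
# constructed: default deny for every wrapped service
ALL: ALL
EOF
    cat > "$1/hosts.deny.permissive" <<'EOF'
# constructed: no default-deny rule, only one host blocked
in.ftpd: 198.51.100.7
EOF
}

# Demonstration on the constructed files.
sample_dir=$(mktemp -d)
make_sample_files "$sample_dir"
echo "Enabled inetd services:"
inetd_enabled_services "$sample_dir/inetd.conf"
if tcpwrappers_default_deny "$sample_dir/hosts.deny"; then
    echo "hosts.deny: default-deny rule present"
else
    echo "hosts.deny: WARNING, no 'ALL: ALL' rule"
fi
rm -rf "$sample_dir"
```

The sample hosts.allow only admits sshd from the management network, so with the "ALL: ALL" rule in hosts.deny the wrapped telnet and ftp entries are unreachable until a matching hosts.allow line is written; the entries that do not go through tcpd (discard, ident) are not covered by the wrapper files at all and have to be disabled or restricted by other means.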
Switch to single-user mode and back to multi-user mode:

$ init 1
(....)
$ init 2
To determine which user each listening service is running as:

$ for i in `/usr/sbin/lsof -i | grep LISTEN | cut -d " " -f 1 | sort -u`; \
> do user=`ps -ef | grep $i | grep -v grep | cut -f 1 -d " "`; \
> echo "Service $i is running as user $user"; done
Consider changing these services to a specific user/group and maybe chroot'ing them for increased security. You can do this by changing the /etc/init.d scripts which start the service. Most services in Debian use start-stop-daemon, which has options (--change-uid and --chroot) for accomplishing this. A word of warning regarding the chroot'ing of services: you may need to put all the files installed by the package (use dpkg -L) providing the service, as well as any packages it depends on, in the chroot environment. Information about setting up a chroot for the ssh program can be found in Chroot environment for SSH, Appendix G.
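The two one-liners above (the lsof-based listener listing with its locale caveat, and the ps -ef lookup of the user each service runs as) both depend on fragile text matching: cut -d " " breaks on lsof's padded columns, and grep $i on ps output matches substrings, so "sh" hits "sshd" and a logged-in user's "sshd: admin" session is confused with the daemon. The following is an added example, not code from the Securing Debian Manual: it reads lsof-style and ps -ef-style listings from files, selects listening sockets by their last column, joins the two by PID, and reports which listeners run as root, which are the candidates for the start-stop-daemon options the manpage spells --chuid (-c) and --chroot (-r). Both listings are constructed samples; on a live system write the output of lsof -nP -i and ps -ef to the files instead. Newer lsof versions also accept -sTCP:LISTEN, which selects listeners without relying on the (possibly localised) word LISTEN.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Manual: enumerate listening
# services from lsof output and map each to its owning user by PID, using
# ps -ef output. Both inputs are constructed samples written to files so the
# functions run offline; on a live system feed them with lsof -nP -i and ps -ef.

# Unique command names that hold a listening socket. Matching the last field
# against "(LISTEN)" with awk skips the header line and avoids the cut -d " "
# pitfall (lsof pads columns with several spaces).
listening_commands() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $1 }' "$1" | sort -u
}

# "command pid" pairs for listening sockets, one per PID (an sshd listening on
# IPv4 and IPv6 appears once).
listening_pids() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $1, $2 }' "$1" | sort -u
}

# User owning PID $2 according to the ps -ef listing in $1. Joining on the PID
# column avoids the substring problem of ps -ef | grep $name.
ps_user_for_pid() {
    awk -v pid="$2" 'NR > 1 && $2 == pid { print $1; exit }' "$1"
}

# Print "Service <cmd> (pid <n>) is running as user <u>" for every listener.
report_listener_users() {
    listening_pids "$1" | while read -r cmd pid; do
        user=$(ps_user_for_pid "$2" "$pid")
        echo "Service $cmd (pid $pid) is running as user ${user:-unknown}"
    done
}

# Commands that listen as root: candidates for --chuid / --chroot in their
# /etc/init.d script.
root_listeners() {
    listening_pids "$1" | while read -r cmd pid; do
        if [ "$(ps_user_for_pid "$2" "$pid")" = root ]; then
            echo "$cmd"
        fi
    done | sort -u
}

# Write constructed sample listings into directory $1.
make_samples() {
    cat > "$1/lsof.txt" <<'EOF'
COMMAND  PID  USER   FD  TYPE DEVICE SIZE NODE NAME
inetd    380  root    4u IPv4   1100      TCP *:23 (LISTEN)
inetd    380  root    5u IPv4   1101      TCP *:21 (LISTEN)
named    402  named  20u IPv4   1200      UDP *:53
sshd     412  root    3u IPv4   1234      TCP *:22 (LISTEN)
sshd     412  root    4u IPv6   1235      TCP *:22 (LISTEN)
exim     455  mail    3u IPv4   1300      TCP 127.0.0.1:25 (LISTEN)
sshd    1201  root    4u IPv4   9000      TCP 192.0.2.10:22->192.0.2.50:40021 (ESTABLISHED)
EOF
    cat > "$1/ps.txt" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 init [2]
root       380     1  0 10:00 ?        00:00:00 /usr/sbin/inetd
named      402     1  0 10:00 ?        00:00:00 /usr/sbin/named -u named
root       412     1  0 10:00 ?        00:00:00 /usr/sbin/sshd
mail       455     1  0 10:00 ?        00:00:00 /usr/sbin/exim -bd -q30m
root      1201   412  0 10:05 ?        00:00:00 sshd: admin [priv]
admin     1203  1201  0 10:05 ?        00:00:00 sshd: admin@pts/0
EOF
}

# Demonstration on the constructed listings.
sample_dir=$(mktemp -d)
make_samples "$sample_dir"
report_listener_users "$sample_dir/lsof.txt" "$sample_dir/ps.txt"
echo "Listening as root: $(root_listeners "$sample_dir/lsof.txt" "$sample_dir/ps.txt" | tr '\n' ' ')"
rm -rf "$sample_dir"
```

On the sample data the established sshd session (PID 1201) and the unprivileged "sshd: admin@pts/0" child are ignored because neither holds a listening socket, so sshd is reported once, as root with PID 412; the page's grep-by-name loop would have printed all three sshd lines and mixed the admin user into the result.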
Check the system with a vulnerability assessment scanner (such as nessus) in order to determine vulnerabilities in the system (i.e., misconfigurations, old services or unneeded services).
For the truly paranoid, also consider the following:
FIXME: this procedure considers service hardening but not system hardening at the user level, include information regarding checking user permissions, SETUID files and freezing changes in the system using the ext2 file system.
Securing Debian Manual 2.99, 18 April 2004 (Wed, 3 Mar 2004 09:18:54 +0100)