[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]

Securing Debian Manual
Chapter 8 - Security tools in Debian

FIXME: More content needed.

Debian provides also a number of security tools that can make a Debian box suited for security purposes. This purposes include protection of information systems through firewalls (either packet or application-level), intrusion detection (both network and host based), vulnerability assesment, antivirus, private networks, etc.

Since Debian 3.0 (woody), the distribution features cryptographic software integrated into the main distribution. OpenSSH and GNU Privacy Guard are included in the default install, and strong encryption is now present in web browsers and web servers, databases, and so forth. Further integration of cryptography is planned for future releases. This software, due to export restrictions in the US, was not distributed along with the main distribution but included only in non-US sites.

8.1 Remote vulnerability assesment tools

The tools provided by Debian to perform remote vulnerability assesment are: [37]

By far, the most complete and up-to-date tools is nessus which is composed of a client (nessus) used as a GUI and a server (nessusd) which launches the programmed attacks. Nessus includes remote vulnerabilities for quite a number of systems including network appliances, ftp servers, www servers, etc. The latest security plugins are able even to parse a web site and try to discover which interactive pages are available which could be attacked. There are also Java and Win32 clients (not included in Debian) which can be used to contact the management server.

Notice that if you are using woody, the Nessus packages are really out of date (see bug #183524. It is not difficult to backport the packages available in unstable for woody, but if you find it difficult to do so you might want to consider using the backported packages provided by one of the co-maintainers and available at http://people.debian.org/~jfs/nessus/ (these versions might not be as up-to-date as the versions available at unstable).

Whisker is a web-only vulnerability assessment scanner including anti-IDS tactics (most of which are not anti-IDS anymore). It is one of the best cgi-scanners available, being able to detect WWW servers and launch only a given set of attacks against it. The database used for scanning can be easily modified to provide for new information.

Bass (Bulk Auditing Security Scanner) and Satan (Security Auditing Tool for Analysing Networks) must be thought of more like "proof of concept" programs than as tools to be used while performing audits. Both are quite ancient and are not kept up-to-date. However, SATAN was the first tool to provide vulnerability assesment in a simple (GUI) way and Bass is still a very high-perfomance assesment tool.

8.2 Network scanner tools

Debian does provide some tools used for remote scanning of hosts (but not vulnerability assesment). These tools are, in some cases, used by vulnerability assesment scanners as the first type of "attack" run against remote hosts in an attempt to determine remote services available. Currently Debian provides:

Whileas queso and xprobe provide only remote operating system detection (using TCP/IP fingerprinting), nmap and knocker do both operating system detection and port scanning of the remote hosts. On the other hand, hping2 and icmpush can be used for remote ICMP attack techniques.

Designed specifically for Netbios networks, nbtscan can be used to scan IP networks and retrieve name information from SMB-enabled servers, including: usernames, network names, MAC addresses...

On the other hand, fragrouter can be used to test network intrusion detection systems and see if the NIDS can be eluded by fragmentation attacks.

FIXME: Check Bug #153117 (ITP fragrouter) to see if it's included.

FIXME add information based on Debian Linux Laptop for Road Warriors which describes how to use Debian and a laptop to scan for wireless (803.1) networks.

8.3 Internal audits

Currently, only the tiger tool used in Debian can be used to perform internal (also called white box) audit of hosts in order to determine if the file system is properly set up, which processes are listening on the host, etc.

8.4 Auditing source code

Debian provides three packages that can be used to audit C/C++ source code programs and find programming errors that might lead to potential security flaws:

8.5 Virtual Private Networks

A virtual private network (VPN) is a group of two or more computer systems, typically connected to a private network with limited public network access, that communicate securely over a public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network's topology.

Debian provides quite a few packages to set up encrypted virtual private networks:

The FreeSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.

For more information see the VPN-Masquerade HOWTO (covers IPsec and PPTP), VPN HOWTO (covers PPP over SSH), and Cipe mini-HOWTO, and PPP and SSH mini-HOWTO.

8.5.1 Point to Point tunneling

If you want to provide a tunneling server for a mixed environment (both Microsoft operating systems and Linux clients) and IPsec is not an option (since it's only provided for Windows 2000 and Windows XP), you can use PoPToP (Point to Point Tunneling Server), provided in the pptpd package.

If you want to use Microsoft's authentication and encryption with the server provided in the ppp package, note the following from the FAQ:

     It is only necessary to use PPP 2.3.8 if you want Microsoft compatible
     MSCHAPv2/MPPE authentication and encryption. The reason for this is that
     the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP
     2.3.8. If you don't need Microsoft compatible authentication/encryption
     any 2.3.x PPP source will be fine.

However, you also have to apply the kernel patch provided by the kernel-patch-mppe package, which provides the pp_mppe module for pppd.

Take into account that the encryption in ppptp forces you to store user passwords in clear text, and that the MS-CHAPv2 protocol contains known security holes.

8.6 Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a security architecture introduced to provide an increased level of confidence for exchanging information over insecure networks. It makes use of the concept of public and private cryptographic keys to verify the identity of the sender (signing) and to ensure privacy (encryption).

When considering a PKI, you are confronted with a wide variety of issues:

Debian GNU/Linux has software packages to help you with some of these PKI issues. They include OpenSSL (for certificate generation), OpenLDAP (as a directory to hold the certificates), gnupg and freeswan (with X.509 standard support). However, as of the Woody release (Debian 3.0), Debian does not have any of the freely available Certificate Authorities such as pyCA, OpenCA or the CA samples from OpenSSL. For more information read the Open PKI book.

8.7 SSL Infrastructure

Debian does provide some SSL certificates with the distribution so that they can be installed locally. They are found in the ca-certificates package. This package provides a central repository of certificates that have been submitted to Debian and approved (that is, verified) by the package maintainer, useful for any OpenSSL applications which verify SSL connections.

FIXME: read debian-devel to see if there was something added to this.

8.8 Antivirus tools

There are not many anti-virus tools included with Debian GNU/Linux, probably because GNU/Linux users are not plagued by viruses. The UN*X security model makes a distinction between privileged (root) processes and user-owned processes, therefore a "hostile" executable that a non-root user receives or creates and then executes cannot "infect" or otherwise manipulate the whole system. However, GNU/Linux worms and viruses do exist, although there has not (yet, hopefully) been any that has spread in the wild over any Debian distribution. In any case, administrators might want to build up anti-virus gateways that protect against viruses arising on other, more vulnerable systems in their network.

Debian GNU/Linux currently provides the following tools for building antivirus environments:

Some gateway daemons support already tools extensions to build antivirus environments including exim4-daemon-heavy (the heavy version of the Exim MTA), frox (a transparent caching ftp proxy server), messagewall (an SMTP proxy daemon) and pop3vscan (a transparent POP3 proxy).

As you can see, Debian does not currently provide antivirus scanning software in the main official distribution (3.0 at the time of this writting) but it does provide multiple interfaces to build gateway antivirus. The Clamav scanner will be provided in the next official release.

Some other free software antivirus projects which might be included in future Debian GNU/Linux releases:

There is also a virussignatures package, which provides signatures for all packages, this package provides a script to download the latest virus signatures from http://www.openantivirus.org/latest.php.

FIXME: Check to determine which packages are available for antivirus. Is clamav available? (there seem to be Debian packages for it).

FIXME: check if scannerdaemon is the same as the open antivirus scanner daemon (read ITPs).

However, Debian will never provide commercial antivirus software such as: Panda Antivirus, NAI Netshield (uvscan), Sophos Sweep, TrendMicro Interscan, or RAV. For more pointers see the Linux antivirus software mini-FAQ. This does not mean that this software can be installed properly in a Debian system.

For more information on how to set up an a virus detection system read Dave Jones' article Building an E-mail Virus Detection System for Your Network.

8.9 GPG agent

It is very common nowadays to digitally sign (and sometimes encrypt) e-mail. You might, for example, find that many people participating on mailing lists sign their list e-mail. Public key signatures are currently the only means to verify that an e-mail was sent by the sender and not by some other person.

Debian GNU/Linux provides a number of e-mail clients with built-in e-mail signing capabilities that interoperate either with gnupg or pgp:

Key servers allow you to download published public keys so that you may verify signatures. One such key server is http://wwwkeys.pgp.net. gnupg can automatically fetch public keys that are not already in your public keyring. For example, to configure gnupg to use the above key server, edit the file ~/.gnupg/options and add the following line: [39]

     keyserver wwwkeys.pgp.net

Most key servers are linked, so that when your public key is added to one server, the addition is propagated to all the other public key servers. There is also a Debian GNU/Linux package debian-keyring, that provides all the public keys of the Debian developers. The gnupg keyrings are installed in /usr/share/keyrings/.

For more information:

[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]

Securing Debian Manual

2.99 18 April 2004Wed, 3 Mar 2004 09:18:54 +0100

Javier Fernández-Sanguino Peña jfs@computer.org