FIXME: More content needed.
Debian also provides a number of security tools that can make a Debian box suitable for security purposes. These purposes include protection of information systems through firewalls (either packet or application-level), intrusion detection (both network and host based), vulnerability assessment, antivirus, private networks, etc.
Since Debian 3.0 (woody), the distribution features cryptographic software integrated into the main distribution. OpenSSH and GNU Privacy Guard are included in the default install, and strong encryption is now present in web browsers and web servers, databases, and so forth. Further integration of cryptography is planned for future releases. Before woody, this software, due to export restrictions in the US, was not distributed along with the main distribution but included only in non-US sites.
The tools provided by Debian to perform remote vulnerability assessment are:

By far, the most complete and up-to-date tool is nessus, which is composed of a client (nessus) used as a GUI and a server (nessusd) which launches the programmed attacks. Nessus includes remote vulnerabilities for quite a number of systems including network appliances, ftp servers, www servers, etc. The latest security plugins are even able to parse a web site and try to discover which interactive pages are available which could be attacked. There are also Java and Win32 clients (not included in Debian) which can be used to contact the management server.

Notice that if you are using woody, the Nessus packages are really out of date. It is not difficult to backport the packages available in unstable for woody, but if you find it difficult to do so you might want to consider using the backported packages provided by one of the co-maintainers and available at (these versions might not be as up-to-date as the versions available at
Whisker is a web-only vulnerability assessment scanner including anti-IDS tactics (most of which are not anti-IDS anymore). It is one of the best cgi-scanners available, being able to detect WWW servers and launch only a given set of attacks against them. The database used for scanning can be easily modified to provide for new information.
Bass (Bulk Auditing Security Scanner) and SATAN (Security Auditing Tool for Analysing Networks) must be thought of more as "proof of concept" programs than as tools to be used while performing audits. Both are quite ancient and are not kept up-to-date. However, SATAN was the first tool to provide vulnerability assessment in a simple (GUI) way and Bass is still a very high-performance assessment tool.
Debian does provide some tools used for remote scanning of hosts (but not vulnerability assessment). These tools are, in some cases, used by vulnerability assessment scanners as the first type of "attack" run against remote hosts in an attempt to determine which remote services are available. Currently Debian provides:
xprobe provides only remote operating system detection (using TCP/IP fingerprinting); knocker does both operating system detection and port scanning of the remote hosts. On the other hand, icmpush can be used for remote ICMP attack techniques.
Designed specifically for Netbios networks, nbtscan can be used to scan IP networks and retrieve name information from SMB-enabled servers, including usernames, network names, MAC addresses, etc.
On the other hand, fragrouter can be used to test network intrusion detection systems and see if the NIDS can be eluded by fragmentation. Check #153117 (ITP fragrouter) to see if it's included.
FIXME: add information based on Debian Linux Laptop for Road Warriors, which describes how to use Debian and a laptop to scan for wireless (803.1) networks.
Currently, only the tiger tool used in Debian can be used to perform an internal (also called white box) audit of hosts in order to determine if the file system is properly set up, which processes are listening on the
Debian provides three packages that can be used to audit C/C++ source code programs and find programming errors that might lead to potential security flaws:
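The kind of defect these auditors look for can be shown with a small scanner of the same flavour. This is an added example, not the code of any Debian package: it reports calls in C/C++ source to functions that are classic sources of buffer overflows and command injection, blanking comments and string literals first so that a mention of strcpy in a comment is not reported and the line numbers stay reliable. The RISKY_CALLS table and the SAMPLE_SOURCE program are constructed for the example; the packages above keep a far richer database and also reason about the arguments, which this scanner does not.

```python
"""Minimal C/C++ source auditor in the spirit of the Debian audit packages.
Added example, not the code of any of those packages: it reports calls to
functions that are classic sources of buffer overflows and command injection."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed table: function name -> (severity, note). A real auditor keeps a
# much larger database and inspects the arguments, not just the callee's name.
RISKY_CALLS = {
    "gets":    ("high",   "no bound on input length; use fgets with a size"),
    "strcpy":  ("high",   "unbounded copy; check the length first or use strlcpy"),
    "strcat":  ("high",   "unbounded append; check the length first or use strlcat"),
    "sprintf": ("high",   "unbounded formatted write; use snprintf"),
    "scanf":   ("medium", "%s without a width overflows the buffer"),
    "system":  ("medium", "command injection if untrusted input reaches the string"),
    "popen":   ("medium", "command injection if untrusted input reaches the string"),
    "strncpy": ("low",    "result is not NUL-terminated when the source fills the buffer"),
}

# A risky name followed by optional whitespace and '(' is a call, not a mention.
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT_RE = re.compile(r"//[^\n]*")
STRING_RE = re.compile(r'"(?:\\.|[^"\\\n])*"')


@dataclass
class Finding:
    line: int       # 1-based line number in the source
    func: str       # risky function that is called
    severity: str   # "high", "medium" or "low"
    note: str       # why it matters and what to use instead
    text: str       # the offending line, after comments/strings were blanked


def blank_noise(src):
    """Blank out comments and string literals, keeping every newline so that
    line numbers survive; a '//' inside a string literal is a known limitation."""
    src = BLOCK_COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)
    src = LINE_COMMENT_RE.sub("", src)
    return STRING_RE.sub('""', src)


def audit_source(src):
    """Return a Finding for every risky call in the given C/C++ source text."""
    findings = []
    for lineno, line in enumerate(blank_noise(src).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            severity, note = RISKY_CALLS[func]
            findings.append(Finding(lineno, func, severity, note, line.strip()))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: an unbounded copy of argv[1], an unbounded sprintf and a
# shell command built from that input, plus decoys in a comment and a string.
SAMPLE_SOURCE = r"""#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* strcpy() inside a comment must not be reported */
int main(int argc, char **argv) {
    char name[64];
    char cmd[128];
    strcpy(name, argv[1]);
    sprintf(cmd, "ls %s", name);
    system(cmd);
    printf("gets() inside a string literal must not be reported\n");
    return 0;
}
"""

if __name__ == "__main__":
    found = audit_source(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f.line}: {f.severity:6} {f.func}() -- {f.note}\n    {f.text}")
    print("summary:", summarize(found))
```

Run directly it prints the three findings for the sample (lines 9, 10 and 11). In practice the input would be the files of a package's source tree, and a "high" finding is a review candidate rather than a confirmed bug, because a name-based scanner cannot tell whether the data flowing into the call is attacker-controlled.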
A virtual private network (VPN) is a group of two or more computer systems, typically connected to a private network with limited public network access, that communicate securely over a public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network's topology.
Debian provides quite a few packages to set up encrypted virtual private networks:
The FreeSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.
For more information see the HOWTO (covers IPsec and PPTP), the VPN HOWTO (covers PPP over SSH), and PPP and SSH
If you want to provide a tunneling server for a mixed environment (both Microsoft operating systems and Linux clients) and IPsec is not an option (since it's only provided for Windows 2000 and Windows XP), you can use PoPToP (Point to Point Tunneling Server), provided in the
If you want to use Microsoft's authentication and encryption with the server provided in the ppp package, note the following from the FAQ:
It is only necessary to use PPP 2.3.8 if you want Microsoft compatible MSCHAPv2/MPPE authentication and encryption. The reason for this is that the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP 2.3.8. If you don't need Microsoft compatible authentication/encryption any 2.3.x PPP source will be fine.
However, you also have to apply the kernel patch provided by the kernel-patch-mppe package, which provides the pp_mppe module for

Take into account that the encryption in pptp forces you to store user passwords in clear text, and that the MS-CHAPv2 protocol contains
Public Key Infrastructure (PKI) is a security architecture introduced to provide an increased level of confidence for exchanging information over insecure networks. It makes use of the concept of public and private cryptographic keys to verify the identity of the sender (signing) and to ensure privacy (encryption).
When considering a PKI, you are confronted with a wide variety of issues:
Debian GNU/Linux has software packages to help you with some of these PKI issues. They include OpenSSL (for certificate generation), OpenLDAP (as a directory to hold the certificates), and freeswan (with X.509 standard support).
However, as of the Woody release (Debian 3.0), Debian does not have any of the freely available Certificate Authorities such as pyCA, OpenCA or the CA samples from OpenSSL. For more information read the Open PKI book.
Debian does provide some SSL certificates with the distribution so that they
can be installed locally. They are found in the
package. This package provides a central repository of certificates that have
been submitted to Debian and approved (that is, verified) by the package
maintainer, useful for any OpenSSL applications which verify SSL connections.
FIXME: read debian-devel to see if there was something added to this.
There are not many anti-virus tools included with Debian GNU/Linux, probably because GNU/Linux users are not plagued by viruses. The UN*X security model makes a distinction between privileged (root) processes and user-owned processes; therefore a "hostile" executable that a non-root user receives or creates and then executes cannot "infect" or otherwise manipulate the whole system. However, GNU/Linux worms and viruses do exist, although there has not (yet, hopefully) been any that has spread in the wild over any Debian distribution. In any case, administrators might want to build anti-virus gateways that protect against viruses arising on other, more vulnerable systems in their network.
Debian GNU/Linux currently provides the following tools for building antivirus environments:

Clam Antivirus, provided in Debian sarge (future 3.1 release). Packages are provided for the virus scanner (clamav), for the scanner daemon (clamav-daemon) and for the data files needed for the scanner. Since keeping an antivirus up-to-date is critical for it to work properly, there are two different ways to get this data: clamav-freshclam provides a way to update the database through the Internet automatically, and clamav-data provides the data files directly.

mailscanner, an e-mail gateway virus scanner and spam detector. Using Exim as its basis, it can use more than 17 different virus scanning engines (including

libfile-scan-perl, which provides File::Scan, a Perl extension for scanning files for viruses. This module can be used to make platform independent virus scanners.

Amavis Next Generation, provided in the package amavis-ng and available in sarge, which is a mail virus scanner that integrates with different MTAs (Exim, Sendmail, Postfix, or Qmail) and supports over fifteen virus scanning engines (including clamav, File::Scan and openantivirus).

sanitizer, a tool that uses the procmail package, which can scan email attachments for viruses, block attachments based on their filenames, and more.

amavis-postfix, a script that provides an interface from a mail transport agent to one or more commercial virus scanners (this package is built with support for the

exiscan, an e-mail virus scanner written in Perl that works with Exim.

sanitizer, a scanner for mail that can remove potentially dangerous attachments.

blackhole-qmail, a spam filter for Qmail with built-in support for Clamav.
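To make the filename-based blocking that sanitizer performs concrete, here is an added example of the same policy check applied to a parsed message; it is not sanitizer's code nor that of any other package listed above. It uses only Python's standard email module, the extension and MIME-type tables are constructed for the example, and the sample message is built inline. Blocked parts are replaced by a short text notice, which is the "remove potentially dangerous attachments" behaviour described for sanitizer.

```python
"""Filename- and MIME-type-based attachment blocking for a mail gateway, in the
spirit of the sanitizer package. Added example, not the package's own code; the
policy tables and the sample message are constructed here."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed policy: extensions Windows executes directly, and MIME types that
# mark executable content whatever the filename claims.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "hta", "lnk", "js"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def attachment_verdict(filename, content_type):
    """Return the reason an attachment is blocked, or None if it passes."""
    if content_type in BLOCKED_MIME_TYPES:
        return f"executable MIME type {content_type}"
    if not filename:
        return None
    name = filename.lower()
    # Runs of whitespace or control characters before the real extension are
    # used to push ".exe" out of view in mail clients ("invoice.pdf      .exe").
    if re.search(r"[\x00-\x1f]|\s{3,}", name):
        return "suspicious padding in filename"
    ext = name.rstrip().rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension .{ext}"
    return None


def sanitize(msg):
    """Replace every blocked attachment (recursing into nested multiparts) with a
    text notice; return a list of (filename, reason) for what was removed."""
    blocked = []
    if not msg.is_multipart():
        return blocked
    parts = msg.get_payload()           # the live list of sub-parts
    for i, part in enumerate(parts):
        if part.is_multipart():
            blocked.extend(sanitize(part))
            continue
        if part.get_content_disposition() != "attachment":
            continue
        filename = part.get_filename()
        reason = attachment_verdict(filename, part.get_content_type())
        if reason is None:
            continue
        blocked.append((filename, reason))
        notice = EmailMessage()
        notice.set_content(f"Attachment {filename!r} was removed by the gateway: {reason}.\n")
        parts[i] = notice
    return blocked


def scan_message(raw):
    """Parse a raw message as the gateway would receive it; return (message, blocked)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return msg, sanitize(msg)


def remaining_attachments(msg):
    """Filenames of the attachment parts still present after sanitizing."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment"]


def build_sample():
    """Constructed test message: one clean PDF plus two attachments that must be
    blocked, one by its double extension and one by its MIME type."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ...", maintype="application", subtype="x-msdownload",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    message, removed = scan_message(build_sample())
    for name, reason in removed:
        print(f"blocked {name}: {reason}")
    print("kept:", remaining_attachments(message))
```

The check deliberately looks at both the filename and the declared MIME type, because either one alone can be chosen freely by the sender; a virus scanner such as the ones listed above would additionally inspect the decoded content of the parts that pass this policy.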
Some gateway daemons already support extensions to build antivirus environments: exim4-daemon-heavy (the heavy version of the Exim MTA), frox (a transparent caching ftp proxy), messagewall (an SMTP proxy daemon) and pop3vscan (a transparent POP3 proxy).
As you can see, Debian does not currently provide antivirus scanning software in the main official distribution (3.0 at the time of this writing), but it does provide multiple interfaces to build gateway antivirus. The Clamav scanner will be provided in the next official release.
Some other free software antivirus projects which might be included in future Debian GNU/Linux releases:
There is also a
virussignatures package, which provides signatures
for all packages, this package provides a script to download the latest virus
FIXME: Check to determine which packages are available for antivirus. Is clamav available? (there seem to be Debian packages for it).
FIXME: check if scannerdaemon is the same as the open antivirus scanner daemon (read ITPs).
However, Debian will never provide commercial antivirus software such
RAV. For more pointers see the antivirus software mini-FAQ. This does not mean that this software cannot be installed properly in a Debian system.
For more information on how to set up an a virus detection system read Dave
Building an E-mail
Virus Detection System for Your Network.
It is very common nowadays to digitally sign (and sometimes encrypt) e-mail. You might, for example, find that many people participating on mailing lists sign their list e-mail. Public key signatures are currently the only means to verify that an e-mail was sent by the sender and not by some other person.
Debian GNU/Linux provides a number of e-mail clients with built-in e-mail
signing capabilities that interoperate either with
sylpheed. Depending on how the stable version of this package evolves, you may need to use the bleeding edge version,
gnus, which when installed with the mailcrypt package, is an
kuvert, which provides this functionality independently of your chosen mail user agent (MUA) by interacting with the mail transport agent (MTA).
Key servers allow you to download published public keys so that you may verify
signatures. One such key server is
gnupg can automatically fetch public keys that are not already in
your public keyring. For example, to configure
gnupg to use the
above key server, edit the file
~/.gnupg/options and add the
following line: 
Most key servers are linked, so that when your public key is added to one
server, the addition is propagated to all the other public key servers. There
is also a Debian GNU/Linux package
debian-keyring, that provides
all the public keys of the Debian developers. The
are installed in
For more information:
Securing Debian Manual 2.99, 18 April 2004. Wed, 3 Mar 2004 09:18:54 +0100