Next Previous Contents

5. Before the compromise

5.1 Follow Debian security updates

It is by far not sufficient to make a security update after installation and you are done. You really need to do this on regular basis not to fall in the pit of having insecure software installed on your system.

5.2 Exchange software

You should try to avoid any network service which sends and receives passwords in cleartext over a net like FTP/Telnet/NIS/RPC. The author recommends the use of ssh instead of telnet and ftp to everybody.

Also you should not use NIS, the Network Information Service, if it is possible, because it allows password sharing. This can be highly insecure if your setup is broken.

Last, but not least, disable RPC wherever possible. Many security holes for this service are known and can be easily exploited. On the other hand NFS services are quite important in some networks, so find a balance of security and usability in a network. Most of the DDoS (distributed denial of service) attacks use rpc exploits to get into the system and act as a so called agent/handler.

Disabling portmap is quite simple. There are different methods. The simplest one in a Debian system is to do update-rc.d portmap remove. This in fact removes every symlink relating to portmap in /etc/rc${runlevel}.d/, what could also be done manually. Another possibility is to chmod 644 /etc/init.d/portmap, but that gives an error message when booting. You can also strip off the start-stop-daemon part in /etc/init.d/portmap shell script. Keep in mind that migrating from telnet to ssh, but using other cleartext protocols does not increase your security in ANY way! Best would be to remove ftp, telnet, pop, imap, http and to supersede them with their respective crypted services. You should consider moving from this services to their SSL versions, ftp-ssl, telnet-ssl, pop-ssl, https ...

Most of these above listed hints apply to every Unix system.

5.3 Useful kernel patches

Some kernel patches exist, which significantly enhance system security. Here are a few of them:

5.4 Genius/Paranoia Ideas, what you could do

This is probably the most unstable and funny section, since I hope that some of the "duh. that sounds crazy"-ideas might be realized. Following here you will find some - well, it depends on the point of view whether you say they are genius, paranoid, crazy or secure - ideas to increase your security rapidly but you will not come unscathed out of it.

Next Previous Contents