<chapt><heading>Introduction</heading>
<p>
One of the hardest things about writing security documents is that
every case is unique. Two things you have to pay attention to are the
threat environment and the security needs of the individual site, host
or network. For example, the security needs of a home user are
completely different from those of a bank's network. While the main
risk a home user faces is the script-kiddie type of cracker, a bank's
network has to worry about directed attacks. In addition, the bank has
to protect its customers' data with mathematical precision.
In short, every user has to consider the trade-off between usability
and security/paranoia.
<!-- Is this metaphor really appropriate? Sounds like rounding errors to me,
era --></p>
<p>
Keep in mind that this manual only covers issues relating to
software. The best software in the world cannot protect you if someone
has physical access to the machine. You can place it under your desk,
or in a bunker guarded by an army. Nevertheless, a desktop computer can
be more secure (from a software point of view) than a physically
protected one if the desktop is configured properly and the software on
the protected machine is full of security holes. Naturally, both
situations have to be considered.</p>
<p>
This document only gives an overview of what you can do to
increase the security of your Debian GNU/Linux system. If you have read
other documents about Linux security, you will see that common topics
may overlap with this document.
In any case, this document does not try to be the ultimate source
of information you may ever need; it only tries to
adapt this same information so that it is usable on a
Debian GNU/Linux system. Different distributions
do some things in different ways (starting daemons, for example);
here you will find material appropriate for Debian's tools and
procedures.
<!--
# Does this approximate the intent of the original author? (FIXME: check)
# Original text said: "you will find here [sic] a different approach,
# using Debian's tools, regarding security." era
-->
<!-- IMHO yes, jfs --></p>
<sect id="author">Author
<p>The current maintainer of this document is <url name="Javier
Fernández-Sanguino" id="mailto:jfs@debian.org">. Send him any comments,
additions or suggestions, and they will be considered for inclusion in
future versions of this manual.
<p>This manual was started as a <em>HOWTO</em> by <url
name="Alexander Reelsen" id="mailto:ar@rhwd.de">. After it was published on
the Internet, <url name="Javier Fernández-Sanguino" id="mailto:jfs@debian.org">
incorporated it into the <url name="Debian Documentation Project"
id="http://www.debian.org/doc">. A good number of people have contributed to
this manual (all contributors are listed in the changelog),
but the following people deserve special mention since they have
provided significant contributions (whole sections, chapters or appendices):
<list>
<item>Stefano Canepa
<item>Era Eriksson
<item>Carlo Perassi
<item>Alexandre Ratti
<item>Jaime Robles
<item>Yotam Rubin
<item>Frederic Schutz
<item>Pedro Zorzenon Neto
<item>Oohara Yuuma
</list>
<sect><heading>Downloading the manual</heading>
<p>
You can download or view the latest version of the Securing Debian
Manual from the <url id="http://www.debian.org/doc/manuals/securing-debian-howto/" name="Debian Documentation Project">.
You can also check the latest version through the Debian
<url id="http://cvs.debian.org/ddp/manuals.sgml/securing-howto/?cvsroot=debian-doc" name="CVS server">.</p>
<p>
A
<url id="http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.txt" name="plain text">
version is also available from the Debian Documentation Project site. Other
formats, such as PDF, are not (yet) available. In any case, you can install the
<url id="http://packages.debian.org/harden-doc" name="harden-doc"> package,
which provides this same document in HTML, txt and PDF formats. Check,
however, that the package is up to date with respect to the document provided
on the Internet (you can always use the source package to
build an updated version yourself!).
<!--
<p>
Previous (out of date) versions of this HOWTO can be found here:
<list>
<item><url name="Text-only"
id="http://joker.rhwd.de/doc/Securing-Debian-HOWTO/Securing-Debian-HOWTO.txt">
<item><url name="HTML"
id="http://joker.rhwd.de/doc/Securing-Debian-HOWTO/Securing-Debian-HOWTO.html">
<item><url name="HTML, tarred and gzipped"
id="http://joker.rhwd.de/doc/Securing-Debian-HOWTO/Securing-Debian-HOWTO.tar.gz">
<item><url name="SGML"
id="http://joker.rhwd.de/doc/Securing-Debian-HOWTO/Securing-Debian-HOWTO.sgml">
</list>
-->
<!-- TODO: remove these stale links rather than leave references to -->
<!-- the old versions hanging around? era --></p></sect>
<sect><heading>Organizational notes/feedback</heading>
<p>
And now the official part. Until now I (Alexander Reelsen) have
written most of the paragraphs of this manual, but in my
opinion it should not continue this way. I grew up and live with
free software; it is part of my everyday use and, I imagine,
of yours too. I encourage everyone to send me feedback,
additions or any other kind of suggestion you may have.</p>
<p>
If you think you can maintain a certain chapter or, better, a
section, write to the document maintainer and you will be
welcome. In particular, if you find a section marked with
"FIXME", this means that the author does not have the time or
the necessary knowledge about the topic; send an e-mail immediately.</p>
<p>
The topic of this manual makes it quite clear how important it is
to keep it up to date, and everyone can do their part.
Please contribute.</p></sect>
<sect><heading>Prior knowledge</heading>
<p>
Installing Debian GNU/Linux is not very difficult and
you should be able to do it. If you already have some
knowledge of Linux or other Unix systems and some familiarity
with the basics of security, this manual will be easy to
understand, since this document cannot
go into every little detail of every feature it
covers (otherwise it would have been a book
and not a manual). If you are not that
familiar with the subject, you can in any case take a look at
<ref id="references"> to find where to get more
detailed information.</p></sect>
<sect><heading>Things that need to be written</heading>
<p>This section describes all the things that need to be fixed in this manual. Some paragraphs include <em>FIXME</em> or <em>TODO</em> tags to
describe what content is missing (or what kind of work needs to be done). The
purpose of this section is to describe all the things that
could be included in the manual, or improvements that need to be made
(or should be added).
<p>If you think you can help by contributing content to
fix any of the items in the list (or the inline notes), contact
the main author (<ref id="author">).
<list>
<item><p>Expand the information on incident response, maybe
adding some ideas taken from the RedHat Security Guide
<url id="http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-response.html" name="chapter on incident response">.</p></item>
<item>
<p>Write about remote monitoring tools
(to check system availability)
such as monit, daemontools and mon. See
<url id="http://linux.oreillynet.com/pub/a/linux/2002/05/09/sysadminguide.html">.</p></item>
<item>
<p>Consider writing a section on
building Debian-based network applications (complete with
information on the base system, <package>equivs</package> and FAI).</p></item>
<item>
<p>Check whether <url id="http://rr.sans.org/linux/hardening.php">
contains relevant information not yet covered here.</p></item>
<item>
<p>Add information on how to set up a laptop with
Debian <url id="http://rr.sans.org/linux/debian_laptop.php">.</p></item>
<item>
<p>Add information on how to set up a firewall using
Debian GNU/Linux. The section on firewalling is
currently oriented towards a single system (not
protecting others...); also write about how to test
the setup.</p></item>
<item>
<p>Add information on how to set up a proxy firewall
with Debian GNU/Linux, starting specifically from the packages
that provide proxy services (such as
<package>xfwp</package>, <package>xproxy</package>,
<package>ftp-proxy</package>, <package>redir</package>,
<package>smtpd</package>, <package>nntp-cache</package>,
<package>dnrd</package>, <package>jftpgw</package>, <package>oops</package>,
<package>pdnsd</package>, <package>perdition</package>,
<package>transproxy</package>, <package>tsocks</package>).
It should point to the manual for any other information.
Note that <package>zorp</package> is now available as a Debian package and
<em>is</em> a proxy firewall (upstream Debian packages are also provided).</p></item>
<item><p>Information on configuring services with file-rc.</p></item>
<item><p>Check all the reference URLs and
remove/fix those no longer available.</p></item>
<item><p>Add information on available replacements (in
Debian) for common servers, useful for their limited functionality.
For example:
<list>
<item><p>local lpr with cups (package)?</p></item>
<item><p>remote lrp with lpr</p></item>
<item><p>bind with dnrd/maradns</p></item>
<item><p>apache with dhttpd/thttpd/wn (tux?)</p></item>
<item><p>exim/sendmail with ssmtpd/smtpd/postfix</p></item>
<item><p>squid with tinyproxy</p></item>
<item><p>ftpd with oftpd/vsftp</p></item>
<item><p>...</p></item>
</list></p></item>
<item>
<p>More information on security-related kernel
patches in Debian, including those shown
above, and specific information on how to
enable these patches on a Debian system.
<list>
<item><p>Linux Intrusion Detection (<package>lids-2.2.19</package>)</p></item>
<item><p>Linux Trustees (in the <package>trustees</package> package)</p></item>
<item><p><url id="http://www.coker.com.au/selinux/" name="NSA Enhanced Linux"></p></item>
<item><p><url id="http://packages.debian.org/kernel-patch-2.2.18-openwall" name="kernel-patch-2.2.18-openwall"></p></item>
<item><p><package>kernel-patch-2.2.19-harden</package></p></item>
<item><p><package>kernel-patch-freeswan, kernel-patch-int</package></p></item>
</list></p></item>
<item>
<p>Details on turning off unnecessary network services (besides
<prgn>inetd</prgn>); this is partly covered in the hardening
procedures but could be expanded a bit.</p></item>
<item>
<p>Information on password rotation, which is
closely related to policy (the conventions adopted in Debian).</p></item>
<item><p>Policy, and educating users about it.</p></item>
<item><p>More details on tcpwrappers and wrappers in general?</p></item>
<item><p><file>hosts.equiv</file> and other major security holes.</p></item>
<item><p>Information on file sharing servers such as Samba and NFS?</p></item>
<item><p>suidmanager/dpkg-statoverrides.</p></item>
<item><p>lpr and lprng.</p></item>
<item><p>Disabling the GNOME IP "things".</p></item>
<item>
<p>Write about pam_chroot (see
<url id="http://lists.debian.org/debian-security/2002/debian-security-200205/msg00011.html">)
and its usefulness for restricting users. Introduce
information related to
<url id="http://online.securityfocus.com/infocus/1575">.
<package>Pdmenu</package>, for example, is available in Debian (whereas
flash is not).</p></item>
<item>
<p>Write about chrooting services; some information is available at:
<url id="http://www.linuxfocus.org/English/January2002/aritcle225.shtml">,
<url id="http://www.networkdweebs.com/chroot.html"> and
<url id="http://www.linuxsecurity.com/feature_stories/feature_story-99.html"></p></item>
<item>
<p>Write about programs for building chroot jails. <package>Compartment</package> and
<package>chrootuid</package> are waiting in incoming. Some others
(makejail, jailer) could also be introduced.</p></item>
<item>
<p>Add the information provided by Karl Hegbloom
regarding Bind 9 in a chrooted environment, see
<url id="http://people.pdxlinux.org/~karlheg/Secure_Bind9_uHOWTO/Secure_Bind_9_uHOWTO.xhtml">.</p></item>
<item>
<p>Add the information provided by Pedro Zorzenon for chrooting
Bind 8, only for potato systems, see
<url id="http://people.debian.org/~pzn/howto/chroot-bind.sh.txt"> (include
the whole script?).</p></item>
<item>
<p>More information regarding log analysis software
(for example logcheck and logcolorise).</p></item>
<item>
<p>"Advanced" routing (traffic policies are related to
security).</p></item>
<item>
<p>Restricting <prgn>ssh</prgn> access so that only certain commands can be run.</p></item>
<item>
<p>Using dpkg-statoverride.</p></item>
<item>
<p>A secure way to share a CD burner among
users.</p></item>
<item>
<p>Secure ways of providing sound over the network in addition to
network display capabilities (so that X clients' sounds
are played on the X server's hardware).</p></item>
<item><p>Securing web browsers.</p></item>
<item><p>Setting up ftp over <prgn>ssh</prgn>.</p></item>
<item><p>Using an encrypted loopback file system.</p></item>
<item><p>Encrypting the entire file system.</p></item>
<item><p>Steganographic tools.</p></item>
<item><p>Setting up a PKA for an organization.</p></item>
<item>
<p>Using LDAP to manage users. There is an
ldap+kerberos HOWTO for Debian at www.bayour.com written by Turbo
Fredrikson.</p></item>
<item>
<p>How to remove information of little use on production
systems, such as /usr/share/doc and /usr/share/man (yes,
security by obscurity).</p></item>
<item>
<p>More information on lcap based on the packages'
README file (well, not there yet, see
<url id="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=169465" name="Bug #169465">)
and from the LWN article: <url id="http://lwn.net/1999/1202/kernel.php3" name="Kernel development">.</p></item>
<item>
<p>Add Colin's article on how to set up a chroot
environment for a full Sid system
(<url id="http://people.debian.org/~walters/chroot.html">)</p></item>
<item>
<p>Add information on how to run multiple snort sensors on a
given system (check the bug reports sent to snort)</p></item>
<item><p>Add information on how to set up a
honeypot (<package>honeyd</package>)</p></item>
</list></p></sect>
<sect id="changelog"><heading>Changelog/History</heading>
<sect1>Version 2.97 (september 2003)
<p>Changes by Javier Fernández-Sanguino Peña
<list>
<item>Added those that have made the most significant contributions to
this manual (please mail me if you think you should be in the list and
are not).
<item>Added some blurb about FIXME/TODOs
<item>Moved the information on security updates to the beginning of
the section as suggested by Elliott Mitchell.
<item>Added grsecurity to the list of kernel-patches for security but
added a footnote on the current issues with it as suggested by Elliott
Mitchell.
<item>Removed loops (echo to 'all') in the kernel's network security
script as suggested by Elliott Mitchell.
<item>Added more (up-to-date) information in the antivirus section.
<item>Rewrote the buffer overflow protection section and added more
information on patches to the compiler to enable this kind of
protection.
</list>
<sect1>Version 2.96 (august 2003)
<p>Changes by Javier Fernández-Sanguino Peña
<list>
<item>Removed (and then readded) appendix on chrooting Apache. The appendix is now dual-licensed.
</list>
<sect1><heading>Version 2.95 (june 2003)</heading>
<p>Changes by Javier Fernández-Sanguino Peña
<list>
<item>Fixed typos spotted by Leonard Norrgard
<item><p>Added a section on how to contact CERT for incident handling
(<url id="#after-compromise">)</p></item>
<item><p>More information on setting up a Squid proxy.</p></item>
<item>Added a pointer and removed a FIXME thanks to Helge H. F.
<item>Fixed a typo (save_inactive) spotted by Philippe Faes.
<item>Fixed several typos spotted by Jaime Robles.
</list></p></sect1>
<sect1><heading>Version 2.94 (april 2003)</heading>
<p>Changes by Javier Fernández-Sanguino Peña
<list>
<item><p>Following Maciej Stachura's suggestions I've expanded the section on
limiting users.</p></item>
<item><p>Fixed typo spotted by Wolfgang Nolte.</p></item>
<item><p>Fixed links with patch contributed by Ruben Leote Mendes.</p></item>
<item><p>Added a link to David Wheeler's excellent document on the footnote
about counting security vulnerabilities.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.93 (march 2003)</heading>
<p>Changes made by Frédéric Schütz.
<list>
<item><p>rewrote entirely the section of ext2 attributes
(lsattr/chattr)</p></item>
</list></p></sect1>
<sect1><heading>Version 2.92 (february 2003)</heading>
<p>Changes by Javier Fernández-Sanguino Peña and
Frédéric Schütz.
<list>
<item><p>Merge section 9.3 ("useful kernel patches") into section 4.13 ("Adding
kernel patches"), and added some content.</p></item>
<item><p>Added a few more TODOs</p></item>
<item><p>Added information on how to manually check for updates and also about
cron-apt. That way Tiger is not perceived as the only way to do automatic
update checks.</p></item>
<item><p>Slight rewrite of the section on executing security updates due
to Jean-Marc Ranger's comments.</p></item>
<item><p>Added a note on Debian's installation (which will suggest the user
to execute a security update right after installation)</p></item>
</list></p></sect1>
<sect1><heading>Version 2.91 (january/february 2003)</heading>
<p>Changes by Javier Fernández-Sanguino Peña (me).
<list>
<item><p>Added a patch contributed by Frédéric Schütz.</p></item>
<item><p>Added a few more references on capabilities thanks to Frédéric.</p></item>
<item><p>Slight changes in the bind section adding a reference to BIND's 9
online documentation and proper references in the first area (Hi Pedro!)</p></item>
<item><p>Fixed the changelog date - new year :-)</p></item>
<item><p>Added a reference to Colin's articles for the TODOs.</p></item>
<item><p>Removed reference to old ssh+chroot patches.</p></item>
<item><p>More patches from Carlo Perassi.</p></item>
<item><p>Typo fixes (recursive in Bind is recursion), pointed out by
Maik Holtkamp.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.91 (january 2002)</heading>
<p>Changes by Javier Fernández-Sanguino Peña (me).
<list>
<item><p>Added a patch contributed by Frederic Schutz.</p></item>
<item><p>Added a few more references on capabilities thanks to Frederic.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.9 (december 2002)</heading>
<p>Changes by Javier Fernández-Sanguino Peña (me).
<list>
<item><p>Reorganised the information on chroot (merged two sections, it didn't make much sense to have them separated)</p></item>
<item><p>Added the notes on chrooting Apache provided by Alexandre Raitti.</p></item>
<item><p>Applied patches contributed by Guillermo Jover.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.8 (november 2002)</heading>
<p>Changes by Javier Fernández-Sanguino Peña (me).
<list>
<item><p>Applied patches from Carlo Perassi, fixes include: re-wrapping the
lines, url fixes, and fixed some FIXMEs</p></item>
<item><p>Updated the contents of the Debian security team FAQ.</p></item>
<item><p>Added a link to the Debian security team FAQ and the Debian Developer's
reference, the duplicated sections might (just might) be removed in the future.</p></item>
<item><p>Fixed the hand-made auditing section with comments from Michal Zielinski.</p></item>
<item><p>Added links to wordlists (contributed by Carlo Perassi)</p></item>
<item><p>Fixed some typos (still many around).</p></item>
<item><p>Fixed TDP links as suggested by John Summerfield.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.7 (october 2002)</heading>
<p>Changes by Javier Fernández-Sanguino Peña (me). Note: I still
have a lot of pending changes in my mailbox (which is currently
about 5 Mbs in size).
<list>
<item><p>Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and
Daniel K. Gebhart.</p></item>
<item><p>Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud</p></item>
<item><p>Fixed typos and FIXMEs contributed by Carlo Perassi.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.6 (september 2002)</heading>
<p>Changes by Chris Tillman, tillman@voicetrak.com.
<list>
<item><p>Changed around to improve grammar/spelling.</p></item>
<item><p>s/host.deny/hosts.deny/ (1 place)</p></item>
<item><p>Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs)</p></item>
</list></p></sect1>
<sect1><heading>Version 2.5 (september 2002)</heading>
<p>Changes by Javier Fernández-Sanguino Peña (me).
<list>
<item><p>Fixed minor typos submitted by Thiemo Nagel.</p></item>
<item><p>Added a footnote suggested by Thiemo Nagel.</p></item>
<item><p>Fixed an URL link.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.5 (august 2002)</heading>
<p>Changes by Javier Fernández-Sanguino Peña (me). There were many
things waiting on my inbox (as far back as February) to be included,
so I'm going to tag this the <em>back from honeymoon</em> release :)
<list>
<item><p>Applied a patch contributed by Philipe Gaspar regarding the
Squid which also kills a FIXME.</p></item>
<item><p>Yet another FAQ item regarding service banners taken from the
debian-security mailing list (thread "Telnet information" started 26th
July 2002).</p></item>
<item><p>Added a note regarding use of CVE cross references in the
<em>How much time does the Debian security team...</em> FAQ item.</p></item>
<item><p>Added a new section regarding ARP attacks contributed by Arnaud
"Arhuman" Assad.</p></item>
<item><p>New FAQ item regarding dmesg and console login by the kernel.</p></item>
<item><p>Small tidbits of information to the signature-checking issues in
packages (it seems to not have gotten past beta release).</p></item>
<item><p>New FAQ item regarding vulnerability assessment tools false
positives.</p></item>
<item><p>Added new sections to the chapter that contains information on
package signatures and reorganised it as a new <em>Debian Security
Infrastructure</em> chapter.</p></item>
<item><p>New FAQ item regarding Debian vs. other Linux distributions.</p></item>
<item><p>New section on mail user agents with GPG/PGP functionality in the
security tools chapter.</p></item>
<item><p>Clarified how to enable MD5 passwords in woody, added a pointer
to PAM as well as a note regarding the max definition in PAM.</p></item>
<item><p>Added a new appendix on how to create chroot environments (after
fiddling a bit with makejail and fixing, as well, some of its bugs),
integrated duplicate information in all the appendix.</p></item>
<item><p>Added some more information regarding <prgn>SSH</prgn> chrooting and its
impact on secure file transfers. Some information has been retrieved
from the debian-security mailing list (June 2002 thread: <em>secure
file transfers</em>).</p></item>
<item><p>New sections on how to do automatic updates on Debian systems as
well as the caveats of using testing or unstable regarding security updates.</p></item>
<item><p>New section regarding keeping up to date with security patches
in the <em>Before compromise</em> section as well as a new section
about the debian-security-announce mailing list.</p></item>
<item><p>Added information on how to automatically generate strong passwords.</p></item>
<item><p>New section regarding login of idle users.</p></item>
<item><p>Reorganised the securing mail server section based on the
<em>Secure/hardened/minimal Debian (or "Why is the base system the way
it is?")</em> thread on the debian-security mailing list (May 2002).</p></item>
<item><p>Reorganised the section on kernel network parameters, with
information provided in the debian-security mailing list (May 2002,
<em>syn flood attacked?</em> thread) and added a new FAQ item as well.</p></item>
<item><p>New section on how to check users passwords and which packages
to install for this.</p></item>
<item><p>New section on PPTP encryption with Microsoft clients discussed
in the debian-security mailing list (April 2002).</p></item>
<item><p>Added a new section describing what problems are there when binding any
given service to a specific IP address, this information was written based on
the bugtraq mailing list in the thread: <em>Linux kernel 2.4 "weak end host"
issue (previously discussed on debian-security as "arp problem")</em> (started
on May 9th 2002 by Felix von Leitner).</p></item>
<item><p>Added information on <prgn>ssh</prgn> protocol version 2.</p></item>
<item><p>Added two subsections related to Apache secure configuration
(the things specific to Debian, that is).</p></item>
<item><p>Added a new FAQ related to raw sockets, one related to /root, an
item related to users' groups and another one related to log and
configuration files permissions.</p></item>
<item><p>Added a pointer to a bug in libpam-cracklib that might still be
open... (need to check)</p></item>
<item><p>Added more information regarding forensics analysis (pending more
information on packet inspection tools such as <prgn>tcpflow</prgn>).</p></item>
<item><p>Changed the "what should I do regarding compromise" into a bullet
list and included some more stuff.</p></item>
<item><p>Added some information on how to set up the Xscreensaver to lock
the screen automatically after the configured timeout.</p></item>
<item><p>Added a note related to the utilities you should not install in
the system. Included a note regarding Perl and why it cannot be
easily removed in Debian. The idea came after reading Intersect's
documents regarding Linux hardening.</p></item>
<item><p>Added information on lvm and journalling file systems, ext3
recommended. The information there might be too generic, however.</p></item>
<item><p>Added a link to the online text version (check).</p></item>
<item><p>Added some more stuff to the information on firewalling the
local system, triggered by a comment made by Hubert Chan in the mailing list.</p></item>
<item><p>Added more information on PAM limits and pointers to Kurt
Seifried's documents (related to a post by him to bugtraq on April 4th
2002 answering a person that had ``discovered'' a vulnerability in
Debian GNU/Linux related to resource starvation).</p></item>
<item><p>As suggested by Julián Muñoz, provided more information on the
default Debian umask and what a user can access if he has been given a
shell in the system (scary, huh?)</p></item>
<item><p>Included a note in the BIOS password section due to a comment
from Andreas Wohlfeld.</p></item>
<item><p>Included patches provided by Alfred E. Heggestad fixing many of
the typos still present in the document.</p></item>
<item><p>Added a pointer to the changelog in the Credits section since
most people who contribute are listed here (and not there).</p></item>
<item><p>Added a few more notes to the chattr section and a new section
after installation talking about system snapshots. Both ideas were
contributed by Kurt Pomeroy.</p></item>
<item><p>Added a new section after installation just to remind users to
change the boot-up sequence.</p></item>
<item><p>Added some more TODO items provided by Korn Andras.</p></item>
<item><p>Added a pointer to the NIST's guidelines on how to secure DNS
provided by Daniel Quinlan.</p></item>
<item><p>Added a small paragraph regarding Debian's SSL certificates
infrastructure.</p></item>
<item><p>Added Daniel Quinlan's suggestions regarding <prgn>ssh</prgn>
authentication and exim's relay configuration.</p></item>
<item><p>Added more information regarding securing bind including changes
suggested by Daniel Quinlan and an appendix with a script to make some of the
changes commented on in that section.</p></item>
<item><p>Added a pointer to another item regarding Bind chrooting (needs to be
merged).</p></item>
<item><p>Added a one liner contributed by Cristian Ionescu-Idbohrn to
retrieve packages with tcpwrappers support.</p></item>
<item><p>Added a little bit more info on Debian's default PAM setup.</p></item>
<item><p>Included a FAQ question about using PAM to provide services without
shell accounts.</p></item>
<item><p>Moved two FAQ items to another section and added a new FAQ
regarding attack detection (and compromised systems).</p></item>
<item><p>Included information on how to set up a bridge firewall
(including a sample Appendix). Thanks go to Francois Bayart who sent
this to me in March.</p></item>
<item><p>Added a FAQ regarding the syslogd's <em>MARK</em>
<em>heartbeat</em> from a question answered by Noah Meyerhans and
Alain Tesio in December 2001.</p></item>
<item><p>Included information on buffer overflow protection as well as
some information on kernel patches.</p></item>
<item><p>Added more information to (and reorganised) the firewall
section. Updated the information regarding the iptables package and
the firewall generators available.</p></item>
<item><p>Reorganized the information regarding log checking, moved
logcheck information from host intrusion detection to that section.</p></item>
<item><p>Added some information on how to prepare a static package for
bind for chrooting (untested).</p></item>
<item><p>Added a FAQ item regarding some specific servers/services
(could be expanded with some of the
recommendations from the debian-security list).</p></item>
<item><p>Added some information on RPC services (and when it's necessary).</p></item>
<item><p>Added some more information on capabilities (and what lcap does).
Is there any good documentation on this? I haven't found any documentation on
my 2.4 kernel.</p></item>
<item><p>Fixed some typos.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.4</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Rewritten part of the BIOS section.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.3</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Wrapped most file locations with the file tag.</p></item>
<item><p>Fixed typo noticed by Edi Stojicević.</p></item>
<item><p>Slightly changed the remote audit tools section.</p></item>
<item><p>Added some todo items.</p></item>
<item><p>Added more information regarding printers and cups config file
(taken from a thread on debian-security).</p></item>
<item><p>Added a patch submitted by Jesus Climent regarding access of
valid system users to Proftpd when configured as anonymous server.</p></item>
<item><p>Small change on partition schemes for the special case of mail
servers.</p></item>
<item><p>Added Hacking Linux Exposed to the books section.</p></item>
<item><p>Fixed directory typo noticed by Eduardo Pérez Ureta.</p></item>
<item><p>Fixed /etc/ssh typo in checklist noticed by Edi Stojicević.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.3</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Fixed location of dpkg conffile.</p></item>
<item><p>Remove Alexander from contact information.</p></item>
<item><p>Added alternate mail address.</p></item>
<item><p>Fixed Alexander mail address (even if commented out).</p></item>
<item><p>Fixed location of release keys (thanks to Pedro Zorzenon for pointing
this out).</p></item>
</list></p></sect1>
<sect1><heading>Version 2.2</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Fixed typos, thanks to Jamin W. Collins.</p></item>
<item><p>Added a reference to apt-extracttemplate manpage
(documents the APT::ExtractTemplate config).</p></item>
<item><p>Added section about restricted SSH. Information based on that
posted by Mark Janssen, Christian G. Warden and Emmanuel Lacour on
the debian-security mailing list.</p></item>
<item><p>Added information on antivirus software.</p></item>
<item><p>Added a FAQ: su logs due to the cron running as root.</p></item>
</list></p></sect1>
<sect1><heading>Version 2.1</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Changed FIXME from lshell thanks to Oohara Yuuma.</p></item>
<item><p>Added package to sXid and removed comment since it *is* available.</p></item>
<item><p>Fixed a number of typos discovered by Oohara Yuuma.</p></item>
<item><p>ACID is now available in Debian (in the acidlab package)
thanks to Oohara Yuuma for noticing.</p></item>
<item><p>Fixed LinuxSecurity links (thanks to Dave Wreski for telling).</p></item>
</list></p></sect1>
<sect1><heading>Version 2.0</heading>
<p>Changes by Javier Fernández-Sanguino Peña. I wanted to
change to 2.0 when all the FIXMEs were, er, fixed but I ran out
of 1.9X numbers :(
<list>
<item><p>Converted the HOWTO into a Manual (now I can properly say RTFM)</p></item>
<item><p>Added more information regarding tcp wrappers and Debian (now
many services are compiled with support for them so it's no longer
an <prgn>inetd</prgn> issue).</p></item>
<item><p>Clarified the information on disabling services to make it more
consistent (rpc info still referred to update-rc.d)</p></item>
<item><p>Added small note on lprng.</p></item>
<item><p>Added some more info on compromised servers (still very rough)</p></item>
<item><p>Fixed typos reported by Mark Bucciarelli.</p></item>
<item><p>Added some more steps in password recovery to cover the cases
when the admin has set paranoid-mode=on.</p></item>
<item><p>Added some information on setting paranoid-mode=on when logging in
on the console.</p></item>
<item><p>New paragraph to introduce service configuration.</p></item>
<item><p>Reorganised the <em>After installation</em> section so it is
more broken up into several issues and it's easier to read.</p></item>
<item><p>Wrote information on how to set up firewalls with the standard
Debian 3.0 setup (iptables package).</p></item>
<item><p>Small paragraph explaining why installing connected to the
Internet is not a good idea and how to avoid this using Debian tools.</p></item>
<item><p>Small paragraph on timely patching referencing an IEEE paper.</p></item>
<item><p>Appendix on how to set up a Debian snort box, based on what Vladimir
sent to the debian-security mailing list (September 3rd 2001)</p></item>
<item><p>Information on how logcheck is set up in Debian and how it can be
used to set up HIDS.</p></item>
<item><p>Information on user accounting and profile analysis.</p></item>
<item><p>Included apt.conf configuration for read-only /usr copied from Olaf
Meeuwissen's post to the debian-security mailing list</p></item>
<item><p>New section on VPN with some pointers and the packages available
in Debian (needs content on how to set up the VPNs and Debian-specific
issues), based on Jaroslaw Tabor's and Samuli Suonpaa's post to
debian-security.</p></item>
<item><p>Small note regarding some programs to automatically build chroot jails</p></item>
<item><p>New FAQ item regarding identd based on a discussion in the
debian-security mailing list (February 2002, started by Johannes Weiss).</p></item>
<item><p>New FAQ item regarding <prgn>inetd</prgn> based on a discussion in the
debian-security mailing list (February 2002).</p></item>
<item><p>Introduced note on rcconf in the "disabling services" section.</p></item>
<item><p>Varied the approach regarding LKM, thanks to Philipe Gaspar</p></item>
<item><p>Added pointers to CERT documents and Counterpane resources</p></item>
</list></p></sect1>
<sect1><heading>Version 1.99</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Added a new FAQ item regarding time to fix security vulnerabilities.</p></item>
<item><p>Reorganised FAQ sections.</p></item>
<item><p>Started writing a section regarding firewalling in Debian GNU/Linux
(could be broadened a bit)</p></item>
<item><p>Fixed typos sent by Matt Kraai</p></item>
<item><p>Fixed DNS information</p></item>
<item><p>Added information on whisker and nbtscan to the auditing section.</p></item>
<item><p>Fixed some wrong URLs</p></item>
</list></p></sect1>
<sect1><heading>Version 1.98</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Added a new section regarding auditing using Debian GNU/Linux.</p></item>
<item><p>Added info regarding finger daemon taken from the security mailing list.</p></item>
</list></p></sect1>
<sect1><heading>Version 1.97</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Fixed link for Linux Trustees</p></item>
<item><p>Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon)</p></item>
</list></p></sect1>
<sect1><heading>Version 1.96</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Reorganized service installation and removal and added some new notes.</p></item>
<item><p>Added some notes regarding using integrity checkers as intrusion
detection tools.</p></item>
<item><p>Added a chapter regarding package signatures.</p></item>
</list></p></sect1>
<sect1><heading>Version 1.95</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Added notes regarding Squid security sent by Philipe Gaspar.</p></item>
<item><p>Fixed rootkit links thanks to Philipe Gaspar.</p></item>
</list></p></sect1>
<sect1><heading>Version 1.94</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Added some notes regarding Apache and Lpr/lpng.</p></item>
<item><p>Added some information regarding noexec and read-only partitions.</p></item>
<item><p>Rewrote how users can help in Debian security issues (FAQ item).</p></item>
</list></p></sect1>
<sect1><heading>Version 1.93</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Fixed location of mail program.</p></item>
<item><p>Added some new items to the FAQ.</p></item>
</list></p></sect1>
<sect1><heading>Version 1.92</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Added a small section on how Debian handles security</p></item>
<item><p>Clarified MD5 passwords (thanks to `rocky')</p></item>
<item><p>Added some more information regarding harden-X from Stephen van Egmond</p></item>
<item><p>Added some new items to the FAQ</p></item>
</list></p></sect1>
<sect1><heading>Version 1.91</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Added some forensics information sent by Yotam Rubin.</p></item>
<item><p>Added information on how to build a honeynet using Debian GNU/Linux.</p></item>
<item><p>Added some more TODOS.</p></item>
<item><p>Fixed more typos (thanks Yotam!)</p></item>
</list></p></sect1>
<sect1><heading>Version 1.9</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Added patch to fix misspellings and some new information (contributed
by Yotam Rubin)</p></item>
<item><p>Added references to other online (and offline) documentation both in a
section (see <ref id="references">) by itself and inline in some sections.</p></item>
<item><p>Added some information on configuring Bind options to restrict
access to the DNS server.</p></item>
<item><p>Added information on how to automatically harden a Debian system
(regarding the harden package and bastille).</p></item>
<item><p>Removed some done TODOs and added some new ones.</p></item>
</list></p></sect1>
<sect1><heading>Version 1.8</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Added the default user/group list provided by Joey Hess to the
debian-security mailing list.</p></item>
<item><p>Added information on LKM root-kits (<ref id="LKM">)
contributed by Philipe Gaspar.</p></item>
<item><p>Added information on Proftp contributed by Emmanuel Lacour.</p></item>
<item><p>Recovered the checklist Appendix from Era Eriksson.</p></item>
<item><p>Added some new TODO items and removed other fixed ones.</p></item>
<item><p>Manually included Era's patches since they were not all included in
the previous version.</p></item>
</list></p></sect1>
<sect1><heading>Version 1.7</heading>
<p>Changes by Era Eriksson.
<list>
<item><p>Typo fixes and wording changes</p></item>
</list></p>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Minor changes to tags in order to keep on removing the tt tags
and substitute prgn/package tags for them.</p></item>
</list></p></sect1>
<sect1><heading>Version 1.6</heading>
<p>Changes by Javier Fernández-Sanguino Peña.
<list>
<item><p>Added pointer to document as published in the DDP (should
supersede the original in the near future)</p></item>
<item><p>Started a mini-FAQ
(should be expanded) with some questions recovered from my mailbox.</p></item>
<item><p>Added general information to consider while securing.</p></item>
<item><p>Added a paragraph regarding local (incoming) mail delivery.</p></item>
<item><p>Added some pointers to more information.</p></item>
<item><p>Added information regarding the printing service.</p></item>
<item><p>Added a security hardening checklist.</p></item>
<item><p>Reorganized NIS and RPC information.</p></item>
<item><p>Added some notes taken while reading this document on my new
Visor :)</p></item>
<item><p>Fixed some badly formatted lines.</p></item>
<item><p>Fixed some typos.</p></item>
<item><p>Added a Genius/Paranoia idea contributed by Gaby
Schilders.</p></item>
</list></p></sect1>
<sect1><heading>Version 1.5</heading>
<p>Changes by Josip Rodin and Javier Fernández-Sanguino Peña.
<list>
<item><p>Added paragraphs related to BIND and some FIXMEs. <!-- Removed
this because I found no evidence for it in the diffs. // era Rewrote
style in order to make it more formal. --></p></item>
</list></p></sect1>
<sect1><heading>Version 1.4</heading>
<p>
<list>
<item><p>Small setuid check paragraph</p></item>
<item><p>Various minor cleanups</p></item>
<item><p>Found out how to use <tt>sgml2txt -f</tt> for the txt
version</p></item>
</list></p></sect1>
<sect1><heading>Version 1.3</heading>
<p>
<list>
<item><p>Added a security update after installation paragraph</p></item>
<item><p>Added a proftpd paragraph</p></item>
<item><p>This time really wrote something about XDM, sorry for last time</p></item>
</list></p></sect1>
<sect1><heading>Version 1.2</heading>
<p>
<list>
<item><p>Lots of grammar corrections by James Treacy, new XDM
paragraph</p></item>
</list></p></sect1>
<sect1><heading>Version 1.1</heading>
<p>
<list>
<item><p>Typo fixes, miscellaneous additions</p></item>
</list></p></sect1>
<sect1><heading>Version 1.0</heading>
<p>
<list>
<item><p>Initial release</p></item>
</list></p></sect1></sect>
<sect><heading>Credits and thanks!</heading>
<p>
<list>
<item><p>Alexander Reelsen wrote the original document.</p></item>
<item>
<p>Javier Fernández-Sanguino added more information to the
original document.</p></item>
<item>
<p>Robert van der Meulen provided the paragraphs on quota and many
other good ideas.</p></item>
<item>
<p>Ethan Benson corrected the PAM paragraph and had some
good ideas.</p></item>
<item>
<p>Dariusz Puchalak contributed information to several
chapters.</p></item>
<item>
<p>Gaby Schilders contributed a nice idea on
Genius/Paranoia.</p></item>
<item>
<p>Era Eriksson polished the language in a large number of
sections and contributed the checklist appendix.</p></item>
<item>
<p>Philipe Gaspar wrote the information on LKM.</p></item>
<item>
<p>Yotam Rubin contributed fixes for many typos
and also provided the information regarding
bind versions and md5 passwords.</p></item>
<item>
<p>All the people who made suggestions for
improvements that (eventually) were included here
(see <ref id="changelog">).</p></item>
<item>
<p>(Alexander) All the people who encouraged me to
write this HOWTO (which later turned into
a manual).</p></item>
<item><p>The whole Debian project.</p></item>
</list></p></sect></chapt>