1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907
|
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2018-03-19 00:26+0100\n"
"PO-Revision-Date: 2018-03-19 00:26+0100\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"Language: en-US \n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Publican v4.3.2\n"
msgid "After installation"
msgstr ""
msgid "Once the system is installed you can still do more to secure the system; some of the steps described in this chapter can be taken. Of course this really depends on your setup but for physical access prevention you should read <xref linkend=\"bios-boot\" />,<xref linkend=\"lilo-passwd\" />, <xref linkend=\"kernel-root-prompt\" />, <xref linkend=\"restrict-console-login\" />, and <xref linkend=\"restrict-reboots\" />."
msgstr ""
msgid "Before connecting to any network, especially if it's a public one you should, at the very least, execute a security update (see <xref linkend=\"security-update\" />). Optionally, you could take a snapshot of your system (see <xref linkend=\"snapshot\" />)."
msgstr ""
msgid "Subscribe to the Debian Security Announce mailing list"
msgstr ""
msgid "In order to receive information on available security updates you should subscribe yourself to the debian-security-announce mailing list in order to receive the Debian Security Advisories (DSAs). See <xref linkend=\"debian-sec-team\" /> for more information on how the Debian security team works. For information on how to subscribe to the Debian mailing lists read <ulink url=\"http://lists.debian.org\" />."
msgstr ""
msgid "DSAs are signed with the Debian Security Team's signature which can be retrieved from <ulink url=\"http://security.debian.org\" />."
msgstr ""
msgid "You should consider, also, subscribing to the <ulink url=\"http://lists.debian.org/debian-security\" /> for general discussion on security issues in the Debian operating system. You will be able to contact other fellow system administrators in the list as well as Debian developers and upstream developers of security tools who can answer your questions and offer advice."
msgstr ""
msgid "FIXME: Add the key here too?"
msgstr ""
msgid "Execute a security update"
msgstr ""
msgid "As soon as new security bugs are detected in packages, Debian maintainers and upstream authors generally patch them within days or even hours. After the bug is fixed, a new package is provided on <ulink url=\"http://security.debian.org\" />."
msgstr ""
msgid "If you are installing a Debian release you must take into account that since the release was made there might have been security updates after it has been determined that a given package is vulnerable. Also, there might have been minor releases (there have been four for the Debian 3.0 <emphasis>sarge</emphasis> release) which include these package updates."
msgstr ""
msgid "During installation security updates are configured for your system and pending updates downloaded and applied, unless you specifically opt out of this or the system was not connected to the Internet. The updates are applied even before the first boot, so the new system starts its life as up to date as possible."
msgstr ""
msgid "To manually update the system, put the following line in your <filename>sources.list</filename> and you will get security updates automatically, whenever you update your system. Replace <replaceable>[CODENAME]</replaceable> with the release codename, e.g. <emphasis>squeeze</emphasis>."
msgstr ""
msgid "\n"
" deb http://security.debian.org/ [CODENAME]/updates main contrib non-free"
msgstr ""
msgid "<emphasis>Note</emphasis>: If you are using the <emphasis>testing</emphasis> branch use the security testing mirror sources as described in <xref linkend=\"security-support-testing\" />."
msgstr ""
msgid "Once you've done this you can use multiple tools to upgrade your system. If you are running a desktop system you will have<footnote><para>In <emphasis>Etch</emphasis> and later releases</para></footnote> an application called <command>update-notifier</command> that will make it easy to check if new updates are available, by selecting it you can make a system upgrade from the desktop (using <command>update-manager</command>). For more information see <xref linkend=\"update-desktop\" />. In desktop environments you can also use <application>synaptic</application> (GNOME), <application>kpackage</application> or <application>adept</application> (KDE) for more advanced interfaces. If you are running a text-only terminal you can use <application>aptitude</application>, <application>apt</application> or <application>dselect</application> (deprecated) to upgrade:"
msgstr ""
msgid "If you want to use <application>aptitude</application>'s text interface you just have to press <emphasis>u</emphasis> (update) followed by <emphasis>g</emphasis> (to upgrade). Or just do the following from the command line (as root):"
msgstr ""
msgid ""
"\n"
"# aptitude update\n"
"# aptitude upgrade"
msgstr ""
msgid "If you want to use <application>apt</application> do just like with aptitude but substitute the <command>aptitude</command> lines above with <command>apt-get</command>."
msgstr ""
msgid "If you want to use <application>dselect</application> then first [U]pdate, then [I]nstall and finally, [C]onfigure the installed/upgraded packages."
msgstr ""
msgid "If you like, you can add the deb-src lines to <filename>/etc/apt/sources.list</filename> as well. See <citerefentry><refentrytitle>apt</refentrytitle><manvolnum>8</manvolnum></citerefentry> for further details."
msgstr ""
msgid "Security update of libraries"
msgstr ""
msgid "Once you have executed a security update you might need to restart some of the system services. If you do not do this, some services might still be vulnerable after a security upgrade. The reason for this is that daemons that are running before an upgrade might still be using the old libraries before the upgrade <footnote><para>Even though the libraries have been removed from the filesystem the inodes will not be cleared up until no program has an open file descriptor pointing to them.</para></footnote>."
msgstr ""
msgid "From Debian <emphasis>Jessie</emphasis> and up, you can install the <application>needrestart</application> package, which will run automatically after each APT upgrade and prompt you to restart services that are affected by the just-installed updates. In earlier releases, you can run the <command>checkrestart</command> program (available in the <application>debian-goodies</application> package) manually after your APT upgrade."
msgstr ""
msgid "Some packages (like <application>libc6</application>) will do this check in the postinst phase for a limited set of services specially since an upgrade of essential libraries might break some applications (until restarted)<footnote><para>This happened, for example, in the upgrade from libc6 2.2.x to 2.3.x due to NSS authentication issues, see <ulink url=\"http://lists.debian.org/debian-glibc/2003/debian-glibc-200303/msg00276.html\" />.</para></footnote>."
msgstr ""
msgid "Bringing the system to run level 1 (single user) and then back to run level 3 (multi user) should take care of the restart of most (if not all) system services. But this is not an option if you are executing the security upgrade from a remote connection (like ssh) since it will be severed."
msgstr ""
msgid "Excercise caution when dealing with security upgrades if you are doing them over a remote connection like ssh. A suggested procedure for a security upgrade that involves a service restart is to restart the SSH daemon and then, immediately, attempt a new ssh connection without breaking the previous one. If the connection fails, revert the upgrade and investigate the issue."
msgstr ""
msgid "Security update of the kernel"
msgstr ""
msgid "First, make sure your kernel is being managed through the packaging system. If you have installed using the installation system from Debian 3.0 or previous releases, your kernel is <emphasis>not</emphasis> integrated into the packaging system and might be out of date. You can easily confirm this by running:"
msgstr ""
msgid ""
"\n"
"$ dpkg -S `readlink -f /vmlinuz`\n"
"linux-image-2.6.18-4-686: /boot/vmlinuz-2.6.18-4-686"
msgstr ""
msgid "If your kernel is not being managed you will see a message saying that the package manager did not find the file associated to any package instead of the message above, which says that the file associated to the current running kernel is being provided by the <application>linux-image-2.6.18-4-686</application>. So first, you will need to manually install a kernel image package. The exact kernel image you need to install depends on your architecture and your prefered kernel version. Once this is done, you will be able to manage the security updates of the kernel just like those of any other package. In any case, notice that the kernel updates will <emphasis>only</emphasis> be done for kernel updates of the same kernel version you are using, that is, <command>apt</command> will not automatically upgrade your kernel from the 2.4 release to the 2.6 release (or from the 2.4.26 release to the 2.4.27 release<footnote><para>Unless you have installed a kernel metapackage like <application>linux-image-2.6-686</application> which will always pull in the latest kernel minor revision for a kernel release and a given architecture.</para></footnote>)."
msgstr ""
msgid "The installation system of recent Debian releases will handle the selected kernel as part of the package system. You can review which kernels you have installed by running:"
msgstr ""
msgid "\n"
"$ COLUMNS=150 dpkg -l 'linux-image*' | awk '$1 ~ /ii/ { print $0 }'"
msgstr ""
msgid "To see if your kernel needs to be updated run:"
msgstr ""
msgid ""
"\n"
"$ kernfile=`readlink -f /vmlinuz`\n"
"$ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'`\n"
"$ apt-cache policy $kernel\n"
"linux-image-2.6.18-4-686:\n"
" Installed: 2.6.18.dfsg.1-12\n"
" Candidate: 2.6.18.dfsg.1-12\n"
" Version table:\n"
" *** 2.6.18.dfsg.1-12 0\n"
" 100 /var/lib/dpkg/status"
msgstr ""
msgid "If you are doing a security update which includes the kernel image you <emphasis>need</emphasis> to reboot the system in order for the security update to be useful. Otherwise, you will still be running the old (and vulnerable) kernel image."
msgstr ""
msgid "If you need to do a system reboot (because of a kernel upgrade) you should make sure that the kernel will boot up correctly and network connectivity will be restored, specially if the security upgrade is done over a remote connection like ssh. For the former you can configure your boot loader to reboot to the original kernel in the event of a failure (for more detailed information read <ulink url=\"http://www.debian-administration.org/?article=70\">Remotely rebooting Debian GNU/Linux machines</ulink>). For the latter you have to introduce a network connectivity test script that will check if the kernel has started up the network subsystem properly and reboot the system if it did not<footnote><para>A sample script called <ulink url=\"http://www.debian-administration.org/articles/70/testnet\">testnet</ulink> is available in the <ulink url=\"http://www.debian-administration.org/?article=70\"> Remotely rebooting Debian GNU/Linux machines</ulink> article. A more elaborate network connectivity testing script is available in this <ulink url=\"http://www.debian-administration.org/?article=128\"> Testing network connectivity article.</ulink></para></footnote>. This should prevent nasty surprises like updating the kernel and then realizing, after a reboot, that it did not detect or configure the network hardware properly and you need to travel a long distance to bring the system up again. Of course, having the system serial console <footnote><para>Setting up a serial console is beyond the scope of this document, for more information read the <ulink url=\"http://www.tldp.org/HOWTO/Serial-HOWTO.html\">Serial HOWTO</ulink> and the <ulink url=\"http://www.tldp.org/HOWTO/Remote-Serial-Console-HOWTO/index.html\"> Remote Serial Console HOWTO</ulink>.</para></footnote> in the system connected to a console or terminal server should also help debug reboot issues remotely."
msgstr ""
msgid "Change the BIOS (again)"
msgstr ""
msgid "Remember <xref linkend=\"bios-passwd\" />? Well, then you should now, once you do not need to boot from removable media, to change the default BIOS setup so that it <emphasis>only</emphasis> boots from the hard drive. Make sure you will not lose the BIOS password, otherwise, in the event of a hard disk failure you will not be able to return to the BIOS and change the setup so you can recover it using, for example, a CD-ROM."
msgstr ""
msgid "Another less secure but more convenient way is to change the setup to have the system boot up from the hard disk and, if it fails, try removable media. By the way, this is often done because most people don't use the BIOS password that often; it's easily forgotten."
msgstr ""
msgid "Set a LILO or GRUB password"
msgstr ""
msgid "Anybody can easily get a root-shell and change your passwords by entering"
msgstr ""
msgid "<userinput><name-of-your-bootimage> init=/bin/sh</userinput>"
msgstr ""
msgid "at the boot prompt. After changing the passwords and rebooting the system, the person has unlimited root-access and can do anything he/she wants to the system. After this procedure you will not have root access to your system, as you do not know the root password."
msgstr ""
msgid "To make sure that this cannot happen, you should set a password for the boot loader. You can choose between a global password or a password for a certain image."
msgstr ""
msgid "For LILO you need to edit the config file <filename>/etc/lilo.conf</filename> and add a <userinput>password</userinput> and <userinput>restricted</userinput> line as in the example below."
msgstr ""
msgid ""
"\n"
" image=/boot/2.2.14-vmlinuz\n"
" label=Linux\n"
" read-only\n"
" password=hackme\n"
" restricted"
msgstr ""
msgid "Then, make sure that the configuration file is not world readable to prevent local users from reading the password. When done, rerun lilo. Omitting the <literal>restricted</literal> line causes lilo to always prompt for a password, regardless of whether LILO was passed parameters. The default permissions for <filename>/etc/lilo.conf</filename> grant read and write permissions to root, and enable read-only access for <filename>lilo.conf</filename>'s group, root."
msgstr ""
msgid "If you use GRUB instead of LILO, edit <filename>/boot/grub/menu.lst</filename> and add the following two lines at the top (substituting, of course <userinput>hackme</userinput> with the desired password). This prevents users from editing the boot items. <userinput>timeout 3</userinput> specifies a 3 second delay before <command>grub</command> boots the default item."
msgstr ""
msgid ""
"\n"
" timeout 3\n"
" password hackme"
msgstr ""
msgid "To further harden the integrity of the password, you may store the password in an encrypted form. The utility <command>grub-md5-crypt</command> generates a hashed password which is compatible with GRUB's encrypted password algorithm (MD5). To specify in <command>grub</command> that an MD5 format password will be used, use the following directive:"
msgstr ""
msgid ""
"\n"
" timeout 3\n"
" password --md5 $1$bw0ez$tljnxxKLfMzmnDVaQWgjP0"
msgstr ""
msgid "The --md5 parameter was added to instruct <command>grub</command> to perform the MD5 authentication process. The provided password is the MD5 encrypted version of hackme. Using the MD5 password method is preferable to choosing its clear-text counterpart. More information about <command>grub</command> passwords may be found in the <application>grub-doc</application> package."
msgstr ""
msgid "Disable root prompt on the initramfs"
msgstr ""
msgid "Note: This applies to the default kernels provided for releases after Debian 3.1"
msgstr ""
msgid "Linux 2.6 kernels provide a way to access a root shell while booting which will be presented during loading the initramfs on error. This is helpful to permit the administrator to enter a rescue shell with root permissions. This shell can be used to manually load modules when autodetection fails. This behavior is the default for <command>initramfs-tools</command> generated initramfs. The following message will appear:"
msgstr ""
msgid "\n"
" \"ALERT! /dev/sda1 does not exist. Dropping to a shell!"
msgstr ""
msgid "In order to remove this behavior you need to set the following boot argument:<emphasis>panic=0</emphasis>. Add this to the variable <varname>GRUB_CMDLINE_LINUX</varname> in <filename>/etc/default/grub</filename> and issue <command>update-grub</command> or to the append section of <filename>/etc/lilo.conf</filename>."
msgstr ""
msgid "Remove root prompt on the kernel"
msgstr ""
msgid "Note: This does not apply to the kernels provided for Debian 3.1 as the timeout for the kernel delay has been changed to 0."
msgstr ""
msgid "Linux 2.4 kernels provide a way to access a root shell while booting which will be presented just after loading the cramfs file system. A message will appear to permit the administrator to enter an executable shell with root permissions, this shell can be used to manually load modules when autodetection fails. This behavior is the default for <command>initrd</command>'s <filename>linuxrc</filename>. The following message will appear:"
msgstr ""
msgid "\n"
" Press ENTER to obtain a shell (waits 5 seconds)"
msgstr ""
msgid "In order to remove this behavior you need to change <filename>/etc/mkinitrd/mkinitrd.conf</filename> and set:"
msgstr ""
msgid ""
"\n"
" # DELAY The number of seconds the linuxrc script should wait to\n"
" # allow the user to interrupt it before the system is brought up\n"
" DELAY=0"
msgstr ""
msgid "Then regenerate your ramdisk image. You can do this for example with:"
msgstr ""
msgid ""
"\n"
" # cd /boot\n"
" # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7"
msgstr ""
msgid "or (preferred):"
msgstr ""
msgid "\n"
" # dpkg-reconfigure -plow kernel-image-2.4.x-yz"
msgstr ""
msgid "Restricting console login access"
msgstr ""
msgid "Some security policies might force administrators to log in to the system through the console with their user/password and then become superuser (with <command>su</command> or <command>sudo</command>). This policy is implemented in Debian by editing the <filename>/etc/pam.d/login</filename> and the <filename>/etc/securetty</filename> when using PAM:"
msgstr ""
msgid "<filename>/etc/pam.d/login</filename> In older Debian releases you would need to edit <filename>login.defs</filename>, and use the CONSOLE variable which defines a file or list of terminals on which root logins are allowed. enables the pam_securetty.so module. This module, when properly configured will not ask for a password when the root user tries to login on an insecure console, rejecting access as this user."
msgstr ""
msgid "<filename>securetty</filename> The <filename>/etc/securetty</filename> is a configuration file that belongs to the <application>login</application> package. by adding/removing the terminals to which root access will be allowed. If you wish to allow only local console access then you need <emphasis>console</emphasis>, <emphasis>ttyX</emphasis> Or <emphasis>ttyvX</emphasis> in GNU/FreeBSD, and <emphasis>ttyE0</emphasis> in GNU/KNetBSD. and <emphasis>vc/X</emphasis> (if using <emphasis>devfs</emphasis> devices), you might want to add also <emphasis>ttySX</emphasis> Or <emphasis>comX</emphasis> in GNU/Hurd, <emphasis>cuaaX</emphasis> in GNU/FreeBSD, and <emphasis>ttyXX</emphasis> in GNU/KNetBSD. if you are using a serial console for local access (where X is an integer, you might want to have multiple instances. The default configuration for <emphasis>Wheezy</emphasis> The default configuration in <emphasis>woody</emphasis> includes 12 local tty and vc consoles, as well as the <emphasis>console</emphasis> device but does not allow remote logins. In <emphasis>sarge</emphasis> the default configuration provides 64 consoles for tty and vc consoles. includes many tty devices, serial ports, vc consoles as well as the X server and the <emphasis>console</emphasis> device. You can safely adjust this if you are not using that many consoles. You can confirm the virtual consoles and the tty devices you have by reviewing <filename>/etc/inittab</filename> Look for the <emphasis>getty</emphasis> calls. . For more information on terminal devices read the <ulink url=\"http://tldp.org/HOWTO/Text-Terminal-HOWTO-6.html\">Text-Terminal-HOWTO </ulink>"
msgstr ""
msgid "When using PAM, other changes to the login process, which might include restrictions to users and groups at given times, can be configured in <filename>/etc/pam.d/login</filename>. An interesting feature that can be disabled is the possibility to login with null (blank) passwords. This feature can be limited by removing <emphasis>nullok</emphasis> from the line:"
msgstr ""
msgid "\n"
" auth required pam_unix.so nullok"
msgstr ""
msgid "Restricting system reboots through the console"
msgstr ""
msgid "If your system has a keyboard attached to it anyone (yes <emphasis>anyone</emphasis>) with physical access to the system can reboot the system through it without login in just pressing the <emphasis>Ctrl+Alt+Delete</emphasis> keyboard combination, also known as the <emphasis>three finger salute</emphasis>. This might, or might not, adhere to your security policy."
msgstr ""
msgid "This is aggravated in environments in which the operating system is running virtualised. In these environments, the possibility extends to users that have access to the virtual console (which might be accessed over the network). Also note that, in these environments, this keyboard combination is used constantly (to open a login shell in some GUI operating systems) and an administrator might <emphasis>virtually</emphasis> send it and force a system reboot."
msgstr ""
msgid "There are two ways to restrict this:"
msgstr ""
msgid "configure it so that only <emphasis>allowed</emphasis> users can reboot the system,"
msgstr ""
msgid "disable this feature completely."
msgstr ""
msgid "If you want to restrict this, you must check the <filename>/etc/inittab</filename> so that the line that includes <userinput>ctrlaltdel</userinput> calls <command>shutdown</command> with the <userinput>-a</userinput> switch."
msgstr ""
msgid "The default in Debian includes this switch:"
msgstr ""
msgid "\n"
" ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now"
msgstr ""
msgid "The <userinput>-a</userinput> switch, as the <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage describes,makes it possible to allow <emphasis>some</emphasis> users to shutdown the system. For this the file <filename>/etc/shutdown.allow</filename> must be created and the administrator has to include there the name of users which can boot the system. When the <emphasis>three finger salute</emphasis> combination is pressed in a console the program will check if any of the users listed in the file are logged in. If none of them is, <command>shutdown</command> will <emphasis>not</emphasis> reboot the system."
msgstr ""
msgid "If you want to disable the Ctrl+Alt+Del combination you just need to comment the line with the <emphasis>ctrlaltdel</emphasis> definition in the <filename>/etc/inittab</filename>."
msgstr ""
msgid "Remember to run <userinput>init q</userinput> after making any changes to the <filename>/etc/inittab</filename> file for the changes to take effect."
msgstr ""
msgid "Restricting the use of the Magic SysRq key"
msgstr ""
msgid "The <emphasis>Magic SysRq key</emphasis> is a key combination that allows users connected to the system console of a Linux kernel to perform some low-level commands. These low-level commands are sent by pressing simultaneously <emphasis>Alt+SysRq</emphasis> and a command key. The SysRq key in many keyboards is labeled as the <emphasis>Print Screen</emphasis> key."
msgstr ""
msgid "Since the Etch release, the Magic SysRq key feature is enabled in the Linux kernel to allow console users certain privileges. You can confirm this by checking if the <filename>/proc/sys/kernel/sysrq</filename> exists and reviewing its value:"
msgstr ""
msgid ""
"\n"
"$ cat /proc/sys/kernel/sysrq \n"
"438"
msgstr ""
msgid "The default value shown above allows all of the SysRq functions except for the possibility of sending signals to processes. For example, it allow users connected to the console to remount all systems read-only, reboot the system or cause a kernel panic. In all the features are enabled, or in older kernels (earlier than 2.6.12) the value will be just 1."
msgstr ""
msgid "You should disable this functionality ifaccess to the console is not restricted to authorised users: the console is connected to a modem line, there is easy physical access to the system or it is running in a virtualised environment and other users access the console. To do this edit the <filename>/etc/sysctl.conf</filename> and add the following lines:"
msgstr ""
msgid ""
"\n"
"# Disables the magic SysRq key\n"
"kernel.sysrq = 0"
msgstr ""
msgid "For more information, read <ulink url=\"http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/security-sysrq.html\">security chapter in the Remote Serial Console HOWTO</ulink>, <ulink url=\"http://kernel.org/doc/Documentation/sysrq.txt\">Kernel SysRQ documentation</ulink>. and the <ulink url=\"http://en.wikipedia.org/wiki/Magic_SysRq_key\">Magic_SysRq_key wikipedia entry</ulink>."
msgstr ""
msgid "Mounting partitions the right way"
msgstr ""
msgid "When mounting an <literal>Ext</literal> file system (<literal>ext2</literal>, <literal>ext3</literal> or <literal>ext4</literal>), there are several additional options you can apply to the mount call or to <filename>/etc/fstab</filename>. For instance, this is my fstab entry for the <filename>/tmp</filename> partition:"
msgstr ""
msgid "\n"
" /dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2"
msgstr ""
msgid "You see the difference in the options sections. The option <literal>nosuid</literal> ignores the setuid and setgid bits completely, while <literal>noexec</literal> forbids execution of any program on that mount point, and <literal>nodev</literal> ignores device files. This sounds great, but it:"
msgstr ""
msgid "only applies to <literal>ext2</literal> or <literal>ext3</literal> file systems"
msgstr ""
msgid "can be circumvented easily"
msgstr ""
msgid "The <literal>noexec</literal> option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel:"
msgstr ""
msgid ""
"\n"
" alex@joker:/tmp# mount | grep tmp\n"
" /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)\n"
" alex@joker:/tmp# ./date\n"
" bash: ./date: Permission denied\n"
" alex@joker:/tmp# /lib/ld-linux.so.2 ./date\n"
" Sun Dec 3 17:49:23 CET 2000"
msgstr ""
msgid "Newer versions of the kernel do however handle the <literal>noexec</literal> flag properly:"
msgstr ""
msgid ""
"\n"
" angrist:/tmp# mount | grep /tmp\n"
" /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)\n"
" angrist:/tmp# ./date\n"
" bash: ./tmp: Permission denied \n"
" angrist:/tmp# /lib/ld-linux.so.2 ./date \n"
" ./date: error while loading shared libraries: ./date: failed to map segment \n"
" from shared object: Operation not permitted"
msgstr ""
msgid "However, many script kiddies have exploits which try to create and execute files in <filename>/tmp</filename>. If they do not have a clue, they will fall into this pit. In other words, a user cannot be tricked into executing a trojanized binary in <filename>/tmp</filename> e.g. when <filename>/tmp</filename> is accidentally added into the local PATH."
msgstr ""
msgid "Also be forewarned, some script might depend on <filename>/tmp</filename> being executable. Most notably, Debconf has (had?) some issues regarding this, for more information see <ulink name=\"Debian Bug nº116448\" url=\"http://bugs.debian.org/116448\" />."
msgstr ""
msgid "The following is a more thorough example. A note, though: <filename>/var</filename> could be set noexec, but some software <footnote><para>Some of this includes the package manager <application>dpkg</application> since the installation (post,pre) and removal (post,pre) scripts are at <filename>/var/lib/dpkg/</filename> and Smartlist</para></footnote> keeps its programs under in <filename>/var</filename>. The same applies to the nosuid option."
msgstr ""
msgid ""
"\n"
"/dev/sda6 /usr ext3 defaults,ro,nodev 0 2\n"
"/dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2\n"
"/dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2\n"
"/dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2\n"
"/dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2\n"
"/dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2\n"
"/dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2\n"
"/dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2\n"
"/dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0\n"
"/dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0\n"
"/dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0"
msgstr ""
msgid "Setting <filename>/tmp</filename> noexec"
msgstr ""
msgid "Be careful if setting <filename>/tmp</filename> noexec when you want to install new software, since some programs might use it for installation. <application>apt</application> is one such program (see <ulink name=\"Debian Bug nº116448\" url=\"http://bugs.debian.org/116448\" />) if not configured properly <varname>APT::ExtractTemplates::TempDir</varname> (see <citerefentry><refentrytitle>apt-extracttemplates</refentrytitle><manvolnum>1</manvolnum></citerefentry>). You can set this variable in <filename>/etc/apt/apt.conf</filename> to another directory with exec privileges other than <filename>/tmp</filename>."
msgstr ""
msgid "Setting /usr read-only"
msgstr ""
msgid "If you set <filename>/usr</filename> read-only you will not be able to install new packages on your Debian GNU/Linux system. You will have to first remount it read-write, install the packages and then remount it read-only. <application>apt</application> can be configured to run commands before and after installing packages, so you might want to configure it properly."
msgstr ""
msgid "To do this modify <filename>/etc/apt/apt.conf</filename> and add:"
msgstr ""
msgid ""
"\n"
" DPkg\n"
" {\n"
" Pre-Invoke { \"mount /usr -o remount,rw\" };\n"
" Post-Invoke { \"mount /usr -o remount,ro\" };\n"
" };"
msgstr ""
msgid "Note that the Post-Invoke may fail with a \"/usr busy\" error message. This happens mainly when you are using files during the update that got updated. You can find these programs by running"
msgstr ""
msgid "\n"
"# lsof +L1"
msgstr ""
msgid "Stop or restart these programs and run the Post-Invoke manually. <emphasis>Beware!</emphasis> This means you'll likely need to restart your X session (if you're running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only <filename>/usr</filename> is suitable for your system. See also this <ulink url=\"http://lists.debian.org/debian-devel/2001/11/threads.html#00212\"> discussion on debian-devel about read-only</ulink>."
msgstr ""
msgid "Providing secure user access"
msgstr ""
msgid "User authentication: PAM"
msgstr ""
msgid "PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. Most of the applications that are shipped with Debian have this support built in (Debian did not have PAM support before 2.2). The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read <filename>/usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz</filename> for more information on how PAM services <emphasis>should</emphasis> work in Debian)."
msgstr ""
msgid "Each application with PAM support provides a configuration file in <filename>/etc/pam.d/</filename> which can be used to modify its behavior:"
msgstr ""
msgid "what backend is used for authentication."
msgstr ""
msgid "what backend is used for sessions."
msgstr ""
msgid "how do password checks behave."
msgstr ""
msgid "The following description is far from complete, for more information you might want to read the <ulink url=\"http://www.linux-pam.org/Linux-PAM-html/\"> Linux-PAM Guides</ulink> as a reference. This documentation is available in the system if you install the <application>libpam-doc</application> at <filename>/usr/share/doc/libpam-doc/html/</filename>."
msgstr ""
msgid "PAM offers you the possibility to go through several authentication steps at once, without the user's knowledge. You could authenticate against a Berkeley database and against the normal <filename>passwd</filename> file, and the user only logs in if the authentication succeeds in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to <literal>requisite</literal>, which returns a login failure if one module fails."
msgstr ""
msgid "Password security in PAM"
msgstr ""
msgid "Review the <filename>/etc/pam.d/common-password</filename>, included by <filename>/etc/pam.d/passwd</filename> <footnote><para>In old Debian releases the configuration of the modules was defined directly in <filename>/etc/pam.d/passwd</filename>.</para></footnote> This file is included by other files in <filename>/etc/pam.d/</filename> to define the behaviour of password use in subsystems that grant access to services in the machine, like the console login (<application>login</application>), graphical login managers (such as <application>gdm</application> or <application>lightdm</application>), and remote login (such as <application>sshd</application>). This definition is"
msgstr ""
msgid "You have to make sure that the pam_unix.so module uses the \"sha512\" option to use encrypted passwords. This is the default in Debian Squeeze."
msgstr ""
msgid "The line with the definition of the pam_unix module will look something like:"
msgstr ""
msgid ""
"\n"
" password [success=1 default=ignore] pam_unix.so nullok obscure minlen=8 sha512 \n"
" "
msgstr ""
msgid "This definition:"
msgstr ""
msgid "Enforces password encryption when storing passwords, using the SHA-512 hash function (option <emphasis>sha512</emphasis>),"
msgstr ""
msgid "Enables password complexity checks (option <emphasis>obscure</emphasis>) as defined in the <citerefentry><refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage,"
msgstr ""
msgid "Imposes a minimum password length (option <emphasis>min</emphasis>) of 8."
msgstr ""
msgid "You have to ensure that encrypted passwords are used in PAM applications, since this helps protect against dictionary cracks. Using encryption also makes it possible to use passwords longer than 8 characters."
msgstr ""
msgid "Since this module is also used to define how passwords are changed (it is included by <command>chpasswd</command>) you can strengthen the password security in the system by installing <application>libpam-cracklib</application> and introducing this definition in the <filename>/etc/pam.d/common-password</filename> configuration file:"
msgstr ""
msgid ""
"\n"
" # Be sure to install libpam-cracklib first or you will not be able to log in\n"
" password required pam_cracklib.so retry=3 minlen=12 difok=3\n"
" password [success=1 default=ignore] pam_unix.so obscure minlen=8 sha512 use_authok"
msgstr ""
msgid "So, what does this incantation do? The first line loads the cracklib PAM module, which provides password strength-checking, prompts for a new password with a minimum size <footnote><para>The minlen option is not entirely straightforward and is not exactly the number of characters in the password. A tradeoff can be defined between complexity and length by adjusting the \"credit\" parameters of different character classes. For more information read the <citerefentry><refentrytitle>pam_cracklib</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage.</para></footnote> of 12 characters, and difference of at least 3 characters from the old password, and allows 3 retries. Cracklib depends on a wordlist package (such as <application>wenglish</application>, <application>wspanish</application>, <application>wbritish</application>, ...), so make sure you install one that is appropriate for your language or cracklib might not be useful to you at all."
msgstr ""
msgid "The second line (using the pam_unix.so module) is the default configuration in Debian, as described above, save for the <emphasis>use_authok</emphasis> option. The <emphasis>use_authok</emphasis> option is required if pam_unix.so is stacked after pam_cracklib.so, and is used to hand over the password from the previous module. Otherwise, the user would be prompted for the password twice."
msgstr ""
msgid "For more information about setting up Cracklib, read the <citerefentry><refentrytitle>pam_cracklib</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage and the article <ulink url=\"http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html\">Linux Password Security with pam_cracklib</ulink> by Hal Pomeranz."
msgstr ""
msgid "By enabling the cracklib PAM module you setup a policy that forces uses to use strong passwords."
msgstr ""
msgid "Alternatively, you can setup and configure PAM modules to use double factor authentication such as: <application>libpam-barada</application>, <application>libpam-google-authenticator</application>, <application>libpam-oath</application>, <application>libpam-otpw</application>, <application>libpam-poldi</application>, <application>libpam-usb</application> or <application>libpam-yubico</application>. The configuration of these modules would make it possible to access the system using external authentication mechanisms such as smartcards, external USB keys, or One-Time-Passwords generated by external applications running, for example, in the user's mobile phone."
msgstr ""
msgid "Please note that these restrictions apply to all users but <emphasis>not</emphasis> to the password changes done by the root user. The root user will be able to set up any password (any length or complexity) for personal use or others regardless of the restrictions defined here."
msgstr ""
msgid "User access control in PAM"
msgstr ""
msgid "To make sure that the user root can only log into the system from local terminals, the following line should be enabled in <filename>/etc/pam.d/login</filename>:"
msgstr ""
msgid "\n"
" auth requisite pam_securetty.so"
msgstr ""
msgid "Then you should modify the list of terminals on which direct root login is allowed in <filename>/etc/securetty</filename> (as described in <xref linkend=\"restrict-console-login\" />). Alternatively, you could enable the <application>pam_access</application> module and modify <filename>/etc/security/access.conf</filename> which allows for a more general and fine-tuned access control, but (unfortunately) lacks decent log messages (logging within PAM is not standardized and is particularly unrewarding problem to deal with). We'll return to <filename>access.conf</filename> a little later."
msgstr ""
msgid "User limits in PAM"
msgstr ""
msgid "The following line should be enabled in <filename>/etc/pam.d/login</filename> to set up user resource limits."
msgstr ""
msgid "\n"
" session required pam_limits.so"
msgstr ""
msgid "This restricts the system resources that users are allowed (see below in <xref linkend=\"user-limits\" />). For example, you could restrict the number of concurrent logins (of a given group of users, or system-wide), number of processes, memory size etc."
msgstr ""
msgid "Control of su in PAM"
msgstr ""
msgid "If you want to protect <command>su</command>, so that only some people can use it to become root on your system, you need to add a new group \"wheel\" to your system (that is the cleanest way, since no file has such a group permission yet). Add root and the other users that should be able to <command>su</command> to the root user to this group. Then add the following line to <filename>/etc/pam.d/su</filename>:"
msgstr ""
msgid "\n"
" auth requisite pam_wheel.so group=wheel debug"
msgstr ""
msgid "This makes sure that only people from the group \"wheel\" can use <command>su</command> to become root. Other users will not be able to become root. In fact they will get a denied message if they try to become root."
msgstr ""
msgid "If you want only certain users to authenticate at a PAM service, this is quite easy to achieve by using files where the users who are allowed to login (or not) are stored. Imagine you only want to allow users 'ref' to log in via <command>ssh</command>. So you put them into <filename>/etc/sshusers-allowed</filename> and write the following into <filename>/etc/pam.d/ssh</filename>:"
msgstr ""
msgid "\n"
" auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail"
msgstr ""
msgid "Temporary directories in PAM"
msgstr ""
msgid "Since there have been a number of so called insecure tempfile vulnerabilities, thttpd is one example (see <ulink url=\"http://www.debian.org/security/2005/dsa-883\">DSA-883-1</ulink>), the <application>libpam-tmpdir</application> is a good package to install. All you have to do is add the following to <filename>/etc/pam.d/common-session</filename>:"
msgstr ""
msgid "\n"
" session optional pam_tmpdir.so"
msgstr ""
msgid "There has also been a discussion about adding this by default in Debian configuration, but it s. See <ulink url=\"http://lists.debian.org/debian-devel/2005/11/msg00297.html\" /> for more information."
msgstr ""
msgid "Configuration for undefined PAM applications"
msgstr ""
msgid "Finally, but not least, create <filename>/etc/pam.d/other</filename> and enter the following lines:"
msgstr ""
msgid ""
"\n"
" auth required pam_securetty.so\n"
" auth required pam_unix_auth.so\n"
" auth required pam_warn.so\n"
" auth required pam_deny.so\n"
" account required pam_unix_acct.so\n"
" account required pam_warn.so\n"
" account required pam_deny.so\n"
" password required pam_unix_passwd.so\n"
" password required pam_warn.so\n"
" password required pam_deny.so\n"
" session required pam_unix_session.so\n"
" session required pam_warn.so\n"
" session required pam_deny.so"
msgstr ""
msgid "These lines will provide a good default configuration for all applications that support PAM (access is denied by default)."
msgstr ""
msgid "Limiting resource usage: the <filename>limits.conf</filename> file"
msgstr ""
msgid "You should really take a serious look into this file. Here you can define user resource limits. In old releases this configuration file was <filename>/etc/limits.conf</filename>, but in newer releases (with PAM) the <filename>/etc/security/limits.conf</filename> configuration file should be used instead."
msgstr ""
msgid "If you do not restrict resource usage, <emphasis>any</emphasis> user with a valid shell in your system (or even an intruder who compromised the system through a service or a daemon going awry) can use up as much CPU, memory, stack, etc. as the system can provide. This <emphasis>resource exhaustion</emphasis> problem can be fixed by the use of PAM."
msgstr ""
msgid "There is a way to add resource limits to some shells (for example, <command>bash</command> has <command>ulimit</command>, see <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>), but since not all of them provide the same limits and since the user can change shells (see <citerefentry><refentrytitle>chsh</refentrytitle><manvolnum>1</manvolnum></citerefentry>) it is better to place the limits on the PAM modules as they will apply regardless of the shell used and will also apply to PAM modules that are not shell-oriented."
msgstr ""
msgid "Resource limits are imposed by the kernel, but they need to be configured through the <filename>limits.conf</filename> and the PAM configuration of the different services need to load the appropriate PAM. You can check which services are enforcing limits by running:"
msgstr ""
msgid "\n"
"$ find /etc/pam.d/ \\! -name \"*.dpkg*\" | xargs -- grep limits |grep -v \":#\""
msgstr ""
msgid "Commonly, <filename>login</filename>, <filename>ssh</filename> and the graphic session managers (<filename>gdm</filename>, <filename>kdm</filename> or <filename>xdm</filename>) should enforce user limits but you might want to do this in other PAM configuration files, such as <filename>cron</filename>, to prevent system daemons from taking over all system resources."
msgstr ""
msgid "The specific limits settings you might want to enforce depend on your system's resources, that's one of the main reasons why no limits are enforced in the default installation."
msgstr ""
msgid "For example, the configuration example below enforces a 100 process limit for all users (to prevent <emphasis>fork bombs</emphasis>) as well as a limit of 10MB of memory per process and a limit of 10 simultaneous logins. Users in the <literal>adm</literal> group have higher limits and can produce core files if they want to (there is only a <emphasis>soft</emphasis> limit)."
msgstr ""
msgid ""
"\n"
"* soft core 0\n"
"* hard core 0\n"
"* hard rss 1000\n"
"* hard memlock 1000\n"
"* hard nproc 100\n"
"* - maxlogins 1\n"
"* hard data 102400\n"
"* hard fsize 2048\n"
"@adm hard core 100000\n"
"@adm hard rss 100000\n"
"@adm soft nproc 2000\n"
"@adm hard nproc 3000\n"
"@adm hard fsize 100000\n"
"@adm - maxlogins 10"
msgstr ""
msgid "These would be the limits a default user (including system daemons) would have:"
msgstr ""
msgid ""
"\n"
"$ ulimit -a\n"
"core file size (blocks, -c) 0\n"
"data seg size (kbytes, -d) 102400\n"
"file size (blocks, -f) 2048\n"
"max locked memory (kbytes, -l) 10000\n"
"max memory size (kbytes, -m) 10000\n"
"open files (-n) 1024\n"
"pipe size (512 bytes, -p) 8\n"
"stack size (kbytes, -s) 8192\n"
"cpu time (seconds, -t) unlimited\n"
"max user processes (-u) 100\n"
"virtual memory (kbytes, -v) unlimited"
msgstr ""
msgid "And these are the limits for an administrative user:"
msgstr ""
msgid ""
"\n"
"$ ulimit -a\n"
"core file size (blocks, -c) 0\n"
"data seg size (kbytes, -d) 102400\n"
"file size (blocks, -f) 100000\n"
"max locked memory (kbytes, -l) 100000\n"
"max memory size (kbytes, -m) 100000\n"
"open files (-n) 1024\n"
"pipe size (512 bytes, -p) 8\n"
"stack size (kbytes, -s) 8192\n"
"cpu time (seconds, -t) unlimited\n"
"max user processes (-u) 2000\n"
"virtual memory (kbytes, -v) unlimited"
msgstr ""
msgid "For more information read:"
msgstr ""
msgid "<ulink url=\"http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html\"> PAM reference guide for available modules</ulink>"
msgstr ""
msgid "<ulink url=\"http://www.samag.com/documents/s=1161/sam0009a/0009a.htm\">PAM configuration article</ulink>."
msgstr ""
msgid "<ulink url=\"http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html\"> Seifried's Securing Linux Step by Step</ulink> on the <emphasis>Limiting users overview</emphasis> section."
msgstr ""
msgid "<ulink url=\"http://seifried.org/lasg/users/\">LASG</ulink> in the <emphasis>Limiting and monitoring users</emphasis> section."
msgstr ""
msgid "User login actions: edit <filename>/etc/login.defs</filename>"
msgstr ""
msgid "The next step is to edit the basic configuration and action upon user login. Note that this file is not part of the PAM configuration, it's a configuration file honored by <application>login</application> and <command>su</command> programs, so it doesn't make sense tuning it for cases where neither of the two programs are at least indirectly called (the <command>getty</command> program which sits on the consoles and offers the initial login prompt <emphasis>does</emphasis> invoke <command>login</command>)."
msgstr ""
msgid "\n"
" FAILLOG_ENAB yes"
msgstr ""
msgid "If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack."
msgstr ""
msgid "\n"
" LOG_UNKFAIL_ENAB no"
msgstr ""
msgid "If you set this variable to 'yes' it will record unknown usernames if the login failed. It is best if you use 'no' (the default) since, otherwise, user passwords might be inadvertenly logged here (if a user mistypes and they enter their password as the username). If you set it to 'yes', make sure the logs have the proper permissions (640 for example, with an appropriate group setting such as adm)."
msgstr ""
msgid "\n"
" SYSLOG_SU_ENAB yes"
msgstr ""
msgid "This one enables logging of <command>su</command> attempts to <filename>syslog</filename>. Quite important on serious machines but note that this can create privacy issues as well."
msgstr ""
msgid "\n"
" SYSLOG_SG_ENAB yes"
msgstr ""
msgid "The same as <varname>SYSLOG_SU_ENAB</varname> but applies to the <command>sg</command> program."
msgstr ""
msgid "\n"
" ENCRYPT_METHOD SHA512"
msgstr ""
msgid "As stated above, encrypted passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. This definition has to be consistent with the value defined in <filename>/etc/pam.d/common-password</filename>."
msgstr ""
msgid "User login actions: edit <filename>/etc/pam.d/login</filename>"
msgstr ""
msgid "You can adjust the login configuration file to implement an stricter policy. For example, you can change the default configuration and increase the delay time between login prompts. The default configuration sets a 3 seconds delay:"
msgstr ""
msgid "\n"
"auth optional pam_faildelay.so delay=3000000"
msgstr ""
msgid "Increasing the <emphasis>delay</emphasis> value to a higher value to make it harder to use the terminal to log in using brute force. If a wrong password is typed in, the possible attacker (or normal user!) has to wait longer seconds to get a new login prompt, which is quite time consuming when you test passwords. For example, if you set <emphasis>delay=10000000</emphasis>, users will have to wait 10 seconds if they type a wrong password."
msgstr ""
msgid "In this file you can also set the system to present a message to users before a user logs in. The default is disabled, as shown below:"
msgstr ""
msgid "\n"
"# auth required pam_issue.so issue=/etc/issue"
msgstr ""
msgid "If required by your security policy, this file can be used to show a standard message indicating that access to the system is restricted and user acess is logged. This kind of disclaimer might be required in some environments and jurisdictions. To enable it, just include the relevant information in the <filename>/etc/issue</filename> <footnote><para>The default content of this file provides information about the operating system and version run by the system, which you might not want to provide to anonymous users.</para></footnote> file and uncomment the line enabling the pam_issue.so module in <filename>/etc/pam.d/login</filename>. In this file you can also enable additional features which might be relevant to apply local security policies such as:"
msgstr ""
msgid "setting rules for which users can access at which times, by enabling the <emphasis>pam_time.so</emphasis> module and configuring <filename>/etc/security/time.conf</filename> accordingly (disabled by default),"
msgstr ""
msgid "setup login sessions to use user limits as defined in <filename>/etc/security/limits.conf</filename> (enabled by default),"
msgstr ""
msgid "present the user with the information of previous login information (enabled by default),"
msgstr ""
msgid "print a message (<filename>/etc/motd</filename> and <filename>/run/motd.dynamic</filename>) to users after login in (enabled by default),"
msgstr ""
msgid "Restricting ftp: editing <filename>/etc/ftpusers</filename>"
msgstr ""
msgid "The <filename>/etc/ftpusers</filename> file contains a list of users who are not allowed to log into the host using ftp. Only use this file if you really want to allow ftp (which is not recommended in general, because it uses clear-text passwords). If your daemon supports PAM, you can also use that to allow and deny users for certain services."
msgstr ""
msgid "FIXME (BUG): Is it a bug that the default <filename>ftpusers</filename> in Debian does <emphasis>not</emphasis> include all the administrative users (in <application>base-passwd</application>)."
msgstr ""
msgid "A convenient way to add all system accounts to the <filename>/etc/ftpusers</filename> is to run"
msgstr ""
msgid "\n"
"$ awk -F : '{if ($3<1000) print $1}' /etc/passwd > /etc/ftpusers"
msgstr ""
msgid "Using su"
msgstr ""
msgid "If you really need users to become the super user on your system, e.g. for installing packages or adding users, you can use the command <command>su</command> to change your identity. You should try to avoid any login as user root and instead use <command>su</command>. Actually, the best solution is to remove <command>su</command> and switch to the <command>sudo</command> mechanism which has a broader logic and more features than <command>su</command>. However, <command>su</command> is more common as it is used on many other Unices."
msgstr ""
msgid "Using sudo"
msgstr ""
msgid "<command>sudo</command> allows the user to execute defined commands under another user's identity, even as root. If the user is added to <filename>/etc/sudoers</filename> and authenticates correctly, the commands defined in <filename>/etc/sudoers</filename> get enabled. Violations, such as incorrect passwords or trying to run a program you don't have permission for, are logged and mailed to root."
msgstr ""
msgid "Disallow remote administrative access"
msgstr ""
msgid "You should also modify <filename>/etc/security/access.conf</filename> to disallow remote logins to administrative accounts. This way users need to invoke <command>su</command> (or <command>sudo</command>) to use any administrative powers and the appropriate audit trace will always be generated."
msgstr ""
msgid "You need to add the following line to <filename>/etc/security/access.conf</filename>, the default Debian configuration file has a sample line commented out:"
msgstr ""
msgid "\n"
" -:wheel:ALL EXCEPT LOCAL"
msgstr ""
msgid "Remember to enable the <application>pam_access</application> module for every service (or default configuration) in <filename>/etc/pam.d/</filename> if you want your changes to <filename>/etc/security/access.conf</filename> honored."
msgstr ""
msgid "Restricting users's access"
msgstr ""
msgid "Sometimes you might think you need to have users created in your local system in order to provide a given service (pop3 mail service or ftp). Before doing so, first remember that the PAM implementation in Debian GNU/Linux allows you to validate users with a wide variety of external directory services (radius, ldap, etc.) provided by the libpam packages."
msgstr ""
msgid "If users need to be created and the system can be accessed remotely take into account that users will be able to log in to the system. You can fix this by giving users a null (<filename>/dev/null</filename>) shell (it would need to be listed in <filename>/etc/shells</filename>). If you want to allow users to access the system but limit their movements, you can use the <filename>/bin/rbash</filename>, equivalent to adding the <literal>-r</literal> option in <command>bash</command> (<emphasis>RESTRICTED SHELL</emphasis> see <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry> ). Please note that even with restricted shell, a user that access an interactive program (that might allow execution of a subshell) could be able to bypass the limits of the shell."
msgstr ""
msgid "Debian currently provides in the unstable release (and might be included in the next stable releases) the <filename>pam_chroot</filename> module (in the <application> libpam-chroot</application>). An alternative to it is to <command>chroot</command> the service that provides remote logging (<command>ssh</command>, <command>telnet</command>). <footnote><para><application>libpam-chroot</application> has not been yet thoroughly tested, it does work for <command>login</command> but it might not be easy to set up the environment for other programs</para></footnote>"
msgstr ""
msgid "If you wish to restrict <emphasis>when</emphasis> users can access the system you will have to customize <filename>/etc/security/access.conf</filename> for your needs."
msgstr ""
msgid "Information on how to <command>chroot</command> users accessing the system through the <command>ssh</command> service is described in <xref linkend=\"chroot-ssh-env\" />."
msgstr ""
msgid "User auditing"
msgstr ""
msgid "If you are really paranoid you might want to add a system-wide configuration to audit what the users are doing in your system. This sections presents some tips using diverse utilities you can use."
msgstr ""
msgid "Input and output audit with script"
msgstr ""
msgid "You can use the <command>script</command> command to audit both what the users run and what are the results of those commands. You cannot setup <command>script</command> as a shell (even if you add it to <filename>/etc/shells</filename>). But you can have the shell initialization file run the following:"
msgstr ""
msgid ""
"\n"
"umask 077\n"
"exec script -q -a \"/var/log/sessions/$USER\""
msgstr ""
msgid "Of course, if you do this system wide it means that the shell would not continue reading personal initialization files (since the shell gets overwritten by <command>script</command>). An alternative is to do this in the user's initialization files (but then the user could remove this, see the comments about this below)"
msgstr ""
msgid "You also need to setup the files in the audit directory (in the example <filename>/var/log/sessions/</filename>) so that users can write to it but cannot remove the file. This could be done, for example, by creating the user session files in advance and setting them with the <emphasis>append-only</emphasis> flag using <command>chattr</command>."
msgstr ""
msgid "A useful alternative for sysadmins, which includes date information would be:"
msgstr ""
msgid ""
"\n"
"umask 077\n"
"exec script -q -a \"/var/log/sessions/$USER-`date +%Y%m%d`\""
msgstr ""
msgid "Using the shell history file"
msgstr ""
msgid "If you want to review what does the user type in the shell (but not what the result of that is) you can setup a system-wide <filename>/etc/profile</filename> that configures the environment so that all commands are saved into a history file. The system-wide configuration needs to be setup in such a way that users cannot remove audit capabilities from their shell. This is somewhat shell specific so make sure that all users are using a shell that supports this."
msgstr ""
msgid "For example, for bash, the <filename>/etc/profile</filename> could be set as follows <footnote><para> Setting HISTSIZE to a very large number can cause issues under some shells since the history is kept in memory for every user session. You might be safer if you set this to a high-enough value and backup user's history files (if you need all of the user's history for some reason)</para></footnote> :"
msgstr ""
msgid ""
"\n"
" HISTFILE=~/.bash_history\n"
" HISTSIZE=10000\n"
" HISTFILESIZE=999999\n"
" # Don't let the users enter commands that are ignored\n"
" # in the history file\n"
" HISTIGNORE=\"\"\n"
" HISTCONTROL=\"\"\n"
" readonly HISTFILE\n"
" readonly HISTSIZE\n"
" readonly HISTFILESIZE\n"
" readonly HISTIGNORE\n"
" readonly HISTCONTROL\n"
" export HISTFILE HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL"
msgstr ""
msgid "For this to work, the user can only append information to <filename>.bash_history</filename> file. You need <emphasis>also</emphasis> to set the <emphasis>append-only</emphasis> option using <command>chattr</command> program for <filename>.bash_history</filename> for all users. <footnote><para> Without the append-only flag users would be able to empty the contents of the history file running <filename> > .bash_history</filename></para></footnote>."
msgstr ""
msgid "Note that you could introduce the configuration above in the user's <filename>.profile</filename>. But then you would need to setup permissions properly in such a way that prevents the user from modifying this file. This includes: having the user's home directories <emphasis>not</emphasis> belong to the user (since the user would be able to remove the file otherwise) but at the same time allow the user to read the <filename>.profile</filename> configuration file and write on the <filename>.bash_history</filename>. It would be good to set the <emphasis>immutable</emphasis> flag (also using <command>chattr</command>) for <filename>.profile</filename> too if you do it this way."
msgstr ""
msgid "Complete user audit with accounting utilities"
msgstr ""
msgid "The previous example is a simple way to configure user auditing but might be not useful for complex systems or for those in which users do not run shells at all (or exclusively). If this is your case, you need to look at <application>acct</application>, the accounting utilities. These utilities will log all the commands run by users or processes in the system, at the expense of disk space."
msgstr ""
msgid "When activating accounting, all the information on processes and users is kept under <filename>/var/account/</filename>, more specifically in the <filename>pacct</filename>. The accounting package includes some tools (<command>sa</command>, <command>ac</command> and <command>lastcomm</command>) to analyse this data."
msgstr ""
msgid "Other user auditing methods"
msgstr ""
msgid "If you are completely paranoid and want to audit every user's command, you could take <command>bash</command> source code, edit it and have it send all that the user typed into another file. Or have <application>ttysnoop</application> constantly monitor any new ttys <footnote><para>Ttys are spawned for local logins and remote logins through ssh and telnet</para></footnote> and dump the output into a file. Other useful program is <application>snoopy</application> (see also <ulink name=\"the project page\" url=\"http://sourceforge.net/projects/snoopylogger/\" />) which is a user-transparent program that hooks in as a library providing a wrapper around <varname>execve()</varname> calls, any command executed is logged to <command>syslogd</command> using the <literal>authpriv</literal> facility (usually stored at <filename>/var/log/auth.log</filename>)."
msgstr ""
msgid "Reviewing user profiles"
msgstr ""
msgid "If you want to <emphasis>see</emphasis> what users are actually doing when they logon to the system you can use the <filename>wtmp</filename> database that includes all login information. This file can be processed with several utilities, amongst them <command>sac</command> which can output a profile on each user showing in which timeframe they usually log on to the system."
msgstr ""
msgid "In case you have accounting activated, you can also use the tools provided by it in order to determine when the users access the system and what do they execute."
msgstr ""
msgid "Setting users umasks"
msgstr ""
msgid "Depending on your user policy you might want to change how information is shared between users, that is, what the default permissions of new files created by users are."
msgstr ""
msgid "Debian's default <literal>umask</literal> setting is <emphasis>022</emphasis> this means that files (and directories) can be read and accessed by the user's group and by any other users in the system. This definition is set in the standard configuration file <filename>/etc/profile</filename> which is used by all shells."
msgstr ""
msgid "If Debian's default value is too permissive for your system you will have to change the umask setting for all the shells. More restrictive umask settings include 027 (no access is allowed to new files for the <emphasis>other</emphasis> group, i.e. to other users in the system) or 077 (no access is allowed to new files to the members the user's group). Debian (by default<footnote><para>As defined in <filename>/etc/adduser.conf</filename> (USERGROUPS=yes). You can change this behaviour if you set this value to no, although it is not recommended</para></footnote>) creates one group per user so that only the user is included in its group. Consequently 027 and 077 are equivalent as the user's group contains only the user."
msgstr ""
msgid "This change is set by defining a proper <literal>umask</literal> setting for all users. You can change this by introducing an <command>umask</command> call in the shell configuration files: <filename>/etc/profile</filename> (source by all Bourne-compatible shells), <filename>/etc/csh.cshrc</filename>, <filename>/etc/csh.login</filename>, <filename>/etc/zshrc</filename> and probably some others (depending on the shells you have installed on your system). You can also change the <varname>UMASK</varname> setting in <filename>/etc/login.defs</filename>, Of all of these the last one that gets loaded by the shell takes precedence. The order is: the default system configuration for the user's shell (i.e. <filename>/etc/profile</filename> and other system-wide configuration files) and then the user's shell (his <filename>~/.profile</filename>, <filename>~/.bash_profile</filename>, etc...). Some shells, however, can be executed with a <emphasis>nologin</emphasis> value which might skip sourcing some of those files. See your shell's manpage for additional information."
msgstr ""
msgid "For connections that make use of <command>login</command> the UMASK definition in <filename>/etc/login.defs</filename> is used before any of the others. However, that value does not apply to user executed programs that do not use <command>login</command> such as those run through <command>su</command>, <command>cron</command> or <command>ssh</command>."
msgstr ""
msgid "Don't forget to review and maybe modify the dotfiles under <filename>/etc/skel/</filename> since these will be new user's defaults when created with the <command>adduser</command> command. Debian default dotfiles do not include any <command>umask</command> call but if there is any in the dotfiles newly created users might a different value."
msgstr ""
msgid "Note, however that users can modify their own <literal>umask</literal> setting if they want to, making it more permissive or more restricted, by changing their own dotfiles."
msgstr ""
msgid "The <application>libpam-umask</application> package adjusts the users' default <literal>umask</literal> using PAM. Add the following, after installing the package, to <filename>/etc/pam.d/common-session</filename>:"
msgstr ""
msgid "\n"
"session optional pam_umask.so umask=077"
msgstr ""
msgid "Finally, you should consider changing root's default 022 umask (as defined in <filename>/root/.bashrc</filename>) to a more strict umask. That will prevent the system administrator from inadvertenly dropping sensitive files when working as root to world-readable directories (such as <filename>/tmp</filename>) and having them available for your average user."
msgstr ""
msgid "Limiting what users can see/access"
msgstr ""
msgid "FIXME: Content needed. Describe the consequences of changing packages permissions when upgrading (an admin this paranoid should <command>chroot</command> his users BTW) if not using <command>dpkg-statoverride</command>."
msgstr ""
msgid "If you need to grant users access to the system with a shell think about it very carefully. A user can, by default unless in a severely restricted environment (like a <literal>chroot</literal> jail), retrieve quite a lot of information from your system including:"
msgstr ""
msgid "some configuration files in <filename>/etc</filename>. However, Debian's default permissions for some sensitive files (which might, for example, contain passwords), will prevent access to critical information. To see which files are only accessible by the root user for example"
msgstr ""
msgid "<userinput>find /etc -type f -a -perm 600 -a -uid 0</userinput>"
msgstr ""
msgid "as superuser."
msgstr ""
msgid "your installed packages, either by looking at the package database, at the <filename>/usr/share/doc</filename> directory or by guessing by looking at the binaries and libraries installed in your system."
msgstr ""
msgid "some log files at <filename>/var/log</filename>. Note also that some log files are only accessible to root and the <literal>adm</literal> group (try"
msgstr ""
msgid "<userinput>find /var/log -type f -a -perm 640</userinput>"
msgstr ""
msgid ") and some are even only available to the root user (try"
msgstr ""
msgid "<userinput>find /var/log -type f -a -perm\n"
" 600 -a -uid 0</userinput>"
msgstr ""
msgid ")."
msgstr ""
msgid "What can a user see in your system? Probably quite a lot of things, try this (take a deep breath):"
msgstr ""
msgid ""
"\n"
" find / -type f -a -perm +006 2>/dev/null \n"
" find / -type d -a -perm +007 2>/dev/null "
msgstr ""
msgid "The output is the list of files that a user can <emphasis>see</emphasis> and the accessable directories."
msgstr ""
msgid "Limiting access to other user's information"
msgstr ""
msgid "If you still grant shell access to users you might want to limit what information they can view from other users. Users with shell access have a tendency to create quite a number of files under their $HOMEs: mailboxes, personal documents, configuration of X/GNOME/KDE applications..."
msgstr ""
msgid "In Debian each user is created with one associated group, and no two users belong to the same group. This is the default behavior: when an user account is created, a group of the same name is created too, and the user is assigned to it. This avoids the concept of a common <emphasis>users</emphasis> group which might make it more difficult for users to hide information from other users."
msgstr ""
msgid "However, users' <varname>$HOME</varname> directories are created with 0755 permissions (group-readable and world-readable). The group permissions is not an issue since only the user belongs to the group, however the world permissions might (or might not) be an issue depending on your local policy."
msgstr ""
msgid "You can change this behavior so that user creation provides different <varname>$HOME</varname> permissions. To change the behavior for <emphasis>new</emphasis> users when they get created, change <emphasis>DIR_MODE</emphasis> in the configuration file <filename>/etc/adduser.conf</filename> to 0750 (no world-readable access)."
msgstr ""
msgid "Users can still share information, but not directly in their <varname>$HOME</varname> directories unless they change its permissions."
msgstr ""
msgid "Note that disabling world-readable home directories will prevent users from creating their personal web pages in the <filename>~/public_html</filename> directory, since the web server will not be able to read one component in the path - namely their <varname>$HOME</varname> directory. If you want to permit users to publish HTML pages in their <filename>~/public_html</filename>, then change <emphasis>DIR_MODE</emphasis> to 0751. This will allow the web server to access the final <filename>public_html</filename> directory (which itself should have a mode of 0755) and provide the content published by users. Of course, we are only talking about a default configuration here; users can generally tune modes of their own files completely to their liking, or you could keep content intended for the web in a separate location which is not a subdirectory of user's <varname>$HOME</varname> directory."
msgstr ""
msgid "Generating user passwords"
msgstr ""
msgid "There are many cases when an administrator needs to create many user accounts and provide passwords for all of them. Of course, the administrator could easily just set the password to be the same as the user's account name, but that would not be very sensitive security-wise. A better approach is to use a password generating program. Debian provides <application>makepasswd</application>, <application>apg</application> and <application>pwgen</application> packages which provide programs (the name is the same as the package) that can be used for this purpose. <command>Makepasswd</command> will generate true random passwords with an emphasis on security over pronounceability while <command>pwgen</command> will try to make meaningless but pronounceable passwords (of course this might depend on your mother language). <command>Apg</command> has algorithms to provide for both (there is a client/server version for this program but it is not included in the Debian package)."
msgstr ""
msgid "<command>Passwd</command> does not allow non-interactive assignation of passwords (since it uses direct tty access). If you want to change passwords when creating a large number of users you can create them using <command>adduser</command> with the <literal>--disabled-login</literal> option and then use <command>usermod</command> or <command>chpasswd</command> <footnote><para> <command>Chpasswd</command> cannot handle MD5 password generation so it needs to be given the password in encrypted form before using it, with the <screen><userinput>-e</userinput></screen> option. </para></footnote> (both from the <application>passwd</application> package so you already have them installed). If you want to use a file with all the information to make users as a batch process you might be better off using <command>newusers</command>."
msgstr ""
msgid "Checking user passwords"
msgstr ""
msgid "User passwords can sometimes become the <emphasis>weakest link</emphasis> in the security of a given system. This is due to some users choosing weak passwords for their accounts (and the more of them that have access to it the greater the chances of this happening). Even if you established checks with the cracklib PAM module and password limits as described in <xref linkend=\"auth-pam\" /> users will still be able to use weak passwords. Since user access might include remote shell access (over <command>ssh</command>, hopefully) it's important to make password guessing as hard as possible for the remote attackers, especially if they were somehow able to collect important information such as usernames or even the <filename>passwd</filename> and <filename>shadow</filename> files themselves."
msgstr ""
msgid "A system administrator must, given a big number of users, check if the passwords they have are consistent with the local security policy. How to check? Try to crack them as an attacker would if having access to the hashed passwords (the <filename>/etc/shadow</filename> file)."
msgstr ""
msgid "An administrator can use <application>john</application> or <application>crack</application> (both are brute force password crackers) together with an appropriate wordlist to check users' passwords and take appropriate action when a weak password is detected. You can search for Debian GNU packages that contain word lists using <command>apt-cache search wordlist</command>, or visit the classic Internet wordlist sites such as <ulink url=\"ftp://ftp.ox.ac.uk/pub/wordlists\" /> or <ulink url=\"ftp://ftp.cerias.purdue.edu/pub/dict\" />."
msgstr ""
msgid "Logging off idle users"
msgstr ""
msgid "Idle users are usually a security problem, a user might be idle maybe because he's out to lunch or because a remote connection hung and was not re-established. For whatever the reason, idle users might lead to a compromise:"
msgstr ""
msgid "because the user's console might be unlocked and can be accessed by an intruder."
msgstr ""
msgid "because an attacker might be able to re-attach to a closed network connection and send commands to the remote shell (this is fairly easy if the remote shell is not encrypted as in the case of <command>telnet</command>)."
msgstr ""
msgid "Some remote systems have even been compromised through an idle (and detached) <command>screen</command>."
msgstr ""
msgid "Automatic disconnection of idle users is usually a part of the local security policy that must be enforced. There are several ways to do this:"
msgstr ""
msgid "If <application>bash</application> is the user shell, a system administrator can set a default <varname>TMOUT</varname> value (see <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>) which will make the shell automatically log off remote idle users. Note that it must be set with the <literal>-o</literal> option or users will be able to change (or unset) it."
msgstr ""
msgid "Install <application>timeoutd</application> and configure <filename>/etc/timeouts</filename> according to your local security policy. The daemon will watch for idle users and time out their shells accordingly."
msgstr ""
msgid "Install <application>autolog</application> and configure it to remove idle users."
msgstr ""
msgid "The <command>timeoutd</command> or <command>autolog</command> daemons are the preferred method since, after all, users can change their default shell or can, after running their default shell, switch to another (uncontrolled) shell."
msgstr ""
msgid "Using tcpwrappers"
msgstr ""
msgid "TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they're still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at <citerefentry><refentrytitle>hosts_access</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manual page."
msgstr ""
msgid "Many services installed in Debian are either:"
msgstr ""
msgid "launched through the tcpwrapper service (<filename>tcpd</filename>)"
msgstr ""
msgid "compiled with libwrapper support built-in."
msgstr ""
msgid "On the one hand, for services configured in <filename>/etc/inetd.conf</filename> (this includes <command>telnet</command>, <command>ftp</command>, <command>netbios</command>, <command>swat</command> and <command>finger</command>) you will see that the configuration file executes <command>/usr/sbin/tcpd</command> first. On the other hand, even if a service is not launched by the <command>inetd</command> superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include <command>ssh</command>, <command>portmap</command>, <command>in.talk</command>, <command>rpc.statd</command>, <command>rpc.mountd</command>, <command>gdm</command>, <command>oaf</command> (the GNOME activator daemon), <command>nessus</command> and many others."
msgstr ""
msgid "To see which packages use tcpwrappers <footnote><para> On older Debian releases you might need to do this: <screen> $ apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \\ sed 's/,libwrap0$//;s/^[[:space:]]\\+//' </screen> </para></footnote> try:"
msgstr ""
msgid "\n"
" $ apt-cache rdepends libwrap0"
msgstr ""
msgid "Take this into account when running <command>tcpdchk</command> (a very useful TCP wrappers config file rule and syntax checker). When you add stand-alone services (that are directly linked with the wrapper library) into the <filename>hosts.deny</filename> and <filename>hosts.allow</filename> files, <command>tcpdchk</command> will warn you that it is not able to find the mentioned services since it only looks for them in <filename>/etc/inetd.conf</filename> (the manpage is not totally accurate here)."
msgstr ""
msgid "Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a <varname>SPAWN</varname> <footnote><para>be sure to use uppercase here since <emphasis>spawn</emphasis> will not work</para></footnote> command in <filename>/etc/hosts.deny</filename> that sends mail to root whenever a denied service triggers wrappers:"
msgstr ""
msgid ""
"\n"
" ALL: ALL: SPAWN ( \\\n"
" echo -e \"\\n\\\n"
" TCP Wrappers\\: Connection refused\\n\\\n"
" By\\: $(uname -n)\\n\\\n"
" Process\\: %d (pid %p)\\n\\\n"
" User\\: %u\\n\\\n"
" Host\\: %c\\n\\\n"
" Date\\: $(date)\\n\\\n"
" \" | /usr/bin/mail -s \"Connection to %d blocked\" root) &"
msgstr ""
msgid "<emphasis>Beware</emphasis>: The above printed example is open to a DoS attack by making many connections in a short period of time. Many emails mean a lot of file I/O by sending only a few packets."
msgstr ""
msgid "The importance of logs and alerts"
msgstr ""
msgid "It is easy to see that the treatment of logs and alerts is an important issue in a secure system. Suppose a system is perfectly configured and 99% secure. If the 1% attack occurs, and there are no security measures in place to, first, detect this and, second, raise alarms, the system is not secure at all."
msgstr ""
msgid "Debian GNU/Linux provides some tools to perform log analysis, most notably <application>swatch</application>, <footnote><para>there's a very good article on it written by <ulink name=\"Lance Spitzner\" url=\"http://www.spitzner.net/swatch.html\" /> </para></footnote> <application>logcheck</application> or <application>log-analysis</application> (all will need some customisation to remove unnecessary things from the report). It might also be useful, if the system is nearby, to have the system logs printed on a virtual console. This is useful since you can (from a distance) see if the system is behaving properly. Debian's <filename>/etc/syslog.conf</filename> comes with a commented default configuration; to enable it uncomment the lines and restart <command>syslogd</command> (<userinput>/etc/init.d/syslogd restart</userinput>):"
msgstr ""
msgid ""
"\n"
" daemon,mail.*;\\\n"
" news.=crit;news.=err;news.=notice;\\\n"
" *.=debug;*.=info;\\\n"
" *.=notice;*.=warn /dev/tty8"
msgstr ""
msgid "To colorize the logs, you could take a look at <application>colorize</application>, <application>ccze</application> or <application>glark</application>. There is a lot to log analysis that cannot be fully covered here, so a good information resource would be books should as <ulink name=\"Security log management: identifying patterns in the chaos\" url=\"http://books.google.com/books?id=UyktqN6GnWEC\" />. In any case, even automated tools are no match for the best analysis tool: your brain."
msgstr ""
msgid "Using and customizing <command>logcheck</command>"
msgstr ""
msgid "The <command>logcheck</command> package in Debian is divided into the three packages <application>logcheck</application> (the main program), <application>logcheck-database</application> (a database of regular expressions for the program) and <application>logtail</application> (prints loglines that have not yet been read). The Debian default (in <filename>/etc/cron.d/logcheck</filename>) is that <command>logcheck</command> is run every hour and after reboots."
msgstr ""
msgid "This tool can be quite useful if properly customized to alert the administrator of unusual system events. <command>Logcheck</command> can be fully customized so that it sends mails based on events found in the logs and worthy of attention. The default installation includes profiles for ignored events and policy violations for three different setups (workstation, server and paranoid). The Debian package includes a configuration file <filename>/etc/logcheck/logcheck.conf</filename>, sourced by the program, that defines which user the checks are sent to. It also provides a way for packages that provide services to implement new policies in the directories: <filename>/etc/logcheck/cracking.d/_packagename_</filename>, <filename>/etc/logcheck/violations.d/_packagename_</filename>, <filename>/etc/logcheck/violations.ignore.d/_packagename_</filename>, <filename>/etc/logcheck/ignore.d.paranoid/_packagename_</filename>, <filename>/etc/logcheck/ignore.d.server/_packagename_</filename>, and <filename>/etc/logcheck/ignore.d.workstation/_packagename_</filename>. However, not many packages currently do so. If you have a policy that can be useful for other users, please send it as a bug report for the appropriate package (as a <emphasis>wishlist</emphasis> bug). For more information read <filename>/usr/share/doc/logcheck/README.Debian</filename>."
msgstr ""
msgid "The best way to configure <command>logcheck</command> is to edit its main configuration file <filename>/etc/logcheck/logcheck.conf</filename> after installation. Change the default user (root) to whom reports should be mailed. You should set the reportlevel in there, too. <application>logcheck-database</application> has three report levels of increasing verbosity: workstation, server, paranoid. \"server\" being the default level, paranoid is only recommended for high-security machines running as few services as possible and workstation for relatively sheltered, non-critical machines. If you wish to add new log files just add them to <filename>/etc/logcheck/logcheck.logfiles</filename>. It is tuned for default syslog install."
msgstr ""
msgid "Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. If you find you are sent messages you do not wish to receive, just add the regular expressions (see <citerefentry><refentrytitle>regex</refentrytitle><manvolnum>7</manvolnum></citerefentry> and <citerefentry><refentrytitle>egrep</refentrytitle><manvolnum>1</manvolnum></citerefentry>) that correspond to these messages to the <filename>/etc/logcheck/ignore.d.<varname>reportlevel</varname>/local</filename>. Try to match the whole logline. Details on howto write rules are explained in <filename>/usr/share/doc/logcheck-database/README.logcheck-database.gz</filename>. It's an ongoing tuning process; once the messages that are sent are always relevant you can consider the tuning finished. Note that if <command>logcheck</command> does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky)."
msgstr ""
msgid "Configuring where alerts are sent"
msgstr ""
msgid "Debian comes with a standard <application>syslog</application> configuration (in <filename>/etc/syslog.conf</filename>) that logs messages to the appropriate files depending on the system facility. You should be familiar with this; have a look at the <filename>syslog.conf</filename> file and the documentation if not. If you intend to maintain a secure system you should be aware of where log messages are sent so they do not go unnoticed."
msgstr ""
msgid "For example, sending messages to the console also is an interesting setup useful for many production-level systems. But for many such systems it is also important to add a new machine that will serve as loghost (i.e. it receives logs from all other systems)."
msgstr ""
msgid "Root's mail should be considered also, many security controls (like <application>snort</application>) send alerts to root's mailbox. This mailbox usually points to the first user created in the system (check <filename>/etc/aliases</filename>). Take care to send root's mail to some place where it will be read (either locally or remotely)."
msgstr ""
msgid "There are other role accounts and aliases on your system. On a small system, it's probably simplest to make sure that all such aliases point to the root account, and that mail to root is forwarded to the system administrator's personal mailbox."
msgstr ""
msgid "FIXME: It would be interesting to tell how a Debian system can send/receive SNMP traps related to security problems (jfs). Check: <application>snmptrapfmt</application>, <application>snmp</application> and <application>snmpd</application>."
msgstr ""
msgid "Using a loghost"
msgstr ""
msgid "A loghost is a host which collects syslog data remotely over the network. If one of your machines is cracked, the intruder is not able to cover the tracks, unless hacking the loghost as well. So, the loghost should be especially secure. Making a machine a loghost is simple. Just start the <command>syslogd</command> with"
msgstr ""
msgid "<userinput>syslogd -r</userinput>"
msgstr ""
msgid "and a new loghost is born. In order to do this permanently in Debian, edit <filename>/etc/default/syslogd</filename> and change the line"
msgstr ""
msgid "\n"
"SYSLOGD=\"\""
msgstr ""
msgid "to"
msgstr ""
msgid "\n"
"SYSLOGD=\"-r\""
msgstr ""
msgid "Next, configure the other machines to send data to the loghost. Add an entry like the following to <filename>/etc/syslog.conf</filename>:"
msgstr ""
msgid "\n"
" facility.level @your_loghost"
msgstr ""
msgid "See the documentation for what to use in place of <emphasis>facility</emphasis> and <emphasis>level</emphasis> (they should not be entered verbatim like this). If you want to log everything remotely, just write:"
msgstr ""
msgid "\n"
" *.* @your_loghost"
msgstr ""
msgid "into your <filename>syslog.conf</filename>. Logging remotely as well as locally is the best solution (the attacker might presume to have covered his tracks after deleting the local log files). See the <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>, <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>syslog.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> manpages for additional information."
msgstr ""
msgid "Log file permissions"
msgstr ""
msgid "It is not only important to decide how alerts are used, but also who has read/modify access to the log files (if not using a remote loghost). Security alerts which the attacker can change or disable are not worth much in the event of an intrusion. Also, you have to take into account that log files might reveal quite a lot of information about your system to an intruder who has access to them."
msgstr ""
msgid "Some log file permissions are not perfect after the installation (but of course this really depends on your local security policy). First <filename>/var/log/lastlog</filename> and <filename>/var/log/faillog</filename> do not need to be readable by normal users. In the <filename>lastlog</filename> file you can see who logged in recently, and in the <filename>faillog</filename> you see a summary of failed logins. The author recommends <command>chmod 660</command> for both. Take a brief look at your log files and decide very carefully which log files to make readable/writable for a user with a UID other than 0 and a group other than 'adm' or 'root'. You can easily check this in your system with:"
msgstr ""
msgid ""
"\n"
" # find /var/log -type f -exec ls -l {} \\; | cut -c 17-35 |sort -u\n"
" (see to what users do files in /var/log belong)\n"
" # find /var/log -type f -exec ls -l {} \\; | cut -c 26-34 |sort -u\n"
" (see to what groups do files in /var/log belong)\n"
" # find /var/log -perm +004\n"
" (files which are readable by any user)\n"
" # find /var/log \\! -group root \\! -group adm -exec ls -ld {} \\;\n"
" (files which belong to groups not root or adm)"
msgstr ""
msgid "To customize how log files are created you will probably have to customize the program that generates them. If the log file gets rotated, however, you can customize the behavior of creation and rotation."
msgstr ""
msgid "Adding kernel patches"
msgstr ""
msgid "Debian GNU/Linux provides some of the patches for the Linux kernel that enhance its security. These include:"
msgstr ""
msgid "<ulink url=\"http://www.lids.org\">Linux Intrusion Detection</ulink> provided in the <application>kernel-patch-2.4-lids</application> package. This kernel patch makes the process of hardening your Linux system easier by allowing you to restrict, hide and protect processes, even from root. It implements mandatory access control capabilities."
msgstr ""
msgid "<ulink url=\"http://trustees.sourceforge.net/\">Linux Trustees</ulink>, provided in package <application>trustees</application>. This patch adds a decent advanced permissions management system to your Linux kernel. Special objects (called trustees) are bound to every file or directory, and are stored in kernel memory, which allows fast lookup of all permissions."
msgstr ""
msgid "NSA Enhanced Linux (in package <application>selinux</application>). Backports of the SElinux-enabled packages are available at <ulink url=\"http://selinux.alioth.debian.org/\" />. More information available at <ulink url=\"http://wiki.debian.org/SELinux\">SElinux in Debian Wiki page</ulink>, at <ulink url=\"http://www.golden-gryphon.com/software/security/selinux.xhtml\">Manoj Srivastava's</ulink> and <ulink url=\"http://www.coker.com.au/selinux/\">Russell Cookers's</ulink> SElinux websites."
msgstr ""
msgid "The kernel patch <ulink url=\"http://people.redhat.com/mingo/exec-shield\" /> provided in the <application>kernel-patch-exec-shield</application> package. This patch provides protection against some buffer overflows (stack smashing attacks)."
msgstr ""
msgid "The <ulink url=\"http://www.grsecurity.net/\">Grsecurity patch</ulink>, provided by the <application>kernel-patch-2.4-grsecurity</application> and <application>kernel-patch-grsecurity2</application> packages <footnote><para> Notice that this patch conflicts with patches already included in Debian's 2.4 kernel source package. You will need to use the stock vanilla kernel. You can do this with the following steps: <screen> # apt-get install kernel-source-2.4.22 kernel-patch-debian-2.4.22 # tar xjf /usr/src/kernel-source-2.4.22.tar.bz2 # cd kernel-source-2.4.22 # /usr/src/kernel-patches/all/2.4.22/unpatch/debian </screen> For more information see <ulink name=\"#194225\" url=\"http://bugs.debian.org/194225\" />, <ulink name=\"#199519\" url=\"http://bugs.debian.org/199519\" />, <ulink name=\"#206458\" url=\"http://bugs.debian.org/206458\" />, <ulink name=\"#203759\" url=\"http://bugs.debian.org/203759\" />, <ulink name=\"#204424\" url=\"http://bugs.debian.org/204424\" />, <ulink name=\"#210762\" url=\"http://bugs.debian.org/210762\" />, <ulink name=\"#211213\" url=\"http://bugs.debian.org/211213\" />, and the <ulink name=\"discussion at debian-devel\" url=\"http://lists.debian.org/debian-devel/2003/debian-devel-200309/msg01133.html\" /> </para></footnote> implements Mandatory Access Control through RBAC, provides buffer overflow protection through PaX, ACLs, network randomness (to make OS fingerprinting more difficult) and <ulink url=\"http://www.grsecurity.net/features.php\">many more features</ulink>."
msgstr ""
msgid "The <application>kernel-patch-adamantix</application> provides the patches developed for <ulink url=\"http://www.adamantix.org/\">Adamantix</ulink>, a Debian-based distribution. This kernel patch for the 2.4.x kernel releases introduces some security features such as a non-executable stack through the use of <ulink name=\"PaX\" url=\"http://pageexec.virtualave.net/\" /> and mandatory access control based on <ulink name=\"RSBAC\" url=\"http://www.rsbac.org/\" />. Other features include: <ulink name=\"the Random PID patch\" url=\"http://www.vanheusden.com/Linux/sp/\" />, AES encrypted loop device, MPPE support and an IPSEC v2.6 backport."
msgstr ""
msgid "<application>cryptoloop-source</application>. This patches allows you to use the functions of the kernel crypto API to create encrypted filesystems using the loopback device."
msgstr ""
msgid "IPSEC kernel support (in package <application>linux-patch-openswan</application>). If you want to use the IPsec protocol with Linux, you need this patch. You can create VPNs with this quite easily, even to Windows machines, as IPsec is a common standard. IPsec capabilities have been added to the 2.5 development kernel, so this feature will be present by default in the future Linux Kernel 2.6. Homepage: <ulink url=\"http://www.openswan.org\" />. <emphasis>FIXME</emphasis>: The latest 2.4 kernels provided in Debian include a backport of the IPSEC code from 2.5. Comment on this."
msgstr ""
msgid "The following security kernel patches are only available for old kernel versions in woody and are deprecated:"
msgstr ""
msgid "<ulink name=\"POSIX Access Control Lists\" url=\"http://acl.bestbits.at/\" /> (ACLs) for Linux provided in the package <application>kernel-patch-acl</application>. This kernel patch adds access control lists, an advanced method for restricting access to files. It allows you to control fine-grain access to files and directory."
msgstr ""
msgid "The <ulink name=\"Openwall\" url=\"http://www.openwall.com/linux/\" /> linux kernel patch by Solar Designer, provided in the <application>kernel-patch-2.2.18-openwall</application> package. This is a useful set of kernel restrictions, like restricted links, FIFOs in <filename>/tmp</filename>, a restricted <filename>/proc</filename> file system, special file descriptor handling, non-executable user stack area and other features. Note: This package applies to the 2.2 release, no packages are available for the 2.4 release patches provided by Solar."
msgstr ""
msgid "<application>kernel-patch-int</application>. This patch also adds cryptographic capabilities to the Linux kernel, and was useful with Debian releases up to Potato. It doesn't work with Woody, and if you are using Sarge or a newer version, you should use a more recent kernel which includes these features already."
msgstr ""
msgid "However, some patches have not been provided in Debian yet. If you feel that some of these should be included please ask for it at the <ulink name=\"Work Needing and Prospective Packages\" url=\"http://www.debian.org/devel/wnpp/\" />."
msgstr ""
msgid "Protecting against buffer overflows"
msgstr ""
msgid "<emphasis>Buffer overflow</emphasis> is the name of a common attack to software <footnote><para>So common, in fact, that they have been the basis of 20% of the reported security vulnerabilities every year, as determined by <ulink name=\"statistics from ICAT's vulnerability database\" url=\"http://icat.nist.gov/icat.cfm?function=statistics\" /></para></footnote> which makes use of insufficient boundary checking (a programming error, most commonly in the C language) in order to execute machine code through program inputs. These attacks, against server software which listen to connections remotely and against local software which grant higher privileges to users (<literal>setuid</literal> or <literal>setgid</literal>) can result in the compromise of any given system."
msgstr ""
msgid "There are mainly four methods to protect against buffer overflows:"
msgstr ""
msgid "patch the kernel to prevent stack execution. You can use either: Exec-shield, OpenWall or PaX (included in the Grsecurity and Adamantix patches)."
msgstr ""
msgid "fix the source code by using tools to find fragments of it that might introduce this vulnerability."
msgstr ""
msgid "recompile the source code to introduce proper checks that prevent overflows, using the <ulink name=\"Stack Smashing Protector (SSP)\" url=\"http://www.research.ibm.com/trl/projects/security/ssp/\" /> patch for GCC (which is used by <ulink name=\"Adamantix\" url=\"http://www.adamantix.org\" />)"
msgstr ""
msgid "Debian GNU/Linux, as of the 3.0 release, provides software to introduce all of these methods except for the protection on source code compilation (but this has been requested in <ulink name=\"Bug #213994\" url=\"http://bugs.debian.org/213994\" />)."
msgstr ""
msgid "Notice that even if Debian provided a compiler which featured stack/buffer overflow protection all packages would need to be recompiled in order to introduce this feature. This is, in fact, what the Adamantix distribution does (among other features). The effect of this new feature on the stability of software is yet to be determined (some programs or some processor architectures might break due to it)."
msgstr ""
msgid "In any case, be aware that even these workarounds might not prevent buffer overflows since there are ways to circumvent these, as described in phrack's magazine <ulink name=\"issue 58\" url=\"http://packetstorm.linuxsecurity.com/mag/phrack/phrack58.tar.gz\" /> or in CORE's Advisory <ulink name=\"Multiple vulnerabilities in stack smashing protection technologies\" url=\"http://online.securityfocus.com/archive/1/269246\" />."
msgstr ""
msgid "If you want to test out your buffer overflow protection once you have implemented it (regardless of the method) you might want to install the <application>paxtest</application> and run the tests it provides."
msgstr ""
msgid "Kernel patch protection for buffer overflows"
msgstr ""
msgid "Kernel patches related to buffer overflows include the Openwall patch provides protection against buffer overflows in 2.2 linux kernels. For 2.4 or newer kernels, you need to use the Exec-shield implementation, or the PaX implementation (provided in the grsecurity patch, <application>kernel-patch-2.4-grsecurity</application>, and in the Adamantix patch, <application>kernel-patch-adamantix</application>). For more information on using these patches read the the section <xref linkend=\"kernel-patches\" />."
msgstr ""
msgid "Testing programs for overflows"
msgstr ""
msgid "The use of tools to detect buffer overflows requires, in any case, of programming experience in order to fix (and recompile) the code. Debian provides, for example: <application>bfbtester</application> (a buffer overflow tester that brute-forces binaries through command line and environment overflows). Other packages of interest would also be <application>rats</application>, <application>pscan</application>, <application>flawfinder</application> and <application>splint</application>."
msgstr ""
msgid "Secure file transfers"
msgstr ""
msgid "During normal system administration one usually needs to transfer files in and out from the installed system. Copying files in a secure manner from a host to another can be achieved by using the <application>ssh</application> server package. Another possibility is the use of <application>ftpd-ssl</application>, a ftp server which uses the <emphasis>Secure Socket Layer</emphasis> to encrypt the transmissions."
msgstr ""
msgid "Any of these methods need special clients. Debian does provide client software, such as <command>scp</command> from the <application>ssh</application> package, which works like <command>rcp</command> but is encrypted completely, so the <emphasis>bad guys</emphasis> cannot even find out WHAT you copy. There is also a <application>ftp-ssl</application> package for the equivalent server. You can find clients for these software even for other operating systems (non-UNIX), <command>putty</command> and <command>winscp</command> provide secure copy implementations for any version of Microsoft's operating system."
msgstr ""
msgid "Note that using <command>scp</command> provides access to the users to all the file system unless <command>chroot</command>'ed as described in <xref linkend=\"ssh-chroot\" />. FTP access can be <command>chroot</command>'ed, probably easier depending on you chosen daemon, as described in <xref linkend=\"ftp-secure\" />. If you are worried about users browsing your local files and want to have encrypted communication you can either use an ftp daemon with SSL support or combine clear-text ftp and a VPN setup (see <xref linkend=\"vpn\" />)."
msgstr ""
msgid "File system limits and control"
msgstr ""
msgid "Using quotas"
msgstr ""
msgid "Having a good quota policy is important, as it keeps users from filling up the hard disk(s)."
msgstr ""
msgid "You can use two different quota systems: user quota and group quota. As you probably figured out, user quota limits the amount of space a user can take up, group quota does the equivalent for groups. Keep this in mind when you're working out quota sizes."
msgstr ""
msgid "There are a few important points to think about in setting up a quota system:"
msgstr ""
msgid "Keep the quotas small enough, so users do not eat up your disk space."
msgstr ""
msgid "Keep the quotas big enough, so users do not complain or their mail quota keeps them from accepting mail over a longer period."
msgstr ""
msgid "Use quotas on all user-writable areas, on <filename>/home</filename> as well as on <filename>/tmp</filename>."
msgstr ""
msgid "Every partition or directory to which users have full write access should be quota enabled. Calculate and assign a workable quota size for those partitions and directories which combines usability and security."
msgstr ""
msgid "So, now you want to use quotas. First of all you need to check whether you enabled quota support in your kernel. If not, you will need to recompile it. After this, control whether the package <application>quota</application> is installed. If not you will need this one as well."
msgstr ""
msgid "Enabling quota for the respective file systems is as easy as modifying the <literal>defaults</literal> setting to <literal>defaults,usrquota</literal> in your <filename>/etc/fstab</filename> file. If you need group quota, substitute <literal>usrquota</literal> to <literal>grpquota</literal>. You can also use them both. Then create empty quota.user and quota.group files in the roots of the file systems you want to use quotas on (e.g."
msgstr ""
msgid "<userinput>touch\n"
"/home/quota.user /home/quota.group</userinput>"
msgstr ""
msgid "for a <filename>/home</filename> file system)."
msgstr ""
msgid "Restart <command>quota</command> by doing"
msgstr ""
msgid "<userinput>/etc/init.d/quota stop;/etc/init.d/quota\n"
" start</userinput>"
msgstr ""
msgid ". Now quota should be running, and quota sizes can be set."
msgstr ""
msgid "Editing quotas for a specific user can be done by"
msgstr ""
msgid "<userinput>edquota -u <user></userinput>"
msgstr ""
msgid ". Group quotas can be modified with"
msgstr ""
msgid "<userinput>edquota -g <group></userinput>"
msgstr ""
msgid ". Then set the soft and hard quota and/or inode quotas as needed."
msgstr ""
msgid "For more information about quotas, read the quota man page, and the quota mini-howto (<filename>/usr/share/doc/HOWTO/en-html/mini/Quota.html</filename>). You may also want to look at <filename>pam_limits.so</filename>."
msgstr ""
msgid "The ext2 filesystem specific attributes (<command>chattr</command>/<command>lsattr</command>)"
msgstr ""
msgid "In addition to the usual Unix permissions, the ext2 and ext3 filesystems offer a set of specific attributes that give you more control over the files on your system. Unlike the basic permissions, these attributes are not displayed by the usual <command>ls -l</command> command or changed using <command>chmod</command>, and you need two other utilities, <command>lsattr</command> and <command>chattr</command> (in package <application>e2fsprogs</application>) to manage them. Note that this means that these attributes will usually not be saved when you backup your system, so if you change any of them, it may be worth saving the successive <command>chattr</command> commands in a script so that you can set them again later if you have to restore a backup."
msgstr ""
msgid "Among all available attributes, the two that are most important for increasing security are referenced by the letters 'i' and 'a', and they can only be set (or removed) by the superuser:"
msgstr ""
msgid "The 'i' attribute ('immutable'): a file with this attribute can neither be modified nor deleted or renamed and no link can be created to it, even by the superuser."
msgstr ""
msgid "The 'a' attribute ('append'): this attribute has the same effect that the immutable attribute, except that you can still open the file in append mode. This means that you can still add more content to it but it is impossible to modify previous content. This attribute is especially useful for the log files stored in <filename>/var/log/</filename>, though you should consider that they get moved sometimes due to the log rotation scripts."
msgstr ""
msgid "These attributes can also be set for directories, in which case everyone is denied the right to modify the contents of a directory list (e.g. rename or remove a file, ...). When applied to a directory, the append attribute only allows file creation."
msgstr ""
msgid "It is easy to see how the 'a' attribute improves security, by giving to programs that are not running as the superuser the ability to add data to a file without modifying its previous content. On the other hand, the 'i' attribute seems less interesting: after all, the superuser can already use the basic Unix permissions to restrict access to a file, and an intruder that would get access to the superuser account could always use the <command>chattr</command> program to remove the attribute. Such an intruder may first be confused when noticing not being able to remove a file, but you should not assume blindness - after all, the intruder got into your system! Some manuals (including a previous version of this document) suggest to simply remove the <command>chattr</command> and <command>lsattr</command> programs from the system to increase security, but this kind of strategy, also known as \"security by obscurity\", is to be absolutely avoided, since it provides a false sense of security."
msgstr ""
msgid "A secure way to solve this problem is to use the capabilities of the Linux kernel, as described in <xref linkend=\"proactive\" />. The capability of interest here is called <literal>CAP_LINUX_IMMUTABLE</literal>: if you remove it from the capabilities bounding set (using for example the command <command>lcap <varname>CAP_LINUX_IMMUTABLE</varname></command>) it won't be possible to change any 'a' or 'i' attribute on your system anymore, even by the superuser ! A complete strategy could be as follows:"
msgstr ""
msgid "Set the attributes 'a' and 'i' on any file you want;"
msgstr ""
msgid "Add the command <command>lcap <varname>CAP_LINUX_IMMUTABLE</varname></command> (as well as <command>lcap <varname>CAP_SYS_MODULE</varname></command>, as suggested in <xref linkend=\"proactive\" />) to one of the startup scripts;"
msgstr ""
msgid "Set the 'i' attribute on this script and other startup files, as well as on the <command>lcap</command> binary itself;"
msgstr ""
msgid "Execute the above command manually (or reboot your system to make sure everything works as planned)."
msgstr ""
msgid "Now that the capability has been removed from the system, an intruder cannot change any attribute on the protected files, and thus cannot change or remove the files. If the machine is forced to reboot (which is the only way to restore the capabilities bounding set), it will easily be detected, and the capability will be removed again as soon as the system restarts anyway. The only way to change a protected file would be to boot the system in single-user mode or using another bootdisk, two operations that require physical access to the machine !"
msgstr ""
msgid "Checking file system integrity"
msgstr ""
msgid "Are you sure <filename>/bin/login</filename> on your hard drive is still the binary you installed there some months ago? What if it is a hacked version, which stores the entered password in a hidden file or mails it in clear-text version all over the Internet?"
msgstr ""
msgid "The only method to have some kind of protection is to check your files every hour/day/month (I prefer daily) by comparing the actual and the old md5sum of this file. Two files cannot have the same md5sum (the MD5 digest is 128 bits, so the chance that two different files will have the same md5sum is roughly one in 3.4e3803), so you're on the safe site here, unless someone has also hacked the algorithm that creates md5sums on that machine. This is, well, extremely difficult and very unlikely. You really should consider this auditing of your binaries as very important, since it is an easy way to recognize changes at your binaries."
msgstr ""
msgid "Common tools used for this are <application>sxid</application>, <application>aide</application> (Advanced Intrusion Detection Environment), <application>tripwire</application>, <application>integrit</application> and <application>samhain</application>. Installing <command>debsums</command> will also help you to check the file system integrity, by comparing the md5sums of every file against the md5sums used in the Debian package archive. But beware: those files can easily be changed by an attacker and not all packages provide md5sums listings for the binaries they provided. For more information please read <xref linkend=\"periodic-integrity\" /> and <xref linkend=\"snapshot\" />."
msgstr ""
msgid "You might want to use <command>locate</command> to index the whole filesystem, if so, consider the implications of that. The Debian <application>findutils</application> package contains <command>locate</command> which runs as user nobody, and so it only indexes files which are visible to everybody. However, if you change it's behaviour you will make all file locations visible to all users. If you want to index all the filesystem (not the bits that the user nobody can see) you can replace <command>locate</command> with the package <application>slocate</application>. slocate is labeled as a security enhanced version of GNU locate, but it actually provides additional file-locating functionality. When using <command>slocate</command>, the user only sees the actually accessible files and you can exclude any files or directories on the system. The <application>slocate</application> package runs its update process with higher privledges than locate, and indexes every file. Users are then able to quickly search for every file which they are able to see. <command>slocate</command> doesn't let them see new files; it filters the output based on your UID."
msgstr ""
msgid "You might want to use <application>bsign</application> or <application>elfsign</application>. <application>elfsign</application> provides an utility to add a digital signature to an ELF binary and a second utility to verify that signature. The current implementation uses PKI to sign the checksum of the binary. The benefits of doing this are that it enables one to determine if a binary has been modified and who created it. <application>bsign</application> uses GPG, <application>elfsign</application> uses PKI (X.509) certificates (OpenSSL)."
msgstr ""
msgid "Setting up setuid check"
msgstr ""
msgid "The Debian <application>checksecurity</application> package provides a <command>cron</command> job that runs daily in <filename>/etc/cron.daily/checksecurity</filename> <footnote><para>In previous releases, checksecurity was integrated into cron and the file was <filename>/etc/cron.daily/standard</filename></para></footnote>. This <command>cron</command> job will run the <command>/usr/sbin/checksecurity</command> script that will store information of this changes."
msgstr ""
msgid "The default behavior does not send this information to the superuser but, instead keeps daily copies of the changes in <filename>/var/log/setuid.changes</filename>. You should set the MAILTO variable (in <filename>/etc/checksecurity.conf</filename>) to 'root' to have this information mailed to the superuser. See <citerefentry><refentrytitle>checksecurity</refentrytitle> <manvolnum>8</manvolnum></citerefentry> manual page for more configuration info."
msgstr ""
msgid "Securing network access"
msgstr ""
msgid "FIXME: More (Debian-specific) content needed."
msgstr ""
msgid "Configuring kernel network features"
msgstr ""
msgid "Many features of the kernel can be modified while running by echoing something into the <filename>/proc</filename> file system or by using <command>sysctl</command>. By entering <command>/sbin/sysctl</command> <literal>-A</literal> you can see what you can configure and what the options are, and it can be modified running"
msgstr ""
msgid "<userinput>/sbin/sysctl -w variable=value</userinput>"
msgstr ""
msgid "(see <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>). Only in rare cases do you need to edit something here, but you can increase security that way as well. For example:"
msgstr ""
msgid "\n"
"net/ipv4/icmp_echo_ignore_broadcasts = 1"
msgstr ""
msgid "This is a <emphasis>Windows emulator</emphasis> because it acts like Windows on broadcast ping if this option is set to 1. That is, ICMP echo requests sent to the broadcast address will be ignored. Otherwise, it does nothing."
msgstr ""
msgid "If you want to prevent you system from answering ICMP echo requests, just enable this configuration option:"
msgstr ""
msgid "\n"
"net/ipv4/icmp_echo_ignore_all = 1"
msgstr ""
msgid "To log packets with impossible addresses (due to wrong routes) on your network use:"
msgstr ""
msgid "\n"
"/proc/sys/net/ipv4/conf/all/log_martians = 1"
msgstr ""
msgid "For more information on what things can be done with <filename>/proc/sys/net/ipv4/*</filename> read <filename>/usr/src/linux/Documentation/filesystems/proc.txt</filename>. All the options are described thoroughly under <filename>/usr/src/linux/Documentation/networking/ip-sysctl.txt</filename> <footnote><para>In Debian the <application>kernel-source-<varname>version</varname></application> packages copy the sources to <filename>/usr/src/kernel-source-<varname>version</varname>.tar.bz2</filename>, just substitute <varname>version</varname> to whatever kernel version sources you have installed</para></footnote>."
msgstr ""
msgid "Configuring syncookies"
msgstr ""
msgid "This option is a double-edged sword. On the one hand it protects your system against syn packet flooding; on the other hand it violates defined standards (RFCs)."
msgstr ""
msgid "\n"
"net/ipv4/tcp_syncookies = 1"
msgstr ""
msgid "If you want to change this option each time the kernel is working you need to change it in <filename>/etc/network/options</filename> by setting <literal>syncookies=yes</literal>. This will take effect when ever <filename>/etc/init.d/networking</filename> is run (which is typically done at boot time) while the following will have a one-time effect until the reboot:"
msgstr ""
msgid "\n"
"echo 1 > /proc/sys/net/ipv4/tcp_syncookies "
msgstr ""
msgid "This option will only be available if the kernel is compiled with the <literal>CONFIG_SYNCOOKIES</literal>. All Debian kernels are compiled with this option builtin but you can verify it running:"
msgstr ""
msgid ""
"\n"
"$ sysctl -A |grep syncookies\n"
"net/ipv4/tcp_syncookies = 1"
msgstr ""
msgid "For more information on TCP syncookies read <ulink url=\"http://cr.yp.to/syncookies.html\" />."
msgstr ""
msgid "Securing the network on boot-time"
msgstr ""
msgid "When setting configuration options for the kernel networking you need configure it so that it's loaded every time the system is restarted. The following example enables many of the previous options as well as other useful options."
msgstr ""
msgid "There are actually two ways to configure your network at boot time. You can configure <filename>/etc/sysctl.conf</filename> (see: <citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) or introduce a script that is called when the interface is enabled. The first option will be applied to all interfaces, whileas the second option allows you to configure this on a per-interface basis."
msgstr ""
msgid "An example of a <filename>/etc/sysctl.conf</filename> configuration that will secure some network options at the kernel level is shown below. Notice the comment in it, <filename>/etc/network/options</filename> might override some values if they contradict those in this file when the <filename>/etc/init.d/networking</filename> is run (which is later than <filename>procps</filename> on the startup sequence)."
msgstr ""
msgid ""
"\n"
"#\n"
"# /etc/sysctl.conf - Configuration file for setting system variables\n"
"# See sysctl.conf (5) for information. Also see the files under\n"
"# Documentation/sysctl/, Documentation/filesystems/proc.txt, and\n"
"# Documentation/networking/ip-sysctl.txt in the kernel sources \n"
"# (/usr/src/kernel-$version if you have a kernel-package installed)\n"
"# for more information of the values that can be defined here.\n"
"\n"
"#\n"
"# Be warned that /etc/init.d/procps is executed to set the following\n"
"# variables. However, after that, /etc/init.d/networking sets some\n"
"# network options with builtin values. These values may be overridden\n"
"# using /etc/network/options.\n"
"#\n"
"#kernel.domainname = example.com\n"
"\n"
"# Additional settings - adapted from the script contributed\n"
"# by Dariusz Puchala (see below)\n"
"# Ignore ICMP broadcasts\n"
"net/ipv4/icmp_echo_ignore_broadcasts = 1\n"
"#\n"
"# Ignore bogus ICMP errors\n"
"net/ipv4/icmp_ignore_bogus_error_responses = 1\n"
"# \n"
"# Do not accept ICMP redirects (prevent MITM attacks)\n"
"net/ipv4/conf/all/accept_redirects = 0\n"
"# _or_\n"
"# Accept ICMP redirects only for gateways listed in our default\n"
"# gateway list (enabled by default)\n"
"# net/ipv4/conf/all/secure_redirects = 1\n"
"#\n"
"# Do not send ICMP redirects (we are not a router)\n"
"net/ipv4/conf/all/send_redirects = 0\n"
"#\n"
"# Do not forward IP packets (we are not a router)\n"
"# Note: Make sure that /etc/network/options has 'ip_forward=no'\n"
"net/ipv4/conf/all/forwarding = 0\n"
"#\n"
"# Enable TCP Syn Cookies\n"
"# Note: Make sure that /etc/network/options has 'syncookies=yes'\n"
"net/ipv4/tcp_syncookies = 1\n"
"#\n"
"# Log Martian Packets\n"
"net/ipv4/conf/all/log_martians = 1\n"
"#\n"
"# Turn on Source Address Verification in all interfaces to\n"
"# prevent some spoofing attacks\n"
"# Note: Make sure that /etc/network/options has 'spoofprotect=yes'\n"
"net/ipv4/conf/all/rp_filter = 1\n"
"#\n"
"# Do not accept IP source route packets (we are not a router)\n"
"net/ipv4/conf/all/accept_source_route = 0"
msgstr ""
msgid "To use the script you need to first create the script, for example, in <filename>/etc/network/interface-secure</filename> (the name is given as an example) and call it from <filename>/etc/network/interfaces</filename> like this:"
msgstr ""
msgid ""
"\n"
"auto eth0\n"
"iface eth0 inet static\n"
" address xxx.xxx.xxx.xxx\n"
" netmask 255.255.255.xxx\n"
" broadcast xxx.xxx.xxx.xxx\n"
" gateway xxx.xxx.xxx.xxx\n"
" pre-up /etc/network/interface-secure"
msgstr ""
msgid "In this example, before the interface eth0 is enabled the script will be called to secure all network interfaces as shown below."
msgstr ""
msgid ""
"\n"
"#!/bin/sh -e\n"
"# Script-name: /etc/network/interface-secure\n"
"#\n"
"# Modifies some default behavior in order to secure against \n"
"# some TCP/IP spoofing & attacks for all interfaces.\n"
"#\n"
"# Contributed by Dariusz Puchalak.\n"
"#\n"
"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \n"
" # Broadcast echo protection enabled.\n"
"echo 0 > /proc/sys/net/ipv4/conf/all/forwarding\n"
" # IP forwarding disabled.\n"
"echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookies protection enabled.\n"
"echo 1 >/proc/sys/net/ipv4/conf/all/log_martians # Log strange packets.\n"
"# (this includes spoofed packets, source routed packets, redirect packets)\n"
"# but be careful with this on heavy loaded web servers.\n"
"echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses \n"
" # Bad error message protection enabled.\n"
"\n"
"# IP spoofing protection.\n"
"echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n"
"\n"
"# Disable ICMP redirect acceptance.\n"
"echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n"
"\n"
"# Disable source routed packets.\n"
"echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"exit 0"
msgstr ""
msgid "Notice that you can actually have per-interface scripts that will enable different network options for different interfaces (if you have more than one), just change the pre-up line to:"
msgstr ""
msgid "\n"
"pre-up /etc/network/interface-secure $IFACE"
msgstr ""
msgid "And use a script which will only apply changes to a specific interface, not to all of the interfaces available. Notice that some networking options can only be enabled globally, however. A sample script is this one:"
msgstr ""
msgid ""
"\n"
"#!/bin/sh -e\n"
"# Script-name: /etc/network/interface-secure\n"
"#\n"
"# Modifies some default behavior in order to secure against \n"
"# some TCP/IP spoofing & attacks for a given interface.\n"
"#\n"
"# Contributed by Dariusz Puchalak.\n"
"#\n"
"\n"
"IFACE=$1\n"
"if [ -z \"$IFACE\" ] ; then\n"
" echo \"$0: Must give an interface name as argument!\"\n"
" echo \"Usage: $0 <interface>\"\n"
" exit 1\n"
"fi\n"
"\n"
"if [ ! -e /proc/sys/net/ipv4/conf/$IFACE/ ]; then\n"
" echo \"$0: Interface $IFACE does not exit (cannot find /proc/sys/net/ipv4/conf/)\"\n"
" exit 1\n"
"fi\n"
"\n"
"echo 0 > /proc/sys/net/ipv4/conf/$IFACE/forwarding # IP forwarding disabled.\n"
"echo 1 >/proc/sys/net/ipv4/conf/$IFACE/log_martians # Log strange packets.\n"
"# (this includes spoofed packets, source routed packets, redirect packets)\n"
"# but be careful with this on heavy loaded web servers.\n"
"\n"
"# IP spoofing protection.\n"
"echo 1 > /proc/sys/net/ipv4/conf/$IFACE/rp_filter\n"
"\n"
"# Disable ICMP redirect acceptance.\n"
"echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_redirects\n"
"echo 0 > /proc/sys/net/ipv4/conf/$IFACE/send_redirects\n"
"\n"
"# Disable source routed packets.\n"
"echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_source_route\n"
"\n"
"exit 0"
msgstr ""
msgid "An alternative solution is to create an <filename>init.d</filename> script and have it run on bootup (using <command>update-rc.d</command> to create the appropriate <filename>rc.d</filename> links)."
msgstr ""
msgid "Configuring firewall features"
msgstr ""
msgid "In order to have firewall capabilities, either to protect the local system or others <emphasis>behind</emphasis> it, the kernel needs to be compiled with firewall capabilities. The standard Debian 2.2 kernel (Linux 2.2) provides the packet filter <command>ipchains</command> firewall, Debian 3.0 standard kernel (Linux 2.4) provides the <emphasis>stateful</emphasis> packet filter <command>iptables</command> (netfilter) firewall."
msgstr ""
msgid "In any case, it is pretty easy to use a kernel different from the one provided by Debian. You can find pre-compiled kernels as packages you can easily install in the Debian system. You can also download the kernel sources using the <application>kernel-source-<varname>X</varname></application> and build custom kernel packages using <command>make-kpkg</command> from the <application>kernel-package</application> package."
msgstr ""
msgid "Setting up firewalls in Debian is discussed more thoroughly in <xref linkend=\"firewall-setup\" />."
msgstr ""
msgid "Disabling weak-end hosts issues"
msgstr ""
msgid "Systems with more than one interface on different networks can have services configured so that they will bind only to a given IP address. This usually prevents access to services when requested through any other address. However, this does not mean (although it is a common misconception) that the service is bound to a given <emphasis>hardware</emphasis> address (interface card). <footnote><para> To reproduce this (example provided by Felix von Leitner on the Bugtraq mailing list): <screen> host a (eth0 connected to eth0 of host b): ifconfig eth0 10.0.0.1 ifconfig eth1 23.0.0.1 tcpserver -RHl localhost 23.0.0.1 8000 echo fnord host b: ifconfig eth0 10.0.0.2 route add 23.0.0.1 gw 10.0.0.1 telnet 23.0.0.1 8000 </screen></para></footnote>"
msgstr ""
msgid "It seems, however, not to work with services bound to 127.0.0.1, you might need to write the tests using raw sockets."
msgstr ""
msgid "This is not an ARP issue and it's not an RFC violation (it's called <emphasis>weak end host</emphasis> in <ulink url=\"ftp://ftp.isi.edu/in-notes/rfc1122.txt\">RFC1122</ulink>, (in the section 3.3.4.2). Remember, IP addresses have nothing to do with physical interfaces."
msgstr ""
msgid "On 2.2 (and previous) kernels this can be fixed with:"
msgstr ""
msgid ""
"\n"
"# echo 1 > /proc/sys/net/ipv4/conf/all/hidden\n"
"# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden\n"
"# echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden\n"
"....."
msgstr ""
msgid "On later kernels this can be fixed either with:"
msgstr ""
msgid "iptables rules."
msgstr ""
msgid "properly configured routing. <footnote><para> The fact that this behavior can be changed through routing was described by Matthew G. Marsh in the Bugtraq thread: <screen> eth0 = 1.1.1.1/24 eth1 = 2.2.2.2/24 ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000 ip rule add from 2.2.2.2/32 dev lo table 2 prio 16000 ip route add default dev eth0 table 1 ip route add default dev eth1 table 2 </screen> </para></footnote>"
msgstr ""
msgid "kernel patching. <footnote><para> There are some patches available for this behavior as described in Bugtraq's thread at <ulink url=\"http://www.linuxvirtualserver.org/~julian/#hidden\" /> and <ulink url=\"http://www.fefe.de/linux-eth-forwarding.diff\" />. </para></footnote>"
msgstr ""
msgid "Along this text there will be many occasions in which it is shown how to configure some services (sshd server, apache, printer service...) in order to have them listening on any given address, the reader should take into account that, without the fixes given here, the fix would not prevent accesses from within the same (local) network. <footnote><para> An attacker might have many problems pulling the access through after configuring the IP-address binding while not being on the same broadcast domain (same network) as the attacked host. If the attack goes through a router it might be quite difficult for the answers to return somewhere. </para></footnote>"
msgstr ""
msgid "FIXME: Comments on Bugtraq indicate there is a Linux specific method to bind to a given interface."
msgstr ""
msgid "FIXME: Submit a bug against netbase so that the routing fix is standard behavior in Debian?"
msgstr ""
msgid "Protecting against ARP attacks"
msgstr ""
msgid "When you don't trust the other boxes on your LAN (which should always be the case, because it's the safest attitude) you should protect yourself from the various existing ARP attacks."
msgstr ""
msgid "As you know the ARP protocol is used to link IP addresses to MAC addresses (see <ulink name=\"RFC826\" url=\"ftp://ftp.isi.edu/in-notes/rfc826.txt\" /> for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then if the IP isn't present in the cache by broadcasting an ARP query) to find the target's hardware address. All the ARP attacks aim to fool your box into thinking that box B's IP address is associated to the intruder's box's MAC address; Then every packet that you want to send to the IP associated to box B will be send to the intruder's box..."
msgstr ""
msgid "Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exists, such as <command>arpspoof</command> from the <application>dsniff</application> package or <ulink name=\"arpoison\" url=\"http://arpoison.sourceforge.net/\" />."
msgstr ""
msgid "However, there is always a solution:"
msgstr ""
msgid "Use a static ARP cache. You can set up \"static\" entries in your ARP cache with:"
msgstr ""
msgid ""
"\n"
" arp -s host_name hdwr_addr \n"
" "
msgstr ""
msgid "By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don't expire and can't be modified) and spoofed ARP replies will be ignored."
msgstr ""
msgid "Detect suspicious ARP traffic. You can use <application>arpwatch</application>, <application>karpski</application> or more general IDS that can also detect suspicious ARP traffic (<application>snort</application>, <ulink name=\"prelude\" url=\"http://www.prelude-ids.org\" />...)."
msgstr ""
msgid "Implement IP traffic filtering validating the MAC address."
msgstr ""
msgid "Taking a snapshot of the system"
msgstr ""
msgid "Before putting the system into production system you could take a snapshot of the whole system. This snapshot could be used in the event of a compromise (see <xref linkend=\"after-compromise\" />). You should remake this upgrade whenever the system is upgraded, especially if you upgrade to a new Debian release."
msgstr ""
msgid "For this you can use a writable removable-media that can be set up read-only, this could be a floppy disk (read protected after use), a CD on a CD-ROM unit (you could use a rewritable CD-ROM so you could even keep backups of md5sums in different dates), or a USB disk or MMC card (if your system can access those and they can be write protected)."
msgstr ""
msgid "The following script creates such a snapshot:"
msgstr ""
msgid ""
"\n"
"#!/bin/bash\n"
"/bin/mount /dev/fd0 /mnt/floppy\n"
"trap \"/bin/umount /dev/fd0\" 0 1 2 3 9 13 15\n"
"if [ ! -f /usr/bin/md5sum ] ; then\n"
" echo \"Cannot find md5sum. Aborting.\"\n"
" exit 1\n"
"fi\n"
"/bin/cp /usr/bin/md5sum /mnt/floppy\n"
"echo \"Calculating md5 database\"\n"
">/mnt/floppy/md5checksums.txt\n"
"for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n"
"do\n"
" find $dir -type f | xargs /usr/bin/md5sum >>/mnt/floppy/md5checksums-lib.txt\n"
"done\n"
"echo \"post installation md5 database calculated\"\n"
"if [ ! -f /usr/bin/sha1sum ] ; then\n"
" echo \"Cannot find sha1sum\"\n"
" echo \"WARNING: Only md5 database will be stored\"\n"
"else\n"
" /bin/cp /usr/bin/sha1sum /mnt/floppy\n"
" echo \"Calculating SHA-1 database\"\n"
" >/mnt/floppy/sha1checksums.txt\n"
" for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n"
" do\n"
" find $dir -type f | xargs /usr/bin/sha1sum >>/mnt/floppy/sha1checksums-lib.txt\n"
" done\n"
" echo \"post installation sha1 database calculated\"\n"
"fi\n"
"exit 0"
msgstr ""
msgid "Note that the md5sum binary (and sha1sum, if available) is placed on the floppy drive so it can be used later on to check the binaries of the system (just in case it gets trojaned). However, if you want to make sure that you are running a legitimate binary, you might want to either compile a static copy of the md5sum binary and use that one (to prevent a trojaned libc library from interfering with the binary) or to use the snapshot of md5sums only from a clean environment such as a rescue CD-ROM or a Live-CD (to prevent a trojaned kernel from interfering). I cannot stress this enough: if you are on a compromised system you cannot trust its output, see <xref linkend=\"after-compromise\" />."
msgstr ""
msgid "The snapshot does not include the files under <filename>/var/lib/dpkg/info</filename> which includes the MD5 hashes of installed packages (in files ending with <filename>.md5sums</filename>). You could copy this information along too, however you should notice:"
msgstr ""
msgid "the md5sums files include the md5sum of all files provided by the Debian packages, not just system binaries. As a consequence, that database is bigger (5 Mb versus 600 Kb in a Debian GNU/Linux system with a graphical system and around 2.5 Gb of software installed) and will not fit in small removable media (like a single floppy disk, but would probably fit in a removable USB memory)."
msgstr ""
msgid "not all Debian packages provide md5sums for the files installed since it is not (currently) mandated policy. Notice, however, that you can generate the md5sums for all packages using <application>debsums</application> after you've finished the system installation:"
msgstr ""
msgid "\n"
"# debsums --generate=missing,keep"
msgstr ""
msgid "Once the snapshot is done you should make sure to set the medium read-only. You can then store it for backup or place it in the drive and use it to drive a <command>cron</command> check nightly comparing the original md5sums against those on the snapshot."
msgstr ""
msgid "If you do not want to setup a manual check you can always use any of the integrity systems available that will do this and more, for more information please read <xref linkend=\"periodic-integrity\" />."
msgstr ""
msgid "Other recommendations"
msgstr ""
msgid "Do not use software depending on svgalib"
msgstr ""
msgid "SVGAlib is very nice for console lovers like me, but in the past it has been proven several times that it is very insecure. Exploits against <command>zgv</command> were released, and it was simple to become root. Try to prevent using SVGAlib programs wherever possible."
msgstr ""
|