This document has yet to be updated based on the latest Debian releases. The default configuration of some packages need to be adapted as they have been modified since this document was written.
Write about remote monitoring tools (to check for system availability) such as
monit,
daemontools and
mon. See
Sysamin Guide.
Consider writing a section on how to build Debian-based network appliances (with information such as the base system, equivs and FAI).
Check if
this site has relevant info not yet covered here.
Add information on how to set up a laptop with Debian,
look here.
Add information on how to set up a firewall using Debian GNU/Linux. The section regarding firewalling is oriented currently towards a single system (not protecting others...) also talk on how to test the setup.
Add information on setting up a proxy firewall with Debian GNU/Linux stating specifically which packages provide proxy services (like xfwp, ftp-proxy, redir, smtpd, dnrd, jftpgw, oops, pdnsd, perdition, transproxy, tsocks). Should point to the manual for any other info. Note that zorp is now available as a Debian package and is a proxy firewall (they also provide Debian packages upstream).
Information on service configuration with file-rc.
Check all the reference URLs and remove/fix those no longer available.
Add information on available replacements (in Debian) for common servers which are useful for limited functionality. Examples:
local lpr with cups (package)?
remote lrp with lpr
bind with dnrd/maradns
apache with dhttpd/thttpd/wn (tux?)
exim/sendmail with ssmtpd/smtpd/postfix
squid with tinyproxy
ftpd with oftpd/vsftp
...
More information regarding security-related kernel patches in Debian, including the ones shown above and specific information on how to enable these patches in a Debian system.
Details of turning off unnecessary network services (besides inetd
), it is partly in the hardening procedure but could be broadened a bit.
Information regarding password rotation which is closely related to policy.
Policy, and educating users about policy.
More about tcpwrappers, and wrappers in general?
hosts.equiv
and other major security holes.
Issues with file sharing servers such as Samba and NFS?
suidmanager/dpkg-statoverrides.
lpr and lprng.
Switching off the GNOME IP things.
Talk about programs to make chroot jails. compartment and chrootuid are waiting in incoming. Some others (makejail, jailer) could also be introduced.
More information regarding log analysis software (i.e. logcheck and logcolorise).
'advanced' routing (traffic policing is security related).
limiting ssh
access to running certain commands.
using dpkg-statoverride.
secure ways to share a CD burner among users.
secure ways of providing networked sound in addition to network display capabilities (so that X clients' sounds are played on the X server's sound hardware).
securing web browsers.
setting up ftp over ssh
.
using crypto loopback file systems.
ncrypting the entire file system.
steganographic tools.
setting up a PKA for an organization.
using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at
http://www.bayour.com written by Turbo Fredrikson.
How to remove information of reduced utility in production systems such as /usr/share/doc
, /usr/share/man
(yes, security by obscurity).
Add information on running multiple snort
sensors in a given system (check bug reports sent to snort).
Add information on setting up a honeypot (honeyd).
Describe situation wrt to FreeSwan (orphaned) and OpenSwan. VPN section needs to be rewritten.
Add a specific section about databases, current installation defaults and how to secure access.
Add a section about the usefulness of virtual servers (Xen et al).
Explain how to use some integrity checkers (AIDE, integrit or samhain). The basics are simple and could even explain some configuration improvements.