This document has yet to be updated based on the latest Debian releases. The default configuration of some packages need to be adapted as they have been modified since this document was written.
Write about remote monitoring tools (to check for system availability) such as
monit,
daemontools and
mon. See
Sysamin Guide.
考虑添加关于如何构建基于 Debian 的网络应用的部分(以及如基本系统, equivs 和 FAI 一类的信息).
Check if
this site has relevant info not yet covered here.
Add information on how to set up a laptop with Debian,
look here.
增加使用 Debian GNU/Linux 配置防火墙的内容. 此部分假定要保护的是单系统(不保护其他...)并就如何测试设定进行讨论.
Add information on setting up a proxy firewall with Debian GNU/Linux stating specifically which packages provide proxy services (like xfwp, ftp-proxy, redir, smtpd, dnrd, jftpgw, oops, pdnsd, perdition, transproxy, tsocks). Should point to the manual for any other info. Note that zorp is now available as a Debian package and is a proxy firewall (they also provide Debian packages upstream).
Information on service configuration with file-rc.
检查所有参考 URL, 删除/修正不再可用的部分.
增加关于对一般服务器进行功能限制性替换方面的内容(Debian)。例如:
Debian 中更多有关内核安全补丁的内容, 包括上边提到的和具体如何使用这些补丁应用到 Debian 系统中的内容.
禁用不必要的网络服务(包括 inetd
)的内容, 这属于程序安全化部分, 但可以涉及的更广一点.
有关口令转换的内容,这与策略关系更密切.
策略,和用户培训策略.
更多关于 tcpwrappers, 和 wrappers 的内容?
hosts.equiv
以及其它主要安全漏洞.
文件共享服务方面的问题如 Samba 和 NFS?
suidmanager/dpkg-statoverrides.
lpr 和 lprng.
Switching off the GNOME IP things.
Talk about programs to make chroot jails. compartment and chrootuid are waiting in incoming. Some others (makejail, jailer) could also be introduced.
更多关于日志分析软件的内容 (即 logcheck 和 logcolorise).
'advanced' routing (traffic policing is security related).
限制 ssh
对于某些运行命令的访问.
dpkg-statoverride 的使用.
对用户共享 CD 刻录机的安全方法.
secure ways of providing networked sound in addition to network display capabilities (so that X clients' sounds are played on the X server's sound hardware).
安全的网络浏览器.
在 ssh
上设置 ftp.
使用加密回环文件系统.
ncrypting the entire file system.
steganographic 工具.
为一个组织设置 PKA .
using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at
http://www.bayour.com written by Turbo Fredrikson.
How to remove information of reduced utility in production systems such as /usr/share/doc
, /usr/share/man
(yes, security by obscurity).
Add information on running multiple snort
sensors in a given system (check bug reports sent to snort).
Add information on setting up a honeypot (honeyd).
Describe situation wrt to FreeSwan (orphaned) and OpenSwan. VPN section needs to be rewritten.
Add a specific section about databases, current installation defaults and how to secure access.
Add a section about the usefulness of virtual servers (Xen et al).
Explain how to use some integrity checkers (AIDE, integrit or samhain). The basics are simple and could even explain some configuration improvements.