FIXME: More content needed.
Debian also provides a number of security tools that can make a Debian box suitable for security purposes. These purposes include protection of information systems through firewalls (either packet or application-level), intrusion detection (both network and host based), vulnerability assessment, antivirus, private networks, etc.
Since Debian 3.0 (woody), the distribution features cryptographic software integrated into the main distribution. OpenSSH and GNU Privacy Guard are included in the default install, and strong encryption is now present in web browsers and web servers, databases, and so forth. Further integration of cryptography is planned for future releases. Before then, due to export restrictions in the US, this software was not distributed along with the main distribution but was included only in non-US sites.
The tools provided by Debian to perform remote vulnerability assessment are: [59]
nessus
raccess
nikto (whisker's replacement)
By far, the most complete and up-to-date tool is nessus, which is composed of a client (nessus) used as a GUI and a server (nessusd) which launches the programmed attacks. Nessus includes tests for remote vulnerabilities in quite a number of systems including network appliances, ftp servers, www servers, etc. The latest security plugins are even able to parse a web site and try to discover which interactive pages are available which could be attacked. There are also Java and Win32 clients (not included in Debian) which can be used to contact the management server.
nikto is a web-only vulnerability assessment scanner including anti-IDS tactics (most of which are not anti-IDS anymore). It is one of the best cgi-scanners available, being able to detect a WWW server and launch only a given set of attacks against it. The database used for scanning can be easily modified to provide for new information.
Debian does provide some tools used for remote scanning of hosts (but not vulnerability assessment). These tools are, in some cases, used by vulnerability assessment scanners as the first type of "attack" run against remote hosts in an attempt to determine remote services available. Currently Debian provides:
nmap
xprobe
p0f
knocker
isic
hping2
icmpush
nbtscan (for SMB/NetBIOS audits)
fragrouter
strobe (in the netdiag package)
irpas
While xprobe provides only remote operating system detection (using TCP/IP fingerprinting), nmap and knocker do both operating system detection and port scanning of the remote hosts. On the other hand, hping2 and icmpush can be used for remote ICMP attack techniques.
Designed specifically for SMB networks, nbtscan can be used to scan IP networks and retrieve name information from SMB-enabled servers, including: usernames, network names, MAC addresses...
On the other hand, fragrouter can be used to test network intrusion detection systems and see if the NIDS can be eluded by fragmentation attacks.
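The detection-side reason such a test matters, as an added example that is not part of the manual: a sensor that matches signatures per packet misses content split across fragments, while one that reassembles first does not. The fragment model, the SIGNATURE marker and all traffic are constructed for illustration.

```python
# Added illustration, not code from the Securing Debian Manual.
# A fragment is modelled as (offset, more_fragments, payload); offsets are in
# bytes for readability. SIGNATURE and all traffic below are constructed.
SIGNATURE = b"X-Test-Marker: nids-rule-1"

def fragment(data, size=8):
    """Split a payload into fragment tuples of at most `size` bytes."""
    return [(o, o + size < len(data), data[o:o + size])
            for o in range(0, len(data), size)]

def naive_match(fragments):
    """Per-packet matching: every fragment payload is inspected in isolation."""
    return any(SIGNATURE in payload for _off, _mf, payload in fragments)

def reassemble(fragments):
    """Return (datagram or None, anomalies) for one fragment train."""
    buf, anomalies, total = {}, set(), None
    for offset, more_fragments, payload in fragments:      # arrival order
        if not more_fragments:
            total = offset + len(payload)
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos not in buf:
                buf[pos] = byte        # first-arrived byte wins (one policy of several)
            elif buf[pos] != byte:
                anomalies.add("conflicting-overlap")
    if total is None or any(pos not in buf for pos in range(total)):
        return None, anomalies | {"incomplete"}
    return bytes(buf[pos] for pos in range(total)), anomalies

def reassembling_match(fragments):
    """Alert on a signature in the rebuilt datagram or on ambiguous overlaps,
    since end hosts differ in which overlapping bytes they keep."""
    data, anomalies = reassemble(fragments)
    hit = data is not None and SIGNATURE in data
    return hit or "conflicting-overlap" in anomalies, sorted(anomalies)

REQUEST = b"GET / HTTP/1.0\r\n" + SIGNATURE + b"\r\n\r\n"
WHOLE = [(0, False, REQUEST)]
SPLIT = fragment(REQUEST)
REORDERED = SPLIT[::-1]
OVERLAP = SPLIT[:3] + [(24, True, b"ZZZZZZZZ")] + SPLIT[3:]

if __name__ == "__main__":
    for name, train in [("whole", WHOLE), ("split", SPLIT),
                        ("reordered", REORDERED), ("overlap", OVERLAP)]:
        print(f"{name:10} naive={naive_match(train)} "
              f"reassembling={reassembling_match(train)}")
```

Real IPv4 fragment offsets are expressed in 8-byte units and a production sensor also has to bound reassembly memory and timeouts; both are left out here.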
FIXME: Check Bug #153117 (ITP fragrouter) to see if it's included.
FIXME: add information based on Debian Linux Laptop for Road Warriors, which describes how to use Debian and a laptop to scan for wireless (803.1) networks (link not there any more).
Currently, tiger is the only tool in Debian that can be used to perform an internal (also called white box) audit of hosts in order to determine if the file system is properly set up, which processes are listening on the host, etc.
Debian provides several packages that can be used to audit C/C++ source code programs and find programming errors that might lead to potential security flaws:
flawfinder
rats
splint
pscan
A virtual private network (VPN) is a group of two or more computer systems, typically connected to a private network with limited public network access, that communicate securely over a public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network's topology.
Debian provides quite a few packages to set up encrypted virtual private networks:
vtun
tunnelv (non-US section)
cipe-source, cipe-common
tinc
secvpn
pptpd
openvpn
openswan (http://www.openswan.org/)
FIXME: Update the information here since it was written with FreeSWAN in mind. Check Bug #237764 and Message-Id: <200412101215.04040.rmayr@debian.org>.
The OpenSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.
For more information see the VPN-Masquerade HOWTO (covers IPsec and PPTP), VPN HOWTO (covers PPP over SSH), Cipe mini-HOWTO, and PPP and SSH mini-HOWTO.
Also worth checking out is Yavipin, but no Debian packages seem to be available yet.
If you want to provide a tunneling server for a mixed environment (both Microsoft operating systems and Linux clients) and IPsec is not an option (since it's only provided for Windows 2000 and Windows XP), you can use PoPToP (Point to Point Tunneling Server), provided in the pptpd package.
If you want to use Microsoft's authentication and encryption with the server provided in the ppp package, note the following from the FAQ:
It is only necessary to use PPP 2.3.8 if you want Microsoft compatible MSCHAPv2/MPPE authentication and encryption. The reason for this is that the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP 2.3.8. If you don't need Microsoft compatible authentication/encryption any 2.3.x PPP source will be fine.
However, you also have to apply the kernel patch provided by the kernel-patch-mppe package, which provides the ppp_mppe module for pppd.
Take into account that the encryption in pptp forces you to store user passwords in clear text, and that the MS-CHAPv2 protocol contains known security holes.
Public Key Infrastructure (PKI) is a security architecture introduced to provide an increased level of confidence for exchanging information over insecure networks. It makes use of the concept of public and private cryptographic keys to verify the identity of the sender (signing) and to ensure privacy (encryption).
When considering a PKI, you are confronted with a wide variety of issues:
a Certificate Authority (CA) that can issue and verify certificates, and that can work under a given hierarchy.
a Directory to hold user's public certificates.
a Database (?) to maintain Certificate Revocation Lists (CRL).
devices that interoperate with the CA in order to print out smart cards/USB tokens/whatever to securely store certificates.
certificate-aware applications that can use certificates issued by a CA to enroll in encrypted communication and check given certificates against CRL (for authentication and full Single Sign On solutions).
a Time stamping authority to digitally sign documents.
a management console from which all of this can be properly used (certificate generation, revocation list control, etc...).
Debian GNU/Linux has software packages to help you with some of these PKI issues. They include OpenSSL (for certificate generation), OpenLDAP (as a directory to hold the certificates), gnupg and openswan (with X.509 standard support). However, as of the Woody release (Debian 3.0), Debian does not have any of the freely available Certificate Authorities such as pyCA, OpenCA or the CA samples from OpenSSL. For more information read the Open PKI book.
Debian does provide some SSL certificates with the distribution so that they can be installed locally. They are found in the ca-certificates package. This package provides a central repository of certificates that have been submitted to Debian and approved (that is, verified) by the package maintainer, useful for any OpenSSL applications which verify SSL connections.
FIXME: read debian-devel to see if there was something added to this.
There are not many anti-virus tools included with Debian GNU/Linux, probably because GNU/Linux users are not plagued by viruses. The Unix security model makes a distinction between privileged (root) processes and user-owned processes, therefore a "hostile" executable that a non-root user receives or creates and then executes cannot "infect" or otherwise manipulate the whole system. However, GNU/Linux worms and viruses do exist, although there has not (yet, hopefully) been any that has spread in the wild over any Debian distribution. In any case, administrators might want to build up anti-virus gateways that protect against viruses arising on other, more vulnerable systems in their network.
Debian GNU/Linux currently provides the following tools for building antivirus environments:
Clam Antivirus, provided since Debian sarge (3.1 release). Packages are provided both for the virus scanner (clamav), for the scanner daemon (clamav-daemon) and for the data files needed for the scanner. Since keeping an antivirus up-to-date is critical for it to work properly there are two different ways to get this data: clamav-freshclam provides a way to update the database through the Internet automatically and clamav-data provides the data files directly. [60]
mailscanner, an e-mail gateway virus scanner and spam detector. Using sendmail or exim as its basis, it can use more than 17 different virus scanning engines (including clamav).
libfile-scan-perl, which provides File::Scan, a Perl extension for scanning files for viruses. This module can be used to make platform independent virus scanners.
Amavis Next Generation, provided in the package amavis-ng and available in sarge, which is a mail virus scanner which integrates with different MTAs (Exim, Sendmail, Postfix, or Qmail) and supports over 15 virus scanning engines (including clamav, File::Scan and openantivirus).
sanitizer, a tool that uses the procmail package, which can scan email attachments for viruses, block attachments based on their filenames, and more.
amavis-postfix, a script that provides an interface from a mail transport agent to one or more commercial virus scanners (this package is built with support for the postfix MTA only).
exiscan, an e-mail virus scanner written in Perl that works with Exim.
blackhole-qmail, a spam filter for Qmail with built-in support for Clamav.
Some gateway daemons already support tool extensions to build antivirus environments, including exim4-daemon-heavy (the heavy version of the Exim MTA), frox (a transparent caching ftp proxy server), messagewall (an SMTP proxy daemon) and pop3vscan (a transparent POP3 proxy).
Debian currently provides clamav as the only antivirus scanning software in the main official distribution and it also provides multiple interfaces to build gateways with antivirus capabilities for different protocols.
Some other free software antivirus projects which might be included in future Debian GNU/Linux releases:
FIXME: Is there a package that provides a script to download the latest virus signatures from http://www.openantivirus.org/latest.php?
FIXME: Check if scannerdaemon is the same as the open antivirus scanner daemon (read ITPs).
However, Debian will never provide proprietary (non-free and undistributable) antivirus software such as: Panda Antivirus, NAI Netshield, Sophos Sweep, TrendMicro Interscan, or RAV. For more pointers see the Linux antivirus software mini-FAQ. This does not mean that this software cannot be installed properly in a Debian system [61].
For more information on how to set up a virus detection system read Dave Jones' article Building an E-mail Virus Detection System for Your Network.
It is very common nowadays to digitally sign (and sometimes encrypt) e-mail. You might, for example, find that many people participating on mailing lists sign their list e-mail. Public key signatures are currently the only means to verify that an e-mail was sent by the sender and not by some other person.
Debian GNU/Linux provides a number of e-mail clients with built-in e-mail signing capabilities that interoperate either with gnupg or pgp:
evolution.
mutt.
kmail.
icedove (rebranded version of Mozilla's Thunderbird) through the Enigmail plugin. This plugin is provided by the enigmail package.
sylpheed. Depending on how the stable version of this package evolves, you may need to use the bleeding edge version, sylpheed-claws.
gnus, which when installed with the mailcrypt package, is an emacs interface to gnupg.
kuvert, which provides this functionality independently of your chosen mail user agent (MUA) by interacting with the mail transport agent (MTA).
Key servers allow you to download published public keys so that you may verify signatures. One such key server is http://wwwkeys.pgp.net. gnupg can automatically fetch public keys that are not already in your public keyring. For example, to configure gnupg to use the above key server, edit the file ~/.gnupg/options and add the following line: [62]
keyserver wwwkeys.pgp.net
Most key servers are linked, so that when your public key is added to one server, the addition is propagated to all the other public key servers. There is also a Debian GNU/Linux package, debian-keyring, that provides all the public keys of the Debian developers. The gnupg keyrings are installed in /usr/share/keyrings/.
For more information:
Securing Debian Manual
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000
jfs@debian.org