Protecting Debian during installation and securing network services.
- This manual describes the security of the Debian GNU/Linux operating system and within the Debian project. It starts with the process of securing and hardening the.
- Package: www.debian.org Version: N/A; reported 2002-04-30 Severity: important Tags: security In the Securing Debian Manual, there is no mention of how to deactivate the.
- 5.1 Securing ssh. If you are still running telnet instead of ssh, you should take a break from this manual and change this. Ssh should be used for all remote logins.
11.1.1 Is Debian more secure than X? A system is only as secure as its administrator is capable of making it. Debian tries to install services in a secure-by-default way.
Securing Debian Manual - After the compromise (incident response). General behavior. If you are physically present when an attack is happening, your first response. Disabling the network at layer 1 is the only true way to keep the attacker out of the. Phillip Hofmeister's wise advice). However, some tools installed by rootkits, trojans and, even, a rogue user. Seeing a rm -rf / executed when you unplug the.
11.1 General behavior. If you are physically present when an attack is happening, your first response should be to remove the machine from the network by unplugging. Securing Debian Manual 2.5 (beta) 29 August 2002, Sat 12:23:36 +0200, Javier Fernández-Sanguino Peña [email protected].
If you are unwilling to take. This may be extreme but, in fact, will avoid any logic bomb that the. In this case, the compromised system. Either the hard disks should be moved to. CD-ROM) to boot. You should not use Debian's rescue disks.
Alt+F2 will take you to it) to analyze [7. The most recommended method for recovering a compromised system is to use a. CD-ROM with all the tools (and kernel modules) you might. You can use the. mkinitrd-cd package to build such a CD-ROM[7.
You might find the FIRE (previously called Biatchux) CD-ROM useful here too, since it is also a live CD-ROM with forensic tools. There is not (yet) a Debian-based tool such as. CD-ROM using your own selection of Debian.
CD-ROMs). If you really want to fix the compromise quickly, you should remove the. Of course, this may not be effective because you will not learn how. For that case, you must check. For more information on what to do following a break-in, see CERT's Steps for Recovering from a UNIX or NT System Compromise or SANS's Incident Handling.
Some common questions on how to handle a compromised Debian GNU/Linux system. My system is vulnerable! Are you sure?), Section 1. Backing up the system. Remember that if you are sure the system has been compromised you cannot trust. Applications might have been trojanized, kernel modules might be installed. The best thing to do is a complete file system backup copy (using.
Debian GNU/Linux CD-ROMs. Alt+2 and pressing Enter). From this shell, back up the information to another host if possible (maybe a network file. NFS/FTP). Then any analysis of the compromise or.
If you are sure that the only compromise is a Trojan kernel module, you can try. Debian CD-ROM in rescue mode. Make sure to start up in single-user mode, so that no other Trojan processes run. Contact your local CERT. The CERT (Computer and Emergency Response Team) is an organization that can. There are CERTs worldwide [7.
CERT in the event of a security incident which has led to a system. The people at your local CERT can help you recover from it. Providing your local CERT (or the CERT coordination center) with information on. This information is used in order to. Internet community with information on the current security incidents. For more detailed information on how (and why) to report an incident, read.
Incident Reporting Guidelines. You can also use less formal mechanisms if you need help for recovering from a. This includes the incidents mailing. Intrusions mailing. Forensic analysis.
If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which. See the included documentation for more information. These same utilities and some others can be found in Sleuthkit and Autopsy by Brian Carrier, which provides a web front-end for forensic analysis of disk images. In Debian you can find both sleuthkit (the tools) and.
Remember that forensic analysis should always be done on the backup copy of. You will find more information on forensic analysis in Dan Farmer's and Wietse Venema's Forensic Discovery book (available online), as well as in their Computer Forensics Column and their Computer Forensic Analysis Class handouts. Brian Carrier's newsletter The Sleuth Kit Informer is also a very good resource on forensic analysis tips. Finally, the Honeynet Challenges are an excellent way to hone your forensic analysis.
FIXME: This paragraph will hopefully provide more information about forensics. Debian system in the coming future. FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD. FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse. David Dittrich's papers). Analysis of malware.
Some other tools that can be used for forensic analysis provided in the Debian. Any of these packages can be used to analyze rogue binaries (such as back. Some other common tools include ldd (in libc. If you try to do forensic analysis with back doors or suspected binaries. Otherwise your own system. If you are interested in malware analysis then you should read the Malware Analysis Basics chapter of Dan Farmer's and Wietse Venema's.
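The "applications might have been trojanized" point and the debsums FIXME above both come down to one check: compare the files on a separately mounted copy of the compromised disk against hashes from a trusted medium. The following POSIX sh routine is an added example, not code from the manual or from debsums; it reads the same "<md5>  <relative path>" list format that dpkg's *.md5sums files use, and the fixture directory, file names and function names are constructed for the demonstration.

```shell
#!/bin/sh
# verify_md5sums: check files under a mounted, read-only copy of a suspect
# root against a trusted md5sums list (format "<md5>  <relative path>",
# as in /var/lib/dpkg/info/*.md5sums). Run from a clean system, never on
# the compromised one, whose md5sum binary itself may be trojaned.
# Prints "MODIFIED <path>" or "MISSING <path>" per problem.
# Returns 0 when every listed file matches, 1 otherwise.
verify_md5sums() {
    list=$1; root=$2; bad=0
    while read -r want path; do
        [ -z "$path" ] && continue            # skip blank lines
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        have=$(md5sum "$f" | cut -d' ' -f1)   # hash from the clean host
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$list"
    return $bad
}

# Constructed fixture (assumption, not a real system): a fake mounted root
# and a trusted list, then one binary replaced and one deleted afterwards,
# the way a rootkit would alter a system after the package hashes were made.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/root/bin" "$fx/root/sbin"
    printf 'genuine ls\n'   > "$fx/root/bin/ls"
    printf 'genuine ps\n'   > "$fx/root/bin/ps"
    printf 'genuine init\n' > "$fx/root/sbin/init"
    (cd "$fx/root" && md5sum bin/ls bin/ps sbin/init) > "$fx/trusted.md5sums"
    printf 'trojaned ps\n'  > "$fx/root/bin/ps"   # tampered after hashing
    rm "$fx/root/sbin/init"                       # removed after hashing
    echo "$fx"
}

# Stand-alone use: verify_md5sums.sh <trusted list> <mount point of copy>
if [ "$#" -eq 2 ]; then
    verify_md5sums "$1" "$2"
fi
```

Point it at the md5sums taken from the installation CD (or from a clean reinstall of the same package versions) and at the mount point of the disk image, not at the live root of the compromised machine.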
Securing Debian Manual. Version: 3.1.3, Sun, 0. Apr 2012 0. 2: 4. Javier Fernández-Sanguino Peña jfs@debian. Authors, Section 1.