[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]


Securing Debian Manual
Chapter 1 - Introduction


One of the hardest things about writing security documents is that every case is unique. Two things you have to pay attention to are the threat environment and the security needs of the individual site, host, or network. For instance, the security needs of a home user are completely different from a network in a bank. While the primary threat a home user needs to face is the script kiddie type of cracker, a bank network has to worry about directed attacks. Additionally, the bank has to protect their customer's data with arithmetic precision. In short, every user has to consider the trade-off between usability and security/paranoia.

Note that this manual only covers issues relating to software. The best software in the world can't protect you if someone can physically access the machine. You can place it under your desk, or you can place it in a hardened bunker with an army in front of it. Nevertheless the desktop computer can be much more secure (from a software point of view) than a physically protected one if the desktop is configured properly and the software on the protected machine is full of security holes. Obviously, you must consider both issues.

This document just gives an overview of what you can do to increase the security of your Debian GNU/Linux system. If you have read other documents regarding Linux security, you will find that there are common issues which might overlap with this document. However, this document does not try to be the ultimate source of information you will be using, it only tries to adapt this same information so that it is meaningful to a Debian GNU/Linux system. Different distributions do some things in different ways (startup of daemons is one example); here, you will find material which is appropriate for Debian's procedures and tools.


1.1 Authors

The current maintainer of this document is Javier Fernández-Sanguino Peña. Please forward him any comments, additions or suggestions, and they will be considered for inclusion in future releases of this manual.

This manual was started as a HOWTO by Alexander Reelsen. After it was published on the Internet, Javier Fernández-Sanguino Peña incorporated it into the Debian Documentation Project. A number of people have contributed to this manual (all contributions are listed in the changelog) but the following deserve special mention since they have provided significant contributions (full sections, chapters or appendices):


1.2 Where to get the manual (and available formats)

You can download or view the latest version of the Securing Debian Manual from the Debian Documentation Project. If you are reading a copy from another site, please check the primary copy in case it provides new information. If you are reading a translation, please review the version the translation refers to to the latest version available. If you find that the version is behind please consider using the original copy or review the Changelog/History, Section 1.6 to see what has changed.

If you want a full copy of the manual you can either download the text version or the PDF version from the Debian Documentation Project's site. These versions might be more useful if you intend to copy the document over to a portable device for offline reading or you want to print it out. Be forewarned, the manual is over two hundred pages long and some of the code fragments, due to the formatting tools used, are not wrapped in the PDF version and might be printed incomplete.

The document is also provided in text, html and PDF formats in the harden-doc package. Notice, however, that the package maybe not be completely up to date with the document provided on the Debian site (but you can always use the source package to build an updated version yourself).

This document is part of the documents distributed by the Debian Documentation Project. You can review the changes introduced in the document using a web browser and obtaining information from the version control logs online. You can also checkout the code using SVN with the following call in the command line:

     svn co svn://svn.debian.org/svn/ddp/manuals/trunk/securing-howto/

1.3 Organizational notes/feedback

Now to the official part. At the moment I (Alexander Reelsen) wrote most paragraphs of this manual, but in my opinion this should not stay the case. I grew up and live with free software, it is part of my everyday use and I guess yours, too. I encourage everybody to send me feedback, hints, additions or any other suggestions you might have.

If you think, you can maintain a certain section or paragraph better, then write to the document maintainer and you are welcome to do it. Especially if you find a section marked as FIXME, that means the authors did not have the time yet or the needed knowledge about the topic. Drop them a mail immediately.

The topic of this manual makes it quite clear that it is important to keep it up to date, and you can do your part. Please contribute.


1.4 Prior knowledge

The installation of Debian GNU/Linux is not very difficult and you should have been able to install it. If you already have some knowledge about Linux or other Unices and you are a bit familiar with basic security, it will be easier to understand this manual, as this document cannot explain every little detail of a feature (otherwise this would have been a book instead of a manual). If you are not that familiar, however, you might want to take a look at Be aware of general security problems, Section 2.2 for where to find more in-depth information.


1.5 Things that need to be written (FIXME/TODO)

This section describes all the things that need to be fixed in this manual. Some paragraphs include FIXME or TODO tags describing what content is missing (or what kind of work needs to be done). The purpose of this section is to describe all the things that could be included in the future in the manual, or enhancements that need to be done (or would be interesting to add).

If you feel you can provide help in contributing content fixing any element of this list (or the inline annotations), contact the main author (Authors, Section 1.1).


1.6 Changelog/History


1.6.1 Version 3.16 (March 2011)

Changes by Javier Fernández-Sanguino Peña.


1.6.2 Version 3.15 (December 2010)

Changes by Javier Fernández-Sanguino Peña.


1.6.3 Version 3.14 (March 2009)

Changes by Javier Fernández-Sanguino Peña.


1.6.4 Version 3.13 (Februrary 2008)

Changes by Javier Fernández-Sanguino Peña.


1.6.5 Version 3.12 (August 2007)

Changes by Javier Fernández-Sanguino Peña.


1.6.6 Version 3.11 (January 2007)

Changes by Javier Fernández-Sanguino Peña. Thanks go to Francesco Poli for his extensive review of the document.


1.6.7 Version 3.10 (November 2006)

Changes by Javier Fernández-Sanguino Peña.


1.6.8 Version 3.9 (October 2006)

Changes by Javier Fernández-Sanguino Peña.


1.6.9 Version 3.8 (July 2006)

Changes by Javier Fernández-Sanguino Peña.


1.6.10 Version 3.7 (April 2006)

Changes by Javier Fernández-Sanguino Peña.


1.6.11 Version 3.6 (March 2006)

Changes by Javier Fernández-Sanguino Peña.


1.6.12 Version 3.5 (November 2005)

Changes by Javier Fernández-Sanguino Peña.


1.6.13 Version 3.4 (August-September 2005)

Changes by Javier Fernández-Sanguino Peña.


1.6.14 Version 3.3 (June 2005)

Changes by Javier Fernández-Sanguino Peña.


1.6.15 Version 3.2 (March 2005)

Changes by Javier Fernández-Sanguino Peña.


1.6.16 Version 3.1 (January 2005)

Changes by Javier Fernández-Sanguino Peña.


1.6.17 Version 3.0 (December 2004)

Changes by Javier Fernández-Sanguino Peña.


1.6.18 Version 2.99 (March 2004)

Changes by Javier Fernández-Sanguino Peña.


1.6.19 Version 2.98 (December 2003)

Changes by Javier Fernández-Sanguino Peña.


1.6.20 Version 2.97 (September 2003)

Changes by Javier Fernández-Sanguino Peña.


1.6.21 Version 2.96 (August 2003)

Changes by Javier Fernández-Sanguino Peña.


1.6.22 Version 2.95 (June 2003)

Changes by Javier Fernández-Sanguino Peña.


1.6.23 Version 2.94 (April 2003)

Changes by Javier Fernández-Sanguino Peña.


1.6.24 Version 2.93 (March 2003)

Changes made by Frédéric Schütz.


1.6.25 Version 2.92 (February 2003)

Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz.


1.6.26 Version 2.91 (January/February 2003)

Changes by Javier Fernández-Sanguino Peña (me).


1.6.27 Version 2.9 (December 2002)

Changes by Javier Fernández-Sanguino Peña (me).


1.6.28 Version 2.8 (November 2002)

Changes by Javier Fernández-Sanguino Peña (me).


1.6.29 Version 2.7 (October 2002)

Changes by Javier Fernández-Sanguino Peña (me). Note: I still have a lot of pending changes in my mailbox (which is currently about 5 Mbs in size).


1.6.30 Version 2.6 (September 2002)

Changes by Chris Tillman, [email protected].


1.6.31 Version 2.5 (September 2002)

Changes by Javier Fernández-Sanguino Peña (me).


1.6.32 Version 2.5 (August 2002)

Changes by Javier Fernández-Sanguino Peña (me). There were many things waiting on my inbox (as far back as February) to be included, so I'm going to tag this the back from honeymoon release :).


1.6.33 Version 2.4

Changes by Javier Fernández-Sanguino Peña.


1.6.34 Version 2.3

Changes by Javier Fernández-Sanguino Peña.


1.6.35 Version 2.3

Changes by Javier Fernández-Sanguino Peña.


1.6.36 Version 2.2

Changes by Javier Fernández-Sanguino Peña.


1.6.37 Version 2.1

Changes by Javier Fernández-Sanguino Peña.


1.6.38 Version 2.0

Changes by Javier Fernández-Sanguino Peña. I wanted to change to 2.0 when all the FIXMEs were fixed but I ran out of 1.9X numbers :(.


1.6.39 Version 1.99

Changes by Javier Fernández-Sanguino Peña.


1.6.40 Version 1.98

Changes by Javier Fernández-Sanguino Peña.


1.6.41 Version 1.97

Changes by Javier Fernández-Sanguino Peña.


1.6.42 Version 1.96

Changes by Javier Fernández-Sanguino Peña.


1.6.43 Version 1.95

Changes by Javier Fernández-Sanguino Peña.


1.6.44 Version 1.94

Changes by Javier Fernández-Sanguino Peña.


1.6.45 Version 1.93

Changes by Javier Fernández-Sanguino Peña.


1.6.46 Version 1.92

Changes by Javier Fernández-Sanguino Peña.


1.6.47 Version 1.91

Changes by Javier Fernández-Sanguino Peña.


1.6.48 Version 1.9

Changes by Javier Fernández-Sanguino Peña.


1.6.49 Version 1.8

Changes by Javier Fernández-Sanguino Peña.


1.6.50 Version 1.7

Changes by Era Eriksson.

Changes by Javier Fernández-Sanguino Peña.


1.6.51 Version 1.6

Changes by Javier Fernández-Sanguino Peña.


1.6.52 Version 1.5

Changes by Josip Rodin and Javier Fernández-Sanguino Peña.


1.6.53 Version 1.4


1.6.54 Version 1.3


1.6.55 Version 1.2


1.6.56 Version 1.1


1.6.57 Version 1.0


1.7 Credits and thanks!


[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]


Securing Debian Manual

Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000

Javier Fernández-Sanguino Peña [email protected]
Authors, Section 1.1