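The hardest thing about writing security documents is that every case is unique. You have to consider the environment and the security needs of the individual site, host, or network. For example, the security needs of a home user are completely different from those of an online bank. The main threat a home user faces comes from script-kiddie type crackers. An online bank has to worry about directed attacks. In addition, the bank must guarantee the accuracy of its customers' data. In short, every user has to make a trade-off between security and usability.
Note that this manual only covers issues relating to software. The best software in the world cannot protect a computer that someone can physically access. You can place the computer under your desk, or in a fortress guarded by an army. Nevertheless, a correctly configured desktop computer can be more secure (from a software point of view) than a heavily guarded one full of security holes. Obviously, you must consider both aspects.
This manual gives only a brief overview of how to increase the security of a Debian GNU/Linux system. If you have read other documents about Linux security, you will find that some general issues overlap with this manual. This manual does not try to be your ultimate source of information; it only tries to present the same issues with information better suited to a Debian GNU/Linux system. Different distributions handle things in different ways (the startup of daemons is one example); you will find that this manual is geared to Debian's procedures and tools.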
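The current maintainer of this manual is Javier Fernández-Sanguino Peña jfs@computer.org.
Please contact him with any comments, additions or suggestions; they will be considered for inclusion in the manual.
This manual started as a HOWTO written by Alexander Reelsen. After it was published on the Internet, Javier Fernández-Sanguino Peña jfs@debian.org incorporated it into the Debian Documentation Project. Many people have contributed to the manual (all contributions are listed in the changelog), and the following people deserve special mention for their significant contributions (complete sections, chapters or appendices):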
Stefano Canepa
Era Eriksson
Carlo Perassi
Alexandre Ratti
Jaime Robles
Yotam Rubin
Frederic Schutz
Pedro Zorzenon Neto
Oohara Yuuma
Davor Ocelic
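You can download or view the latest version of the Securing Debian Manual from the Debian Documentation Project.
If you are reading a copy obtained from another site, please check the main site for the latest information.
If you are reading a translation, please refer to the latest original version. If your version is old, consider using the original version, or see Changelog/History, Section 1.6 to find out what has changed.
You can also download a text version or a PDF version from the Debian Documentation Project site. These versions may be more useful if you intend to read the document on a portable device.
Note that the manual is over two hundred pages long and contains some code fragments. Depending on the viewing tool used, lines may fail to wrap when the PDF version is printed.
The document is also provided in other formats, such as text, HTML, and PDF, through the harden-doc package.
Note that the version of the document shipped in the package may be slightly older than the one on the Internet (but you can always build an updated version from the source package!).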
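Now to the official part. At the moment I (Alexander Reelsen) have written the main part of this manual, but in my opinion it should not stay that way. I grew up and live with free software, it is part of my everyday use and I guess it is part of yours, too. Anyone can send me feedback, additional hints or any other suggestions.
If you think you can maintain a certain section or paragraph better, please contact the maintainer; you are welcome to do so. In particular, if you find a section marked as FIXME, which means the authors did not have the time or the needed knowledge about the topic, please mail them right away.
The topic of this manual makes it quite clear that keeping it up to date is important, and you can do your part. Please contribute.
Installing Debian GNU/Linux is not particularly difficult and you should be able to manage it. If you already have some knowledge of Linux or other Unix systems and are somewhat familiar with basic security, this manual will be easier to understand, since this document cannot explain every detail (otherwise it would be a book rather than a manual). If you are not that familiar, you may want to take a look at Be aware of general security problems, Section 2.2 to find more detailed information.
This section describes the parts of this manual that need to be fixed. Some paragraphs carry FIXME or TODO tags describing what content is missing (or what kind of work needs to be done). The purpose of this section is to list what will be covered in future versions, or the work that needs to be done (or could be added) in improved versions.
If you feel you can help with (or comment on) any item in the list, please contact the main author (Authors, Section 1.1).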
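Expand the incident response information; some ideas could be taken from the incident response chapter of the RedHat Security Guide.
Add information on remote monitoring tools (to check for system availability) such as monit, daemontools and mon. See http://linux.oreillynet.com/pub/a/linux/2002/05/09/sysadminguide.html.
Consider adding a section on how to build Debian-based network appliances (with information such as the base system, equivs and FAI).
Check whether http://www.giac.org/practical/gsec/Chris_Koutras_GSEC.pdf mentions information not yet covered here.
Add information on how to set up Debian on a laptop http://www.giac.org/practical/gcux/Stephanie_Thomas_GCUX.pdf.
Add information on how to set up a firewall using Debian GNU/Linux. This section assumes that a single system is being protected (not protecting others...) and discusses how to test the setup.
Add information on setting up a proxy firewall with Debian GNU/Linux, along with information on the packages that provide proxy services (such as xfwp, ftp-proxy, redir, smtpd, dnrd, jftpgw, oops, pnsd, perdition, transproxy, tsocks). The manual should point to other sources of information. Note that the zorp package now available in Debian is a proxy firewall (they also provide Debian packages upstream).
Information on service configuration with file-rc.
Check all the reference URLs and remove/fix those that are no longer available.
Add information on replacements (in Debian) for common servers that are useful when only limited functionality is needed. Examples:
local printing with cups (package)?
remote printing with lpr
dnrd/maradns instead of bind
dhttpd/thttpd/wn (tux?) instead of apache
ssmtpd/smtpd/postfix instead of exim/sendmail
tinyproxy instead of squid
oftpd/vsftp instead of ftpd
...
More information regarding security-related kernel patches in Debian, including the ones mentioned above and specific information on how to apply these patches on a Debian system.
Linux Intrusion Detection (kernel-patch-2.4-lids)
Linux Trustees (in the trustees package)
kernel-patch-freeswan, kernel-patch-int
Information on turning off unnecessary network services (including inetd); this is part of the hardening procedure but could be broadened a bit.
Information regarding password rotation, which is closely related to policy.
Policy, and educating users about policy.
More about tcpwrappers, and wrappers in general?
hosts.equiv and other major security holes.
Issues with file sharing services such as Samba and NFS?
suidmanager/dpkg-statoverrides.
lpr and lprng.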
Switching off the gnome IP things.
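Talk about pam_chroot (see http://lists.debian.org/debian-security/2002/debian-security-200205/msg00011.html) and its usefulness for restricting users. Introduce information related to http://online.securityfocus.com/infocus/1575. For example, pdmenu is available in Debian (whereas flash is not).
Talk about pam_chroot; for more information see http://www.linuxfocus.org/English/January2002/aritcle225.shtml, http://www.networkdweebs.com/chroot.html and http://www.linuxsecurity.com/feature_stories/feature_story-99.html
Talk about programs for building chroot jails. Add information on compartment and chrootuid, and also cover some other software (makejail, jailer).
Add the information provided by Pedro Zorzenon on chrooting Bind 8 in potato :(, see http://people.debian.org/~pzn/howto/chroot-bind.sh.txt (include the whole script?).
More information regarding log analysis software (i.e. logcheck and logcolorise).
'Advanced' routing (security-related traffic policing).
Limiting ssh access to running certain commands.
Using dpkg-statoverride.
Secure ways to share a CD burner among users.
Secure ways of providing networked sound in addition to network display (so that X clients' sounds are played on the X server's hardware).
Securing web browsers.
Setting up ftp over ssh.
Using crypto loopback file systems.
Encrypting the entire file system.
Steganographic tools.
Setting up a PKA for an organization.
Using LDAP to manage users. There is a HOWTO on ldap+kerberos for Debian at www.bayour.com written by Turbo Fredrikson.
How to remove information of little use on production systems, such as /usr/share/doc and /usr/share/man (yes, not very secure).
More information on lcap based on the package's README file (not only that, see Bug #169465) and on the article from LWN: Kernel development.
Add Colin's article on how to set up a chroot environment for a full sid system (http://people.debian.org/~walters/chroot.html)
Add information on running multiple snort sensors on a given system (check the bug reports sent to snort)
Add information on setting up a honeypot (honeyd)
Describe the situation regarding FreeSwan (orphaned) and OpenSwan. The VPN section needs to be rewritten.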
Changes by Javier Fernández-Sanguino Peña
Note on the SSH section that the chroot will not work if using the nodev option in the partition and point to the latest ssh packages with the chroot patch, thanks to Lutz Broedel for pointing these issues out.
Fix typo spotted by Marcos Roberto Greiner (md5sum should be sha1sum in code snippet)
Included Jens Seidel's patch fixing a number of package names and typos.
Slight update of the tools section, removed tools no longer available and added some new ones.
Rewrite parts of the section related to where to find this document and what formats are available (the website does provide a PDF version). Also note that copies on other sites and translations might be obsolete (many of the Google hits for the manual in other sites are actually out of date).
Changes by Javier Fernández-Sanguino Peña
Improved the after installation security enhancements related to kernel configuration for network level protection with a sysctl.conf file provided by Will Moy.
Improved the gdm section, thanks to Simon Brandmair.
Typo fixes spotted by Frederic Bothamy and Simon Brandmair.
Improvements in the after installation sections related to how to generate the MD5 (or SHA-1) sums of binaries for periodic review.
Updated the after installation sections regarding checksecurity configuration (was out of date).
Changes by Javier Fernández-Sanguino Peña
Added a code snippet to use grep-available to generate the list of packages depending on Perl. As requested in #302470.
Rewrite of the section on network services (which ones are installed and how to disable them)
Added more information to the honeypot deployment section mentioning useful Debian packages.
Changes by Javier Fernández-Sanguino Peña
Expanded the PAM configuration limits section.
Added information on how to use pam_chroot for openssh (based on pam_chroot's README)
Fixed some minor issues reported by Dan Jacobson.
Updated the kernel patches information partially based on a patch from Carlo Perassi and also by adding deprecation notes and new kernel patches available (adamantix)
Included patch from Simon Brandmair that fixes a sentence related to login failures in terminal.
Added Mozilla/Thunderbird to the valid GPG agents as suggested by Kapolnai Richard.
Expanded the section on security updates mentioning library and kernel updates and how to detect when services need to be restarted.
Rewrote the firewall section, moved the information that applies to woody down and expand the other sections including some information on how to manually set the firewall (with a sample script) and how to test the firewall configuration.
Added some information preparing for the 3.1 release.
Added more detailed information on kernel upgrades, specifically targeted at those that used the old installation system.
Added a small section on the experimental apt 0.6 release which provides package signing checks. Moved old content to the section and also added a pointer to changes made in aptitude.
Typo fixes spotted by Frederic Bothamy
Changes by Javier Fernández-Sanguino Peña
Added clarification to ro /usr with patch from Joost van Baal
Apply patch from Jens Seidel fixing many typos.
FreeSWAN is dead, long live OpenSWAN.
Added information on restricting access to RPC services (when they cannot be disabled) also included patch provided by Aarre Laakso.
Update aj's apt-check-sigs script.
Apply patch Carlo Perassi fixing URLs.
Apply patch from Davor Ocelic fixing many errors, typos, urls, grammar and FIXMEs. Also adds some additional information to some sections.
Rewrote the section on user auditing, highlight the usage of script which does not have some of the issues associated to shell history.
Changes by Javier Fernández-Sanguino Peña
Rewrote the user-auditing information and include examples on how to use script.
Changes by Javier Fernández-Sanguino Peña
Added information on references in DSAs and CVE-Compatibility.
Added information on apt 0.6 (apt-secure merge in experimental)
Fixed location of Chroot daemons HOWTO as suggested by Shuying Wang.
Changed APACHECTL line in the Apache chroot example (even if it's not used at all) as suggested by Leonard Norrgard.
Added a footnote regarding hardlink attacks if partitions are not setup properly.
Added some missing steps in order to run bind as named as provided by Jeffrey Prosa.
Added notes about Nessus and Snort out-of-dateness in woody and availability of backported packages.
Added a chapter regarding periodic integrity test checks.
Clarified the status of testing regarding security updates. (Debian bug 233955)
Added more information regarding expected contents in securetty (since it's kernel specific).
Added pointer to snoopylogger (Debian bug 179409)
Added reference to guarddog (Debian bug 170710)
apt-ftparchive is in apt-utils, not in apt (thanks to
Emmanuel Chantreau for pointing this out)
Removed jvirus from AV list.
Changes by Javier Fernández-Sanguino Peña
Fixed URL as suggested by Frank Lichtenheld.
Fixed PermitRootLogin typo as suggested by Stefan Lindenau.
Changes by Javier Fernández-Sanguino Peña
Added those that have made the most significant contributions to this manual (please mail me if you think you should be in the list and are not).
Added some blurb about FIXME/TODOs
Moved the information on security updates to the beginning of the section as suggested by Elliott Mitchell.
Added grsecurity to the list of kernel-patches for security but added a footnote on the current issues with it as suggested by Elliott Mitchell.
Removed loops (echo to 'all') in the kernel's network security script as suggested by Elliott Mitchell.
Added more (up-to-date) information in the antivirus section.
Rewrote the buffer overflow protection section and added more information on patches to the compiler to enable this kind of protection.
Changes by Javier Fernández-Sanguino Peña
Removed (and then readded) appendix on chrooting Apache. The appendix is now dual-licensed.
Changes by Javier Fernández-Sanguino Peña
Fixed typos spotted by Leonard Norrgard.
Added a section on how to contact CERT for incident handling (#after-compromise)
More information on setting up a Squid proxy.
Added a pointer and removed a FIXME thanks to Helge H. F.
Fixed a typo (save_inactive) spotted by Philippe Faes.
Fixed several typos spotted by Jaime Robles.
Changes by Javier Fernández-Sanguino Peña
Following Maciej Stachura's suggestions I've expanded the section on limiting users.
Fixed typo spotted by Wolfgang Nolte.
Fixed links with patch contributed by Ruben Leote Mendes.
Added a link to David Wheeler's excellent document on the footnote about counting security vulnerabilities.
Changes made by Frederic Schutz.
rewrote entirely the section of ext2 attributes (lsattr/chattr)
Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz.
Merge section 9.3 ("useful kernel patches") into section 4.13 ("Adding kernel patches"), and added some content.
Added a few more TODOs
Added information on how to manually check for updates and also about cron-apt. That way Tiger is not perceived as the only way to do automatic update checks.
Slight rewrite of the section on executing security updates due to Jean-Marc Ranger's comments.
Added a note on Debian's installation (which will suggest the user to execute a security update right after installation)
Changes by Javier Fernández-Sanguino Peña (me).
Added a patch contributed by Frédéric Schütz.
Added a few more references on capabilities thanks to Frédéric.
Slight changes in the bind section adding a reference to BIND's 9 online documentation and proper references in the first area (Hi Pedro!)
Fixed the changelog date - new year :-)
Added a reference to Colin's articles for the TODOs.
Removed reference to old ssh+chroot patches.
More patches from Carlo Perassi.
Typo fixes (recursive in Bind is recursion), pointed out by Maik Holtkamp.
Changes by Javier Fernández-Sanguino Peña (me).
Reorganised the information on chroot (merged two sections, it didn't make much sense to have them separated)
Added the notes on chrooting Apache provided by Alexandre Ratti.
Applied patches contributed by Guillermo Jover.
Changes by Javier Fernández-Sanguino Peña (me).
Applied patches from Carlo Perassi, fixes include: re-wrapping the lines, url fixes, and fixed some FIXMEs
Updated the contents of the Debian security team FAQ.
Added a link to the Debian security team FAQ and the Debian Developer's reference, the duplicated sections might (just might) be removed in the future.
Fixed the hand-made auditing section with comments from Michal Zielinski.
Added links to wordlists (contributed by Carlo Perassi)
Fixed some typos (still many around).
Fixed TDP links as suggested by John Summerfield.
Changes by Javier Fernández-Sanguino Peña (me). Note: I still have a lot of pending changes in my mailbox (which is currently about 5 Mbs in size).
Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and Daniel K. Gebhart.
Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud
Fixed typos and FIXMEs contributed by Carlo Perassi.
Changes by Chris Tillman, tillman@voicetrak.com.
Changed around to improve grammar/spelling.
s/host.deny/hosts.deny/ (1 place)
Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs)
Changes by Javier Fernández-Sanguino Peña (me).
Fixed minor typos submitted by Thiemo Nagel.
Added a footnote suggested by Thiemo Nagel.
Fixed an URL link.
Changes by Javier Fernández-Sanguino Peña (me). There were many things waiting on my inbox (as far back as February) to be included, so I'm going to tag this the back from honeymoon release :)
Applied a patch contributed by Philipe Gaspar regarding the Squid which also kills a FIXME.
Yet another FAQ item regarding service banners taken from the debian-security mailing list (thread "Telnet information" started 26th July 2002).
Added a note regarding use of CVE cross references in the How much time does the Debian security team... FAQ item.
Added a new section regarding ARP attacks contributed by Arnaud "Arhuman" Assad.
New FAQ item regarding dmesg and console login by the kernel.
Small tidbits of information to the signature-checking issues in packages (it seems to not have gotten past beta release).
New FAQ item regarding vulnerability assessment tools false positives.
Added new sections to the chapter that contains information on package signatures and reorganised it as a new Debian Security Infrastructure chapter.
New FAQ item regarding Debian vs. other Linux distributions.
New section on mail user agents with GPG/PGP functionality in the security tools chapter.
Clarified how to enable MD5 passwords in woody, added a pointer to PAM as well as a note regarding the max definition in PAM.
Added a new appendix on how to create chroot environments (after fiddling a bit with makejail and fixing, as well, some of its bugs), integrated duplicate information in all the appendix.
Added some more information regarding SSH chrooting and its impact
on secure file transfers. Some information has been retrieved from the
debian-security mailing list (June 2002 thread: secure file
transfers).
New sections on how to do automatic updates on Debian systems as well as the caveats of using testing or unstable regarding security updates.
New section regarding keeping up to date with security patches in the Before compromise section as well as a new section about the debian-security-announce mailing list.
Added information on how to automatically generate strong passwords.
New section regarding login of idle users.
Reorganised the securing mail server section based on the Secure/hardened/minimal Debian (or "Why is the base system the way it is?") thread on the debian-security mailing list (May 2002).
Reorganised the section on kernel network parameters, with information provided in the debian-security mailing list (May 2002, syn flood attacked? thread) and added a new FAQ item as well.
New section on how to check users passwords and which packages to install for this.
New section on PPTP encryption with Microsoft clients discussed in the debian-security mailing list (April 2002).
Added a new section describing what problems are there when binding any given service to a specific IP address, this information was written based on the bugtraq mailing list in the thread: Linux kernel 2.4 "weak end host" issue (previously discussed on debian-security as "arp problem") (started on May 9th 2002 by Felix von Leitner).
Added information on ssh protocol version 2.
Added two subsections related to Apache secure configuration (the things specific to Debian, that is).
Added a new FAQ related to raw sockets, one related to /root, an item related to users' groups and another one related to log and configuration files permissions.
Added a pointer to a bug in libpam-cracklib that might still be open... (need to check)
Added more information regarding forensics analysis (pending more information
on packet inspection tools such as tcpflow).
Changed the "what should I do regarding compromise" into a bullet list and included some more stuff.
Added some information on how to set up the Xscreensaver to lock the screen automatically after the configured timeout.
Added a note related to the utilities you should not install in the system. Included a note regarding Perl and why it cannot be easily removed in Debian. The idea came after reading Intersect's documents regarding Linux hardening.
Added information on lvm and journalling file systems, ext3 recommended. The information there might be too generic, however.
Added a link to the online text version (check).
Added some more stuff to the information on firewalling the local system, triggered by a comment made by Hubert Chan in the mailing list.
Added more information on PAM limits and pointers to Kurt Seifried's documents (related to a post by him to bugtraq on April 4th 2002 answering a person that had ``discovered'' a vulnerability in Debian GNU/Linux related to resource starvation).
As suggested by Julian Munoz, provided more information on the default Debian umask and what a user can access if he has been given a shell in the system (scary, huh?)
Included a note in the BIOS password section due to a comment from Andreas Wohlfeld.
Included patches provided by Alfred E. Heggestad fixing many of the typos still present in the document.
Added a pointer to the changelog in the Credits section since most people who contribute are listed here (and not there).
Added a few more notes to the chattr section and a new section after installation talking about system snapshots. Both ideas were contributed by Kurt Pomeroy.
Added a new section after installation just to remind users to change the boot-up sequence.
Added some more TODO items provided by Korn Andras.
Added a pointer to the NIST's guidelines on how to secure DNS provided by Daniel Quinlan.
Added a small paragraph regarding Debian's SSL certificates infrastructure.
Added Daniel Quinlan's suggestions regarding ssh authentication
and exim's relay configuration.
Added more information regarding securing bind including changes suggested by Daniel Quinlan and an appendix with a script to make some of the changes commented on in that section.
Added a pointer to another item regarding Bind chrooting (needs to be merged).
Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve packages with tcpwrappers support.
Added a little bit more info on Debian's default PAM setup.
Included a FAQ question about using PAM to provide services without shell accounts.
Moved two FAQ items to another section and added a new FAQ regarding attack detection (and compromised systems).
Included information on how to set up a bridge firewall (including a sample Appendix). Thanks go to Francois Bayar who sent this to me in March.
Added a FAQ regarding the syslogd's MARK heartbeat from a question answered by Noah Meyerhans and Alain Tesio in December 2001.
Included information on buffer overflow protection as well as some information on kernel patches.
Added more information (and reorganised) the firewall section. Updated the information regarding the iptables package and the firewall generators available.
Reorganized the information regarding log checking, moved logcheck information from host intrusion detection to that section.
Added some information on how to prepare a static package for bind for chrooting (untested).
Added a FAQ item regarding some specific servers/services (could be expanded with some of the recommendations from the debian-security list).
Added some information on RPC services (and when it's necessary).
Added some more information on capabilities (and what lcap does). Is there any good documentation on this? I haven't found any documentation on my 2.4 kernel.
Fixed some typos.
Changes by Javier Fernández-Sanguino Peña.
Rewritten part of the BIOS section.
Changes by Javier Fernández-Sanguino Peña.
Wrapped most file locations with the file tag.
Fixed typo noticed by Edi Stojicevi.
Slightly changed the remote audit tools section.
Added some todo items.
Added more information regarding printers and cups config file (taken from a thread on debian-security).
Added a patch submitted by Jesus Climent regarding access of valid system users to Proftpd when configured as anonymous server.
Small change on partition schemes for the special case of mail servers.
Added Hacking Linux Exposed to the books section.
Fixed directory typo noticed by Eduardo Pérez Ureta.
Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi.
Changes by Javier Fernández-Sanguino Peña.
Fixed location of dpkg conffile.
Remove Alexander from contact information.
Added alternate mail address.
Fixed Alexander mail address (even if commented out).
Fixed location of release keys (thanks to Pedro Zorzenon for pointing this out).
Changes by Javier Fernández-Sanguino Peña.
Fixed typos, thanks to Jamin W. Collins.
Added a reference to apt-extracttemplate manpage (documents the APT::ExtractTemplate config).
Added section about restricted SSH. Information based on that posted by Mark Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security mailing list.
Added information on antivirus software.
Added a FAQ: su logs due to the cron running as root.
Changes by Javier Fernández-Sanguino Peña.
Changed FIXME from lshell thanks to Oohara Yuuma.
Added package to sXid and removed comment since it *is* available.
Fixed a number of typos discovered by Oohara Yuuma.
ACID is now available in Debian (in the acidlab package) thanks to Oohara Yuuma for noticing.
Fixed LinuxSecurity links (thanks to Dave Wreski for telling).
Changes by Javier Fernández-Sanguino Peña. I wanted to change to 2.0 when all the FIXMEs were, er, fixed but I ran out of 1.9X numbers :(
Converted the HOWTO into a Manual (now I can properly say RTFM)
Added more information regarding tcp wrappers and Debian (now many services are
compiled with support for them so it's no longer an inetd issue).
Clarified the information on disabling services to make it more consistent (rpc info still referred to update-rc.d)
Added small note on lprng.
Added some more info on compromised servers (still very rough)
Fixed typos reported by Mark Bucciarelli.
Added some more steps in password recovery to cover the cases when the admin has set paranoid-mode=on.
Added some information to set paranoid-mode=on when login in console.
New paragraph to introduce service configuration.
Reorganised the After installation section so it is more broken up into several issues and it's easier to read.
Wrote information on how to set up firewalls with the standard Debian 3.0 setup (iptables package).
Small paragraph explaining why installing connected to the Internet is not a good idea and how to avoid this using Debian tools.
Small paragraph on timely patching referencing to IEEE paper.
Appendix on how to set up a Debian snort box, based on what Vladimir sent to the debian-security mailing list (September 3rd 2001)
Information on how logcheck is set up in Debian and how it can be used to set up HIDS.
Information on user accounting and profile analysis.
Included apt.conf configuration for read-only /usr copied from Olaf Meeuwissen's post to the debian-security mailing list
New section on VPN with some pointers and the packages available in Debian (needs content on how to set up the VPNs and Debian-specific issues), based on Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security.
Small note regarding some programs to automatically build chroot jails
New FAQ item regarding identd based on a discussion in the debian-security mailing list (February 2002, started by Johannes Weiss).
New FAQ item regarding inetd based on a discussion in the
debian-security mailing list (February 2002).
Introduced note on rcconf in the "disabling services" section.
Varied the approach regarding LKM, thanks to Philipe Gaspar
Added pointers to CERT documents and Counterpane resources
Changes by Javier Fernández-Sanguino Peña.
Added a new FAQ item regarding time to fix security vulnerabilities.
Reorganised FAQ sections.
Started writing a section regarding firewalling in Debian GNU/Linux (could be broadened a bit)
Fixed typos sent by Matt Kraai
Fixed DNS information
Added information on whisker and nbtscan to the auditing section.
Fixed some wrong URLs
Changes by Javier Fernández-Sanguino Peña.
Added a new section regarding auditing using Debian GNU/Linux.
Added info regarding finger daemon taken from the security mailing list.
Changes by Javier Fernández-Sanguino Peña.
Fixed link for Linux Trustees
Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon)
Changes by Javier Fernández-Sanguino Peña.
Reorganized service installation and removal and added some new notes.
Added some notes regarding using integrity checkers as intrusion detection tools.
Added a chapter regarding package signatures.
Changes by Javier Fernández-Sanguino Peña.
Added notes regarding Squid security sent by Philipe Gaspar.
Fixed rootkit links thanks to Philipe Gaspar.
Changes by Javier Fernández-Sanguino Peña.
Added some notes regarding Apache and Lpr/lpng.
Added some information regarding noexec and read-only partitions.
Rewrote how users can help in Debian security issues (FAQ item).
Changes by Javier Fernández-Sanguino Peña.
Fixed location of mail program.
Added some new items to the FAQ.
Changes by Javier Fernández-Sanguino Peña.
Added a small section on how Debian handles security
Clarified MD5 passwords (thanks to `rocky')
Added some more information regarding harden-X from Stephen van Egmond
Added some new items to the FAQ
Changes by Javier Fernández-Sanguino Peña.
Added some forensics information sent by Yotam Rubin.
Added information on how to build a honeynet using Debian GNU/Linux.
Added some more TODOS.
Fixed more typos (thanks Yotam!)
Changes by Javier Fernández-Sanguino Peña.
Added patch to fix misspellings and some new information (contributed by Yotam Rubin)
Added references to other online (and offline) documentation both in a section (see Be aware of general security problems, Section 2.2) by itself and inline in some sections.
Added some information on configuring Bind options to restrict access to the DNS server.
Added information on how to automatically harden a Debian system (regarding the harden package and bastille).
Removed some done TODOs and added some new ones.
Changes by Javier Fernández-Sanguino Peña.
Added the default user/group list provided by Joey Hess to the debian-security mailing list.
Added information on LKM root-kits (Loadable Kernel Modules (LKM), Section 9.4.1) contributed by Philipe Gaspar.
Added information on Proftp contributed by Emmanuel Lacour.
Recovered the checklist Appendix from Era Eriksson.
Added some new TODO items and removed other fixed ones.
Manually included Era's patches since they were not all included in the previous version.
Changes by Era Eriksson.
Typo fixes and wording changes
Changes by Javier Fernández-Sanguino Peña.
Minor changes to tags in order to keep on removing the tt tags and substitute prgn/package tags for them.
Changes by Javier Fernández-Sanguino Peña.
Added pointer to document as published in the DDP (should supersede the original in the near future)
Started a mini-FAQ (should be expanded) with some questions recovered from my mailbox.
Added general information to consider while securing.
Added a paragraph regarding local (incoming) mail delivery.
Added some pointers to more information.
Added information regarding the printing service.
Added a security hardening checklist.
Reorganized NIS and RPC information.
Added some notes taken while reading this document on my new Visor :)
Fixed some badly formatted lines.
Fixed some typos.
Added a Genius/Paranoia idea contributed by Gaby Schilders.
Changes by Josip Rodin and Javier Fernández-Sanguino Peña.
Added paragraphs related to BIND and some FIXMEs.
Small setuid check paragraph
Various minor cleanups
Found out how to use sgml2txt -f for the txt version
Added a security update after installation paragraph
Added a proftpd paragraph
This time really wrote something about XDM, sorry for last time
Lots of grammar corrections by James Treacy, new XDM paragraph
Typo fixes, miscellaneous additions
Initial release
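Alexander Reelsen wrote the original document.
Javier Fernández-Sanguino added more information to the original document.
Robert van der Meulen provided the quota paragraphs and many good ideas.
Ethan Benson corrected the PAM paragraph and made some good suggestions.
Dariusz Puchalak contributed some information to several chapters.
Gaby Schilders contributed a nice Genius/Paranoia idea.
Era Eriksson smoothed out the language in many places and contributed the checklist appendix.
Philipe Gaspar wrote the LKM section.
Yotam Rubin contributed fixes for many typos as well as reference information regarding bind versions and md5 passwords.
All the people who made suggestions for improving the document are listed here (see Changelog/History, Section 1.6).
(Alexander) All the friends who encouraged me to write this HOWTO (which later became a manual).
The whole Debian project.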
Securing Debian Manual
v3.5, Thu, 24 Nov 2005 21:25:43 +0800 jfs@debian.org etony@tom.com