Security Administration With Debian GNU/Linux

Develop dynamic, data driven, mobile applications quickly and correctly -
Click for a free download

^ click above ^

06.03.03

By Jose Salvador Gonzalez Rivera

Debian has a package manager (DPKG) that resolves dependency problems automatically. It help us to automatically keep up to date programs looking for new versions on the internet, resolving and completing the files and libraries dependencies which a package requires, making system administration easy and keeping us up to date with the new security changes. It also shows some important and substantial security features: it doesn't have commercial goals, also doesn't obey mercantile urgencies, It has a good pursuit of errors, problems are fixed in less than 48 hours and it's priority is to develop a complete and reliable operating system.

Before Installing

From a security and reliability standpoint, it's better to have separate hard disk partitions for directories that are large, and especially to separate those which are frequently-changing (/tmp and /var) from those that can be mounted read-only except when installing software (/usr). Some people also make separate partitions for /home and /usr/local. Separate partitions mean that if one gets corrupted, the others won't be affected. It also means you can mount some partitions (especially /usr and /boot) read-only except when doing system administration: this decreases the likelihood of corruption or mistakes dramatically. Don't do the distribution default, which is usually to put everything in one partition. Of course, you can go overboard if you use too many partitions, and if you don't anticipate your sizes correctly you may end up with wasted space in some partitions and not enough space in others. In that case you'll either have to back up the files and repartition, or use symbolic links to steal space from another partition. Both strategies are undesirable, so think beforehand about how many partitions are appropriate for this machine, which directories contain irreplaceable data, and leave some extra space for unexpected additions later.

Resources for Linux Programmers
Trials, Software, Downloads, and More.

Installing Debian
The Debian installation, text mode, consists of two phases. The first one consists of installing the base system and the second one allows us to configure several details and the installation of additional packages. It is also necessary to identify those services that the system will offer. It doesn't make sense to install packages that could open ports and offer unnecessary services, so we will begin installing just the base system and after that the services our system will offer.

Vulnerability Analysis
There are some software tools to perform vulnerability verification or security auditing in our servers; these tools are intended to detect well-known security problems and also to offer detailed information in how to solve almost any problem you find. This kind of analysis is also called "ethical hacking" because we can check the way our servers can be penetrated as an intruder would do it. Nessus audits insecurity. Its main advantage is that it is totally modernized with the latest attacks, with the possibility to include them in plug-ins form. It is available for any UNIX flavor from its Web site: www.nessus.org It is composed of two programs:

Nessusd

The server performs the exploration. It should be started with root privileges and uses the ports 1241 and 3001 to listen to nessus client's requests. To install it is necessary to type the following command:

# apt-get install nessusd
It only runs in UNIX and the client should be authenticated by means of a login and a password that has to be activated in the system with the different options offered by nessus-adduser command.

Nessus Client

It is the client who communicates with nessusd. This program has its own graphical front end for administrative purposes. It's not just for UNIX but for Windows too. Also one of its tasks is report generation at the end of the exploration, showing the vulnerabilities found and their possible solutions. To install it we have to type:

# apt-get install nessus
Nessus uses a couple of keys stored in the .nessus.keys directory located in user's HOME. They are used to communicate with nessusd.

Security Administration
I do not want to repeat the HOWTO and manuals information so I will focus on specific points and situations not considered frequently, the use of limits and files attributes.

Permissions and Attributes

The Linux permissions and attributes system allows us to restrict file access to non authorized users. The basic permissions are read (r), writ (w) and execute (x).

To visualize a directory permission structure we type ls -l

The permission column has 10 characters divided in 4 groups:

- rw- rw- r--

Click Here to Read the Full Article

About the Author:
Currently I'm an active member of the Puebla Linux User Group (GULP) in México. I frequently participate in events to promove the use of Free Software and Linux mainly. I accept any questions, comments or suggestions by email.