LinuxQuestions.org
Old 04-10-2003, 03:51 AM   #1
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
securing a debian system for use as a server


hi all,

in the next days (weeks) i will post everything i did to secure my debian system for use as server in an isp environment. i'd like you to post your comments, questions and suggestions so we can all benefit from it.

the securing process starts at the installation level already. you could go with kernel 2.2 and with 2.4 ... 2.4 is well known for its iptables (netfilter) software firewall ... well I prefer a 2.4 system ... we will build a customized kernel later anyways using the grsecurity kernel patches :-)


so after the install i decided to purge packages i do not require:
- base-config (no need to modify config!)
- dhcp-client (no DHCP required)
- ed (don't like that editor :-P)
- fdutils (no floppy stuff required)
- ipchains (iptables since Kernel 2.4+)
- lilo (will install grub)
- mbr (not required)
- modconf (I know my modules :-))
- pciutils (not required)
- ppp (permanent connection)
- pppconfig (permanent connection)
- pppoe (permanent connection)
- pppoeconf (permanent connection)
- setserial (not required)
- tasksel (I prefer apt-get and dpkg :-))


So after this step we have a few packets less on the system. Which ones you remove is all up to you of course. I just remove stuff I do not need at all since there is no benefit of keeping it and wasting disk space, etc.


next thing is to separate the partitions. this has several reasons. for one you could fine tune your partition setting (like later for the postfix spool directory) and you can always adjust the mount flags, etc.

how do you separate the partitions on an already installed system?
Code:
# 1. create the partitions using fdisk
# 2. format those using mkfs.ext3
# 3. edit /etc/fstab so you can follow my instructions
#
# each of the following will get its own partition:
#         /boot
#         /home
#         /tmp
#         /usr
#         /usr/local
#         /var/log
#         /var/spool/postfix
#         /var/tmp

# /boot
# (the * glob does not match dotfiles; check the .old directory before removing it)
        mv /boot /boot.old
        mkdir /boot
        mount /boot
        mv /boot.old/* /boot
        rm -r /boot.old

# /home (directory is empty)
        mount /home
        chmod g+sw /home
        chown root:staff /home

# /tmp (directory is empty)
# world-writable with the sticky bit set (mode 1777)
        mount /tmp
        chmod 777 /tmp
        chmod +t /tmp

# /usr
        mv /usr /usr.old
        mkdir /usr
        mount /usr
        mv /usr.old/* /usr
        rm -r /usr.old

# /usr/local
        mv /usr/local /usr/local.old
        mkdir /usr/local
        mount /usr/local
        chmod g+sw /usr/local
        chown root:staff /usr/local
        mv /usr/local.old/* /usr/local
        rm -r /usr/local.old

# /var/log
        mv /var/log /var/log.old
        mkdir /var/log
        mount /var/log
        mv /var/log.old/* /var/log
        rm -r /var/log.old

# /var/tmp
# world-writable with the sticky bit set (mode 1777)
        mount /var/tmp
        chmod 777 /var/tmp
        chmod +t /var/tmp


of course you have to choose a suitable size for those partitions. i've chosen:

/dev/hdd5             1.1G  141M  899M  14% /
/dev/hdd6              45M  6.1M   37M  14% /boot
/dev/hdd7              76M  4.1M   67M   6% /home
/dev/hdd8             281M  8.1M  258M   4% /tmp
/dev/hdd9             556M   75M  453M  15% /usr
/dev/hdd10            281M  8.1M  258M   4% /usr/local
/dev/hdd11            1.6G   33M  1.4G   3% /var/log
/dev/hdd13            556M   17M  511M   4% /var/tmp

Now you are ready for switching to grub

What are your comments, questions or suggestions so far ?

Last edited by markus1982; 04-10-2003 at 03:57 AM.
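
A check for the partition layout in post #1, added here as an example and not part of the original post: it reads a mount table in /proc/mounts format and reports which of the listed directories are not separate mount points and which mount flags a directory lacks. The function names, the sample option values and the nosuid,nodev,noexec policy for /tmp are assumptions; the post does not name specific flags.

```shell
#!/bin/sh
# Added example: audit a mount table against the partition list in the post.
WANTED="/boot /home /tmp /usr /usr/local /var/log /var/spool/postfix /var/tmp"

# missing_mounts FILE: print every wanted directory that is not a mount
# point in FILE (columns as in /proc/mounts: device dir fstype options).
missing_mounts() {
    for dir in $WANTED; do
        awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' "$1" \
            || printf '%s\n' "$dir"
    done
}

# missing_flags FILE DIR FLAGS: print each comma-separated flag in FLAGS
# that is absent from DIR's options column.
missing_flags() {
    opts=$(awk -v d="$2" '$2 == d { o = $4 } END { print o }' "$1")
    for flag in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$flag,"*) ;;
            *) printf '%s\n' "$flag" ;;
        esac
    done
}

# Constructed sample: devices and mount points from the df listing in the
# post; the options column is invented for the demonstration.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
/dev/hdd5 / ext3 rw 0 0
/dev/hdd6 /boot ext3 rw 0 0
/dev/hdd7 /home ext3 rw,nosuid,nodev 0 0
/dev/hdd8 /tmp ext3 rw,nosuid,nodev 0 0
/dev/hdd9 /usr ext3 rw 0 0
/dev/hdd10 /usr/local ext3 rw 0 0
/dev/hdd11 /var/log ext3 rw 0 0
/dev/hdd13 /var/tmp ext3 rw 0 0
EOF

echo "not on their own partition:"; missing_mounts "$SAMPLE"
# Assumed policy (the post names no flags): nosuid,nodev,noexec on /tmp.
echo "flags missing on /tmp:"; missing_flags "$SAMPLE" /tmp nosuid,nodev,noexec
```

On a live system, pass /proc/mounts instead of the sample file.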
 
Old 04-10-2003, 11:52 PM   #2
footfrisbee
Member
 
Registered: Apr 2003
Distribution: Debian Sarge
Posts: 259

Rep: Reputation: 30
You might also check out a utility called "bastille". It systematically locks down your system to your specifications. It's pretty neat.
 
Old 04-12-2003, 05:38 AM   #3
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Bastille looks like a nice tool but it doesn't cover all aspects. It mostly does permission changes ... I'm not yet finished posting all of the security related and performance related changes I did so far. This is just the post for day 1.
 
  

