hi all,
in the next days (weeks) i will post everything i did to secure my debian system for use as server in an isp environment. i'd like you to post your comments, questions and suggestions so we can all benefit from it.
the securing process starts at the installation level already. you could go with kernel 2.2 and with 2.4 ... 2.4 is well known for its iptables (netfilter) software firewall ... well I prefer a 2.4 system ... we will build a customized kernel later anyways using the grsecurity kernel patches :-)
so after the install i decided to purge packages i do not require:
- base-config (no need to modify config!)
- dhcp-client (no DHCP required)
- ed (don't like that editor :-P)
- fdutils (no floppy stuff required)
- ipchains (iptables since Kernel 2.4+)
- lilo (will install grub)
- mbr (not required)
- modconf (I know my modules :-))
- pciutils (not required)
- ppp (permanent connection)
- pppconfig (permanent connection)
- pppoe (permanent connection)
- pppoeconf (permanent connection)
- setserial (not required)
- tasksel (I prefer apt-get and dpkg :-))
So after this step we have a few packages less on the system. Which ones you remove is all up to you of course. I just remove stuff I do not need at all since there is no benefit of keeping it and wasting disk space, etc.
next thing is to separate the partitions. this has several reasons. for one you could fine tune your partition setting (like later for the postfix spool directory) and you can always adjust the mount flags, etc.
how do you separate the partitions on an already installed system ?
Code:
x create the partitions using fdisk
x format those using mkfs.ext3
x edit /etc/fstab so you can follow my instructions
each of the following will get its own partition:
/boot
/home
/tmp
/usr
/usr/local
/var/log
/var/spool/postfix
/var/tmp
Code:
# /boot
mv /boot /boot.old
mkdir /boot
mount /boot
mv /boot.old/* /boot
rm -r /boot.old

# /home (directory is empty)
mount /home
chmod g+sw /home
chown root:staff /home

# /tmp (directory is empty)
mount /tmp
chmod 777 /tmp
chmod +t /tmp

# /usr
mv /usr /usr.old
mkdir /usr
mount /usr
mv /usr.old/* /usr
rm -r /usr.old

# /usr/local
mv /usr/local /usr/local.old
mkdir /usr/local
mount /usr/local
chmod g+sw /usr/local
chown root:staff /usr/local
mv /usr/local.old/* /usr/local
rm -r /usr/local.old

# /var/log
mv /var/log /var/log.old
mkdir /var/log
mount /var/log
mv /var/log.old/* /var/log
rm -r /var/log.old

# /var/tmp
mount /var/tmp
chmod 777 /var/tmp
chmod +t /var/tmp

of course you have to choose a suitable size for those partitions. i've chosen:
Filesystem   Size  Used  Avail  Use%  Mounted on
/dev/hdd5    1.1G  141M   899M   14%  /
/dev/hdd6     45M  6.1M    37M   14%  /boot
/dev/hdd7     76M  4.1M    67M    6%  /home
/dev/hdd8    281M  8.1M   258M    4%  /tmp
/dev/hdd9    556M   75M   453M   15%  /usr
/dev/hdd10   281M  8.1M   258M    4%  /usr/local
/dev/hdd11   1.6G   33M   1.4G    3%  /var/log
/dev/hdd13   556M   17M   511M    4%  /var/tmp
Now you are ready for switching to grub
What are your comments, questions or suggestions so far ?
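
An added example, not part of the original post: a shell check that every mount point in the list above has its own fstab entry, and that a world-writable directory ended up with mode 1777 after "chmod 777" plus "chmod +t". The function names and the sample fstab are constructed for illustration; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Mount points the post gives their own partition (copied from its list).
WANTED="/boot /home /tmp /usr /usr/local /var/log /var/spool/postfix /var/tmp"

# write_sample_fstab FILE: constructed sample, not the author's real fstab.
# /var/tmp is commented out and /var/spool/postfix is absent on purpose.
write_sample_fstab() {
cat > "$1" <<'EOF'
# <device>  <mount point>  <type>  <options>  <dump> <pass>
/dev/hdd5   /              ext3    defaults   0 1
/dev/hdd6   /boot          ext3    defaults   0 2
/dev/hdd7   /home          ext3    defaults   0 2
/dev/hdd8   /tmp           ext3    defaults   0 2
/dev/hdd9   /usr           ext3    defaults   0 2
/dev/hdd10  /usr/local     ext3    defaults   0 2
/dev/hdd11  /var/log       ext3    defaults   0 2
#/dev/hdd13 /var/tmp       ext3    defaults   0 2
EOF
}

# missing_mounts FSTAB: print each wanted mount point that has no active
# (non-comment) entry in FSTAB. Field 2 of an fstab line is the mount point.
missing_mounts() {
    fstab=$1
    for mp in $WANTED; do
        if ! awk -v mp="$mp" \
            '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' \
            "$fstab"; then
            printf '%s\n' "$mp"
        fi
    done
}

# world_writable_ok DIR: succeed only if DIR is mode 1777, i.e. world-writable
# with the sticky bit, so users cannot delete each other's files.
world_writable_ok() {
    [ "$(stat -c %a "$1")" = "1777" ]
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_fstab "$sample"
echo "mount points without their own fstab entry:"
missing_mounts "$sample"
rm -f "$sample"
```

On a real system, run `missing_mounts /etc/fstab` before the first `mount` command and `world_writable_ok /tmp` and `world_writable_ok /var/tmp` after the chmod steps.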