Securing Debian Manual
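Chapter 1 - Introduction
The hardest part of writing security documentation is that every case is unique.
You need to pay particular attention to the environment and the security needs
of the site, host, or network. For instance, the security needs of a home user
are completely different from those of an online bank. The main threat a home
user faces comes from script-kiddie crackers. An online bank has to worry about
directed attacks. In addition, the bank must guarantee the accuracy of its
customers' data. In short, users must make a trade-off between security and
usability.
Note that this manual only covers software-related issues. Even the best
software in the world cannot protect a computer that can be physically accessed.
You can put the computer under your desk, or in a heavily guarded bunker. Yet a
properly configured desktop computer can be more secure (from a software point
of view) than a heavily guarded one that is full of security holes. Obviously,
you need to consider both aspects.
This manual only gives a brief introduction to increasing the security of a
Debian GNU/Linux system. If you have read other documents on Linux security, you
will find that some general issues overlap with this manual. Of course, this
manual does not try to be your ultimate source of information; it only tries to
provide information on the same issues that is better suited to a Debian
GNU/Linux system. Different distributions handle things differently (starting
daemons is one example); you will find that this manual is geared to Debian
programs and tools.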
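1.1 Authors
The current maintainer of this manual is Javier Fernández-Sanguino Peña
jfs@computer.org. For any comments, additions or suggestions regarding this
manual, please contact him, and they will be considered for inclusion in the
manual.
This manual started out as a HOWTO written by Alexander Reelsen. After it was
published on the Internet, Javier Fernández-Sanguino Peña jfs@debian.org
incorporated it into the Debian Documentation Project. Many people have
contributed to the manual (all contributions are listed in the changelog), but
the following people deserve special mention for their significant contributions
(completing parts, chapters or appendices):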
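1.2 Downloading the manual
You can download or browse the latest version of the Securing Debian Manual from
the Debian Documentation Project, or check it out more conveniently from its
version control system, the CVS server.
You can also download a text version from the Debian Documentation Project site.
Other formats, such as PDF, are not (yet) provided. However, you can download or
install the harden-doc package, which provides the document in HTML, txt and PDF
formats.
Note that the version of the document provided in the package may be slightly
older than the one on the Internet (but you can download the source package to
build and update your version!).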
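1.3 Organizational notes and feedback
This is the official part of the manual. At this point I (Alexander Reelsen)
have written most of this manual, but in my opinion it should not stay that way.
I grew up and live with free software; it is part of my everyday use, and I
guess yours too. Anyone is welcome to send me feedback, additional hints or any
other suggestions.
If you think you can maintain a certain section or chapter better, please
contact the maintainer; you will be welcome. In particular, if you find a
section marked FIXME, which means the authors did not have the time or the
knowledge needed for that part, please mail them right away.
The topic of this manual makes it clear that keeping it up to date is very
important, and you can do your part. Please contribute.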
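1.4 Prior knowledge
Installing Debian GNU/Linux is not especially difficult, and you should be able
to manage it. If you already have some knowledge of Linux or other Unix systems
and are somewhat familiar with basic security, this manual will be easier to
understand, since this document cannot explain every detail (otherwise it would
be a book rather than a manual). If you are not that familiar, you may want to
look at Be aware of general security problems, Section 2.2, to find more
detailed information.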
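1.5 Things that need to be written (FIXME/TODO)
This section describes the parts of the manual that need to be fixed. Some
paragraphs carry FIXME or TODO tags that mark missing content (or the kind of
work that needs to be done). The purpose of this section is to list what will be
covered in new versions, or work that needs to be done (or might be added) in
improved versions.
If you feel you can help complete (or comment on) any item in the list, please
contact the main author (Authors, Section 1.1).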
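-
Expand the incident response information, perhaps taking some ideas from the
incident response chapter of the RedHat Security Guide.
-
Consider adding a section on how to build network applications based on Debian
(with information such as the base system, equivs and FAI).
-
Add content on setting up a firewall with Debian GNU/Linux. This section assumes
that a single system is being protected (not protecting others...) and discusses
how to test the setup.
-
Add content on setting up a proxy firewall with Debian GNU/Linux, along with
information on the packages that provide proxy services (such as xfwp, xproxy,
ftp-proxy, redir, smtpd, nntp-cache, dnrd, jftpgw, oops, pnsd, perdition,
transproxy, tsocks). The manual should point to other sources of information.
Note that the zorp package now provided in Debian is a proxy firewall (they also
provide Debian packages upstream).
-
Check all reference URLs and remove/fix those that are no longer available.
-
Add content on replacing common servers with functionally restricted
alternatives (Debian). For example:
-
Replace apache with dhttpd/thttpd/wn (tux?)
-
Replace exim/sendmail with ssmtpd/smtpd/postfix
-
More content on kernel security patches in Debian, including those mentioned
above and specifically how to apply these patches on a Debian system.
-
Linux Trustees (in the trustees package)
-
kernel-patch-2.2.19-harden
-
kernel-patch-freeswan, kernel-patch-int
-
Content on disabling unnecessary network services (including inetd); this
belongs to the hardening procedure, but could be covered a bit more broadly.
-
More content on tcpwrappers, and wrappers in general?
-
Issues with file sharing services such as Samba and NFS?
-
suidmanager/dpkg-statoverrides.
-
Switching off the gnome IP things.
-
A discussion of chroot jails for programs. Add content on Compartment and
chrootuid, and also introduce some other software (makejail, jailer).
-
More content on log analysis software (i.e. logcheck and logcolorise).
-
Secure ways to provide network sound alongside network display (so that X
clients' sound is played on the X server's hardware)
-
Managing users with LDAP. There is an ldap+kerberos HOWTO for Debian written by
Turbo Fredrikson at www.bayour.com.
-
How to remove information of little use on production systems, such as
/usr/share/doc and /usr/share/man (yes, not very secure).
-
Add content on running a multi-purpose snort sniffer on a given system (check
the bug reports submitted against snort)
-
Content describing FreeSwan (orphaned) and OpenSwan. The VPN section needs to be
rewritten.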
1.6 Changelog/History
1.6.1 Version 3.1 (January 2005)
Changes by Javier Fernández-Sanguino Peña
-
Added clarification to ro /usr with patch from Joost van Baal
-
Apply patch from Jens Seidel fixing many typos.
-
FreeSWAN is dead, long live OpenSWAN.
-
Added information on restricting access to RPC services (when they cannot be
disabled) also included patch provided by Aarre Laakso.
-
Update aj's apt-check-sigs script.
-
Apply patch Carlo Perassi fixing URLs.
-
Apply patch from Davor Ocelic fixing many errors, typos, urls, grammar and
FIXMEs. Also adds some additional information to some sections.
-
Rewrote the section on user auditing, highlight the usage of script which does
not have some of the issues associated to shell history.
1.6.2 Version 3.0 (December 2004)
Changes by Javier Fernández-Sanguino Peña
-
Rewrote the user-auditing information and include examples on how to use
script.
1.6.3 Version 2.99 (March 2004)
Changes by Javier Fernández-Sanguino Peña
-
Added information on references in DSAs and CVE-Compatibility.
-
Added information on apt 0.6 (apt-secure merge in experimental)
-
Fixed location of Chroot daemons HOWTO as suggested by Shuying Wang.
-
Changed APACHECTL line in the Apache chroot example (even if it's not used at
all) as suggested by Leonard Norrgard.
-
Added a footnote regarding hardlink attacks if partitions are not setup
properly.
-
Added some missing steps in order to run bind as named as provided by Jeffrey
Prosa.
-
Added notes about Nessus and Snort out-of-dateness in woody and availability of
backported packages.
-
Added a chapter regarding periodic integrity test checks.
-
Clarified the status of testing regarding security updates. (Debian bug
233955)
-
Added more information regarding expected contents in securetty (since it's
kernel specific).
-
Added pointer to snoopylogger (Debian bug 179409)
-
Added reference to guarddog (Debian bug 170710)
-
Apt-ftparchive is in apt-utils, not in apt (thanks to Emmanuel Chantreau for
pointing this out)
-
Removed jvirus from AV list.
1.6.4 Version 2.98 (December 2003)
Changes by Javier Fernández-Sanguino Peña
-
Fixed URL as suggested by Frank Lichtenheld.
-
Fixed PermitRootLogin typo as suggested by Stefan Lindenau.
1.6.5 Version 2.97 (September 2003)
Changes by Javier Fernández-Sanguino Peña
-
Added those that have made the most significant contributions to this manual
(please mail me if you think you should be in the list and are not).
-
Added some blurb about FIXME/TODOs
-
Moved the information on security updates to the beginning of the section as
suggested by Elliott Mitchell.
-
Added grsecurity to the list of kernel-patches for security but added a
footnote on the current issues with it as suggested by Elliott Mitchell.
-
Removed loops (echo to 'all') in the kernel's network security script as
suggested by Elliott Mitchell.
-
Added more (up-to-date) information in the antivirus section.
-
Rewrote the buffer overflow protection section and added more information on
patches to the compiler to enable this kind of protection.
1.6.6 Version 2.96 (August 2003)
Changes by Javier Fernández-Sanguino Peña
-
Removed (and then readded) appendix on chrooting Apache. The appendix is now
dual-licensed.
1.6.7 Version 2.95 (June 2003)
Changes by Javier Fernández-Sanguino Peña
-
Fixed typos spotted by Leonard Norrgard.
-
More information on setting up a Squid proxy.
-
Added a pointer and removed a FIXME thanks to Helge H. F.
-
Fixed a typo (save_inactive) spotted by Philippe Faes.
-
Fixed several typos spotted by Jaime Robles.
1.6.8 Version 2.94 (April 2003)
Changes by Javier Fernández-Sanguino Peña
-
Following Maciej Stachura's suggestions I've expanded the section on limiting
users.
-
Fixed typo spotted by Wolfgang Nolte.
-
Fixed links with patch contributed by Ruben Leote Mendes.
-
Added a link to David Wheeler's excellent document on the footnote about
counting security vulnerabilities.
1.6.9 Version 2.93 (March 2003)
Changes made by Frederic Schutz.
-
rewrote entirely the section of ext2 attributes (lsattr/chattr)
1.6.10 Version 2.92 (February 2003)
Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz.
-
Merge section 9.3 ("useful kernel patches") into section 4.13
("Adding kernel patches"), and added some content.
-
Added information on how to manually check for updates and also about cron-apt.
That way Tiger is not perceived as the only way to do automatic update checks.
-
Slight rewrite of the section on executing a security update due to
Jean-Marc Ranger's comments.
-
Added a note on Debian's installation (which will suggest the user to execute a
security update right after installation)
1.6.11 Version 2.91 (January/February 2003)
Changes by Javier Fernández-Sanguino Peña (me).
-
Added a patch contributed by Frédéric Schütz.
-
Added a few more references on capabilities thanks to Frédéric.
-
Slight changes in the bind section adding a reference to BIND's 9 online
documentation and proper references in the first area (Hi Pedro!)
-
Fixed the changelog date - new year :-)
-
Added a reference to Colin's articles for the TODOs.
-
Removed reference to old ssh+chroot patches.
-
More patches from Carlo Perassi.
-
Typo fixes (recursive in Bind is recursion), pointed out by Maik Holtkamp.
1.6.12 Version 2.9 (December 2002)
Changes by Javier Fernández-Sanguino Peña (me).
-
Reorganised the information on chroot (merged two sections, it didn't make much
sense to have them separated)
-
Added the notes on chrooting Apache provided by Alexandre Raitti.
-
Applied patches contributed by Guillermo Jover.
1.6.13 Version 2.8 (November 2002)
Changes by Javier Fernández-Sanguino Peña (me).
-
Applied patches from Carlo Perassi, fixes include: re-wrapping the lines, url
fixes, and fixed some FIXMEs
-
Updated the contents of the Debian security team FAQ.
-
Added a link to the Debian security team FAQ and the Debian Developer's
reference, the duplicated sections might (just might) be removed in the future.
-
Fixed the hand-made auditing section with comments from Michal Zielinski.
-
Added links to wordlists (contributed by Carlo Perassi)
-
Fixed some typos (still many around).
-
Fixed TDP links as suggested by John Summerfield.
1.6.14 Version 2.7 (October 2002)
Changes by Javier Fernández-Sanguino Peña (me). Note: I still
have a lot of pending changes in my mailbox (which is currently about 5 Mbs in
size).
-
Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and Daniel K.
Gebhart.
-
Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud
-
Fixed typos and FIXMEs contributed by Carlo Perassi.
1.6.15 Version 2.6 (September 2002)
Changes by Chris Tillman, tillman@voicetrak.com.
-
Changed around to improve grammar/spelling.
-
s/host.deny/hosts.deny/ (1 place)
-
Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs)
1.6.16 Version 2.5 (September 2002)
Changes by Javier Fernández-Sanguino Peña (me).
-
Fixed minor typos submitted by Thiemo Nagel.
-
Added a footnote suggested by Thiemo Nagel.
1.6.17 Version 2.5 (August 2002)
Changes by Javier Fernández-Sanguino Peña (me). There were many
things waiting on my inbox (as far back as February) to be included, so I'm
going to tag this the back from honeymoon release :)
-
Applied a patch contributed by Philipe Gaspar regarding the Squid which also
kills a FIXME.
-
Yet another FAQ item regarding service banners taken from the debian-security
mailing list (thread "Telnet information" started 26th July 2002).
-
Added a note regarding use of CVE cross references in the How much time
does the Debian security team... FAQ item.
-
Added a new section regarding ARP attacks contributed by Arnaud
"Arhuman" Assad.
-
New FAQ item regarding dmesg and console login by the kernel.
-
Small tidbits of information to the signature-checking issues in packages (it
seems to not have gotten past beta release).
-
New FAQ item regarding vulnerability assessment tools false positives.
-
Added new sections to the chapter that contains information on package
signatures and reorganised it as a new Debian Security Infrastructure
chapter.
-
New FAQ item regarding Debian vs. other Linux distributions.
-
New section on mail user agents with GPG/PGP functionality in the security
tools chapter.
-
Clarified how to enable MD5 passwords in woody, added a pointer to PAM as well
as a note regarding the max definition in PAM.
-
Added a new appendix on how to create chroot environments (after fiddling a bit
with makejail and fixing, as well, some of its bugs), integrated duplicate
information in all the appendix.
-
Added some more information regarding SSH chrooting and its impact
on secure file transfers. Some information has been retrieved from the
debian-security mailing list (June 2002 thread: secure file
transfers).
-
New sections on how to do automatic updates on Debian systems as well as the
caveats of using testing or unstable regarding security updates.
-
New section regarding keeping up to date with security patches in the
Before compromise section as well as a new section about the
debian-security-announce mailing list.
-
Added information on how to automatically generate strong passwords.
-
New section regarding login of idle users.
-
Reorganised the securing mail server section based on the
Secure/hardened/minimal Debian (or "Why is the base system the way it
is?") thread on the debian-security mailing list (May 2002).
-
Reorganised the section on kernel network parameters, with information provided
in the debian-security mailing list (May 2002, syn flood attacked?
thread) and added a new FAQ item as well.
-
New section on how to check users passwords and which packages to install for
this.
-
New section on PPTP encryption with Microsoft clients discussed in the
debian-security mailing list (April 2002).
-
Added a new section describing what problems are there when binding any given
service to a specific IP address, this information was written based on the
bugtraq mailing list in the thread: Linux kernel 2.4 "weak end
host" issue (previously discussed on debian-security as "arp
problem") (started on May 9th 2002 by Felix von Leitner).
-
Added information on ssh protocol version 2.
-
Added two subsections related to Apache secure configuration (the things
specific to Debian, that is).
-
Added a new FAQ related to raw sockets, one related to /root, an item related
to users' groups and another one related to log and configuration files
permissions.
-
Added a pointer to a bug in libpam-cracklib that might still be open... (need
to check)
-
Added more information regarding forensics analysis (pending more information
on packet inspection tools such as tcpflow).
-
Changed the "what should I do regarding compromise" into a bullet
list and included some more stuff.
-
Added some information on how to set up the Xscreensaver to lock the screen
automatically after the configured timeout.
-
Added a note related to the utilities you should not install in the system.
Included a note regarding Perl and why it cannot be easily removed in Debian.
The idea came after reading Intersect's documents regarding Linux hardening.
-
Added information on lvm and journalling file systems, ext3 recommended. The
information there might be too generic, however.
-
Added a link to the online text version (check).
-
Added some more stuff to the information on firewalling the local system,
triggered by a comment made by Hubert Chan in the mailing list.
-
Added more information on PAM limits and pointers to Kurt Seifried's documents
(related to a post by him to bugtraq on April 4th 2002 answering a person that
had ``discovered'' a vulnerability in Debian GNU/Linux related to resource
starvation).
-
As suggested by Julian Munoz, provided more information on the default Debian
umask and what a user can access if he has been given a shell in the system
(scary, huh?)
-
Included a note in the BIOS password section due to a comment from Andreas
Wohlfeld.
-
Included patches provided by Alfred E. Heggestad fixing many of the typos
still present in the document.
-
Added a pointer to the changelog in the Credits section since most people who
contribute are listed here (and not there).
-
Added a few more notes to the chattr section and a new section after
installation talking about system snapshots. Both ideas were contributed by
Kurt Pomeroy.
-
Added a new section after installation just to remind users to change the
boot-up sequence.
-
Added some more TODO items provided by Korn Andras.
-
Added a pointer to the NIST's guidelines on how to secure DNS provided by
Daniel Quinlan.
-
Added a small paragraph regarding Debian's SSL certificates infrastructure.
-
Added Daniel Quinlan's suggestions regarding ssh authentication
and exim's relay configuration.
-
Added more information regarding securing bind including changes suggested by
Daniel Quinlan and an appendix with a script to make some of the changes
commented on in that section.
-
Added a pointer to another item regarding Bind chrooting (needs to be merged).
-
Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve packages
with tcpwrappers support.
-
Added a little bit more info on Debian's default PAM setup.
-
Included a FAQ question about using PAM to provide services without shell
accounts.
-
Moved two FAQ items to another section and added a new FAQ regarding attack
detection (and compromised systems).
-
Included information on how to set up a bridge firewall (including a sample
Appendix). Thanks go to Francois Bayar who sent this to me in March.
-
Added a FAQ regarding the syslogd's MARK heartbeat from a
question answered by Noah Meyerhans and Alain Tesio in December 2001.
-
Included information on buffer overflow protection as well as some information
on kernel patches.
-
Added more information (and reorganised) the firewall section. Updated the
information regarding the iptables package and the firewall generators
available.
-
Reorganized the information regarding log checking, moved logcheck information
from host intrusion detection to that section.
-
Added some information on how to prepare a static package for bind for
chrooting (untested).
-
Added a FAQ item regarding some specific servers/services (could be expanded
with some of the recommendations from the debian-security list).
-
Added some information on RPC services (and when it's necessary).
-
Added some more information on capabilities (and what lcap does). Is there any
good documentation on this? I haven't found any documentation on my 2.4
kernel.
1.6.18 Version 2.4
Changes by Javier Fernández-Sanguino Peña.
-
Rewritten part of the BIOS section.
1.6.19 Version 2.3
Changes by Javier Fernández-Sanguino Peña.
-
Wrapped most file locations with the file tag.
-
Fixed typo noticed by Edi Stojicevi.
-
Slightly changed the remote audit tools section.
-
Added more information regarding printers and cups config file (taken from a
thread on debian-security).
-
Added a patch submitted by Jesus Climent regarding access of valid system users
to Proftpd when configured as anonymous server.
-
Small change on partition schemes for the special case of mail servers.
-
Added Hacking Linux Exposed to the books section.
-
Fixed directory typo noticed by Eduardo Pérez Ureta.
-
Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi.
1.6.20 Version 2.3
Changes by Javier Fernández-Sanguino Peña.
-
Fixed location of dpkg conffile.
-
Remove Alexander from contact information.
-
Added alternate mail address.
-
Fixed Alexander mail address (even if commented out).
-
Fixed location of release keys (thanks to Pedro Zorzenon for pointing this
out).
1.6.21 Version 2.2
Changes by Javier Fernández-Sanguino Peña.
-
Fixed typos, thanks to Jamin W. Collins.
-
Added a reference to apt-extracttemplate manpage (documents the
APT::ExtractTemplate config).
-
Added section about restricted SSH. Information based on that posted by Mark
Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security
mailing list.
-
Added information on antivirus software.
-
Added a FAQ: su logs due to the cron running as root.
1.6.22 Version 2.1
Changes by Javier Fernández-Sanguino Peña.
-
Changed FIXME from lshell thanks to Oohara Yuuma.
-
Added package to sXid and removed comment since it *is* available.
-
Fixed a number of typos discovered by Oohara Yuuma.
-
ACID is now available in Debian (in the acidlab package) thanks to Oohara Yuuma
for noticing.
-
Fixed LinuxSecurity links (thanks to Dave Wreski for telling).
1.6.23 Version 2.0
Changes by Javier Fernández-Sanguino Peña. I wanted to change to
2.0 when all the FIXMEs were, er, fixed but I ran out of 1.9X numbers :(
-
Converted the HOWTO into a Manual (now I can properly say RTFM)
-
Added more information regarding tcp wrappers and Debian (now many services are
compiled with support for them so it's no longer an inetd issue).
-
Clarified the information on disabling services to make it more consistent (rpc
info still referred to update-rc.d)
-
Added small note on lprng.
-
Added some more info on compromised servers (still very rough)
-
Fixed typos reported by Mark Bucciarelli.
-
Added some more steps in password recovery to cover the cases when the admin
has set paranoid-mode=on.
-
Added some information to set paranoid-mode=on when login in console.
-
New paragraph to introduce service configuration.
-
Reorganised the After installation section so it is more broken up
into several issues and it's easier to read.
-
Wrote information on how to set up firewalls with the standard Debian 3.0 setup
(iptables package).
-
Small paragraph explaining why installing connected to the Internet is not a
good idea and how to avoid this using Debian tools.
-
Small paragraph on timely patching referencing to IEEE paper.
-
Appendix on how to set up a Debian snort box, based on what Vladimir sent to
the debian-security mailing list (September 3rd 2001)
-
Information on how logcheck is set up in Debian and how it can be used to set
up HIDS.
-
Information on user accounting and profile analysis.
-
Included apt.conf configuration for read-only /usr copied from Olaf
Meeuwissen's post to the debian-security mailing list
-
New section on VPN with some pointers and the packages available in Debian
(needs content on how to set up the VPNs and Debian-specific issues), based on
Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security.
-
Small note regarding some programs to automatically build chroot jails
-
New FAQ item regarding identd based on a discussion in the debian-security
mailing list (February 2002, started by Johannes Weiss).
-
New FAQ item regarding inetd based on a discussion in the
debian-security mailing list (February 2002).
-
Introduced note on rcconf in the "disabling services" section.
-
Varied the approach regarding LKM, thanks to Philipe Gaspar
-
Added pointers to CERT documents and Counterpane resources
1.6.24 Version 1.99
Changes by Javier Fernández-Sanguino Peña.
-
Added a new FAQ item regarding time to fix security vulnerabilities.
-
Reorganised FAQ sections.
-
Started writing a section regarding firewalling in Debian GNU/Linux (could be
broadened a bit)
-
Fixed typos sent by Matt Kraai
-
Added information on whisker and nbtscan to the auditing section.
1.6.25 Version 1.98
Changes by Javier Fernández-Sanguino Peña.
-
Added a new section regarding auditing using Debian GNU/Linux.
-
Added info regarding finger daemon taken from the security mailing list.
1.6.26 Version 1.97
Changes by Javier Fernández-Sanguino Peña.
-
Fixed link for Linux Trustees
-
Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon)
1.6.27 Version 1.96
Changes by Javier Fernández-Sanguino Peña.
-
Reorganized service installation and removal and added some new notes.
-
Added some notes regarding using integrity checkers as intrusion detection
tools.
-
Added a chapter regarding package signatures.
1.6.28 Version 1.95
Changes by Javier Fernández-Sanguino Peña.
-
Added notes regarding Squid security sent by Philipe Gaspar.
-
Fixed rootkit links thanks to Philipe Gaspar.
1.6.29 Version 1.94
Changes by Javier Fernández-Sanguino Peña.
-
Added some notes regarding Apache and Lpr/lpng.
-
Added some information regarding noexec and read-only partitions.
-
Rewrote how users can help in Debian security issues (FAQ item).
1.6.30 Version 1.93
Changes by Javier Fernández-Sanguino Peña.
-
Fixed location of mail program.
-
Added some new items to the FAQ.
1.6.31 Version 1.92
Changes by Javier Fernández-Sanguino Peña.
-
Added a small section on how Debian handles security
-
Clarified MD5 passwords (thanks to `rocky')
-
Added some more information regarding harden-X from Stephen van Egmond
-
Added some new items to the FAQ
1.6.32 Version 1.91
Changes by Javier Fernández-Sanguino Peña.
-
Added some forensics information sent by Yotam Rubin.
-
Added information on how to build a honeynet using Debian GNU/Linux.
-
Fixed more typos (thanks Yotam!)
1.6.33 Version 1.9
Changes by Javier Fernández-Sanguino Peña.
-
Added patch to fix misspellings and some new information (contributed by Yotam
Rubin)
-
Added references to other online (and offline) documentation both in a section
(see Be aware of general security problems, Section 2.2) by itself and inline
in some sections.
-
Added some information on configuring Bind options to restrict access to the
DNS server.
-
Added information on how to automatically harden a Debian system (regarding the
harden package and bastille).
-
Removed some done TODOs and added some new ones.
1.6.34 Version 1.8
Changes by Javier Fernández-Sanguino Peña.
-
Added the default user/group list provided by Joey Hess to the debian-security
mailing list.
-
Added information on Proftp contributed by Emmanuel Lacour.
-
Recovered the checklist Appendix from Era Eriksson.
-
Added some new TODO items and removed other fixed ones.
-
Manually included Era's patches since they were not all included in the
previous version.
1.6.35 Version 1.7
Changes by Era Eriksson.
-
Typo fixes and wording changes
Changes by Javier Fernández-Sanguino Peña.
-
Minor changes to tags in order to keep on removing the tt tags and substitute
prgn/package tags for them.
1.6.36 Version 1.6
Changes by Javier Fernández-Sanguino Peña.
-
Added pointer to document as published in the DDP (should supersede the
original in the near future)
-
Started a mini-FAQ (should be expanded) with some questions recovered from my
mailbox.
-
Added general information to consider while securing.
-
Added a paragraph regarding local (incoming) mail delivery.
-
Added some pointers to more information.
-
Added information regarding the printing service.
-
Added a security hardening checklist.
-
Reorganized NIS and RPC information.
-
Added some notes taken while reading this document on my new Visor :)
-
Fixed some badly formatted lines.
-
Added a Genius/Paranoia idea contributed by Gaby Schilders.
1.6.37 Version 1.5
Changes by Josip Rodin and Javier Fernández-Sanguino Peña.
-
Added paragraphs related to BIND and some FIXMEs.
1.6.38 Version 1.4
-
Small setuid check paragraph
-
Found out how to use sgml2txt -f for the txt version
1.6.39 Version 1.3
-
Added a security update after installation paragraph
-
Added a proftpd paragraph
-
This time really wrote something about XDM, sorry for last time
1.6.40 Version 1.2
-
Lots of grammar corrections by James Treacy, new XDM paragraph
1.6.41 Version 1.1
-
Typo fixes, miscellaneous additions
1.6.42 Version 1.0
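1.7 Credits and thanks!
-
Alexander Reelsen wrote the original document.
-
Javier Fernández-Sanguino added more information to the original document.
-
Robert van der Meulen provided the quota chapter and many good ideas.
-
Ethan Benson corrected the PAM chapter and offered some good suggestions.
-
Dariusz Puchalak provided information for several chapters.
-
Gaby Schilders contributed a great Genius/Paranoia idea.
-
Era Eriksson smoothed out the language in many places and contributed the
checklist appendix.
-
Philipe Gaspar wrote the LKM section.
-
Yotam Rubin fixed many typos and provided reference information on bind
versions and md5 passwords.
-
(Alexander) All the friends who encouraged me to write this HOWTO (which later
became a manual).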
Securing Debian Manual
v3.2, Mon, 20 Jun 2005 08:01:11 +0000
Javier Fernández-Sanguino Peña jfs@debian.org
Translator: eTony etony@tom.com