FIXME: More content needed.
Debian also provides a number of security tools that can make a Debian box suited for security purposes. These purposes include protection of information systems through firewalls (either packet or application-level), intrusion detection (both network and host based), vulnerability assessment, antivirus, private networks, etc.
Since Debian 3.0 (woody), the distribution features cryptographic software integrated into the main distribution. OpenSSH and GNU Privacy Guard are included in the default install, and strong encryption is now present in web browsers and web servers, databases, and so forth. Further integration of cryptography is planned for future releases. This software, due to export restrictions in the US, was not distributed along with the main distribution but included only in non-US sites.
The tools provided by Debian to perform remote vulnerability assessment are: [19]
By far, the most complete and up-to-date tool is nessus, which is composed of a client (nessus) used as a GUI and a server (nessusd) which launches the programmed attacks. Nessus includes remote vulnerabilities for quite a number of systems including network appliances, ftp servers, www servers, etc. The latest releases are even able to parse a web site and try to discover which interactive pages are available which could be attacked. There are also Java and Win32 clients (not included in Debian) which can be used to contact the management server.
Whisker is a web-only vulnerability assessment scanner including anti-IDS tactics (most of which are not anti-IDS anymore). It is one of the best cgi-scanners available, being able to detect WWW servers and launch only a given set of attacks against them. The database used for scanning can be easily modified to provide for new information.
Bass (Bulk Auditing Security Scanner) and Satan (Security Auditing Tool for Analysing Networks) must be thought of more as "proof of concept" programs than as tools to be used while performing audits. Both are quite ancient and are not kept up-to-date. However, SATAN was the first tool to provide vulnerability assessment in a simple (GUI) way and Bass is still a very high-performance assessment tool.
Debian does provide some tools used for remote scanning of hosts (but not vulnerability assessment). These tools are, in some cases, used by vulnerability assessment scanners as the first type of "attack" run against remote hosts in an attempt to determine which remote services are available. Currently Debian provides:
Whereas queso and xprobe provide only remote operating system detection (using TCP/IP fingerprinting), nmap and knocker do both operating system detection and port scanning of the remote hosts. On the other hand, hping2 and icmpush can be used for remote ICMP attack techniques.
Designed specifically for Netbios networks, nbtscan can be used to scan IP networks and retrieve name information from SMB-enabled servers, including: usernames, network names, MAC addresses...
On the other hand, fragrouter can be used to test network intrusion detection systems and see if the NIDS can be eluded by fragmentation attacks.
FIXME: Check Bug #153117 (ITP fragrouter) to see if it's included.
FIXME: add information based on Debian Linux Laptop for Road Warriors, which describes how to use Debian and a laptop to scan for wireless (803.1) networks.
Currently, only the tiger tool used in Debian can be used to perform an internal (also called white box) audit of hosts in order to determine if the file system is properly set up, which processes are listening on the host, etc.
Debian provides two packages that can be used to audit C/C++ source code programs and find programming errors that might lead to potential security flaws:
A virtual private network (VPN) is a group of two or more computer systems, typically connected to a private network with limited public network access, that communicate securely over a public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network's topology.
Debian provides quite a few packages to set up encrypted virtual private networks:
vtun
tunnelv
cipe
vpnd
tinc
secvpn
pptpd
freeswan
The FreeSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.
For more information see the VPN-Masquerade HOWTO (covers IPsec and PPTP), the VPN HOWTO (covers PPP over SSH), the Cipe mini-HOWTO, and the PPP and SSH mini-HOWTO.
If you want to provide a tunneling server for a mixed environment (both Microsoft operating systems and Linux clients) and IPsec is not an option (since it's only provided for Windows 2000 and Windows XP), you can use PoPToP (Point to Point Tunneling Server), provided in the pptpd package.
If you want to use Microsoft's authentication and encryption with the server provided in the ppp package, note the following from the FAQ:
It is only necessary to use PPP 2.3.8 if you want Microsoft compatible MSCHAPv2/MPPE authentication and encryption. The reason for this is that the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP 2.3.8. If you don't need Microsoft compatible authentication/encryption any 2.3.x PPP source will be fine.
However, you also have to apply the kernel patch provided by the kernel-patch-mppe package, which provides the pp_mppe module for pppd.
Take into account that the encryption in pptp forces you to store user passwords in clear text, and that the MS-CHAPv2 protocol contains known security holes.
Public Key Infrastructure (PKI) is a security architecture introduced to provide an increased level of confidence for exchanging information over insecure networks. It makes use of the concept of public and private cryptographic keys to verify the identity of the sender (signing) and to ensure privacy (encryption).
When considering a PKI, you are confronted with a wide variety of issues:
Debian GNU/Linux has software packages to help you with some of these PKI issues. They include OpenSSL (for certificate generation), OpenLDAP (as a directory to hold the certificates), gnupg and freeswan (with X.509 standard support).
However, as of the Woody release (Debian 3.0), Debian does not have any of the freely available Certificate Authorities such as pyCA, OpenCA or the CA samples from OpenSSL.
For more information read the Open PKI book.
Debian does provide some SSL certificates with the distribution so that they can be installed locally. They are found in the ca-certificates package. This package provides a central repository of certificates that have been submitted to Debian and approved (that is, verified) by the package maintainer, useful for any OpenSSL applications which verify SSL connections.
FIXME: read debian-devel to see if there was something added to this.
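As an added example (not part of the manual), the following sh script shows the two OpenSSL roles described above: certificate generation with a small private CA, and verification the way an OpenSSL application does it, both against the issuing CA and against the bundle installed by the ca-certificates package. The CA name, host name and scratch directory are made up for the example.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Manual: build a private CA,
# issue a server certificate and verify it like an OpenSSL application.
set -e

PKI_DIR=$(mktemp -d)                               # scratch directory
trap 'rm -rf "$PKI_DIR"' EXIT
SYSTEM_BUNDLE=/etc/ssl/certs/ca-certificates.crt   # from ca-certificates

# Create a self-signed CA (key and certificate in one step).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Issue a server certificate: a CSR, then a CA-signed certificate.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.invalid" \
        -keyout "$PKI_DIR/server.key" -out "$PKI_DIR/server.csr" 2>/dev/null
    openssl x509 -req -in "$PKI_DIR/server.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -days 90 -sha256 -out "$PKI_DIR/server.crt" 2>/dev/null
}

# Returns 0 if certificate $2 chains to a CA in the file $1, 1 otherwise.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Whole flow. Returns 0 when the private CA accepts its own server
# certificate and the system bundle, which does not contain that CA,
# rejects it; any other outcome returns 1.
demo_pki() {
    make_ca && make_server_cert || return 1
    verify_against "$PKI_DIR/ca.crt" "$PKI_DIR/server.crt" || return 1
    if [ -r "$SYSTEM_BUNDLE" ]; then
        # A CA never submitted to the bundle must not be trusted by it.
        ! verify_against "$SYSTEM_BUNDLE" "$PKI_DIR/server.crt" || return 1
    fi
    return 0
}
```

Run demo_pki from the shell; a zero exit status means both checks behaved as expected.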
There are not many anti-virus tools included with Debian GNU/Linux, probably because GNU/Linux users are not plagued by viruses. The UN*X security model makes a distinction between privileged (root) processes and user-owned processes, therefore a "hostile" executable that a non-root user receives or creates and then executes cannot "infect" or otherwise manipulate the whole system. However, GNU/Linux worms and viruses do exist, although there has not (yet, hopefully) been any that has spread in the wild over any Debian distribution. In any case, administrators might want to build up anti-virus gateways that protect against viruses arising on other, more vulnerable systems in their network.
Debian GNU/Linux currently provides the following tools for building anti-virus environments:
sanitizer, a tool that uses the procmail package, which can scan email attachments for viruses, block attachments based on their filenames, and more.
amavis-postfix, a script that provides an interface from a mail transport agent to one or more commercial virus scanners (this package is built with support for the postfix MTA only).
scannerdaemon, a daemon written in Java that accepts incoming requests to scan files for viruses.
As you can see, Debian does not currently provide any anti-virus software in the main distribution. There are, however, free software anti-virus projects which might be included in future Debian GNU/Linux releases:
Amavis Next Generation, a mail virus scanner which integrates with your MTA and supports multiple virus scanning engines (see Bug #154294).
There is also a virussignatures package, which provides signatures for all packages; this package provides a script to download the latest virus signatures from http://www.openantivirus.org/latest.php.
FIXME: Check to determine which packages are available for antivirus. Is clamav available? (there seem to be Debian packages for it).
FIXME: check if scannerdaemon is the same as the open antivirus scanner daemon (read ITPs).
However, Debian will never provide commercial anti-virus software such as: Panda Antivirus, NAI Netshield (uvscan), Sophos Sweep, TrendMicro Interscan, or RAV. For more pointers see the Linux anti-virus software mini-FAQ. This does not mean that this software cannot be installed properly in a Debian system.
For more information on how to set up a virus detection system read Dave Jones' article Building an E-mail Virus Detection System for Your Network.
It is very common nowadays to digitally sign (and sometimes encrypt) e-mail. You might, for example, find that many people participating on mailing lists sign their list e-mail. Public key signatures are currently the only means to verify that an e-mail was sent by the sender and not by some other person.
Debian GNU/Linux provides a number of e-mail clients with built-in e-mail signing capabilities that interoperate either with gnupg or pgp:
Evolution.
mutt.
kmail.
sylpheed. Depending on how the stable version of this package evolves, you may need to use the bleeding edge version, sylpheed-claws.
gnus, which when installed with the mailcrypt package, is an emacs interface to gnupg.
kuvert, which provides this functionality independently of your chosen mail user agent (MUA) by interacting with the mail transport agent (MTA).
Key servers allow you to download published public keys so that you may verify signatures. One such key server is http://wwwkeys.pgp.net.
gnupg can automatically fetch public keys that are not already in your public keyring. For example, to configure gnupg to use the above key server, edit the file ~/.gnupg/options and add the following line: [20]
keyserver wwwkeys.pgp.net
Most key servers are linked, so that when your public key is added to one server, the addition is propagated to all the other public key servers. There is also a Debian GNU/Linux package, debian-keyring, that provides all the public keys of the Debian developers. The gnupg keyrings are installed in /usr/share/keyrings/.
For more information:
Securing Debian Manual, version 2.6, 10 October 2002 (Wed, 18 Sep 2002 14:09:35 +0200), jfs@computer.org