Re: Securing a Debian machine


Subject: Re: Securing a Debian machine
From: John Goerzen (jgoerzen@complete.org)
Date: Wed Feb 02 2000 - 21:42:14 CET


On 15 Apr 1998 in <87yax7s1po.fsf@garfield.complete.org>, I wrote the
following to linux-security@redhat.com which might be a useful point
from which to start a document. It is a list of just these issues.
Note furthermore that these issues have been brought up in Debian
lists at least as far back as 1997. Those that were arguing against
me on this topic might note that I was the one that asked for the
prompt about whether or not to install MBR in the boot disks in the
first place.

1. "Linux 1" at the LILO boot prompt. RedHat 4.2 at least is
   vulnerable; Debian is not.

2. "Linux emergency". Same thing.

3. Changing the root= for a Linux partition, if another suitable root
   is available. (floppy, zip, jaz disk)

4. Changing the init= for a Linux system.

5. Set BIOS to disallow booting from floppy and password-protect it.
   Also lock your computer cases.

6. Many distributions install MBR on the partition table. If you
   press Shift during boot, it offers to boot from a different
   partition or floppy, even if booting from floppy was disabled in
   BIOS.

7. Most machines have Ctrl-Alt-Del enabled in /etc/inittab. Provides
   an easy way for someone to reboot the machine and use these
   methods.

8. Some machines have bootable CD-ROMs. Make sure you disable access
   to these in your BIOS.

9. Cheap denial-of-service attacks can be accomplished by passing
   incorrect information to the kernel -- e.g., mem=3 (telling it you
   have 3 bytes of RAM in your system).

The best thing to do is remove, or at least disconnect, floppy and
CD-ROM drives. This, of course, is not possible. You should also
either disable the LILO boot prompt or set a password on it. If your
machines have Windows 95 in a separate partition, consider the entire
system compromised; Windows 95 will let somebody mess with the MBR and
Linux partitions and bypass any safeguards you may have put in.

At one time, I was going to write a mini-HOWTO about this but somehow
never got around to it.

"James A. Treacy" <treacy@debian.org> writes:

> People are making many valid points with respect to mbr, security
> of a Debian based machine and ease of maintenance. I think everyone
> agrees that this is (yet another) way to 'break' into a Debian
> machine (even if you don't, discuss it elsewhere so you don't hijack
> this thread).
>
> I propose we do the following:
> - leave mbr as it currently stands. Most users are worried about
> net or user based attacks, not about physical attacks.
> - Create a security document outlining the changes needed to make
> a Debian machine secure from different types of attacks. One
> section would outline the steps needed to protect a machine
> from people with physical access to the machine (*). This
> document should be Debian specific.
>
> From the emotional level of the mbr discussion, I am sure there are
> some people out there who would be willing to work on such a document.
> If someone comes up with a good outline, send it to me. I can give
> them access to the website so it can go online.
>
> The implementation of a 'Securing Debian' document could also go
> a long way toward showing people how secure a Debian based system
> can be. I get sick of hearing people state that *BSD is more secure.
>
> --
> James (Jay) Treacy
> treacy@debian.org
>
>
> --
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-- 
John Goerzen   Linux, Unix consulting & programming   jgoerzen@complete.org |
Developer, Debian GNU/Linux (Free powerful OS upgrade)       www.debian.org |
----------------------------------------------------------------------------+
The 501,180th digit of pi is 9.
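
Added example, not part of the original message: a small Python audit for three of the points in the list above, namely boot entries that accept parameters without a LILO password, a second OS reachable from the boot prompt, and the Ctrl-Alt-Del entry in /etc/inittab. The sample configuration text and function names are constructed for illustration; `password`, `restricted`, `image=`, `other=` and `ctrlaltdel` are the standard lilo.conf and inittab keywords.

```python
# Constructed sample files; on a real system read /etc/lilo.conf and /etc/inittab.
SAMPLE_LILO = """\
boot=/dev/hda
prompt
timeout=50
image=/vmlinuz
    label=Linux
    read-only
other=/dev/hda1
    label=win95
"""
SAMPLE_INITTAB = """\
id:2:initdefault:
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
1:2345:respawn:/sbin/getty 38400 tty1
"""

def parse_lilo(text):
    """Split lilo.conf text into global options and per-entry sections."""
    glob, sections, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        key = key.lower()
        if key in ("image", "other"):        # a new boot entry starts here
            cur = {"kind": key, "path": val}
            sections.append(cur)
        else:                                # option for the entry, or global
            (cur if cur is not None else glob)[key] = val
    return glob, sections

def audit_lilo(text):
    """Flag entries with no password (global or per-entry) and other= entries."""
    glob, sections = parse_lilo(text)
    findings = []
    for s in sections:
        name = s.get("label", s["path"])
        if s["kind"] == "other":
            findings.append(f"{name}: second OS bootable from the LILO prompt")
        if "password" not in s and "password" not in glob:
            findings.append(f"{name}: no password on boot entry")
    return findings

def audit_inittab(text):
    """Flag active id:runlevels:action:process lines whose action is ctrlaltdel."""
    rows = (l.strip().split(":", 3) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#"))
    return [f"inittab entry '{r[0]}': Ctrl-Alt-Del runs {r[3]}"
            for r in rows if len(r) == 4 and r[2] == "ctrlaltdel"]

if __name__ == "__main__":
    print("\n".join(audit_lilo(SAMPLE_LILO) + audit_inittab(SAMPLE_INITTAB)))
```

With a global `password=` plus `restricted`, LILO asks for the password only when parameters are typed at the prompt, so unattended reboots still work.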




This archive was generated by hypermail 2b25 : Thu Feb 03 2000 - 00:36:18 CET