Securing A Debian Linux Laptop For Road Warriors

s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
Securing a
2,
Debian Linux Laptop

00
for
-2
Road Warriors
00
20
te
tu
sti
In
NS
SA
©
By Stephanie
Key fingerprint = AF19 FA27 2F94 998D FDB5 Thomas
DE3D F8B5 06E4 A169 4E46
for SANS GCUX Certification
Version 1.6b, Option 1
April 4, 2001
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Table of Contents
Introduction.............................................................................................................................4
Assessing the Risks.................................................................................................................4
Choosing the Right Laptop...................................................................................................5
BIOS Power On Password..................................................................................................5
s.
ht
BIOS Supervisor Password.................................................................................................5
Hard Drive Password ..........................................................................................................6
rig
Security Screw for the Hard Drive.....................................................................................6
Hardware Locks...................................................................................................................6
ull
Debian Operating System Installation................................................................................6
f
First Thing's First - Partitioning the Hard Drive................................................................7
ns
Installing the Operating System and Device Driver Modules, Base System
KeyConfiguration.......................................................................................................................7
fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Selecting Packages to Install...............................................................................................7
re
Kernel.......................................................................................................................................8
Securing Network Services ...................................................................................................8
or
Securing LILO ......................................................................................................................10
th
Setting Password and Login Policies.................................................................................10
Au
NTP.........................................................................................................................................12
Logging...................................................................................................................................13
2,
Remote System Administration, File Access (Copy and Transfer) and E-mail .........14
00
Installation..........................................................................................................................14
Setting up the Secure Shell daemon to Start on Boot.....................................................15
-2
Authentication....................................................................................................................15
Setting up Local Tunnels for E-mail ................................................................................16
00
Tightening up Access to Secure Shell..............................................................................17

20
Email and File Confidentiality...........................................................................................18

'Defensive' Security Measures............................................................................................18
te
TCP Wrappers ...................................................................................................................18

tu
Packet Firewall - IPChains................................................................................................18

sti
Psionic Portsentry..............................................................................................................19
Tripwire..............................................................................................................................19
In
Updating using apt-get ......................................................................................................19

NS
Backup, Backup, Backup..................................................................................................20

'Offensive' Security Measures............................................................................................21
SA
Nmap ..................................................................................................................................22
Tiger, Tara, SATAN, SAINT, Sara, and Nessus.............................................................22
©
Password Cracking Programs...........................................................................................23

User Education......................................................................................................................23
Passwords...........................................................................................................................23
Hardware Protection..........................................................................................................23
Backups..............................................................................................................................24
KeyOther
fingerprint = AF19 FA27
Good Practices 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
........................................................................................................24
Conclusion ..............................................................................................................................24
Checklist - Securing a Debian Linux Laptop for Road Warriors ................................25
Appendix A ............................................................................................................................29
Appendix B ............................................................................................................................32
Appendix C ............................................................................................................................45
s.
ht
rig
f ull
ns
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Introduction
For as long as mobile computers have been around, System Administrators have had to
wrestle with the problems of securing them. Having a portable computer, while
s.
immensely advantageous to the user, can present some unique and challenging security
ht
vulnerabilities to the System Administrator. Many laptop users work remotely where
rig
their computers are exposed to a hostile network. To ensure productivity, remote users
must be able to securely access email and files stored within the company's internal
ull
network. In addition, laptops are easy to steal - there have been numerous cases of laptop
theft at the U.S. State Department within the past year :
f
http://www.cnn.com/2000/US/04/17/state.computer.02/
ns
tai
All of these demonstrate how vulnerable a laptop containing corporate information can be
re
- and how very important it is that every available step is taken to protect the data that
these computers contain. While no computer can be completely secure, System
or
Administrators need to employ all security measures possible - from hardware locks,
th
BIOS power on, hard drive and supervisor passwords, to properly hardening the
operating system - to ensure that these 'Road Warrior' laptops are not only protected
Au
themselves - but that they do not expose the entire company's network by providing
attackers with valuable information with which to conduct an attack - See:
2,
http://www.zdnet.com/zdnn/stories/news/0,4586,2648861,00.html
00
-2
Defining the Role of the Computer

00
Defining the role of the computer will help you to determine what the risks are, as well as
20
how to limit those risks.

te
This guide will focus on securing a business laptop with the role of primary workstation
tu
for a user who either works from home or travels and requires remote file and email
access. The laptop will have the latest version of the Debian operating system installed,
sti
which is based on the Linux kernel.

In
Assessing the Risks

NS
As the user will be working remotely, connection to the company's network will be
SA
essential. The manner in which the user connects to the internet can have an affect on the
level of risk - but each will cause some level of exposure. Each administrator will need
©
to evaluate the specific situation they face and take the appropriate steps to address the
risks associated with that scenario. Following are some of the most common remote
access methods.
The fingerprint
Key most common access
= AF19 method
FA27 2F94 for
998D remote
FDB5users
DE3Dis F8B5
through a ppp,
06E4 A169or 4E46
dial-up modem
connection. Regardless what the user's most frequently used remote access method is, as
an administrator, you will almost certainly have to provide some sort of dial-up access to
the user at one point or another. Even a home DSL user may travel to a customer's site or
a conference where they only have modem access from their hotel room. Take steps to
secure this type of connection even if it will not be the user's primary remote access
method.
s.
ht
DSL and high-speed cable internet providers are becoming very popular access methods.
rig
The access is fast, and the cost is reasonable. These advantages also work in favor of the
hackers - fast, cheap access means more break-in attempts in less time. Cable and DSL
ull
services are known to be popular with the hacker community - see
http://www.zdnet.com/zdnn/stories/news/0,4586,2604170,00.html. In addition, providers
f
have not always been very responsive to administrators' requests for assistance when
ns
tracking
Key hackers= down
fingerprint AF19(same
FA27 article).
2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
ISDN can also provide fast access, but the cost is prohibitive and setup is less than
intuitive. ISDN's popularity has dwindled with the advent of DSL and high-speed cable
or
internet access.
th
Some other methods which are gaining ground are Ricochet, which offers wireless
Au
modem access at speeds of up to 128K, and wireless LAN.
2,
Most of these can be made more secure through the use of IPChains or some form of
00
VPN.
-2
In addition to network access issues, the portability of laptop computers makes them very
00
easy to steal. Physical security is often very difficult to achieve on something designed
20
to be easy to carry, but there are measures that System Administrators can take to address
this concern.
te
tu
Choosing the Right Laptop

sti
When deciding which laptop computer to provide for your remote users, you should look
In
for the following features:

NS
BIOS Power On Password

SA
Most computers have a BIOS power on password. Although on the majority of

computers this password is easy enough to circumvent, it should still be set to help
©
prevent the merely curious from gaining access to the computer's data. You should not
be able to boot the computer without entering this password. Both the user and the system
administrator should have this password.
BIOSfingerprint
Key Supervisor Password
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
This password protects the BIOS settings itself, which will help prevent changing of the
boot order to enable booting from other media. You may also be able to disable floppy
and CDROM access altogether. No one should be able to gain access to the BIOS
without entering this password. On some laptops, the security provided by this password
cannot be circumvented by resetting the BIOS or pulling the CMOS battery - if you
s.
forget the password, you must replace the system board to access the BIOS. Take Care
ht
when assigning this password! Only the administrator should have this password.
rig
Hard Drive Password
ull
Some laptop computers also offer an additional password restricting access to the hard
f
drive itself. This password must be entered before the computer can be booted from the
ns
hard fingerprint
Key drive. It=should not be
AF19 FA27 possible
2F94 to circumvent
998D FDB5 DE3D F8B5 the06E4
security
A169provided
4E46 by this
tai
password - if you forget the password, you should have to replace the hard drive. This is
re
probably the single most important of the computer's hardware protections - even if
someone steals the laptop, they should not be able to gain access to the data stored on the
or
hard drive through conventional means - i.e., even moving the hard drive to a different
th
computer will not provide access to the data stored on the hard drive. Take Care when
assigning this password! Both the user and the system administrator should have this
Au
password.
2,
Security Screw for the Hard Drive

00
-2
On some laptops, where there is easy external removal of the hard drive, manufacturers
often offer a special security screw to replace the stock, easy-to-remove coin screw. This
00
will help make removal of the hard drive much more difficult if someone gains physical
20
access to the laptop. This screw has a key which should be held by the administrator.
te
Hardware Locks
tu
Make sure that the laptop has a provision for a hardware lock of some type. Especially
sti
helpful are hardware locks which have motion sensors to detect excessive movement of
In
the computer. The user and the System Administrator should both have a copy of the key
or know the combination to the hardware lock.
NS
Dell and IBM both offer all of these types of protection in their laptop lines. I was not
SA
able to confirm Toshiba's security offerings.

©
Debian Operating System Installation
Now that you've selected your hardware, its time to install Debian. Obtain the latest
version of Debian from the ftp site -ftp://ftp.us.debian.org/debian/
Installation should be done while not connected to the network.
One important point to consider before starting is disk encryption. This web site
http://munitions.polkaroo.net/dolphin.cgi?action=render&category=0503 offers many
options for disk encryption. While disk encryption is a good idea, many of the current
implementations do not seem stable enough for real-time deployment. It may be better to
s.
encourage the user to encrypt their data files using GPG or PGP until this technology has
ht
come of age.
rig
First Thing's First - Partitioning the Hard Drive
ull
The proper way to partition a Unix or Linux system is a heated debate. I found so many
f
conflicting opinions on this subject when researching this paper that I am reluctant to
ns
recommend
Key any= one
fingerprint AF19method exclusively.
FA27 2F94 Use DE3D
998D FDB5 your best
F8B5judgment on this,
06E4 A169 4E46taking into
tai
account the role of the system and the user's needs. Whatever you decide to do, be sure
re
to document the partition table you set up.
or
Installing the Operating System and Device Driver Modules, Base System Configuration
th
Most of the defaults will do for this section of the installation. If you wish to enable
Au
NTFS, MSDOS or Samba filesystem support, you can do so under the filesystem device
driver module.
2,
00
You will also be asked to set the hostname of the computer, install and configure the base
-2
system (setting the time zone and hardware clock), and to make Linux bootable (install
LILO). After these selections are complete, the system will reboot. Upon reboot, you
00
will be asked if you would like to enable MD5 passwords and install shadow passwords.
20
Answer yes to both of these - they help to secure your user password database by using a
stronger encryption algorithm and locating the passwords in a root-only accessible file.
te
tu
Next, you will be prompted to set the root password and create a user account. You will
want to create a user account for the end user of the system, as well as an account for the
sti
system administrator.
In
Selecting Packages to Install

NS
There are literally thousands of applications that come with the Debian operating system.
SA
Some of the important security-related packages already come installed by default - TCP
Wrappers, lprng, and lsof, to name a few. While it is often recommended to not install a
©
development environment to limit exposure, many of the programs which the user will
need to be productive are open-source, and may not come in binary format. If you have a
duplicate environment available on which to compile the programs the user will need,
you can set the laptop up without a development environment, and copy over binaries
compiled
Key on the= other
fingerprint AF19machine.
FA27 2F94If 998D
this isFDB5
not feasible, you can
DE3D F8B5 remove
06E4 A169 the development
4E46
libraries and compilers after the system is configured. Following are the recommended
packages to remove or install that have security concerns related to this specific scenario
- you will need to evaluate other packages as necessary for your environment and the
user's specific needs:
REMOVE:
s.
ht
telnet & telnetd - Secure Shell will be used for remote access
rig
finger & fingerd - numerous known security vulnerabilities
nfs-common & nfs-server - numerous known security vulnerabilities
ull
talk & talkd - not necessary, known security vulnerabilities
ftpd - unnecessary, this system will not function as a file server, numerous known
f
security vulnerabilities
ns
tai
ADD:
re
acct - GNU accounting utilities for login and process accounting
or
sudo - enable users to execute a command as another user
th
syslog-ng - provides advanced system logging, adding features that syslogd doesn't
support (configurability, filtering based on content, message integrity/encryption, etc.)
Au
logcheck - looks for anomalies in the system logs and emails them to the administrator
ampd - improved power management for laptops
2,
makepasswd - used to generate true random passwords using /dev/random. Can also
00
encrypt plaintext passwords given on the command line

-2
The ftp client must be installed to enable use of the Debian operating system update
00
module, apt-get.
20
Kernel
te
tu
Because Debian is a complete operating system, the release cycle takes a bit longer than
other standard Linux distributions. As a result, the kernel in the latest Debian release
sti
may be a bit outdated. The current release at the time of writing, 2.2r2 - code named
In
'potato' (all of the Debian releases are named after 'Toy Story' characters), uses the
2.2.18pre21 kernel. To obtain the latest kernel-level security fixes, you will want to
NS
compile the latest kernel after installing Debian. Be sure to backup your kernel before
recompiling. See Section 8.5 at http://www.debian.org/releases/potato/i386/ch-post-
SA
install.en.html for information on doing this 'the Debian way'. Also see
http://www.fs.tum.de/~bunk/kernel-24.html for information on running the 2.4 kernel
©
with the latest release of Debian.
Securing Network Services
The fingerprint
Key first step after installation
= AF19 will 998D
FA27 2F94 be to secure
FDB5 the network
DE3D F8B5services.
06E4 A169Nmap
4E46is used here
to scan for open ports, but there are numerous other utilities available for this. See
Appendix A for a listing of other security tools. Here is a list of the open ports reported
by nmap after an installation as described above:
# nmap -sT -sU 127.0.0.1
s.
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
ht
Interesting ports on testsystem (127.0.0.1):
rig
(The 3067 ports scanned but not shown below are in state: closed)
ull
Port State Service
9/tcp open discard
f
9/udp open discard
ns
13/tcp open daytime
tai
37/tcp open time
re
98/tcp open linuxconf
111/tcp open sunrpc
or
111/udp open sunrpc
th
113/tcp open auth
143/tcp open imap2 Au
177/udp open xdmcp
512/tcp open exec
2,
513/tcp open login

00
514/tcp open shell

-2
515/tcp open printer

1024/tcp open kdm
00
20
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

te
To disable unnecessary services, start with inetd. The configuration file for inetd is
tu
located in /etc/inetd.conf . None of the services started in inetd by default are needed for
this setup. To disable inetd, you can either comment out the /etc/inetd.conf, or comment
sti
out, rename or remove the /etc/init.d/inetd script that is called by the /etc/rc#.d runlevel
In
scripts. In addition, you will want to entirely comment out or remove the portmap script
in /etc/init.d .
NS
After disabling inetd and commenting out or deleting the portmap script, nmap should
SA
only report the following open ports:

©
# nmap -sT -sU 127.0.0.1
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

Interesting ports on testsystem (127.0.0.1):
(Thefingerprint
Key 3078 ports=scanned but not
AF19 FA27 shown
2F94 998Dbelow
FDB5areDE3D
in state:
F8B5closed)
06E4 A169 4E46
Port State Service
177/udp open xdmcp
515/tcp open printer
1024/tcp open kdm
6000/tcp open X11
s.
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
ht
rig
Delete the Berkeley 'r' services and rpc utilities entirely - these services have numerous
know security vulnerabilities and will not be used.
ull
# cd /usr/local/bin
f
# rm rcp rgrep rjoe rlogin rpcgen rpcclient rsh rstart rstartd rpcinfo
ns
tai
Set the default login to be text only, not X, using linuxconf.
re
Securing LILO
or
th
Next you will want to password - protect LILO, the Linux Loader. This can be done
either by manually editing the /etc/lilo.conf or from linuxconf. If doing this by manually
Au
editing the /etc/lilo.conf file, you will want to add the following lines after the prompt
line:
2,
00
password = <your_password_here>
-2
restricted
00
Be sure to set the permissions for the /etc/lilo.conf file to 0600 since the password will be
20
saved in clear-text.
te
chmod 0600 /etc/lilo.conf

tu
Setting Password and Login Policies

sti
In
You will want to specify some basic password and login policies - such as setting a login
banner message, logging all su logins, minimum password length, minimum non-alpha
NS
characters in the password, and setting up the maximum number of days a password can
be used to login. Again, this can be done either manually at the command line, or from
SA
linuxconf. If you prefer doing this from the command line, here is how you go about
doing so:
©
First, create an /etc/issue file to display a message before login. Something simple is
usually best, but this is determined by your company's security policy :
"Employees
Key of =XYZ
fingerprint Corporation
AF19 FA27 2F94only.
998DUnauthorized
FDB5 DE3D access prohibited.
F8B5 06E4 All connection
A169 4E46
attempts are logged."
10
Next, edit the /etc/login.defs file:
# vi /etc/login.defs
s.
The /etc/login.defs file has several options which can be tweaked to provide extra
ht
protection - here are a few recommended settings:
rig
SULOG_FILE /var/log/sulog
ull
ISSUE_FILE /etc/issue
UMASK 077
f
PASS_MAX_DAYS 60
ns
PASS_MIN_LEN
tai
PASS_WARN_DAYS 5
re
There are other ways to implement password expiry - passwd and chage can also be used.
or
th
# passwd -x 60 -w 5 username
OR Au
# chage -M 60 -W 5 username
2,
These commands will expire the password for username after 60 days, giving a warning
00
for 5 days prior to expiration.

-2
To generate strong passwords, use the makepasswd program installed to generate true
00
random passwords for the user, admin, and root. If you specify a -minchars of 8, the
20
password will be at least 8characters:

te
# makepasswd -minchars 8
tu
x8xit5Hk
sti
You will also want to remove unnecessary accounts created during installation. Again,
In
this can be done from linuxconf or from the command line by using the userdel
command. Do a sanity check first and see if the user owns any files:
NS
# find / -user username_or_ID -print

SA
To remove a user, use the userdel command:

©
# userdel -r username
The -r option will remove all files in the user's home directory.
Some user candidates for this are games, majordomo, www-data, gnats, operator, list, irc,
11
uucp, proxy, msql, alias, and possibly news.
Next, you will want to set login access controls on the remaining users. This is done in
the /etc/security/access.conf file. I couldn't possibly write a better explanation of how to
configure the file than was already in the file itself, so here's an excerpt of the top of the
s.
file:
ht
rig
#Format of the login access control table is three fields separated by a
# ":" character:
ull
#
# permission : users : origins
f
#
ns
# Thefingerprint
Key first field=should
AF19 be a "+"
FA27 (access
2F94 998Dgranted) or "-" (access
FDB5 DE3D denied)
F8B5 06E4 A169 4E46
tai
# character.
re
#
# The second field should be a list of one or more login names, group
or
# names, or ALL (always matches). A pattern of the form user@host is
th
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name. Au
#
# The third field should be a list of one or more tty names (for
2,
# non-networked logins), host names, domain names (begin with "."), host
00
# addresses, internet network numbers (end with "."), ALL (always

-2
# matches) or LOCAL (matches any string that does not contain a "."
# character).
00
20
Here are examples of restrictions recommended for this file:

te
This will disable all logins to the console except by the admin and root:
tu
-:ALL EXCEPT admin root :console

sti
In
Disable remote root logins:

NS
-:root:ALL EXCEPT LOCAL

SA
NTP
©
NTP, network time protocol, is required to ensure that accurate time is kept on the
system. Why is this SO important? Well, simply put, forensics. If your logs are out of
time sync with the server's logs, it will be difficult if not impossible to prosecute in the
event of a compromise. In addition, many important security software, such as Kerberos
and most
Key certificate
fingerprint = AF19authorities,
FA27 2F94 depend
998Don accurate
FDB5 DE3Dtime.
F8B5You want
06E4 A169to 4E46
ensure that you
are running an NTP server internally at your network, and you will want to make
12
provisions for laptop users to use the NTP client to sync their clocks with yours. This
web site http://www.eecis.udel.edu/~ntp/ntp_spool/html/build.htm has a very good
tutorial on how to do a basic setup of NTP. It is outside the scope of this guide to discuss
how you would set up NTP within your organization. If you would like to read more
about security and NTP, see RFC1305: ftp://sunsite.doc.ic.ac.uk/rfc/rfc1305.txt , section
s.
3.6.
ht
rig
To install NTP on the laptop, obtain the source code from:
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/
ull
Compilation is the standard:
f
ns
$ ./configure
tai
$ make
re
# make install
or
And you will want to configure your /etc/ntp.conf file as follows:
th
server IP_of_1st_ntp_server Au
server IP_of_2nd_ntp_server
server IP_of_3rd_ntp_server
2,
00
driftfile /etc/ntp.drift
-2
restrict default nomodify

00
20
Generally speaking, you will want to have more than one server listed for redundancy.
te
Logging
tu
Logging is essential to security administration. Logs are one of the most important
sti
places where you will find the trail of clues, should you ever find your system the victim
In
of an attack, needed to determine the method of attack. Logs can also be used as evidence
if you are able to prosecute.
NS
When choosing to setup syslog-ng at installation-time, Debian very nicely sets up

SA
logging and log rotation for you. You will simply want to review the settings and ensure
that they are as desired for your environment, and add your email address to the syslog-
©
ng logrotate script.
syslog-ng is configured by default with all the settings that you should need, including
defaults to log kern, err, and warn messages. You can also specify filters using syslog-ng.
See the
Key man page
fingerprint for syslog-ng
= AF19 for998D
FA27 2F94 more FDB5
information
DE3Don this.06E4
F8B5 TheA169
configuration
4E46 file for
syslog-ng is /etc/syslog-ng/syslog-ng.conf
13
logrotate is also already setup, including cron jobs to run it daily and weekly - located,
appropriately enough, in /etc/cron.daily and /etc/cron.weekly . You may need to edit
these to also rotate the sulog. Add the administrator's email address to the top of the
/etc/logrotate.d/syslog-ng as follows:
s.
ht
mail admin@xyz.corp.com
rig
errors admin@xyz.corp.com
ull
This will email admin@xyz.corp.com with the compressed log files, as well as any
errors. It is also recommend that you set up a log server within your company's network,
f
if you haven't done so already, and have the laptop log to that. Another good idea is to
ns
scan fingerprint
Key your logs =using
AF19aFA27
program
2F94like Psionic'
998D FDB5s Logcheck
DE3D F8B5 - which checks4E46
06E4 A169 your logs for
tai
anomalies and will email you with alerts. This can help to reduce the amount of data that
re
you will need to sift through, but will require an initial time investment to tweak the
settings to reduce false alarms. There are many other log scanners that you can use. See
or
Appendix A for a list of security tools.
th
Remote System Administration, File Access (Copy and Transfer) and E-mail using
Au
Secure Shell
2,
Since the system will be operated remotely for at least part of the time (hence the need
00
for a laptop in the first place), you will want to be able to securely administer the machine
-2
from a remote location. Secure Shell accomplishes this nicely, as well as having other
useful features, such as scp, sftp (for remote file copy and transfer) and tunneling (which
00
will be used to provide the user with secure remote email access).
20
Installation
te
tu
You can obtain Secure Shell in source code from ftp://ftp.ssh.com/pub/ssh. Secure Shell
is free for use under a non-commercial license under Linux, NetBSD, FreeBSD, and
sti
OpenBSD. Secure Shell 2.4 is the latest version. SSH1 has been officially deprecated
In
due to fundamental security vulnerabilities, and its use is not recommended. See
http://www.ssh.com/products/ssh/cert/ and http://www.cert.org/ for information about
NS
these vulnerabilities.
SA
You will need to have Secure Shell installed on both the laptop and on an internal server
which allows connections from outside your network. Remember to open port 22 on
©
your firewall to allow Secure Shell connections from your remote users.
It is recommend to set up Secure Shell to support TCP Wrappers at a minimum (--with-

libwrap). Even though Secure Shell offers user and host restrictions in the server
configuration
Key fingerprintfile, it is easier
= AF19 to have
FA27 2F94 a central
998D FDB5 place
DE3Dfrom
F8B5which
06E4to administer
A169 4E46 user and
host restrictions. You can also take advantage of TCP Wrappers' advanced logging
14
features.
On the internal Secure Shell server, you may want to chroot users to restrict shell and sftp
access. This decision (and how you go about setting this up) depends on your network
security policies, and also whether the users need access only to their own files, or if they
s.
need to share files with other users. Keep in mind that as of version 2.4, chrooting for
ht
Secure Shell is only supported on Linux, AIX and Tru64, and is known to not work on
rig
Solaris or HP-UX. The operating system of your server will be a deciding factor in this
decision. A chrooted environment can be established only if static builds can be made,
ull
when no shared libraries are used. See Appendix B for more information on setting up
chrooting with Secure Shell.
f
ns
See the
Key README
fingerprint that FA27
= AF19 comes2F94
with 998D
the distribution
FDB5 DE3D for F8B5
complete
06E4installation
A169 4E46 instructions,
tai
as well as the online administrator's guide and Appendix B.
re
Setting up the Secure Shell daemon to Start on Boot
or
th
As an administrator, you want the Secure Shell daemon to start at boot time so that you
can connect to it if you need to do any remote system administration. Secure Shell comes
Au
with a startup script, sshd2.startup, for SYS-V style operating systems (it was specifically
written for Linux). This should work fine for the Debian laptop, but you may need to edit
2,
this for the company's internal Secure Shell server, depending on the operating system.
00
For the laptop, to start the Secure Shell daemon at boot time, copy the sshd2.startup script
-2
(should be in the source directory after installation) into the /etc/init.d directory. Create
symbolic links to the sshd2.startup script in the /etc/rc#.d directories to start (S#) or stop
00
(K#) the sshd2 daemon. The # designates the order that the scripts in the rc#.d directories
20
are started - the higher the number, the later in the boot (or shutdown) process the script
is run. For example:
te
tu
# ln -s /etc/init.d/sshd2.startup /etc/rc#.d/K90sshd2
sti
for /etc/rc1.d and /etc/rc6.d and

In
# ln -s /etc/init.d/sshd2.startup /etc/rc#.d/S90sshd2
NS
for /etc/rc2.d, /etc/rc3.d, /etc/rc4.d, and /etc/rc5.d

SA
will setup the Secure Shell daemon, sshd2, to start and stop properly on boot and reboot
©
on a Debian system.
Authentication
Secure
Key Shell is= configured
fingerprint AF19 FA27 to use998D
2F94 password
FDB5 authentication
DE3D F8B5 06E4 by default. Unless your
A169 4E46
company already uses a different method for authentication such as PAM, Kerberos or
15
RSA SecurID, the recommendation is public key authentication for both the administrator
connecting to the laptop to administer the computer, and for the user authentication to the
company's Secure Shell server for remote email and file access.
Setting up public key authentication is fairly simple. Do this in one direction first, then in
s.
the other, to avoid confusion. See Appendix B for information on which authentication
ht
methods are supported, and Appendix C for instructions on setting up public key
rig
authentication in Secure Shell.
ull
Setting up Local Tunnels for E-mail
f
Secure Shell has the ability to tunnel TCP ports through the secure connection, to the
ns
destination
Key application
fingerprint = AF19server specified.
FA27 2F94 998DThis
FDB5is DE3D
a very F8B5
useful06E4
feature,
A169and4E46
is what will be
tai
used to secure the user's email on the laptop. You will want to set up local tunnels from
re
the client machine for port 25 for smtp, and port 110 for pop or 143 for imap. Local
tunnels 'p ush' connections from the local port specified, through the Secure Shell server,
or
to the application server on the port specified. Keep in mind that while the connection
th
between the Secure Shell client and Secure Shell server is secure, the connection between
the Secure Shell server and the application server is not secured. Plan your network
Au
accordingly.
2,
Since the ports used for email are privileged ports (25, 143, and 110), the user must start
00
ssh as root, or they will not have adequate permission to forward the ports. You can
-2
setup tunnels from the command line:

00
# ssh2 -L 4025:smtp_server:25 user_name@ssh_server

20
but the best way to setup tunnels for repeated use such as for email is through the config
te
file - /etc/ssh2/ssh2_config:
tu
# Tunnels that are set up upon logging in

sti
In
LocalForward "25:smtp.xyz.corp.com:25"
LocalForward "143:imap.xyz.corp.com:143"
NS
Note that the arguments must be enclosed in double quotes ""

SA
Once the tunnels are setup in the config file, the user will still have to execute ssh2 as
©
root in order to access email, but the command is much shorter:
# ssh2 user_name@ssh_server
Nextfingerprint
Key setup the =mail
AF19client to point
FA27 2F94 to 127.0.0.1
998D FDB5 for smtp
DE3D and 06E4
F8B5 imap A169
servers. Secure Shell
4E46
will capture the connections to ports 25 and 143 and forward the connections to the smtp
16
and imap servers at XYZ Corp.
Tightening up Access to Secure Shell
There are many restrictions you can set in the server config file to limit access to Secure
s.
Shell on both the server and on the laptop. Following are the recommendations for the
ht
laptop /etc/ssh2/sshd2_config file:
rig
MaxConnections 2
ull
This will limit the number of connections to the sshd2 daemon to 2. As only the
f
administrator should be connecting to the laptop, this is more than sufficient. The default
ns
on this
Key is unlimited.
tai
re
RekeyIntervalSeconds 3600
or
This tells the server to re-exchange and verify hostkeys after the specified number of
th
seconds. This provides an extra level of security against hijacking Secure Shell sessions
and man-in-the-middle attacks - but be careful with this one! If the client you are using
Au
to connect does not support re-keying, you will be disconnected after the specified
number of seconds. By default this is commented out, but if your Secure Shell clients
2,
support re-keying, it is a good idea to enable this.

00
-2
PermitEmptyPasswords no
00
This will prevent users with NULL passwords from connecting. This is commented out
20
by default.
te
BannerMessageFile /etc/issue.net
tu
This displays the /etc/issue.net banner before login. This is commented out by default.
sti
In
AllowedAuthentications publickey,password
NS
This specifies the authentication methods allowed when connecting to the sshd2 daemon.
SA
PermitRootLogin no
©
This prevents direct root logins, which will require the administrator to su for root access
when connecting via Secure Shell. This is set to yes by default.
AllowUsers admin, user

This will allow in only users admin and user, and will deny login via Secure Shell to
17
everyone else.
Email and File Confidentiality
The best way for your users to retain email and file confidentiality is through the use of
s.
GPG or PGP for encryption. Many programs, such as StarOffice by Sun Microsystems
ht
(used to write this guide), offer pgp plug-ins for encryption of files and emails.
rig
StarOffice does require Java to be installed before the pgp plug-in will work. Make sure
your users keep a backup copy of both their public and private keyrings. Encourage
ull
through policy and education the use of GPG or PGP by your users.
f
'Defensive' Security Measures
ns
tai
Defensive Security measures refers to using available software and good system
re
administration practices to protect the system from attackers attempting to gain access
and from copying, altering, or deleting important data.
or
th
TCP Wrappers
Au
TCP Wrappers enables you to set access controls on network services with the use of two
files - /etc/hosts.deny and /etc/hosts.allow . TCP Wrappers also has some very nice
2,
logging features. Because we have already disabled all network services except for
00
Secure Shell, and compiled Secure Shell with TCP Wrappers support, your
-2
/etc/hosts.deny and /etc/hosts.allow files should look like this:

00
/etc/hosts.deny
20
ALL:ALL
te
/etc/hosts.allow
tu
sshd2:.xyz.corp.com
sshdfwd-X11:.xyz.corp.com
sti
In
This denies access to everyone, then allows access only to those specified in the
/etc/hosts.allow - anyone from the xyz.corp.com domain, in this case.
NS
Packet Firewall - IPChains

SA
Configuring a packet firewall on this machine is essential to keeping out intruders. This
©
will be the primary defense for this laptop when it is connected remotely. The Linux
ipchains How-To is located here: http://www.linux.org/docs/ldp/howto/IPCHAINS-
HOWTO.html . This goes into nauseating detail on how to install and configure
ipchains, as well as having several example configurations. An alternative example script
which
Key is best suited
fingerprint to this
= AF19 FA27scenario is the FDB5
2F94 998D one in DE3D
the "Securing Linux
F8B5 06E4 Step-by-Step"
A169 4E46 guide
available from www.sans.org, in Appendix D. This script is very well commented,
18
enabling ease of administration.
Psionic Portsentry
Portsentry is used to detect port scans, and can take configurable action on the scanning
s.
host. You can do all kinds of fun things with Portsentry - such as automatically adding
ht
any scanning host to /etc/hosts.deny, , displaying a banner message to the scanning host,
rig
executing a command directed at the $TARGET$ host, or simply dropping, denying, or
killing the route to the scanning host. This last is the recommended course of action.
ull
Since we've already added ALL:ALL to the /etc/hosts.deny, it is not necessary to add
every scanning host to that file, and executing a command or issuing a warning banner on
f
a scan attempt can taunt a hostile scanning host, and cause retaliatory action.
ns
tai
Here is the line you'll want to uncomment in your portsentry.conf:
re
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
or
th
Tripwire
Au
Tripwire is used to detect changes in files. When you initialize Tripwire, it builds a
database of the files on your hard drive. If any of those files is changed, and Tripwire is
2,
run again, you will receive a notice that the file has changed. This is helpful to detect
00
changed binaries - for example, if your ls command has been substituted with a trojaned
-2
version, Tripwire will detect this. Tripwire also detects permission changes on files.
Tripwire should be the last software you install before turning the system over to the user.
00
You will want to make sure there is a backup of the Tripwire database on non-changeable
20
media such as CD-R. Every time an update is applied to the system, you will want to
rebuild the Tripwire database.
te
tu
You build your Tripwire Database like this (from the directory where Tripwire is
installed):
sti
In
# ./tripwire --initialize
NS
Change the permissions on some files, and perhaps copy a binary from a different
machine over to this one (rename the original first, of course), then run Tripwire:
SA
# ./tripwire
©
Tripwire will report all the changes made since the last database was created.
Updating using apt-get

apt-get is the Debian answer to obtaining the latest updates for your system. Apt-get is
19
configured in the /etc/apt/apt.conf file. Apt-get uses /etc/apt/sources.list to list locations
where updates are obtained. The following web site has a list of 'unofficial' sources, in
addition to the 'official' Debian ones pre-configured:
http://www.internatif.org/bortzmeyer/debian/apt-sources/
Take care using these sites - they are not sanctioned by Debian and you may want to
s.
ensure that you can trust the sources before installing any software obtained from these
ht
sites.
rig
You can configure apt-get using apt-setup. apt-setup will ask you for sources to add to
ull
the /etc/apt/sources.list .
f
The first thing to do when running apt-get is to resynchronize the package overview files:
ns
tai
# apt-get -update
re
Next, you'll want to upgrade to the updated packages:
or
th
# apt-get -upgrade
If you only want to upgrade a specific package:

Au
2,
# apt-get -install package_name

00
-2
If you want to automate this (recommended), write a simple shell script for apt-get -
update and apt-get -upgrade and place both of these scripts in /etc/cron.daily or
00
/etc/cron.weekly, depending on how often you would like to update. Weekly should be
20
sufficient for most applications.

te
You will also want to ensure that whoever the administrator for the laptop, they are
tu
subscribed to the security lists for Debian. You can find information about Debian and
security at the following address: http://www.debian.org/security . SANS also has a
sti
very good security digest you can subscribe to where you can chose which operating
In
system flavor you would like to receive security updates on (for Debian chose Linux):
http://www.sans.org/sansnews
NS
Backup, Backup, Backup

SA
I personally experienced the immense value of backups AGAIN while working on this
©
document. StarOffice crashed on me (emulating M$ Office a little too well there :), and
when I reopened the document, it was corrupted. I would have lost the entire thirty-four
page document if not for a backup that was made the previous day. Even with daily
backups, however, I lost all the changes that had been done that day. I was not a happy
camper.
Key Imagine
fingerprint you user'
= AF19 s state
FA27 2F94of998D
mindFDB5
if theyDE3D
lose weeks or months
F8B5 06E4 A169of work because
4E46
they do not have a current backup. Don't wait for that frantic call before instituting a
20
backup policy. Another benefit is the ability, through backups, to determine exactly how
and when a compromise took place.
How you go about doing backups on this laptop will vary greatly depending on your
user's habits. If your user is in the office most of the time, and only occasionally on the
s.
road, you are probably safe using a networked backup method. Legato and HP-
ht
Openview both offer a free Linux backup client if your company already has the server
rig
software, although it is not supported by either company. If your user is mostly on the
road, however, your backup method will get a bit more complicated. Your user's method
ull
of connecting to the internet can also play a part here - you do not want to send the
backups of your user's home directory over a modem connection to a file server inside
f
your company network, but if your user connects using DSL, this is a valid option.
ns
tai
Other options here are external tape drives, CD-R drives, and perhaps even a backup
re
server at the user's home if the user usually works from home. Some laptops have the
ability to add a second hard drive to the system. This is a very good way to maintain a
or
mirror of the main hard drive should anything happen. If choosing a method which
th
involves any type of transmission over a network, ensure that the connection is secured.
Also make sure that the method is automated, through cron jobs usually, preferably in
Au
such a manner as to not interfere with the user's regular schedule.
2,
You will want to do a full backup of the system after all installations and configurations
00
are done, before turning over the laptop to the user, and again after any major system
-2
updates, as well as on a monthly schedule. Incremental backups are recommended on a

daily basis. Make sure that you also test your backup schedule and the backups
00
themselves by restoring them before turning the laptop over to the user.
20
tar (short for tape archive) is the most common method of compressing and archiving
te
data. This command will backup and compress the user's home directory:
tu
# tar czf /tmp/home_user.tgz /home/user_name

sti
In
This file can then be copied to some other media or to a server on the company's network.
Because it was created in the /tmp directory, it will be removed upon shutdown, thus not
NS
using up needed hard drive space.

SA
See http://www.debian.org/doc/manuals/system-administrator/ch-sysadmin-backup.html
for more information.
©
'Offensive' Security Measures
'Offensive' security measures means taking steps which will help you to assess the
system's
Key vulnerabilities
fingerprint before2F94
= AF19 FA27 an attacker does.DE3D
998D FDB5 This F8B5
includes applying
06E4 the same tools
A169 4E46
the hackers use - such as nmap, as used above, to determine which ports are open, tiger,
21
tara or sara, nessus, and password cracking programs. This type of testing is a good
sanity check on your security measures, and may catch some things you've missed. In
general, you will want to install these tools on a different machine, and run them against
laptop.xyz.corp.com for a better idea of the true vulnerabilities on the system.
s.
Nmap
ht
rig
Nmap is a port scanner. Nmap supports many different types of scans, TCP, UDP, TCP
SYN (half open), proxy, ICMP, as well as many others. Nmap is be used to conduct
ull
scans on the target system to determine which attack on which ports may be viable. In
the section earlier on Securing Network Services, there are two examples of nmap scans
f
against the test Debian system.
ns
tai
Nmap's syntax is very easy to understand. To run a scan on all TCP and UDP ports, you
re
would issue the following command as root:
or
# nmap -sT -sU laptop.xyz.corp.com
th
See man nmap for more information. Au
Tiger, Tara, SATAN, SAINT, Sara, and Nessus
2,
00
There is no shortage of vulnerability scanners to choose from. Understanding the

-2
relationships between them can help you choose which would best suit your environment.
There are links to all of the scanners mentioned here in Appendix A.
00
20
Tiger is a program which checks for basic security problems on a Unix system. Tara is
an updated version of Tiger.
te
tu
SATAN is another software designed to probe for security vulnerabilities. SATAN has
not been updated in some time, which limits it's ability to effectively test for current
sti
threats. SAINT is an expansion on the SATAN project. The original author of SAINT
In
now works for ARC, and the result is a new vulnerability scanner called Sara, an
evolution of the SATAN and SAINT projects.
NS
Out of all of the vulnerability scanners reviewed, the one which was easiest to use and
SA
easiest to keep up-to-date was Nessus. Nessus functions in client / server mode, and has
a GTK interface, for ease of use and administration. Each of the security tests in Nessus
©
are designed as plug-ins, which enables you to write your own security checks if desired,
and which enables easy updating of Nessus. When checking the plug-ins page at
www.nessus.org, ten plug-ins were added between March 25th and April 2nd -
demonstrating that the software is under current, active development. Most interesting of
all, however,
Key fingerprintwas that while
= AF19 FA27the software
2F94 was free
998D FDB5 of charge
DE3D to anyA169
F8B5 06E4 users,4E46
the developers
also offer professional, commercial support for the product - immensely valuable if you
22
plan to roll this out across your entire network. The commercial support even includes
twenty-four custom plug-ins per year, and minor customizations to the software, if
desired.
Password Cracking Programs
s.
ht
Password cracking programs are a good idea if you do not use the makepasswd utility to
rig
generate random passwords. This can help ensure that the passwords that are chosen are
not easily broken. Keep in mind that any password can be cracked eventually - your goal
ull
here should be to weed out the EASILY cracked passwords.
f
Some of the most common password cracking programs are crack, John the Ripper, and
ns
Nutcracker.
Key In =general,
fingerprint the larger
AF19 FA27 the dictionary,
2F94 998D FDB5 DE3D the better the chances
F8B5 06E4 are of cracking
A169 4E46
tai
the password. http://www.password-crackers.com/crack.html In addition, if you
re
implement PAM on the system, you can use the password strength checking module
listed here: http://www.openwall.com/passwdqc/
or
th
User Education
Au
User education is probably the single most important thing you can do to protect this
system. Securing any machine is useless unless you educate the end user on why the
2,
security is needed, what the policies are, and what they can do to limit exposure. As this
00
is a laptop, and will be operated remotely, your user will be on their own for a portion of
-2
their time - without anyone around to verify that they are actually using that Kensington
lock you provided. The single greatest point of failure of any security policy is personnel
00
- get yours on your side through education. Most users will cooperate if they understand
20
how important these measures are, and why they must take the time to enter several
passwords to boot the computer.
te
tu
Some topics to be sure to cover with your users:

sti
Passwords
In
Why passwords are important

NS
Why you need multiple passwords

Why all your passwords should NOT be the same
SA
What make good and bad passwords

How to choose a good password (or why to use one generated with makepasswd)
©
Password management (for a single user, the best method for this might be a PGP
encrypted text file, saved on removable media, not the hard drive)
Hardware Protection
Impress how vulnerable laptop computers are to theft
23
Show the user how to enter the BIOS Poweron and Hard drive Passwords
Show the user how to use the hardware locks provided
Advise the user to remove, if possible, removable media drives before traveling
Backups
s.
ht
Explain why backups are so necessary, both to protect data and as forensic evidence
rig
Explain what they can do to ease backup administration (save user files only in a specific
directory, notify the administrator if an update is applied so that a full backup can be
ull
made, etc)
Backup before installing any major software packages or updates
f
Why not to cancel the regularly scheduled backups
ns
If something
Key goes
fingerprint = AF19wrong with 998D
FA27 2F94 the scheduled
FDB5 DE3D backups, notify
F8B5 06E4 A169the4E46
administrator
tai
immediately
re
Other Good Practices
or
th
Don't leave your laptop logged on without setting a screen saver password AND using
the hardware lock Au
Don't circumvent any of the established security practices
Have the user review RFC2504 - http://www.faqs.org/rfcs/rfc2504.html
2,
Make sure the user has a copy of your laptop security policy, and make sure you have a
00
signed copy from them showing that they understand the policy, and agree to comply
-2
with the terms.

00
Conclusion
20
While perfect laptop security can never be achieved, there are steps which can be taken to
te
minimize the risks faced when connecting to the internet, as well as those faced when
tu
using a portable, easy-to-steal computer. These steps include disabling unused services,
setting login and password policies, and employing strategies to help defend against
sti
attacks, as well as using the hacker's own tools to do a vulnerability assessment. The
In
single most important part of any security plan, however, is user education. Explain to
your users the threats, and what they can do to help. This can help turn your single most
NS
dangerous security risk into an asset.

SA
©
24
Checklist - Securing a Debian Linux Laptop for Road Warriors
Laptop prepared for __________________________________
Laptop prepared by __________________________________
Date _________
s.
ht
Choosing the Right Laptop
rig
Laptop chosen supports the following:
ull
____ BIOS poweron password
____ BIOS supervisor password
f
ns
____ Hard drive password
Key
____fingerprint = AF19
Security screw forFA27
hard 2F94
drive 998D FDB5
if drive DE3D F8B5
is externally 06E4 A169 4E46
removable
tai
____ Hardware lock - Kennsington-type or motion-sensitive (preferred)
re
____ IMPORTANT - make sure that all of the above passwords and locks are set and
or
used!
th
_________ Laptop Manufacturer
_________ Laptop Model Number
Au
_________ Laptop Serial Number
2,
00
Operating System Installation

-2
____ Make sure laptop is not connected to the network during installation
00
____ Document partition scheme:

20
Run the following commands and report the output here:

# fdisk /dev/hda
te
Using /dev/hda as default device!

tu
Command (m for help): p

sti
In
NS
SA
©
____ Enable MD5 passwords

Key
____fingerprint = AF19
Install shadow FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
passwords
____ Set root password
25
____ Create user and admin accounts
Package Selection
Remove the following packages:
s.
ht
____ telnet & telnetd - Secure Shell will be used for remote access by admin only
rig
____ finger & fingerd - numerous known security vulnerabilities
____ nfs-common & nfs-server - numerous known security vulnerabilities
ull
____ talk & talkd - not necessary, known security vulnerabilities
____ ftpd - unnecessary, numerous known security vulnerabilities
f
ns
Add fingerprint
Key the following packages:
tai
re
____ acct - GNU accounting utilities for login and process accounting
____ sudo - enable users to execute a command as another user
or
____ syslog-ng - provides advanced system logging
th
____ logcheck - looks for anomalies in the system logs and emails them to admin
____ ampd - improved power management for laptopsAu
____ makepasswd - used to generate true random passwords using /dev/random
2,
You will most likely have to add other packages as necessary depending on the user's
00
needs. If the applications that come with the distribution are not the latest version, obtain
-2
and install the latest versions. Document the applications added and the version numbers
here:
00
20
te
tu
sti
In
NS
SA
Kernel
©
If the latest version of Debian uses an outdated kernel, backup your kernel, obtain the
latest kernel and recompile. Document the kernel version here: ____________
Disabling Network Services

____ Disable inetd (either from linuxconf or by commenting out /etc/inetd.conf)
26
____ Disable /etc/init.d/portmap script by commenting out
____ Set default boot mode to text (startx from the command prompt to start Xwindow)
____ Remove the following binaries entirely from /usr/bin: rcp rgrep rjoe rlogin rpcgen
rpcclient rsh rstart rstartd rpcinfo
s.
LILO
ht
rig
____ Password protect LILO by editing the /etc/lilo.conf or from linuxconf
____ Chmod /etc/lilo.conf to 0600
ull
Password and Login Policies
f
ns
____fingerprint
Key Set up banner message
= AF19 FA27 to display
2F94 998DforFDB5
all logins
DE3D F8B5 06E4 A169 4E46
tai
Edit the /etc/login.defs file to enable the following (these are recommended settings - set
re
these as appropriate for your environment):
____ SULOG_FILE /var/log/sulog
or
____ ISSUE_FILE /etc/issue
th
____ UMASK 077
____ PASS_MAX_DAYS 60 Au
____ PASS_MIN_LEN 6
____ PASS_WARN_DAYS 5
2,
____ Or set password to expire using passwd or chage - document max days here ____
00
____ Remove unnecessary users from the system

-2
____ Edit /etc/security/access.conf to restrict all root logins except from LOCAL and
console logins except from root or admin
00
20
NTP
te
____ Install and configure ntp client to connect to an internal ntp server
tu
Logging
sti
In
____ Review syslog-ng settings and logrotate settings, add email address to
/etc/logrotate.d/syslog-ng (if any changes are made to settings, attach a document
NS
detailing the changes to this checklist)

SA
Remote System Administration, File Access (Copy and Transfer) and Email using
Secure Shell
©
____ Install Secure Shell

____ Configure sshd2 to startup on boot
____ Set up public key authentication
____fingerprint
Key Configure= Local
AF19tunnels in /etc/ssh2/ssh2_config
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
____ Tighten up access to the Secure Shell daemon in /etc/ssh2/sshd2_config
27
Email and File Confidentiality
____ Install and configure pgp - encourage users to use it for file and email encryption
____ If using StarOffice, install pgp plug-in
s.
ht
'Defensive' Security Measures
rig
____ Install TCP Wrappers
ull
____ configure /etc/hosts.deny for ALL:ALL
____ configure /etc/hosts.allow for sshd2 and sshdfwd-X11 for the internal domain only
f
____ Configure IPChains as a packet firewall to filter outbound and inbound traffic.
ns
Attach
Key a copy of= the
fingerprint script
AF19 FA27used to this
2F94 998Ddocument
FDB5 DE3D F8B5 06E4 A169 4E46
tai
____ Install PortSentry
re
____ configure PortSentry to kill the route to scanning hosts
____ Install Tripwire LAST
or
____ Build a tripwire database
th
____ Store Tripwire database on non-changeable media
____ Configure apt-get for updating Debian Au
____ Setup apt-get to run weekly from a cron job
____ Subscribe to Debian Security Lists and SANS Security Digests
2,
____ Develop and deploy a backup plan. Attach a copy of the backup plan to this
00
document.
-2
'Offensive' Security Measures

00
20
____ Run nmap against the laptop. Turn off any remaining unnecessary services.
____ Run one or more vulnerability scanners against the laptop. Review the results and
te
correct any open issues. Rerun the scanner. Review the results again to ensure all
tu
vulnerabilities were addressed.

____ Run a password cracking program against the /etc/shadow file. If any passwords
sti
were recovered, regenerate the password using makepasswd and rerun the password
In
cracking program.
NS
User Education
SA
____ Educate the user on why security policies are in place, and what the security
policies are, and what they can do to minimize exposure.
©
____ Have the user sign the security policy, demonstrating understanding and
acceptance
____________________________ Your Signature, attesting to having completed the

stepsfingerprint
Key listed above
__________ Date
28
Appendix A
The Missing Link(s)
s.
Log Checkers / Scanners
ht
rig
Log Scanner
ftp://logscanner.tradeservices.com/pub/logscanner/
ull
Logsurfer
http://www.cert.dfn.de/eng/logsurf/
f
Logstats
ns
http://www.cise.ufl.edu/~jfh/jst/
tai
Swatch
http://www.stanford.edu/~atkins/swatch/
re
WOTS
or
http://www.tony-curtis.cwc.net/tools/
Psionic Logcheck
th
http://www.psionic.com/
Au
Port Scanners / Scan Detectors
2,
00
Psionic PortSentry
-2
http://www.psionic.com/
Nmap
00
http://www.insecure.org/nmap/
Astaro
20
http://www.astaro.com
te
Iplog
http://ojnk.sourceforge.net/
tu
Scan Detect
sti
http://sdetect.sourceforge.net/
In
Security Scanners
NS
BASS
SA
http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz
Nessus
©
http://www.nessus.org/index.html
SAINT
http://www.wwdsi.com/saint/
Sara
http://www-arc.com/sara/index.shtml
SATAN
http://www.porcupine.org/satan/
29
Tara
http://www-arc.com/tara/
Firewall / VPN Solutions
s.
FireDog
ht
http://northernlightsgroup.hypermart.net/firewalls.htm
rig
RCF
http://rcf.mvlan.net/
ull
Astaro
http://www.astaro.com/products/index.html
f
FreeSWAN Linux (IPSec)
ns
http://www.freeswan.org/
tai
re
Password Utilities
or
Automated Password Generator
th
http://www.adel.nursat.kz/apg/
John the Ripper Au
http://www.openwall.com/john/
Npasswd
2,
http://www.utexas.edu/cc/unix/software/npasswd/
00
Nutcracker
-2
http://northernlightsgroup.hypermart.net/nutcracker.html
PAM module for checking passwords
00
http://www.openwall.com/passwdqc/
20
Password Cracking Library

http://www.password-crackers.com/pcl.html
te
List of Password Cracking Software

tu
(sorted by application which you want to crack)

http://www.password-crackers.com/crack.html
sti
Another List of Password Cracking Software

In
(not sorted by application you would like to crack)

http://neworder.box.sk/box.php3?gfx=neworder&prj=neworder&key=pwdcrax&txt=Pass
NS
word
SA
Debian Linux Sites

©
Home Page
http://www.debian.org/
Support
http://www.debian.org/support
Installation
Key for Intel
fingerprint = AF19x86FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
http://www.debian.org/releases/stable/i386/install.en.html#contents
30
Compiling a new Kernel
http://www.debian.org/releases/stable/i386/ch-post-install.en.html#s-kernel-baking
Reporting Bugs
http://www.debian.org/Bugs/
Unofficial APT Sources
s.
http://www.internatif.org/bortzmeyer/debian/apt-sources/
ht
rig
Other Interesting Tools and Security Related Sites
ull
SANS
http://www.sans.org
f
Automatic Security
ns
http://www.automaticsecurityunderlinux.com/
tai
Bastille (Redhat focused, but maybe they'll get to Debian soon)
re
http://bastille-linux.sourceforge.net/
Linux Tools for Toshiba Laptops
or
http://www.buzzard.org.uk/toshiba/
th
Practical Unix Security in a Networked Environment
http://www.shmoo.com/wp/pract/ Au
Secure Communication with GnuPG on Linux
http://linux.com/sysadmin/newsitem.phtml?sid=113&aid=11408
2,
LILO Security Tips

00
http://linux.com/security/newsitem.phtml?sid=11&aid=8252
-2
00
20
te
tu
sti
In
NS
SA
©
31
Appendix B
SSH2 Quick Setup Reference Guide
s.
Updated March 28, 2001
ht
Table of Contents
rig
1. About this Document
ull
2. About Secure Shell
f
3. Licensing Questions Answered
ns
4. Installation
tai
5. Setup for Special Circumstances
6. File Names and Locations
re
7. Authentication Methods
or
8. Configuration
9. Why NOT to use SSH1 and SSH1 Compatibility
th
10. Troubleshooting
11. Where to find help Au
2,
1. About this Document
00
This document is designed to assist administrators by explaining some of the uses and
-2
possibilities of SSH Secure Shell, by giving the sequence in which options should be
configured, and by providing a reference for where to find additional information.
00
20
This document provides background information and gives links to specific instructions
which are available on the web. This document will not reinvent the wheel: where
te
information is already available from the Administrator's Guide, you will be linked to the
tu
online Administrator's Guide. This is mostly for administrative purposes: updating

sti
multiple sources with the same information is tedious and error prone, and because online
In
sources can be updated and edited in a much more timely fashion, enabling us to ensure
that you get the most correct and up-to-date information possible.
NS
Although this document may reference Windows versions of the software, it is intended
SA
as a guide only for Unix and Linux operating systems.

©
2. About Secure Shell
From http://www.ssh.com/products/ssh/ :
"SSH Secure Shell is the de facto standard for remote logins, with an estimated three
million users in 80 countries. It solves the most important security problem on the
Internet: hackers stealing passwords. Typical applications include remote system
32
administration, file transfers, and access to corporate resources over the Internet.
SSH Secure Shell is intended as a complete replacement for ftp, telnet, rlogin, rsh, and
rcp. It has additional functionality that Berkeley Services don't include: file transfer, X11
forwarding, and TCP/IP port forwarding.
s.
ht
SSH Secure Shell is based on the SSH2 protocol. The secsh protocol is currently
rig
standardized by IETF and the standards process is in draft stage. You can find the current
versions of the drafts at http://www.ietf.org/ID.html "
ull
3. Licensing Questions Answered
f
ns
So, you'
Key v e read=the
fingerprint license
AF19 FA27that comes
2F94 with
998D SSHDE3D
FDB5 SecureF8B5
Shell,06E4
and A169
you are confused: can
4E46
tai
you legally use SSH Secure Shell? Are you required to purchase a license?
re
The Required Caveat: This is a summary and simplification of the license terms intended
or
to help explain them; please see the actual license file for the legal, binding terms and
th
conditions. This information is provided as a courtesy and is not intended to replace the
LICENSE file that comes with the distribution. This information specifically does NOT
Au
apply to SSH Secure Shell for Windows Servers.
2,
SSH Communications Security classifies licenses in two categories: commercial and non-
00
commercial (which includes personal use and educational use).

-2
Commercial licenses cover using the software in a business environment, usually for
00
work for which you will be paid (educational institution employees excepted from this
20
definition).
te
Non-commercial licenses cover those using the software for home or personal use, or as
tu
an agent or user of any educational institution.

sti
There are also two versions of the software: commercial and non-commercial. The main
In
differences in the code include text labels to enable identification of which version is
being used, some license checks for the Windows software, and additional binaries
NS
available for the commercial software which are not distributed freely.
SA
SSH Communications Security does not require payment for non-commercial licenses.
©
Use of SSH Secure Shell on Linux, NetBSD, OpenBSD, and FreeBSD operating systems
is available under a non-commercial license.
IMPORTANT: Please be aware that although SSH Communications Security will gladly
accept
Key bug reports
fingerprint and FA27
= AF19 feature2F94
requests,
998Dsupport for installation
FDB5 DE3D F8B5 06E4 and configuration
A169 4E46 is not
provided if you are using the non-commercial license. See section 10 for information on
33
where to obtain assistance with the non-commercial software.
4. Installation
If you are using the non-commercial version of the software, you have the choice of
s.
source for Unix / Linux, while binaries are available for Redhat, SuSe, and Windows
ht
client software.
rig
Installation Instructions:
ull
Installation instructions are well documented in the SSH Secure Shell for Unix
f
Administrators Guide.
ns
tai
SSH Secure Shell for Unix Servers Administrator's Guide
re
http://www.ssh.com/products/ssh/administrator24
or
Please see this location for standard installation instructions for both binaries and source
th
code.
Au
Following are the standard source code installation instructions.
2,
After unpacking the source code, change to the source directory and do the following:
00
-2
$ ./configure
$ make
00
# make install
20
5. Setup for Special Circumstances

te
tu
There are some specific functionality or compatibility options which are not available
through a standard install, and all of them require you to compile the source code. You
sti
can type ./configure --help from the source directory to list all options available at
In
compile time. This section gives the configure options for the most common special
setup situations. This section is intended to provide a starting point for compilation -
NS
once compiled, please see the Administrator's Guide for full instructions on setting up
these features.
SA
a) Chroot functionality for sftp

©
b) Kerberos support
c) PAM support
d) RSA SecurID support
e) TCP Wrappers support
a) Setting up chroot functionality for sftp:
34
IMPORTANT !!! PLEASE NOTE: This feature is only supported on Linux, AIX and
Tru64, and is known to not work on Solaris or HP-UX. A chrooted environment can be
established only if static builds can be made as then no shared libraries are used.
s.
$ ./configure --enable-static
ht
$ make
rig
# make install
ull
There are additional steps that must be taken to complete the set up. Please see the
online Secure Shell for Unix Servers Administrator's Guide at (the URL was split into
f
two lines for typographical purposes):
ns
http://www.ssh.com/products/ssh/administrator24/Using_Chroot_Manager__ssh-
tai
chrootmgr_.html
re
b) To set up Secure Shell with Kerberos support:
or
th
You must already have Kerberos setup on the machine prior to compiling Secure Shell
with Kerberos support. Secure Shell will detect if you have Kerberos5 installed. If for
Au
some reason Kerberos5 is not found, you can specify the location as follows:
2,
$ ./configure --with-kerberos5=[KRB_PREFIX]
00
$ make
-2
# make install
00
There are additional steps that must be taken to complete the setup. Please see the online
20
Secure Shell for Unix Servers Administrator's Guide at:

http://www.ssh.com/products/ssh/administrator24/Kerberos_Authentication.html
te
tu
c) To set up Secure Shell with PAM support:

sti
No special options are required during the compile to enable PAM support, but this
In
feature is not available from binaries. A standard install will work (from the ssh source
directory):
NS
$ ./configure
SA
$ make
# make install
©
Secure Shell for Unix Servers Administrator's Guide at (the URL was split into two lines
for typographical purposes):
http://www.ssh.com/products/ssh/administrator24/Pluggable_Authentication_Modules__
PAM_.html
35
d) To set up Secure Shell with RSA SecurID support:
From the ssh source directory:
s.
$ ./configure --with-serversecurid=/PATH --with-clientsecurid
ht
$ make
rig
# make install
ull
Replace /PATH with the absolute PATH to the directory containing the
following files:
f
ns
sdclient.a
tai
sdacmvls.h
re
sdconf.h
sdi_authd.h
or
sdi_size.h
th
sdi_type.h
sdi_defs.h Au
The above files are normally in /top/ace/examples
2,
00
Note: If you do not want to make the compilation as root, make sure that all the above
-2
files are readable.

00
20
Secure Shell for Unix Servers Administrator's Guide at:

http://www.ssh.com/products/ssh/administrator24/SecurID.html
te
tu
To enable TCP Wrappers support within Secure Shell:

sti
$ ./configure --with-libwrap=/path/to/libwrap.a
In
$ make
# make install
NS
The typical approach is to set up /etc/hosts.deny to refuse everyone, and /etc/hosts.allow

SA
to only allow in trusted hosts as follows:

©
/etc/hosts.deny
ALL:ALL
/etc/hosts.allow
sshd2:.ssh.com
Key foo.bar.fi
sshdfwd-X11:.ssh.com foo.bar.fi
36
Secure Shell will now use these files to filter access. Based on the files above, users
coming from any host in the ssh.com domain or from the host foo.bar.fi are allowed
access, while anyone else is denied access. See the documentation for TCP Wrappers for
more information on the /etc/hosts.allow and /etc/hosts.deny files and their format.
s.
ht
6. Secure Shell File Names and Locations
rig
The server configuration file is located in the /etc/ssh2 directory and is named
ull
sshd2_config .
f
The server binary is located in the /usr/local/sbin directory and is named sshd2 .
ns
tai
The system client configuration file is located in the /etc/ssh2 directory and is named
re
ssh2_config .
or
The client binaries are located in the /usr/local/bin directory and consist of the following
th
files: ssh2, scp2, sftp2, sftp-server2, ssh-add2, ssh-agent2, [ssh-askpass2], ssh-chrootmgr,
ssh-keygen2, [ssh-pam-client], ssh-probe2, ssh-pubkeymgr, ssh-signer2
Au
[The bracketed files exist only in some configurations.]
2,
The optional user-specific configuration file is located in the $HOME/.ssh2 directory,

00
and is named ssh2_config

-2
Each system's own host keypair is located in the /etc/ssh2 directory, and consists of the
00
following files: hostkey, hostkey.pub

20
When each user connects to a server for the first time, they are asked if they would like to
te
accept the server's public host key. These keys are stored in the $HOME/.ssh2/hostkeys
tu
directory. The user will have a separate key for each machine they have connected to.
sti
Please see the appropriate man pages for more information on each of the binaries and
In
configuration files. Files which are specific to authentication are discussed in the
Secure Shell for Unix Servers Administrator's Guide:
NS
http://www.ssh.com/products/ssh/administrator24/ under the setup instructions for the

authentication.
SA
7. Authentication Methods
©
Secure Shell has many different authentication methods. The choice of which
authentication method(s) to use depends on your environment, your network's setup, and
sometimes, what you are trying to accomplish with Secure Shell.
Following are brief descriptions of the different authentication methods supported by
37
Secure Shell. For setup instructions on each of these, please see the online Secure Shell
for Unix Servers Administrator's Guide at :
http://www.ssh.com/products/ssh/administrator24/
Password
s.
ht
Password authentication is the default authentication method, and is already setup when
rig
Secure Shell is installed. Password authentication can use either the /etc/passwd file or
the /etc/shadow file. This authentication method almost always requires user interaction.
ull
User Public Key
f
ns
Userfingerprint
Key Public Key= authentication
AF19 FA27 2F94 must be setup
998D FDB5onDE3D
a per-user
F8B5basis. Each user
06E4 A169 4E46generates a
tai
public keypair, copies the public key of the keypair over to the server to their ~/.ssh2
re
directory on the server, and then may need to edit the /etc/ssh2/ssh2_config file on the
client to add publickey to the AllowedAuthentications line. The system administrator of
or
the server may also need to edit the /etc/ssh2/sshd2_config file. An identification file on
th
the client, and an authorization file on the server also need to be created. Once that is
done, each user authenticates to the server by providing the passphrase they selected
Au
when generating the keypair. Users can also use ssh-agent2 and ssh-add2 to store their
identities in memory so that they do not have to repeatedly type their passphrase. When
2,
ssh-agent2 and ssh-add2 are used, public key authentication can be used for non-
00
interactive logins if the identities are already stored in the ssh-agent2.

-2
Hostbased Authentication
00
20
Hostbased authentication uses the client machine's public hostkey to authenticate the user
to the server. Hostbased authentication requires copying the client's hostkey over to the
te
server, editing both the client's /etc/ssh2/ssh2_config and the server's /etc/sshd2_config,
tu
and creating a .shosts file in the user's home directory on the server. Hostbased
authentication, once set up, can be completely non-interactive - this is the easiest
sti
authentication method to use for scripting and automation of tasks (such as backups run
In
through cron jobs).

NS
PAM
SA
Pluggable Authentication Module support has been added to Secure Shell for Unix as of
version 2.4. PAM support means that many other forms of authentication, such as
©
RADIUS, can also be used with Secure Shell via plug-ins for PAM. Setting up PAM
requires compiling the source code, some edits to the Secure Shell server and client
config files, and edits to the PAM config file.
Kerberos
38
Kerberos authentication is also available for Secure Shell. Setup may require compiling
the source code and changing the Secure Shell server and client config files. Kerberos is
mainly used in educational institutions.
RSA SecurID
s.
ht
RSA SecurID support was added to Secure Shell as of version 2.4. SecurID support will
rig
require compiling the source code, as well as various other setup procedures. SecurID
support adds a strong One-Time-Password authentication method to Secure Shell.
ull
8. Configuration
f
ns
The fingerprint
Key purpose of=this
AF19section
FA27is2F94
to explain some DE3D
998D FDB5 of the F8B5
options available
06E4 for configuring
A169 4E46
tai
Secure Shell to suit your environment. For specific instructions on how to set up some of
re
these options, please see the online Secure Shell for Unix Servers Administrator's Guide
at:
or
th
You can also check the man pages for the config files, man ssh2_config and man
sshd2_config, as well as the man pages on the commands themselves for further
Au
information.
2,
Client and Server Configuration Options

00
-2
The following options are available in both the client config file,
/etc/ssh2/ssh2_config, and in the server config file, /etc/ssh2/sshd2_config.
00
20
AllowedAuthentications
te
This option is used to specify which authentication method(s) you would like to allow.
tu
Order is important here - the methods are attempted in the order in which they are listed.
Please see the man page for the config file for descriptions of the values permitted.
sti
In
Ciphers
NS
Ciphers is where the cipher can be specified that you would like to use to encrypt the
connection. Please see the man page for the config file for descriptions of the values
SA
permitted.
©
MACs
MACs is where you can specify the message authentication code used. Please see the
man page for the config file for descriptions of the values permitted.
Server Only Configuration Options
39
The following options are only available in the server config file, /etc/ssh2/sshd2_config.
RequiredAuthentications
s.
RequiredAuthentications defines which authentication methods are required before a
ht
connection is permitted. This works in conjunction with AllowedAuthentications. Please
rig
see the man page for the config file for descriptions of the values permitted.
ull
AllowGroups, AllowHosts, AllowShosts, AllowUsers, DenyGroups, DenyHosts,
DenyShosts, DenyUsers, AllowTcpForwarding, AllowTcpForwardingForUsers,
f
AllowTcpForwardingForGroups, DenyTcpForwarding, DenyTcpForwardingForUsers,
ns
DenyTcpForwardingForGroups
tai
re
These can all be used to filter access to the sshd2 daemon and to filter TCP forwarding
access in a fashion similar to TCP Wrappers. Please see the man page for the config file
or
for descriptions of the values permitted.
th
BannerMessageFile Au
BannerMessageFile specifies the path to the message sent to the client before
2,
authentication. The default is /etc/ssh2/ssh_banner_message , but you can change this to

00
/etc/issue or /etc/issue.net if you already have that set up.

-2
PermitRootLogin
00
20
PermitRootLogin is where you can chose to accept or deny remote root logins to Secure
Shell. You can also chose nopwd, which means that only a user who has set up non-
te
password authentication (such as hostbased or public key) between their username (user
tu
or root) on the client, and root on the server can login.

sti
9. Why NOT to use SSH1 and SSH1 Compatibility

In
SSH Communications Security officially deprecated the SSH1 software as of January

NS
2001 due to various security issues with the software and protocol.
SA
From http://www.ssh.com/products/ssh/cert/deprecation.html :
©
"SSH Communications Security considers the SSH1 protocol deprecated and does not
recommend the use of it.
As of 1 May 2001, SSH Secure Shell 1.x will no longer be available from this site. Please
modify
Key your product
fingerprint plans
= AF19 FA27accordingly.
2F94 998DThe SSH2
FDB5 protocol
DE3D F8B5is06E4
in theA169
process
4E46of becoming
an IETF standard and is not subject to the security vulnerabilities found in SSH1.
40
Therefore, we will continue to focus on the newer SSH2 protocol as we offer, update,
upgrade and maintain SSH Secure Shell 2.x (and higher) of the software. If you have any
questions, please contact your SSH representative. "
Other sites which contain information related to the security problems with SSH1 :
s.
ht
http://www.ssh.com/products/ssh/cert/
rig
http://www.cert.org/ (simply type ssh or ssh1 in the search there)
http://www.sans.org
ull
10. Troubleshooting
f
ns
Troubleshooting
Key fingerprint = procedures
AF19 FA27vary
2F94depending
998D FDB5on what
DE3Dtype of 06E4
F8B5 problem you4E46
A169 are attempting
tai
to resolve. The most common problems are broken down into the following categories:
re
Installation
or
Configuration
th
Connection / Authentication
File Copy and Transfer Issues Au
For almost all troubleshooting (installation excepted, of course), your first step should be
2,
to start the server in verbose mode, then try connect with the client running in verbose
00
mode. This will give you more information on what is happening before you continue
-2
with resolving the problem. Redirect the output of both commands to a text file for later
viewing.
00
20
Client:
$ ssh2 -v server_name > ssh2_output 2>&1
te
tu
Server:
# kill -9 `cat /var/run/sshd2_22.pid`
sti
# sshd2 -v > sshd2_output 2>&1

In
Note that the sshd2 daemon will only accept one connection when running in verbose
NS
mode, then will die and must be restarted.

SA
Installation
©
When troubleshooting installation problems, you will need to check the following:
• DO YOU HAVE THE LATEST VERSION OF SECURE SHELL? Often we find

that many people having installation problems have an older copy of the software and
Keyare
fingerprint
running =into
AF19 FA27
issues 2F94
that 998D
have beenFDB5 DE3D
resolved F8B5
in the 06E4
latest A169 of
version 4E46
Secure Shell.
Please check ftp://ftp.ssh.com/pub/ssh for the latest version number and ensure that
41
you are using it.
• Are your platform and operating system supported?
• If installing via source code, are you using the correct compiler? See
http://www.ssh.com/products/ssh/portability.html to help answer these questions.
• Are you installing via binary or source code? Are you following the
s.
corresponding installation instructions?
ht
• Have you checked the README for installation instructions for source code or
rig
binaries? See http://www.ssh.com/products/ssh/administrator24/ for complete
installation instructions.
ull
• Are you having trouble getting a specific option to compile in? Have you
f
checked ./configure --help for more information on which compile-time options
ns
are available and their format?
Key•fingerprint = AF19 areFA27
only2F94 998Dvia
FDB5 DE3D
codeF8B5
- have06E4 A169 4E46
tai
Some options available source you checked to ensure that
the option you are trying to use is available with your chosen installation method?
re
Check the online Secure Shell for Unix Servers Administrator's Guide at:
or
th
Configuration
Au
• If the configuration you are attempting to setup requires special installation-time
2,
instructions, are you sure they were completed? If installed via source code,
00
check the source directory for the config.status to see what options were enabled
at compile-time.
-2
• Have you checked the config file on the server, /etc/ssh2/sshd2_config and the
system-wide config file on the client, /etc/ssh2/ssh2_config, as well as any user-
00
specific client config files, which are located in the user's home directory,
20
~/.ssh2/ssh2_config to ensure that all config files have the option you are trying to
configure enabled (if appropriate)? Try man sshd2_config and man ssh2_config
te
for a very good description of what each option in the config files does.
tu
• If you made changes to the server config file, /etc/ssh2/sshd2_config, did you
sti
HUP the sshd2 daemon?

•
In
Have you walked back through the configuration steps to ensure that they were all
completed?
NS
Connection / Authentication
SA
• Have you started the client and server in verbose mode and reviewed the output?
©
This is the best way to discover what is causing Connection / Authentication

problems.
• Check the client and server config files to ensure that the authentication method
you are attempting is enabled.
• Did you= compile
Key fingerprint AF19 FA27 Secure
2F94Shell
998Dwith
FDB5support
DE3Dfor TCP06E4
F8B5 Wrappers? If so, did you
A169 4E46
verify that your client is listed in the server's /etc/hosts.allow?
• Was Secure Shell compiled with support for PAM? Check your PAM config file.
42
If the authentication you are attempting involves copying keys over to the server, verify
that the keys were not modified during the copying by checking the fingerprints of both
keys. They should match. See man ssh-keygen2 for more information.
s.
If you are trying to setup hostbased authentication, and the setup looks correct, but you
ht
still are being prompted for a password - check your DNS. Nine times out of ten an
rig
incorrectly setup DNS is why hostbased authentication fails if the setup was done
correctly. If you are unsure if this is the problem, and the verbose output is not helpful,
ull
you may want to run the client and server in a higher debug level by using a command
line option: -d 5 or -d 7 should be sufficient.
f
ns
File Copy
Key / Transfer
fingerprint Issues
tai
re
If ssh2 works but scp2 or sftp2 is failing, you may want to check your PATH. Make sure
that /usr/local/bin is in the path for the user trying to copy files over. If the problem is
or
sftp2 and you do not wish to add /usr/local/bin to the PATH, then you can edit the
th
/etc/ssh2/sshd2_config file on the server to add the full path to the sftp-server at the
bottom. So, Au
subsystem-sftp sftp-server
2,
00
should change to
-2
subsystem-sftp /usr/local/bin/sftp-server
00
20
Remember to HUP the daemon after changing the config file.

te
11. Where to Find Help with Secure Shell

tu
While the software is free to use, and non-commercial users of Secure Shell are welcome
sti
to submit bug reports and feature requests, non-commercial users are not entitled to
In
support from SSH Communications Security. The good news is that Secure Shell has
been around since 1995, and there are many users in the open-source community who are
NS
already very familiar with Secure Shell, and many web sites containing information about
Secure Shell.
SA
Web resources for all users:

©
Cryptography A-Z
http://www.ssh.com/tech/crypto/
SSH Secure Shell for Unix Servers Administrator's Guide:
IETF secsh drafts:
43
http://www.ssh.com/tech/archive/secsh.html
List of Supported Platforms for SSH Secure Shell:
http://www.ipsec.com/products/ssh/portability.html
FTP site for non-commercial downloads:
ftp://ftp.ssh.com/pub/ssh
s.
Note: the following three links are for submissions only - you will not receive a response
ht
to emails sent using these forms.
rig
Compilation Success / Failure Reports:
http://www.ssh.com/tech/ssh_query.html/
ull
Bug Reports:
http://www.ssh.com/support/toolkits/bug-report.html
f
Feature Requests:
ns
http://www.ssh.com/support/toolkits/feature-request.html
tai
re
Non-SSH Communications Security web sites
or
There are numerous web sites out there about Secure Shell, but many of them are SSH1
th
specific. Here are a few that are SSH2 or both:
Au
Archives of the old Secure Shell public mailing list (ssh@clinet.fi):
http://www.mail-archive.com/ssh@clinet.fi/
2,
The Secure Shell FAQ:

00
http://www.employees.org/~satch/ssh/faq/
-2
The Secure Shell secsh IETF working group:

http://www.ietf.org/html.charters/secsh-charter.html
00
20
If you are a non-commercial user and you require assistance, please check the mailing list
archives (listed above) first. If you are not able to find an answer to your problem, you
te
can send a message to the Secure Shell mailing list:

tu
ssh@clinet.fi
sti
In
There are many helpful people on the list who are very knowledgeable about Secure
Shell, including some of the Secure Shell developers from SSH.
NS
SA
©
44
Appendix C
Setting up Public Key Authentication for Secure Shell
Secure Shell Generated Keys
s.
ht
1.Ensure that on the client, the /etc/ssh2/ssh2_config file contains the line:
rig
AllowedAuthentications publickey, password, hostbased
full
2.Create a keypair on the client using the ssh-keygen2 command:
ns
$ ssh-keygen2
tai
re
You will be asked to enter a passphrase twice. Please choose a passphrase that is difficult
to guess - spaces and special characters are OK. This will create a public key (.pub) and a
or
private key (no extension). The default file names are id_dsa_1024_a.pub and
th
id_dsa_1024_a (both assuming you don't change the filenames or key size, and this is the
first keypair you have generated). Au
3.Copy the public key to the server, to the ~/.ssh2 directory for the user.
2,
00
4.On the client, in the ~/.ssh2 directory for the user, make sure there is an identification
-2
file that contains the following:

00
idkey id_dsa_1024_a
20
or whatever your private key's filename is.

te
tu
5.Ensure that on the server, the /etc/ssh2/sshd2_config file contains the line:
sti
AllowedAuthentications publickey, password, hostbased

In
NS
6.On the server, in the ~/.ssh2 directory for the user, make sure there is an authorization
file that contains the following:
SA
key id_dsa_1024_a.pub
©
or whatever your public key's filename is.
That should be all you need to do to set up public key authentication for Secure Shell. If
you have problems, start both the client and server in verbose mode (-v) to see what is
Key fingerprint
happening when= the
AF19 FA27 2F94
connection 998D FDB5 DE3D F8B5 06E4 A169 4E46
is attempted.
45
PGP Keys
SSH Secure Shell only supports the OpenPGP standard and the PGP programs that use it.
GnuPG is used in the following instructions. If you use PGP, the only difference is that
the file extension is pgp instead of gpg.
s.
ht
1.Copy your private keyring (secring.gpg) to the ~/.ssh2 directory on the client.
rig
2.Create an identification file in your ~/.ssh2 directory on the client if you don't
already have one. Add any ONE of the following lines to the identification file:
ull
PgpSecretKeyFile <the filename of the user's private keyring>
f
IdPgpKeyName <the name of the OpenPGP key in PgpSecretKeyFile>
ns
IdPgpKeyFingerprint
Key fingerprint = AF19<the
FA27fingerprint
2F94 998Dof the OpenPGP
FDB5 key in06E4
DE3D F8B5 PgpSecretKeyFile>
A169 4E46
tai
IdPgpKeyId <the id of the OpenPGP key in PgpSecretKeyFile>
re
3.Copy your public keyring (pubring.gpg) to the .ssh2 sub-directory in the user's home
or
directory on the server:
th
scp2 pubring.gpg user@server:/home/user_name/.ssh2/
Au
4.Create an authorization file in your .ssh2 sub-directory in the user's home directory on
2,
the server. Add any ONE of the following lines to the authorization file:
00
-2
PgpPublicKeyFile <the filename of the user's public keyring>

PgpKeyName <the name of the OpenPGP key>
00
PgpKeyFingerprint <the fingerprint the OpenPGP key>

PgpKeyId <the id of the OpenPGP key>
20
te
Now you should be able to login to the server from the client using public key
tu
authentication.
sti
Try to login:
In
client>ssh server_name
NS
Passphrase for pgp key "user (comment)<user@client>":

SA
Enter your passphrase for the key. A Secure Shell connection will be established.
©
46

Securing A Debian Linux Laptop For Road Warriors

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Securing A Debian Linux Laptop For Road Warriors

Transféré par

Droits d'auteur :

Formats disponibles

s.

Debian Linux Laptop

Tightening up Access to Secure Shell..............................................................................17

Email and File Confidentiality...........................................................................................18

TCP Wrappers ...................................................................................................................18

Packet Firewall - IPChains................................................................................................18

Updating using apt-get ......................................................................................................19

Backup, Backup, Backup..................................................................................................20

Password Cracking Programs...........................................................................................23

Defining the Role of the Computer

how to limit those risks.

which is based on the Linux kernel.

Assessing the Risks

Choosing the Right Laptop

for the following features:

BIOS Power On Password

Most computers have a BIOS power on password. Although on the majority of

Security Screw for the Hard Drive

able to confirm Toshiba's security offerings.

Debian Operating System Installation

Selecting Packages to Install

encrypt plaintext passwords given on the command line

with the latest release of Debian.

Securing Network Services

# nmap -sT -sU 127.0.0.1

513/tcp open login

514/tcp open shell

515/tcp open printer

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

only report the following open ports:

# nmap -sT -sU 127.0.0.1

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

chmod 0600 /etc/lilo.conf

Setting Password and Login Policies

for 5 days prior to expiration.

password will be at least 8characters:

# find / -user username_or_ID -print

To remove a user, use the userdel command:

# addresses, internet network numbers (end with "."), ALL (always

Here are examples of restrictions recommended for this file:

-:ALL EXCEPT admin root :console

Disable remote root logins:

-:root:ALL EXCEPT LOCAL

restrict default nomodify

When choosing to setup syslog-ng at installation-time, Debian very nicely sets up

It is recommend to set up Secure Shell to support TCP Wrappers at a minimum (--with-

for /etc/rc1.d and /etc/rc6.d and

for /etc/rc2.d, /etc/rc3.d, /etc/rc4.d, and /etc/rc5.d

setup tunnels from the command line:

# ssh2 -L 4025:smtp_server:25 user_name@ssh_server

# Tunnels that are set up upon logging in

Note that the arguments must be enclosed in double quotes ""

root in order to access email, but the command is much shorter:

Tightening up Access to Secure Shell

support re-keying, it is a good idea to enable this.

AllowUsers admin, user

Email and File Confidentiality

/etc/hosts.deny and /etc/hosts.allow files should look like this:

Packet Firewall - IPChains

Updating using apt-get

If you only want to upgrade a specific package:

# apt-get -install package_name