Debian Security
This page describes security settings for a Debian Squeeze server system.
SSH server
See SSH Server for setting up a secure SSH server.
Firewall
See Shorewall.
Local mailserver
Many of the following services send notification mails, so it makes sense to send those mails to an external mail account.
See Local mailserver.
System update
The package "cron-apt" performs daily checks for updated packages. By default new packages are only downloaded, not installed.
Installation:
# apt-get install cron-apt
Configure /etc/cron-apt/config:
MAILON="always"
See Debootstrap to configure APT sources, make sure the "security" source is included.
Fail2ban
See Fail2ban.
Checkrootkit
Installation:
# apt-get install chkrootkit
Activate chkrootkit in /etc/chkrootkit.conf:
RUN_DAILY="true"
DIFF_MODE="true"
Test it:
# chkrootkit -q
Rootkit hunter
Installation:
# apt-get install rkhunter
Create /etc/rkhunter.conf.local:
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWDEVFILE=/dev/shm/network/ifstate
ALLOWPROMISCIF=veth0
Test it:
# rkhunter --check
Update database:
# rkhunter --propupd
Tiger
Installation:
# apt-get install tiger
Test:
# tiger
TODO: configure
Logcheck
Installation:
# apt-get install logcheck
Ignore accepted/dropped packages from shorewall, except to SSH
Create /etc/logcheck/ignore.d.server/shorewall:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Shorewall:net2fw:DROP:IN=eth0 .*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Shorewall:net2fw:ACCEPT:IN=eth0 .*$
Create /etc/logcheck/violations.d/shorewall:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Shorewall:net2fw:DROP:IN=eth0 .* DPT=22 .*$
Ignore "Emergency Sync" log entries
Create /etc/logcheck/ignore.d.server/emergency-sync:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? SysRq : Emergency Sync$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Emergency Sync complete$
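The following script is an added example, not part of the original page: it replays the logcheck rules above against a handful of constructed syslog lines using grep -E (the matcher logcheck itself runs), so you can see what lands in the "Security Events" section (violations.d) and what is left for "System Events" after ignore.d.server has been applied, before installing the files. Hostnames, addresses, timestamps and the eth1 line are made up; it assumes GNU grep, which understands the \w shorthand used in the Debian logcheck rules.

```shell
#!/bin/sh
# Added example: dry-run of the logcheck rules from this page against
# constructed sample lines. Not from the original page or from logcheck.

# Kernel-timestamp prefix shared by all the rules (optional "[12345.678901]").
PREFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])?'

# /etc/logcheck/ignore.d.server/shorewall
IGNORE_DROP="$PREFIX"' Shorewall:net2fw:DROP:IN=eth0 .*$'
IGNORE_ACCEPT="$PREFIX"' Shorewall:net2fw:ACCEPT:IN=eth0 .*$'
# /etc/logcheck/violations.d/shorewall (dropped packets aimed at SSH)
VIOLATION_SSH="$PREFIX"' Shorewall:net2fw:DROP:IN=eth0 .* DPT=22 .*$'
# /etc/logcheck/ignore.d.server/emergency-sync
IGNORE_SYNC1="$PREFIX"' SysRq : Emergency Sync$'
IGNORE_SYNC2="$PREFIX"' Emergency Sync complete$'

# Constructed sample log (TEST-NET addresses, invented host "srv1").
sample_log() {
    cat <<'EOF'
Jan 12 10:15:01 srv1 kernel: [12345.678901] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=45000 DPT=22 WINDOW=1024
Jan 12 10:15:02 srv1 kernel: [12346.001122] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.6 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 WINDOW=1024
Jan 12 10:15:03 srv1 kernel: [12347.002233] Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 WINDOW=1024
Jan 12 10:15:04 srv1 kernel: [12348.003344] Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Jan 12 10:16:00 srv1 kernel: [12400.000000] SysRq : Emergency Sync
Jan 12 10:16:00 srv1 kernel: [12400.100000] Emergency Sync complete
Jan 12 10:17:01 srv1 CRON[2345]: (root) CMD (test -x /usr/sbin/anacron || run-parts --report /etc/cron.hourly)
EOF
}

# Lines logcheck would report as "Security Events": matches of violations.d.
security_events() {
    sample_log | grep -E -e "$VIOLATION_SSH"
}

# Lines left for "System Events": everything not matched by an ignore.d.server rule.
# Note the eth1 DROP survives because the rules deliberately only cover IN=eth0.
system_events() {
    sample_log | grep -E -v -e "$IGNORE_DROP" -e "$IGNORE_ACCEPT" \
                            -e "$IGNORE_SYNC1" -e "$IGNORE_SYNC2"
}

# Portable line counter (avoids wc's leading whitespace on some platforms).
count_lines() {
    n=0
    while IFS= read -r line; do n=$((n + 1)); done
    echo "$n"
}

echo "== Security Events (violations.d) =="
security_events
echo "== System Events (after ignore.d.server) =="
system_events
```

Running it shows one line under Security Events (the DROP with DPT=22) and two under System Events (the eth1 DROP and the cron line); the DPT=80 DROP, the ACCEPT and both Emergency Sync lines are silently ignored, which is exactly what the three files are meant to achieve.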
Logwatch
Logwatch creates a daily report of activities.
Installation:
# apt-get install logwatch
Include Nginx logs
Logwatch doesn't watch Nginx logfiles by default. As long as Nginx uses the combined log format, the existing Apache HTTPD configuration can be reused for it. Just copy the existing configuration:
# cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/
Then edit /etc/logwatch/conf/logfiles/http.conf and add the following lines at the right position:
LogFile = nginx/*access.log.1
LogFile = nginx/*access.log
Archive = nginx/*access.log.*.gz
Exclude Dovecot deliver logs
To exclude Dovecot's "deliver" log entries copy the existing script:
# cp /usr/share/logwatch/scripts/services/dovecot /etc/logwatch/scripts/services
Then edit /etc/logwatch/scripts/services/dovecot and add the following lines at the right position:
} elsif ( $ThisLine =~ /^dovecot: deliver\(.*\): sieve: msgid=.*: stored mail into mailbox /) {
# We don't care about these
Sources: