Sent: Saturday, November 16, 2024 at 9:18 PM
From: debianmailinglists.hz...@simplelogin.com
To: "debian-secur...@lists.debian.org"
Subject: Securing Debian Manual, Out of Date?
To whom it may concern:
I'm not sure if this is appropriate for the "security" team, or if there is a docum
On Thu, Mar 08, 2012 at 04:46:24PM +0300, Stayvoid wrote:
> Hello.
>
> "Before you install any operating system on your computer, set up a
> BIOS password. After installation (once you have enabled bootup from
> the hard disk) you should go back to the BIOS and change the boot
> sequence to disabl
Read up on iptables.
On Thu, Mar 8, 2012 at 9:24 AM, Stayvoid wrote:
> Hello.
>
> "Implement IP traffic filtering validating the MAC address."
> How to do this?
>
> http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html
>
> Cheers
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ.
Personally, I don't do any automatic updates, however I do run
apticron, which emails me a list every day, including a list of
urgency levels, and a description of each package being upgraded. I
then go through and prioritize my upgrades based on the function of
the server (e.g. if there is a new B
On Thu, Mar 8, 2012 at 15:39, Andrei POPESCU wrote:
> On Jo, 08 mar 12, 17:07:21, Stayvoid wrote:
>> Hello.
>>
>> "This sounds great, but it: only applies to ext2 or ext3 file systems…" [1]
>> What about ext4 (and others)?
>
> You may safely assume ext4 includes any features that ext2 and ext3
> i
On 03/08/2012 04:37 PM, Stayvoid wrote:
The one which suits your needs :p
Could you point me to the guide that actually explains this?
Every guide I read says something like: "do foo because foo is the right way."
It doesn't make any sense.
You're the only one who knows what you need. When you
On Jo, 08 mar 12, 17:25:53, Stayvoid wrote:
> Hello.
>
> "... Give users a restricted shell such as scponly or rssh. These
> shells restrict the commands available to the users so that they are
> not provided any remote execution privileges."
> Is it really necessary?
Do you (plan to) have users
On Jo, 08 mar 12, 17:21:02, Stayvoid wrote:
> Hello.
>
> "There are other role accounts and aliases on your system. On a small
> system, it's probably simplest to make sure that all such aliases
> point to the root account, and that mail to root is forwarded to the
> system administrator's persona
On Jo, 08 mar 12, 17:18:07, Stayvoid wrote:
> Hello.
>
> "Finally, you should consider changing root's default 022 umask (as
> defined in /root/.bashrc) to a more strict umask."
> Which one?
If you understand umask(s) you will know.
Kind regards,
Andrei
--
Offtopic discussions among Debian user
On Jo, 08 mar 12, 17:13:06, Stayvoid wrote:
> Hello.
>
> "Add root and the other users that should be able to su to the root
> user to this group."
> I'll be the only user of the server. Should I create a guest user for
> me? Will it be enough to have a root access?
It is considered good practice
On Jo, 08 mar 12, 17:07:21, Stayvoid wrote:
> Hello.
>
> "This sounds great, but it: only applies to ext2 or ext3 file systems…" [1]
> What about ext4 (and others)?
You may safely assume ext4 includes any features that ext2 and ext3
include.
Kind regards,
Andrei
--
Offtopic discussions among D
On Jo, 08 mar 12, 17:05:40, Stayvoid wrote:
> What can I do to disable keyboard access at all? (I'll use a remote
> connection (SSH).)
Does your VPS have a "keyboard"?
Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/
On Jo, 08 mar 12, 16:55:51, Stayvoid wrote:
> Hello.
>
> "To manually update the system, put the following line in your
> sources.list and you will get security updates automatically, whenever
> you update your system. Replace [CODENAME] with the release codename,
> e.g. squeeze.
>deb http
On Jo, 08 mar 12, 16:54:09, Stayvoid wrote:
> Hello.
>
> "The presence, for example, of development utilities (a C compiler) or
> interpreted languages (such as perl - but see below -, python, tcl...)
> may help an attacker compromise the system…"
> "So, without Perl and, unless you remake these u
On Thu, 08 Mar 2012 23:21:12 +0100, Martin Steigerwald wrote:
> Hi Stayvoid!
> I am overwhelmed by your posting flood.
I'm not. He is already in the bozo bin.
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.de
On Thu, 8 Mar 2012 17:31:14 +0300, Stayvoid wrote in message
:
> Hello.
>
> "FIXME: Talk on how to do a debsums on a stable system with the
> MD5sums on CD and with the recovered file system restored on a
> separate partition."
> How to do it?
>
> http://www.debian.org/doc/manuals/securing-debi
Am Donnerstag, 8. März 2012 schrieb Stayvoid:
> Hello.
Hi Stayvoid,
> "Note that you could introduce the configuration above in the user's
> .profile. But then you would need to setup permissions properly in
> such a way that prevents the user from modifying this file. This
> includes: having the
Hi Stayvoid!
Thanks for what I perceive to be an attempt to help to improve the
securing Debian manual.
Am Donnerstag, 8. März 2012 schrieb Stayvoid:
> Hello.
>
> "Note, however, that there are rootkits which might work even in this
> case, there are some that tamper with /dev/kmem (kernel memo
Probably. ext4 is mature and stable enough that I don't think it makes
sense to use ext3. Unless, of course, some policy dictates or you are
preserving an existing legacy partition, I would go with ext4.
I just rebuilt my workstation and used ext4 for all, and all of the
boxes we are building at w
On Thu, Mar 8, 2012 at 06:13, Stayvoid wrote:
> Hello.
>
> "Violations, such as incorrect passwords or trying to run a program
> you don't have permission for, are logged and mailed to root."
> Where can I check this?
Log in/switch to root and run a mail reader, e.g. Mutt
If you diverted root's
On Thu, Mar 8, 2012 at 07:12, Camaleón wrote:
> On Thu, 08 Mar 2012 16:46:24 +0300, Stayvoid wrote:
>
>> Hello.
>
> (...)
>
> Hi.
>
> Before going any further, would you care to explain what's going on here?
> Were you bitten by a dancing bug or something like that?
>
Agree on that.
Stayvoid, I
On Jo, 08 mar 12, 17:35:38, Stayvoid wrote:
> > You really, really should read
> > http://catb.org/esr/faqs/smart-questions.html first (this applies to all
> > your other questions as well).
> I read it some time ago.
Well, maybe you should read it again. I'm not kidding, I've read it
myself seve
On Thu, 08 Mar 2012 16:46:24 +0300, Stayvoid wrote:
> Hello.
(...)
Hi.
Before going any further, would you care to explain what's going on here?
Were you bitten by a dancing bug or something like that?
Greetings,
--
Camaleón
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.or
> In ten years I've never seen so much of a flood sent to this list.
I'm really sorry for this, but it's not that easy to find.
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive:
http://lists.d
Are you trying to beat some number-of-posts-record?!
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive:
http://lists.debian.org/CAOdo=Sx3vvxCKE+8Wn_Zrc-_nXP0bOrAOkqNw7zQCxq=qhb...@mail.gmail.co
> The one which suits your needs :p
Could you point me to the guide that actually explains this?
Every guide I read says something like: "do foo because foo is the right way."
It doesn't make any sense.
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscr
In ten years I've never seen so much of a flood sent to this list.
Please see the following URL and place each one of your emails in the
magic box.
http://lmgtfy.com
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@
> You really, really should read
> http://catb.org/esr/faqs/smart-questions.html first (this applies to all
> your other questions as well).
I read it some time ago.
Sorry for zillions of questions, but I really want to hear some
thoughts on these topics. The guide is outdated and I hope it'll hel
On Jo, 08 mar 12, 16:49:15, Stayvoid wrote:
>
> What partition scheme is the best for a VPS (MTA + web server)?
The one which suits your needs :p
(SCNR)
You really, really should read
http://catb.org/esr/faqs/smart-questions.html first (this applies to all
your other questions as well).
Kind
"Exercise caution when dealing with security upgrades if you are doing
them over a remote connection like ssh. A suggested procedure for a
security upgrade that involves a service restart is to restart the SSH
daemon and then, inmediately, attempt a new ssh connection without
breaking the previous
On Jo, 26 ian 12, 19:35:46, Stayvoid wrote:
> I knew about it. But I need more information.
You could start by saying what specific points you are missing from it.
Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-co
I knew about it. But I need more information.
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive:
http://lists.debian.org/cak5fs_emuze7_t28gvzy12cbci5euywaw4kjxmbd2wkcet1...@mail.gmail.com
On 26/01/12 16:12, Stayvoid wrote:
Hello there!
I'm going to run my own server (website + MTA).
Here is the chosen solution:
https://www.gandi.net/hosting/vps/dedicated (Debian 6 64 bits without
Gandi AI).
Is it OK?
This is my first attempt to administer a server and I want to be as
secure as p
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Alexander Wasmuth wrote:
> I've also added "Protocol 2" to omit ssh 1 and I set UsePam to no
> because I wasn't able to prohibit password authentication with PAM
> enabled.
I'm currently not planning on using PAM, but I'll disable it anyway -
that way
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Alexander Wasmuth wrote:
> * Jim Hyslop wrote:
>
>> PermitRootLogin no
>> RSAAuthentication no
>> PubkeyAuthentication yes
>> IgnoreRhosts yes
>> RhostsRSAAuthentication no
>> HostbasedAuthentication no
>> PermitEmptyPasswords no
>> ChallengeResponseA
* Jim Hyslop wrote:
> PermitRootLogin no
> RSAAuthentication no
> PubkeyAuthentication yes
> IgnoreRhosts yes
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
> PasswordAuthentication no
> UsePAM yes
> Subsystem sftp /usr/lib/
On Fri, Feb 23, 2007 at 05:05:24PM -0500, Jim Hyslop wrote:
>
> I've set the following options in my sshd_config (these aren't all the
> options, just the ones that appear to me to be relevant to my question):
>
> PermitRootLogin no
> RSAAuthentication no
On my system I have 'RSAAuthentication y
On Friday 23 February 2007 22:05, Jim Hyslop wrote:
> Oh, and when this is all OK, I'll set up port forwarding on my firewall
> to send port 22 to the machine in question.
> C/C++ * OOD * SW Development & Practices * Version Management
Changing the default port number for ssh connections also
Thanks for the help!
-Rick
**
Rick Weinbender wrote:
> I have an email server (qmail running on debian),
> that I need to make as secure as possible.
> Can anyone point me to some good links that
> relate to security?
>
> Has anyone used bastille? What do you think
> of it?
>
> Thanks,
> -Ri
On Thursday 13 November 2003 6:58 am, Johann Spies wrote:
> On Wed, Nov 12, 2003 at 05:31:44PM +, Geoff Thurman wrote:
> > There are a lot of links here:
> >
> > http://www.linuxquestions.org/questions/showthread.php?s=&threadid=
> >45261
> >
> > There was a good piece about security on the sam
On Wed, Nov 12, 2003 at 05:31:44PM +, Geoff Thurman wrote:
> There are a lot of links here:
>
> http://www.linuxquestions.org/questions/showthread.php?s=&threadid=45261
>
> There was a good piece about security on the same site roughly a
> fortnight ago, but I can't find it now. I might post
On Wednesday 12 November 2003 3:54 pm, Benedict Verheyen wrote:
> > I have an email server (qmail running on debian),
> > that I need to make as secure as possible.
> > Can anyone point me to some good links that
> > relate to security?
> >
> > Has anyone used bastille? What do you think
> > of it
> I have an email server (qmail running on debian),
> that I need to make as secure as possible.
> Can anyone point me to some good links that
> relate to security?
>
> Has anyone used bastille? What do you think
> of it?
>
> Thanks,
> -Rick
I used bastille in the past and found it to do
it's job
Hello
Rick Weinbender (<[EMAIL PROTECTED]>) wrote:
> I have an email server (qmail running on debian),
> that I need to make as secure as possible.
> Can anyone point me to some good links that
> relate to security?
You might want to take a look at the securing debian howto that is part
of the h
On Wednesday 12 November 2003 16:19, Rick Weinbender wrote:
> I have an email server (qmail running on debian),
> that I need to make as secure as possible.
> Can anyone point me to some good links that
> relate to security?
Have you read
http://www.debian.org/doc/manuals/securing-debian-howto/
I
On Sun, 10 Nov 2002 18:06:22 -0700
[EMAIL PROTECTED] (Bob Proulx) wrote:
> Joyce, Matthew <[EMAIL PROTECTED]> [2002-11-11 10:03:10 +1100]:
> > To be able to send and receive emails. SMTP
>
> Port 25
Also for ssl.
> > To access email via IMAP and POP3, including ssl.
>
IMAP: 143, IMAP over SSL
Joyce, Matthew <[EMAIL PROTECTED]> [2002-11-11 10:03:10 +1100]:
> At the moment I have to ask for ports to be opened on our networks router,
> and they are not really happy with me going back to them again and again,
> asking for new ports to be opened.
>
> Should I ask for all access control to b
Joyce, Matthew wrote:
Should I ask for all access control to be removed from the ip address
of the
box, and then secure the box within debian, or is it well worth having
that
extra level of security on the router ?
It is worth the security of the router.
Unless you are very very very sure t
On Mon, Nov 11, 2002 at 10:03:10AM +1100, Joyce, Matthew wrote:
>
> Hi,
>
> I work with a network, which is part of a much bigger network. The big
> network is managed by someone else.
>
> I am setting up a debian box, it will eventually do mail and web stuff for
> us.
>
> At the moment I hav
On Tue, May 02, 2000 at 04:23:21AM -0700, Graham Lillico wrote:
> Thanks anyway but I eventually got it to work, seems that the howto is not
> correct and some other packages need to be install for the `new options to
> work correctly.
ah yeah, i have not read it since it was first written but i s
Thanks anyway but I eventually got it to work, seems that the howto is not
correct and some other packages need to be install for the `new options to
work correctly.
Thanks for you help anyway.
Rgards
Graham
On Tue, 2 May 2000 03:18:24 -0800, Ethan Benson wrote:
> On Tue, May 02, 2000 at 03:2
On Tue, May 02, 2000 at 03:22:36AM -0700, Graham Lillico wrote:
> Hi,
>
> I have followed the howto on securing debian but I can not change
> my password i keep getting the message
>
> passwd: Module is unknown
>
> Does anyone know what the problem is, I think it may be a pam pro
On Sun, 26 Apr 1998, Chris wrote:
> Just a point of note:
>
> If your brother has physical access to the machine there is no way you can
> stop him from getting root access.
>
> You can increase the difficulty by setting the bios to only boot from HDD
> and then locking the bios - but if he's
On Sat, 25 Apr 1998, Carl Mummert wrote:
> Chris wrote:
> > > > You might consider installing the `sudo' package and using that for
> > > > all your root access. If you do that, then you can change the
> > > > encrypted root password to * in /etc/shadow (you *are* using shadow
> > > > passwords,
> Since a 4GB hard drive can be had for under $1000.00,
You must not have shopped for drives lately. I bought a 7 gig
drive in January for $320, including sales tax, or about $46 a GB.
This week's paper was advertising drives at around $40 a gig.
Bob
--
_
|_) _ |_ Robert D. Hi
[EMAIL PROTECTED] wrote:
> If you think about it, an 8 character password encodes to 4096 * 13 character
> strings. So a dictionary of say 400,000 common words, names, passwords, and
> simple variations would easily fit on a
> 4GB hard drive. The attacker need only sort them, and then check for mat
I would like to make my Debian box use shadow passwords since it is
allways on the 'Net. Firstly, how do I turn on shadow passwords in debian?
Secondly, will this affect my pppd, proftpd, telnetd, apache or other daemons?
Thanks,
Timothy Hospedales
BTW, I was reading the Shadow-HOWTO and i
> > > You might consider installing the `sudo' package and using that for
> > > all your root access. If you do that, then you can change the
> > > encrypted root password to * in /etc/shadow (you *are* using shadow
> > > passwords, I hope) and thus it becomes impossible to log in as r
Chris wrote:
> > > You might consider installing the `sudo' package and using that for
> > > all your root access. If you do that, then you can change the
> > > encrypted root password to * in /etc/shadow (you *are* using shadow
> > > passwords, I hope) and thus it becomes impossible to log in as
> You can increase the difficulty by setting the bios to only boot from HDD
> and then locking the bios
already done.
>- but if he's smart enough that you have to
> worry about the root password, he's going to know how to reset the bios.
i dont think he'll be able to do that because he dont kno
On Sat, 25 Apr 1998, Alain Toussaint wrote:
> > You might consider installing the `sudo' package and using that for
> > all your root access. If you do that, then you can change the
> > encrypted root password to * in /etc/shadow (you *are* using shadow
> > passwords, I hope) and thus it become
> But you don't have to give root access to your brother. Sudo lets you
> set up access by username, in the /etc/sudoers file. i.e., on my
> system:
>
> # User privilege specification
> root ALL=(ALL) ALL
> blp ALL=(ALL) ALL
>
> So no one but root, blp can take advantage of
this is a no go,i dont want to install this package because i dont want to
give root access to my brother:
Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity. The basic philosophy is to
give
as few privileges as possible
> You might consider installing the `sudo' package and using that for
> all your root access. If you do that, then you can change the
> encrypted root password to * in /etc/shadow (you *are* using shadow
> passwords, I hope) and thus it becomes impossible to log in as root.
>
> Ben
this is a no
does there is a a reference for this package (say a web
page,manual,etc...)it's because i'm a bit nervous to try an unknown (by
me) package and removing any root access (which i can do anyway using the
/etc/login.access,take a look at man 5 login.access for information on
that topic)
> You might consider installing the `sudo' package and using that for
> all your root access. If you do that, then you can change the
> encrypted root password to * in /etc/shadow (you *are* using shadow
> passwords, I hope) and thus it becomes impossible to log in as root.
>
> Ben
does there is
i took a look at some article and manpages for securing my system and i
want to do 2 things to secure my system,i already disalowed telnet access
but there's 2 place i need to secure thing up,it's in the file securetty,i
want to remove login as root (i'll only need to use su when i need
67 matches
Mail list logo
