
Chapter 4. After installation

4.1. Subscribe to the Debian Security Announce mailing list
4.2. Execute a security update
4.2.1. Security update of libraries
4.2.2. Security update of the kernel
4.3. Change the BIOS (again)
4.4. Set a LILO or GRUB password
4.5. Disable root prompt on the initramfs
4.6. Remove root prompt on the kernel
4.7. Restricting console login access
4.8. Restricting system reboots through the console
4.9. Restricting the use of the Magic SysRq key
4.10. Mounting partitions the right way
4.10.1. Setting /tmp noexec
4.10.2. Setting /usr read-only
4.11. Providing secure user access
4.11.1. User authentication: PAM
4.11.2. Password security in PAM
4.11.3. User access control in PAM
4.11.4. User limits in PAM
4.11.5. Control of su in PAM
4.11.6. Temporary directories in PAM
4.11.7. Configuration for undefined PAM applications
4.11.8. Limiting resource usage: the limits.conf file
4.11.9. User login actions: edit /etc/login.defs
4.11.10. User login actions: edit /etc/pam.d/login
4.11.11. Restricting ftp: editing /etc/ftpusers
4.11.12. Using su
4.11.13. Using sudo
4.11.14. Disallow remote administrative access
4.11.15. Restricting users' access
4.11.16. User auditing
4.11.17. Reviewing user profiles
4.11.18. Setting users umasks
4.11.19. Limiting what users can see/access
4.11.20. Generating user passwords
4.11.21. Checking user passwords
4.11.22. Logging off idle users
4.12. Using tcpwrappers
4.13. The importance of logs and alerts
4.13.1. Using and customizing logcheck
4.13.2. Configuring where alerts are sent
4.13.3. Using a loghost
4.13.4. Log file permissions
4.14. Adding kernel patches
4.15. Protecting against buffer overflows
4.15.1. Kernel patch protection for buffer overflows
4.15.2. Testing programs for overflows
4.16. Secure file transfers
4.17. File system limits and control
4.17.1. Using quotas
4.17.2. The ext2 filesystem specific attributes (chattr/lsattr)
4.17.3. Checking file system integrity
4.17.4. Setting up setuid check
4.18. Securing network access
4.18.1. Configuring kernel network features
4.18.2. Configuring syncookies
4.18.3. Securing the network on boot-time
4.18.4. Configuring firewall features
4.18.5. Disabling weak-end hosts issues
4.18.6. Protecting against ARP attacks
4.19. Taking a snapshot of the system
4.20. Other recommendations
4.20.1. Do not use software depending on svgalib
Once the system is installed you can still do more to secure it by taking some of the steps described in this chapter. Of course, this really depends on your setup, but for physical access prevention you should read Section 4.3, “Change the BIOS (again)”, Section 4.4, “Set a LILO or GRUB password”, Section 4.6, “Remove root prompt on the kernel”, Section 4.7, “Restricting console login access”, and Section 4.8, “Restricting system reboots through the console”.
Before connecting to any network, especially if it's a public one, you should, at the very least, execute a security update (see Section 4.2, “Execute a security update”). Optionally, you could take a snapshot of your system (see Section 4.19, “Taking a snapshot of the system”).

4.1. Subscribe to the Debian Security Announce mailing list

To receive information on available security updates, you should subscribe to the debian-security-announce mailing list, where the Debian Security Advisories (DSAs) are sent. See Section 7.1, “The Debian Security Team” for more information on how the Debian security team works. For information on how to subscribe to the Debian mailing lists, read http://lists.debian.org.
DSAs are signed with the Debian Security Team's signature, which can be retrieved from http://security.debian.org.
You should also consider subscribing to the debian-security mailing list (http://lists.debian.org/debian-security) for general discussion of security issues in the Debian operating system. On the list you will be able to contact fellow system administrators as well as Debian developers and upstream developers of security tools who can answer your questions and offer advice.
FIXME: Add the key here too?