LinuxQuestions.org

HOWTO: securing debian (https://www.linuxquestions.org/questions/linux-security-4/howto-securing-debian-61670/)

markus1982 05-25-2003 03:42 AM

README
 
Hi,

First I'd like to outline something from my README file:
Code:

----------------------------------------------------------------------
intended audience
----------------------------------------------------------------------
I assume you match the following requirements:


        x good knowledge about computers in general
        x hostile to M$ testers (= users)
        x USB turned off
        x real linux knowledge
                [ not distribution specific stuff only ]
        x sensitive care for security
        x know how to use debian-tools like apt-get and dpkg


If you don't match all requirements you will not be able to
understand the ChangeLogs. By the way, I give NO WARRANTY OF ANY
KIND that after you did all these steps your system is more performant,
stable, secure or anything else. Don't cry - you have been warned!


Greetings to unSpawn, a security expert from Belgium who has helped
me out a lot so far!
----------------------------------------------------------------------

If you understand that, you can continue reading. I just don't want complaints or anything :-)

If you have a question about something, please quote ONLY the relevant part. This issue will be spread over different threads and maybe even different forums. I'll link those together though!

BTW, you CAN'T copy that 1:1 and use it for your system. Like everything else it needs to be adjusted to your system, just like network config, e-mail addresses, etc.

markus1982 05-25-2003 03:52 AM

BASE INSTALL + MOVING DATA TO SPECIFIC PARTITIONS
 
Code:

----------------------------------------------------------------------
installation
----------------------------------------------------------------------
        x bf24 as boot option to install Kernel 2.4
----------------------------------------------------------------------




----------------------------------------------------------------------
base configuration
----------------------------------------------------------------------
        x MD5 passwords
        x shadow passwords
----------------------------------------------------------------------

I'm using Kernel v2.4 since I have some hardware that requires that, and of course I want to use iptables. I'll build a customized kernel anyway, but it's good to have a default fall-back kernel which supports my netfilter configuration :-)
Code:

----------------------------------------------------------------------
moved specific directories to other partitions
----------------------------------------------------------------------
why am I doing that ?
        x performance tuning (partition-specific)
        x security


how to do something alike ?
        x create the partitions using fdisk
        x format those using mkfs.ext3 (you need to adjust those)
        x edit /etc/fstab so you can follow my instructions


each of the following will get its own partition:
        /boot
        /home
        /tmp
        /usr
        /usr/local
        /var/log
        /var/spool/postfix
        /var/tmp



/boot
        mv /boot /boot.old
        mkdir /boot
        mkfs.ext3 /dev/hdd6
        mount /dev/hdd6 /boot
        # "mv /boot.old/* /boot" would skip dotfiles; copy the whole tree
        cp -a /boot.old/. /boot
        rm -r /boot.old

/home (directory is empty; it stays in place as the mount point)
        mkfs.ext3 /dev/hdd7
        mount /dev/hdd7 /home
        chown root:users /home
        chmod o-rwx /home

/tmp (directory is empty)
        mkfs.ext3 /dev/hdd8
        mount /dev/hdd8 /tmp
        chmod 777 /tmp
        chmod +t /tmp

/usr (do this from init 1 so nothing has files under /usr open)
        mv /usr /usr.old
        mkdir /usr
        mkfs.ext3 /dev/hdd9
        mount /dev/hdd9 /usr
        cp -a /usr.old/. /usr
        rm -r /usr.old

/usr/local
        mv /usr/local /usr/local.old
        mkdir /usr/local
        mkfs.ext3 /dev/hdd10
        mount /dev/hdd10 /usr/local
        cp -a /usr/local.old/. /usr/local
        chmod g-sw -R /usr/local
        chown root:root -R /usr/local
        rm -r /usr/local.old

/var/log (stop syslogd first, it keeps the log files open)
        mv /var/log /var/log.old
        mkdir /var/log
        mkfs.ext3 /dev/hdd11
        mount /dev/hdd11 /var/log
        cp -a /var/log.old/. /var/log
        rm -r /var/log.old

/var/tmp
        mkfs.ext3 /dev/hdd13
        mount /dev/hdd13 /var/tmp
        chmod 777 /var/tmp
        chmod +t /var/tmp


Next thing of course is to modify /etc/fstab according to those
changes!
----------------------------------------------------------------------



----------------------------------------------------------------------
optimized mount flags                                  [ /etc/fstab ]
----------------------------------------------------------------------
        /boot                   defaults,nodev,noexec,nosuid
        /home                   defaults,nodev,noexec,nosuid
        /tmp                    defaults,nodev,noexec,nosuid
        /usr                    defaults,noatime,nodev
        /usr/local              defaults,noatime,nodev
        /var/log                defaults,nodev,nosuid,noexec
        /var/spool/postfix      defaults,noatime,nodev,nosuid
        /var/tmp                defaults,nodev,nosuid

        went into init 1 to be able to remount all of those
        umount -a
        mount -a
----------------------------------------------------------------------

Now we have everything split up to different partitions. I install self-coded scripts, etc in /usr/local/sbin. All daemons that will be installed chrooted will be under /usr/local/. For instance bind: /usr/local/bind. Remember this is just a BASE IMAGE for other servers. After securing the base image you can use that to set up new servers quickly ... you have to adjust AIDE, etc configuration for each server of course.
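As an added example (my code, not part of markus1982's post): a small sh lint for the mount-option table above. It rejects option names mount(8) does not know, since a typo such as "noexex" makes that line fail at boot, and reports the hardening flags still missing from the mount points the post singles out. The sample fstab is constructed for the demo; the device names follow the post, the root entry on hdd5 is an assumption.

```shell
#!/bin/sh
# Lint an fstab against the mount-option policy of the post.
# Added example; the sample fstab below is constructed.

# flags the policy demands per mount point (space separated)
required_opts() {
    case "$1" in
        /boot|/home|/tmp|/var/log)    echo "nodev noexec nosuid" ;;
        /var/tmp|/var/spool/postfix)  echo "nodev nosuid" ;;
        /usr|/usr/local)              echo "nodev" ;;
        *)                            echo "" ;;
    esac
}

# generic mount options this lint accepts for ext2/ext3 entries
KNOWN_OPTS="defaults ro rw auto noauto user nouser sync async atime noatime"
KNOWN_OPTS="$KNOWN_OPTS dev nodev exec noexec suid nosuid errors=remount-ro errors=continue"

# has_word WORD "LIST": is WORD one of the space-separated words in LIST?
has_word() { case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# check_fstab FILE -> one problem per line; exit status 1 if any were found
check_fstab() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac          # blank / comment
        optlist=$(printf '%s' "$opts" | tr ',' ' ')
        for o in $optlist; do
            has_word "$o" "$KNOWN_OPTS" || { echo "$mnt: unknown option '$o'"; rc=1; }
        done
        for r in $(required_opts "$mnt"); do
            has_word "$r" "$optlist" || { echo "$mnt: missing '$r'"; rc=1; }
        done
    done < "$1"
    return $rc
}

# constructed sample with two deliberate mistakes (hdd5 root is an assumption)
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample fstab
/dev/hdd5   /          ext3  defaults,errors=remount-ro      0  1
/dev/hdd6   /boot      ext3  defaults,nodev,noexex,nosuid    0  2
/dev/hdd7   /home      ext3  defaults,nodev,noexec,nosuid    0  2
/dev/hdd8   /tmp       ext3  defaults,nodev,noexec,nosuid    0  2
/dev/hdd9   /usr       ext3  defaults,noatime,nodev          0  2
/dev/hdd13  /var/tmp   ext3  defaults,nosuid                 0  2
EOF

if check_fstab "$SAMPLE_FSTAB"; then
    echo "fstab: ok"
else
    echo "fstab: fix the lines above before 'mount -a'"
fi
```

On the real box run `check_fstab /etc/fstab` after editing and before the `umount -a; mount -a` step; the sample above reports the misspelled `noexex` on /boot (and the `noexec` it therefore lacks) plus the missing `nodev` on /var/tmp.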

markus1982 05-25-2003 03:57 AM

getting rid of not required software
 
A secure system should have as little software on it as possible. For example, you don't need a compiler on it (and you shouldn't have one). Or would you like to provide an attacker with a full-featured tool set?
Code:

----------------------------------------------------------------------
packages I purged
----------------------------------------------------------------------
        - base-config           no need to modify config!
        - dhcp-client           no DHCP required
        - ed                    don't like that editor
        - fdutils               no floppy stuff required
        - ipchains              iptables since Kernel 2.4+
        - lilo                  will install grub
        - mbr                   not required
        - modconf               I know my modules
        - pciutils              not required
        - ppp                   permanent connection
        - pppconfig             permanent connection
        - pppoe                 permanent connection
        - pppoeconf             permanent connection
        - setserial             not required
        - tasksel               I prefer apt-get and dpkg
----------------------------------------------------------------------

You might need DHCP and PPP stuff so remove only those you don't really require.

markus1982 05-25-2003 04:01 AM

configuring apt & installation of additional software
 
Before we can install the software we need to configure APT:
Code:

----------------------------------------------------------------------
configured apt                                        [ /etc/apt/apt.conf ]
----------------------------------------------------------------------

        mkdir /var/cache/apt/tmp
        created /etc/apt/apt.conf

        APT
        {
                // ExtractTemplates
                ExtractTemplates
                {
                        // standard is /tmp which is mounted noexec
                        TempDir "/var/cache/apt/tmp";
                }
        };
----------------------------------------------------------------------




----------------------------------------------------------------------
reconfigured apt sources                    [ /etc/apt/sources.list ]
----------------------------------------------------------------------

# ====================================================================
# base system
# --------------------------------------------------------------------
deb http://ftp.de.debian.org/debian/ stable main
deb http://non-us.debian.org/debian-non-us stable/non-US main
# ====================================================================



# ====================================================================
# security updates
# --------------------------------------------------------------------
deb http://security.debian.org/ stable/updates main
# ====================================================================

----------------------------------------------------------------------

You may wonder why I moved the temporary directory away from /tmp? Well, apt-get relies on executing scripts, and since /tmp is mounted noexec you don't have the chance to execute there, ergo we need to move it to a new path.

Now we can install the software we require:
Code:

----------------------------------------------------------------------
installed additional software (no configuration required)
----------------------------------------------------------------------
        + bzip2                 used for compression, etc
        + dump                  for easing backups using images
        + ftp-ssl               used for secure ftp communication
        + libdate-calc-perl     required for pflogsumm
        + mutt                  mail user agent
        + openssl               ssl
        + sudo                  no comment
        + traceroute            no comment
----------------------------------------------------------------------

You might not need traceroute, mutt or dump. So install those only if you require those!

markus1982 05-25-2003 04:11 AM

what's next ?
 
Next step to take is to install grub!

markus1982 05-25-2003 04:16 AM

more additional software (configuration required though)
 
Well, now you have a nice bootloader and the next step is of course to install some more software. Replace Exim with a more performant MTA, etc.:
Code:

----------------------------------------------------------------------
installed less
----------------------------------------------------------------------
        Application/* as mime handler
----------------------------------------------------------------------




----------------------------------------------------------------------
installed ntpdate
----------------------------------------------------------------------
        ntp-servers: ntp0.fau.de ptbtime1.ptb.de
----------------------------------------------------------------------




----------------------------------------------------------------------
installed pflogsumm (backported package)
----------------------------------------------------------------------
        created backport of pflogsumm at other host:
                apt-get source -b pflogsumm


        installed backported package:
                dpkg -i packages/pflogsumm/*.deb
----------------------------------------------------------------------




----------------------------------------------------------------------
installed postfix (backported package)
----------------------------------------------------------------------
        downloaded following backported packages of Postfix from
                http://people.debian.org/~nobse/debian/woody/

                backported/libdb4.1/libdb4.1_4.1.25-1.nobse.*.deb
                backported/postfix/postfix-pcre*.deb
                backported/postfix/postfix-tls*.deb
                backported/postfix/postfix_2.0.9-0.nobse.*.deb

        dpkg --purge exim
        dpkg -i packages/libdb4.1/*.deb
        dpkg -i packages/postfix/*.deb

        No configuration

        /usr/bin/newaliases
----------------------------------------------------------------------




----------------------------------------------------------------------
installed slocate
----------------------------------------------------------------------
        /etc/cron.daily/slocate
----------------------------------------------------------------------




----------------------------------------------------------------------
installed and secured ssh
----------------------------------------------------------------------
        Allow SSH protocol 2 only
        Do NOT install /usr/lib/ssh-keysign SUID root


        added/changed following in /etc/ssh/sshd_config:

        # sshd refuses to start on a misspelled keyword ("Bad
        # configuration option"), so run "sshd -t" after editing.
        # KeyRegenerationInterval, RSAAuthentication and ServerKeyBits
        # are protocol-1 settings and are ignored with protocol 2 only.
        AllowGroups                             users
        ChallengeResponseAuthentication         no
        ClientAliveInterval                     15
        ClientAliveCountMax                     4
        DenyGroups                              root
        DenyUsers                               root
        KeepAlive                               no
        KeyRegenerationInterval                 900
        ListenAddress                           192.168.0.82:22
        LoginGraceTime                          15
        MaxStartups                             5:50:100
        PasswordAuthentication                  no
        PermitRootLogin                         no
        PubkeyAuthentication                    yes
        RSAAuthentication                       no
        ServerKeyBits                           1024


        I'm restricting which users are able to log in via PAM, so I
        inserted this as the 1st line of /etc/pam.d/ssh:

        auth      required    pam_listfile.so \
                                sense=allow \
                                onerr=fail \
                                item=user \
                                file=/etc/ssh/allowed_users

        # pam_listfile refuses a world-writable list file, and with
        # onerr=fail that means nobody gets in; keep it root-owned, 0644
        echo "markus" > /etc/ssh/allowed_users



        I've created a second ssh instance which will be accessible
        just from the internal network and by 1 person. The server is
        listening on an unassigned high port:

                cp /etc/ssh/sshd_config /etc/ssh/sshd_config_hp
                cp /etc/init.d/ssh /etc/init.d/ssh_hp
                update-rc.d ssh_hp start 20 2 3 4 5 . stop 20 0 1 6 .


        adjusted /etc/ssh/sshd_config_hp:

                AllowUsers        markus
                ListenAddress     192.168.0.82:49150
                PidFile           /var/run/sshd_hp.pid


        adjusted /etc/init.d/ssh_hp:

                x added "-f /etc/ssh/sshd_config_hp" to the config test
                x changed /var/run/sshd.pid to /var/run/sshd_hp.pid
                x added "-- -f /etc/ssh/sshd_config_hp" to
                  start-stop-daemon commands
----------------------------------------------------------------------




----------------------------------------------------------------------
installed uptimed
----------------------------------------------------------------------
        20 records to be kept
        never send mail
----------------------------------------------------------------------




----------------------------------------------------------------------
installed xinetd
----------------------------------------------------------------------
        do NOT convert /etc/inetd.conf to /etc/xinetd.conf

        created secure xinetd default configuration
                                                  [ /etc/xinetd.conf ]
                defaults
                {
                        bind            = 127.0.0.1
                        cps             = 64 5
                        instances       = 255
                        log_on_failure  = HOST ATTEMPT
                        log_on_success  = PID
                        log_type        = SYSLOG authpriv
                        # empty only_from: no client is allowed unless a
                        # service entry in /etc/xinetd.d overrides it
                        only_from       =
                        per_source      = 2
                }

                includedir /etc/xinetd.d


        mkdir /etc/xinetd.d
----------------------------------------------------------------------

Now everything for the bare base system is installed. Configuration is not done yet though (except for the ones that got freshly installed and don't have a lot of configuration lines). Remember: this needs to be ADJUSTED TO YOUR SYSTEM.

markus1982 05-25-2003 04:59 AM

Next things to do:

markus1982 05-25-2003 04:59 AM

It's time to put up some restrictions:
Code:

----------------------------------------------------------------------
restricting console login access                    [ /etc/securetty ]
----------------------------------------------------------------------
        removed all except tty1
----------------------------------------------------------------------




----------------------------------------------------------------------
disabling system reboots through console              [ /etc/inittab ]
----------------------------------------------------------------------
        commented shutdown -t1 line out
----------------------------------------------------------------------




----------------------------------------------------------------------
providing secure user access
----------------------------------------------------------------------
        user authentication: PAM
                                                  [ /etc/pam.d/login ]
                disallow zero length passwords
                use md5
                password length min=8, max=64
                user limits (pam_limits.so)

                                                    [ /etc/pam.d/su ]
                addgroup wheel
                allow only users of group wheel to become root

                deny access by default for other applications that
                support PAM                             [ /etc/pam.d/other ]

                        auth     required      pam_deny.so
                        account  required      pam_deny.so
                        password required      pam_deny.so
                        session  required      pam_deny.so


        limiting resource usage          [ /etc/security/limits.conf ]

                *                hard        core             0
                *                -           maxlogins        3
                markus           -           maxlogins        4


        user login actions                          [ /etc/login.defs ]
                FAIL_DELAY              60
                FAILLOG_ENAB            yes
                LOG_UNKFAIL_ENAB        yes
                PASS_MAX_LEN            64


        disallow remote administrative access
        non-root logins are disallowed on console #1
                                          [ /etc/security/access.conf ]
                -:wheel:ALL EXCEPT LOCAL
                -:ALL EXCEPT root:tty1


        setting users' umasks                             [ /etc/profile,
                                              /etc/skel/.bash_profile ]
                umask 077


        limiting access to other users' information
                                                  [ /etc/adduser.conf ]
                DIR_MODE = 0700
----------------------------------------------------------------------




----------------------------------------------------------------------
file system control (setuid check)          [ /etc/checksecurity.conf ]
----------------------------------------------------------------------
        CHECKSECURITY_EMAIL="linux-admins@example.com"

        changed CHECKSECURITY_DEVICEFILTER:
        CHECKSECURITY_DEVICEFILTER="-path /dev/ptmx -o -path /dev/tty*"
----------------------------------------------------------------------




----------------------------------------------------------------------
secured network access
----------------------------------------------------------------------

using /etc/host.conf:
        - adding spoofing protection
                nospoof on

        - adding spoofing alert
                spoofalert on



using /etc/sysctl.conf:

        filesystem tuning:
        - max open files [ (ram/4) * 256 ]
                fs/file-max = 24576

        more restrictive interface default setting (no router):
        - don't accept ICMP redirect messages
                net/ipv4/conf/default/accept_redirects = 0

        - don't accept packets with SRR option
                net/ipv4/conf/default/accept_source_route = 0

        - disable ip forwarding as interface default
                net/ipv4/conf/default/forwarding = 0

        - log packets with impossible addresses
                net/ipv4/conf/default/log_martians = 1

        - proxy arp
                net/ipv4/conf/default/proxy_arp = 0

        - enable source validation by reversed paths
                net/ipv4/conf/default/rp_filter = 1

        - accept ICMP redirect messages only for default gateways
                net/ipv4/conf/default/secure_redirects = 1

        - don't send redirects
                net/ipv4/conf/default/send_redirects = 0


        ipv4 general settings:
        - ignore ICMP ECHO requests sent to multicast / broadcast
                net/ipv4/icmp_echo_ignore_broadcasts = 1

        - enable bad error protection (avoid logging of RFC 1122
          router violations)
                net/ipv4/icmp_ignore_bogus_error_responses = 1

        - don't forward packets between interfaces
                net/ipv4/ip_forward = 0

        - time to hold packet in state if we closed the connection
                net/ipv4/tcp_fin_timeout = 30

        - interval to send out probes
                net/ipv4/tcp_keepalive_intvl = 60

        - keep alive probes until connection is declared as broken
                net/ipv4/tcp_keepalive_probes = 3

        - interval to send out keepalive messages
                net/ipv4/tcp_keepalive_time = 1800

        - no selective acknowledgements
                net/ipv4/tcp_sack = 0

        - send out syncookies when the syn backlog queue of a socket
          overflows (prevention against syn flood attack)
                net/ipv4/tcp_syncookies = 1

        - timestamps as defined in RFC1323
                net/ipv4/tcp_timestamps = 0

        - window scaling as defined in RFC1323
                net/ipv4/tcp_window_scaling = 0

        sysctl -p
----------------------------------------------------------------------




----------------------------------------------------------------------
created sudo entries (basic tasks)
----------------------------------------------------------------------

# Host alias specification


# User alias specification
User_Alias      ADMIN = markus


# Cmnd alias specification
Cmnd_Alias      A_DUMPS = /sbin/dump, \
                          /sbin/restore
Cmnd_Alias      A_HALT = /sbin/halt
Cmnd_Alias      A_REBOOT = /sbin/reboot
Cmnd_Alias      A_SHUTDOWN = /sbin/shutdown


# User privilege specification
ADMIN   ALL= A_DUMPS, A_HALT, A_REBOOT, A_SHUTDOWN, \
             /etc/init.d/, \
             /usr/local/sbin/
root    ALL=(ALL) ALL

----------------------------------------------------------------------

Who should be permitted to use cron? Nobody by default:
Code:

----------------------------------------------------------------------
secured cron
----------------------------------------------------------------------
        # an empty cron.allow lets only root use crontab; once
        # cron.allow exists cron.deny is not consulted, and "all" is
        # not a keyword there anyway (it would just be a user name)
        touch /etc/cron.allow
        echo "all" > /etc/cron.deny
----------------------------------------------------------------------

As you know, you should run with the minimum number of services and have the minimum of ports open, so disable stuff that is not required:
Code:

----------------------------------------------------------------------
disabled inetd services
----------------------------------------------------------------------
        update-inetd --disable daytime
        update-inetd --disable discard
        update-inetd --disable time
----------------------------------------------------------------------

Inactive users should not be tolerated for a long time. Just think of somebody SSHing remotely to the server, going outside for a beer and leaving SSH open forever ... this shouldn't be the case but it happens. Kick idle users after 60 seconds:
Code:

----------------------------------------------------------------------
configured pam_env                        [ /etc/security/pam_env.conf ]
----------------------------------------------------------------------
        # TMOUT is enforced by the login shell (bash); a user can unset
        # it unless /etc/profile also declares it readonly
        TMOUT                DEFAULT=60
----------------------------------------------------------------------
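As an added example (my code, not from the post): after `sysctl -p` the values in /etc/sysctl.conf should match what the kernel reports, and a line that did not apply (a key that does not exist on the running kernel, or one that a later init script changed back) is easy to miss. The function below reads a sysctl.conf in the post's slash notation (dotted keys are accepted too) and compares each key with the file of the same name under a /proc/sys root. The root is a parameter so it can be exercised here against a constructed stand-in tree; on a real host call `audit_sysctl /etc/sysctl.conf /proc/sys`. The conf subset and the fake tree are constructed for the demo.

```shell
#!/bin/sh
# Compare a sysctl.conf with the live values under a /proc/sys root.
# Added example; the conf and the /proc/sys stand-in below are constructed.

# audit_sysctl CONF PROC_SYS_ROOT
#   prints "KEY want=X have=Y" for every mismatch (have=missing if the
#   key does not exist); exit status 0 if everything matches, else 1
audit_sysctl() {
    conf=$1; root=$2; rc=0
    tmp=$(mktemp)
    # normalise "key = value" (or "key=value") into "key value", turn
    # dots in the key into slashes, skip comments and blank lines
    awk '/^[ \t]*[#;]/ || !/=/ { next }
         { k=$0; v=$0
           sub(/=.*/, "", k); sub(/^[^=]*=/, "", v)
           gsub(/[ \t]/, "", k); gsub(/\./, "/", k)
           gsub(/^[ \t]+|[ \t]+$/, "", v)
           print k, v }' "$conf" > "$tmp"
    while read -r key want; do
        if [ -r "$root/$key" ]; then
            # kernel values may carry tabs; collapse trailing whitespace
            have=$(tr '\t' ' ' < "$root/$key" | sed 's/[ ]*$//')
        else
            have=missing
        fi
        [ "$have" = "$want" ] || { echo "$key want=$want have=$have"; rc=1; }
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# constructed subset of the post's /etc/sysctl.conf
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed subset of the post's sysctl.conf
net/ipv4/conf/default/accept_redirects = 0
net/ipv4/conf/default/rp_filter = 1
net/ipv4/ip_forward = 0
net.ipv4.tcp_syncookies = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
EOF

# constructed /proc/sys stand-in: one value drifted, one key absent
FAKE_PROC=$(mktemp -d)
mkdir -p "$FAKE_PROC/net/ipv4/conf/default"
echo 1 > "$FAKE_PROC/net/ipv4/conf/default/accept_redirects"   # drifted
echo 1 > "$FAKE_PROC/net/ipv4/conf/default/rp_filter"
echo 0 > "$FAKE_PROC/net/ipv4/ip_forward"
echo 1 > "$FAKE_PROC/net/ipv4/tcp_syncookies"
# icmp_echo_ignore_broadcasts deliberately absent -> reported as missing

if audit_sysctl "$SAMPLE_CONF" "$FAKE_PROC"; then
    echo "sysctl: all values applied"
else
    echo "sysctl: drift found (see above)"
fi
```

The demo run reports accept_redirects (want 0, have 1) and icmp_echo_ignore_broadcasts (missing); the real check belongs in the same cron slot as checksecurity so a boot script that resets a value is caught the next day.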


markus1982 05-25-2003 06:14 AM

Now you should set up some kind of policy and have every admin sign it. At the system you could use something like:
Code:

----------------------------------------------------------------------
adjusted /etc/motd
----------------------------------------------------------------------

Unauthorized access to this server is prohibited! Everything which has
not been explicitly allowed is unauthorized usage.

All activities are monitored and logged. There is NO RIGHT for privacy
on this system. Unauthorized access and activities or any criminal
activity in general will be reported to appropriate authorities
without any exceptions! Don't cry - you have been warned!

----------------------------------------------------------------------




----------------------------------------------------------------------
adjusted /etc/default/rcS
----------------------------------------------------------------------
        EDITMOTD=no
----------------------------------------------------------------------


markus1982 05-25-2003 06:16 AM

Now that the whole system has been properly configured and secured, it's time to secure all permissions:
Code:

----------------------------------------------------------------------
secured permissions
----------------------------------------------------------------------
        groupadd docs


        find /home -type f -name .bash_logout \
                -exec chattr -i {} \; \
                -exec chown root:users {} \; \
                -exec chmod 750 {} \; \
                -exec chattr +i {} \;


        chmod go-rwx -R \
                /etc/skel


        chmod o-rwx -R \
                /boot \
                /etc/adduser.conf \
                /etc/aide \
                /etc/apt \
                /etc/checksecurity.conf \
                /etc/cron.d \
                /etc/cron.daily \
                /etc/cron.monthly \
                /etc/cron.weekly \
                /etc/crontab \
                /etc/deluser.conf \
                /etc/dpkg \
                /etc/fstab \
                /etc/gateways \
                /etc/grsec \
                /etc/host.conf \
                /etc/hosts.* \
                /etc/init.d \
                /etc/logcheck \
                /etc/modules \
                /etc/network \
                /etc/ppp \
                /etc/rc* \
                /etc/securetty \
                /etc/shells \
                /etc/ssh \
                /etc/sysctl.conf \
                /etc/syslog.conf \
                /etc/xinetd.conf \
                /etc/xinetd.d \
                /lib/iptables \
                /lib/modules \
                /root \
                /usr/lib/apt \
                /usr/lib/dpkg \
                /usr/share/doc* \
                /usr/share/info \
                /usr/share/man \
                /var/cache/apt \
                /var/lib/aide \
                /var/lib/apt \
                /var/lib/dpkg \
                /var/lib/iptables \
                /var/lib/logcheck \
                /var/log/aide


        chmod 640 \
                /var/log/faillog


        chmod 664 \
                /var/log/wtmp


        chmod 750 \
                /bin/df \
                /bin/dmesg \
                /bin/mknod \
                /bin/mount \
                /bin/mt \
                /bin/netstat \
                /bin/ping \
                /bin/umount \
                /bin/uname \
                /sbin/MAKEDEV \
                /sbin/badblocks \
                /sbin/cfdisk \
                /sbin/debugfs \
                /sbin/depmod \
                /sbin/dumpe2fs \
                /sbin/e2image \
                /sbin/fdisk \
                /sbin/fsck* \
                /sbin/genksyms \
                /sbin/grub* \
                /sbin/halt \
                /sbin/hwclock \
                /sbin/ifconfig \
                /sbin/ifdown \
                /sbin/ifup \
                /sbin/init \
                /sbin/insmod \
                /sbin/ip6tables* \
                /sbin/iptables* \
                /sbin/ippool \
                /sbin/killall5 \
                /sbin/klogd \
                /sbin/ldconfig \
                /sbin/mii-tool \
                /sbin/mke2fs \
                /sbin/mkfs* \
                /sbin/mkswap \
                /sbin/modinfo \
                /sbin/modprobe \
                /sbin/route \
                /sbin/runlevel \
                /sbin/sfdisk \
                /sbin/shutdown \
                /sbin/swapon \
                /sbin/sysctl \
                /sbin/syslogd \
                /sbin/resize2fs \
                /sbin/tune2fs \
                /sbin/update-grub \
                /sbin/update-modules \
                /usr/bin/apt* \
                /usr/bin/dpkg* \
                /usr/bin/traceroute \
                /usr/bin/uprecords \
                /usr/sbin/adduser \
                /usr/sbin/atd \
                /usr/sbin/atrun \
                /usr/sbin/checksecurity \
                /usr/sbin/deluser \
                /usr/sbin/dpkg* \
                /usr/sbin/groupadd \
                /usr/sbin/groupdel \
                /usr/sbin/groupmod \
                /usr/sbin/grpck \
                /usr/sbin/grpconv \
                /usr/sbin/grpunconv \
                /usr/sbin/inetd \
                /usr/sbin/logcheck \
                /usr/sbin/logrotate \
                /usr/sbin/lsof \
                /usr/sbin/newusers \
                /usr/sbin/ntpdate \
                /usr/sbin/pwck \
                /usr/sbin/pwconv \
                /usr/sbin/pwunconv \
                /usr/sbin/rdev \
                /usr/sbin/tcpd \
                /usr/sbin/tcpdchk \
                /usr/sbin/tcpdmatch \
                /usr/sbin/tunelp \
                /usr/sbin/useradd \
                /usr/sbin/userdel \
                /usr/sbin/usermod \
                /usr/sbin/vipw


        chmod 4750 \
                /usr/bin/gpasswd


        chmod 6750 \
                /sbin/dump \
                /sbin/restore


        chown root:adm \
                /var/log/faillog


        chown root:docs -R \
                /usr/share/doc* \
                /usr/share/info \
                /usr/share/man


        chown root:root -R \
                /etc/xinetd.*


        chown root:utmp \
                /var/log/wtmp


        chown root:wheel \
                /usr/bin/uprecords


        # with +i set, dpkg/apt cannot replace these files: run
        # "chattr -R -i" on them before an upgrade and set +i again after
        chattr -R +i \
                /bin \
                /sbin \
                /usr/bin \
                /usr/local/bin \
                /usr/local/sbin \
                /usr/sbin

        chattr +u \
                /var/log/wtmp
----------------------------------------------------------------------

Now you need to reinitialize the AIDE databases like described in this thread!
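As an added example (my code, not from the post): after the chmod/chown pass above, list what is still setuid/setgid or world-writable and diff it against the exceptions you intend to keep (in the post: gpasswd 4750, dump and restore 6750). This is the baseline the daily checksecurity run then compares against. The tree and allow list below are constructed for the demo; on a real host call `audit_perms /` once per mounted partition, since `-xdev` keeps find on one filesystem.

```shell
#!/bin/sh
# List leftover setuid/setgid/world-writable objects and compare them
# with an allow list. Added example; the sample tree is constructed.

# audit_perms ROOT -> sorted lines "KIND PATH", KIND being setuid,
# setgid, world-writable-file or world-writable-dir (sticky dirs such
# as /tmp and /var/tmp are expected and therefore not reported)
audit_perms() {
    root=$1
    {
        find "$root" -xdev -type f -perm -4000 | sed 's/^/setuid /'
        find "$root" -xdev -type f -perm -2000 | sed 's/^/setgid /'
        find "$root" -xdev -type f -perm -0002 | sed 's/^/world-writable-file /'
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 | sed 's/^/world-writable-dir /'
    } | sort
}

# unexpected_perms ROOT ALLOWFILE -> findings not listed in ALLOWFILE
# (one "KIND PATH" per line); exit status 1 if anything unexpected remains
unexpected_perms() {
    found=$(audit_perms "$1" | grep -v -x -F -f "$2" || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# constructed sample tree mirroring the post's exceptions plus two
# things the hardening pass should have caught
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/usr/bin" "$SAMPLE_ROOT/sbin" "$SAMPLE_ROOT/tmp" "$SAMPLE_ROOT/srv/drop"
: > "$SAMPLE_ROOT/usr/bin/gpasswd";  chmod 4750 "$SAMPLE_ROOT/usr/bin/gpasswd"
: > "$SAMPLE_ROOT/sbin/dump";        chmod 6750 "$SAMPLE_ROOT/sbin/dump"
: > "$SAMPLE_ROOT/usr/bin/ls";       chmod 755  "$SAMPLE_ROOT/usr/bin/ls"
: > "$SAMPLE_ROOT/srv/notes";        chmod 666  "$SAMPLE_ROOT/srv/notes"   # should not be
chmod 1777 "$SAMPLE_ROOT/tmp"                                               # sticky: fine
chmod 777  "$SAMPLE_ROOT/srv/drop"                                          # no sticky bit

# the exceptions we intend to keep (constructed allow list)
ALLOWED=$(mktemp)
printf 'setuid %s/usr/bin/gpasswd\nsetuid %s/sbin/dump\nsetgid %s/sbin/dump\n' \
    "$SAMPLE_ROOT" "$SAMPLE_ROOT" "$SAMPLE_ROOT" > "$ALLOWED"

if unexpected_perms "$SAMPLE_ROOT" "$ALLOWED"; then
    echo "perms: nothing beyond the allow list"
else
    echo "perms: review the lines above"
fi
```

The demo flags the 666 file and the 777 directory without sticky bit; everything the allow list covers stays silent. Keep the allow list under AIDE like the rest of /etc so a change to it is noticed too.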

bastard23 05-25-2003 05:24 PM

markus,

/var/tmp defaults,nodev,nosuid

Why no noexec? Also, why do you need two temp filesystems, why not /tmp and have /var/tmp symlink?

- timestamps as defined in RFC1323
net/ipv4/tcp_timestamps = 0

- window scaling as defined in RFC1323
net/ipv4/tcp_window_scaling = 0

Is there a specific problem with these? I did a quick search (just looked at the first couple from Google) and didn't see too much, at least not an explanation. Is timestamping expensive, do either lead to a DoS, give out too much info, or is it just plain good form (not using what you don't need)?

Thanks,
chris

bastard23 05-25-2003 05:26 PM

Oh, and good show. Nice to see stuff like this.

Thanks again,
chris

markus1982 05-25-2003 05:39 PM

Quote:

/var/tmp defaults,nodev,nosuid
Why no noexec? Also, why do you need two temp filesystems, why not /tmp and have /var/tmp symlink?
noexec because of /tmp attacks. Remember, /tmp is writable by EVERYBODY. I know that you can circumvent that and it offers no real protection, but at least it will keep pretty lame people (= script kiddies) out. They'll play somewhere else if their stuff which requires /tmp to be exec doesn't work.

regarding /var/tmp and /tmp:
Quote:

Filesystem Hierarchy Standard: 5.15 /var/tmp : Temporary files preserved between system reboots
The /var/tmp directory is made available for programs that require temporary files or directories that are preserved between system reboots. Therefore, data stored in /var/tmp is more persistent than data in /tmp.
Files and directories located in /var/tmp must not be deleted when the system is booted. Although data stored in /var/tmp is typically deleted in a site-specific manner, it is recommended that deletions occur at a less frequent interval than /tmp
Quote:

- timestamps as defined in RFC1323
net/ipv4/tcp_timestamps = 0

- window scaling as defined in RFC1323
net/ipv4/tcp_window_scaling = 0

Is there a specific problem with theses? Did quick search (just looked at the first couple from google,) and didn't see too much, at least not a explaination. Is timestamping expensive, do either lead to a DoS, give out too much info, or is it just plain good form (not using what you don't need)?
Well, there is not really a problem with this. It's tuning, to be honest. But it also defeats Nmap's uptime detection AFAIK. I can't remember the docs I got that from ... but a Google search highlighted it again:

http://linuxperf.nl.linux.org/general/kerneltuning.html
http://ruka12.tripod.com/performance.html


Regarding tcp_window_scaling:
http://www.checkpoint.com/techsuppor...rformance.html

Salz 06-19-2003 05:50 AM

Well, it looks a little bit short and misses a lot of explanations (e.g. that the desktop user should be in group docs).
Quote:

All activities are monitored and logged.
You probably might want to check this part of your /etc/motd with your lawyer first, too :)

For more in-depth coverage I suggest to read the Securing Debian Manual.

markus1982 06-19-2003 06:00 AM

Quote:

Well, it looks a little bit short and misses a lot of explanations (e.g. that the desktop user should be in group docs)
Well, I shouldn't call it a HOWTO. I should call it a "changelog", because that is what it REALLY is. It focuses on using Debian as a SERVER without any GUI!

Quote:

You probably might want to check this part of your /etc/motd with your lawyer first, too :)
Probably :-)

