Installing new packages
How do you check that the signatures on the packages you install were made with keys from the debian-keyring package?
Subscribe to "debian-security-announce", http://lists.debian.org/debian-security-announce/, for security advisories.
Consider subscribing to "debian-security", http://lists.debian.org/debian-security/, a higher-traffic discussion list for Debian security issues.
Read the "Securing Debian HOWTO", http://www.debian.org/doc/manuals/securing-debian-howto/
These are some basic points, but be sure to read the HOWTO.
- Check '/etc/inetd.conf' to ensure you haven't left any open ports/services you didn't mean to.
- Use a firewall if you have services you want available locally or to a restricted set of IPs but not to everyone: 'ipchains' (potato), 'iptables' (woody).
- Find out what is listening. As root:
  'lsof -Pan -i tcp -i udp | less' shows every TCP and UDP socket together with the process that owns it.
  'netstat -le --inet | less' lists the listening Internet sockets (the open ports).
- Ensure you know exactly what service has which port open and verify that any odd ports that are open are from daemons you mean to be running. Close any ports that you do not need open or any services that you do not want accessible to the outside world.
Ask yourself if you really *need* that daemon to have an open port, and if not, disable it (it may have a command-line switch or a config option that turns networking off, as mysql does, for instance).
- Use encrypted protocols so that passwords don't cross the network as clear text, where anyone listening in can read them. Where a service has no encrypted alternative, wrap it in SSL; stunnel can do this for POP or IMAP daemons, for instance.
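The listening-port check above is easy to script so it can be re-run after every package install. The following is an added example, not code from the original page or from Debian: it parses socket listings in the layout of `netstat -ln --inet` (and, by column number, `ss -lntu`) and prints every listening port that is not on an allowlist of ports you intend to serve. The allowlist, the column numbers and the sample netstat output are constructed for the example; adjust them to your host.

```shell
#!/bin/sh
# Added example, not from the original page: audit the listening TCP/UDP
# sockets on a host against an allowlist of ports you know you want open,
# and print whatever is listening that you did not plan for.

# Ports you expect to be open.  Constructed for this example: sshd on 22 and
# the mail daemon on 25.  Replace with what your host is meant to serve.
ALLOWED_PORTS="22 25"

# Constructed sample in the layout of `netstat -ln --inet` (net-tools), so the
# script runs without root and without a live network.  Not real output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# listening_ports COL: read socket listing text on stdin and print one
# "proto port" pair per line.  COL is the column holding "address:port"
# (4 for netstat, 5 for `ss -lntu`; assumed layouts, check yours).  Header
# lines are skipped because their first field is not tcp/udp.  The port is
# the text after the last colon, which also copes with "[::]:22" and "*:22".
listening_ports() {
    col="${1:-4}"
    awk -v col="$col" '$1 ~ /^(tcp|udp)/ { n = split($col, a, ":"); print $1, a[n] }'
}

# port_allowed PORT: succeed if PORT appears in ALLOWED_PORTS.
port_allowed() {
    for p in $ALLOWED_PORTS; do
        if [ "$p" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# unexpected_ports COL: filter the output of listening_ports down to the
# "proto port" pairs that are not on the allowlist.  Always exits 0; an
# empty output means nothing unexpected is listening.
unexpected_ports() {
    listening_ports "${1:-4}" | while read -r proto port; do
        if ! port_allowed "$port"; then
            echo "$proto $port"
        fi
    done
    return 0
}

# Run against the constructed sample: prints the two ports that are not on
# the allowlist, 3306 and 111.  Against a live host use instead:
#   netstat -ln --inet | unexpected_ports 4
# or, with iproute2:
#   ss -lntu | unexpected_ports 5
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports 4
```

Anything the script prints is a port to account for: either add it to the allowlist because you meant to run that daemon, or go back to the daemon's configuration (or /etc/inetd.conf) and turn it off. The script only parses text, so it needs no privileges itself; run the netstat or ss command that feeds it as root so the listing is complete.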