Harden Debian Install

From Biowiki

---

Update (Ian Holmes, 19 March 2005): also try nessus for some excellent tutorial advice.

---

A summary of one person's experience using nmap to harden a default Debian Linux installation.

Using nmap -v -sT (IP addr):

Interesting ports on localhost.localhost (IP addr):
(The 1544 ports scanned but not shown below are in state: closed)
Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
25/tcp     open        smtp
37/tcp     open        time
111/tcp    open        sunrpc
113/tcp    open        auth
515/tcp    open        printer
1024/tcp   open        kdm

The kdm port was closed by deleting the corresponding entry in /etc/rc5.d/: S99kdm. I also deleted all except the following entries in /etc/rc5.d: S10sysklogd, S11klogd, S20inetd, S20lpd, S20makedev, S20ssh, S89atd, S89cron, and S99rmnologin. After rebooting the system, only the following ports were still open:

Port       State       Service
9/tcp      open        discard
22/tcp     open        ssh
111/tcp    open        sunrpc
113/tcp    open        auth

http://www.spirit.com/Resources/ports.html has a list of unsafe ports. Apparently ports 9, 13, 22, and 37 are ok. Port 25 is the server port for SMTP (sendmail) - we probably don't need it. Port 111 is the portmapper - spirit.com says to block it.

Further information about port 111 is available at http://www.linuxsecurity.com/resource_files/host_security/securing-debian-howto/ch8.en.html. This port is used by RPC services - if you have no program that requires RPC, portmap can be disabled either by running update-rc.d portmap remove or manually eliminating all symlinks in /etc/rc${runlevel}.d/. I followed the latter procedure; the relevant directories include (under /etc) ./rc0.d/, ./rcS.d/, and ./rc6.d/.

The remaining ports, 9, 22, and 113, should be acceptable.

-- Pete Klosterman
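
Added example, not part of the original write-up: a read-only audit of the SysV runlevel directories that checks both steps described above, namely that rc5.d holds only the kept start links and that no portmap link survives in any runlevel after manual removal. The function names, the RC_ROOT variable and the sample tree are assumptions of this example; the keep-list is the one given on this page.

```shell
#!/bin/sh
# RC_ROOT (assumption of this example) is the directory holding rc*.d;
# it defaults to /etc and is overridden below only for the demo.
RC_ROOT="${RC_ROOT:-/etc}"

# Keep-list for rc5.d, as listed on this page.
KEEP_RC5="S10sysklogd S11klogd S20inetd S20lpd S20makedev S20ssh S89atd S89cron S99rmnologin"

# Print each start link (S*) in runlevel $1 that is not on the keep-list
# passed as the remaining arguments. No output means the directory matches.
unexpected_start_links() {
    runlevel="$1"; shift
    keep=" $* "
    for link in "$RC_ROOT/rc$runlevel.d"/S*; do
        # -L also catches dangling links whose init.d script is gone
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=$(basename "$link")
        case "$keep" in
            *" $name "*) ;;          # explicitly kept
            *) echo "$name" ;;       # would still start at boot
        esac
    done
}

# Print every S or K link for service $1 left in any rc*.d directory,
# to confirm a manual removal covered all runlevels, not just some.
remaining_links() {
    for link in "$RC_ROOT"/rc*.d/[SK][0-9][0-9]"$1"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        echo "${link#"$RC_ROOT"/}"
    done
}

# Constructed sample tree (not a real system) so the audit runs anywhere.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/rc2.d" "$root/rc5.d" "$root/rcS.d"
    for l in S10sysklogd S20inetd S20ssh S99kdm; do
        ln -s "../init.d/${l#S??}" "$root/rc5.d/$l"
    done
    ln -s ../init.d/portmap "$root/rc2.d/S18portmap"
    ln -s ../init.d/portmap "$root/rcS.d/S41portmap"
    echo "$root"
}

# Demo on the constructed tree; to audit a real host, drop the next line.
RC_ROOT=$(make_sample_tree)
echo "rc5.d start links not on the keep-list:"; unexpected_start_links 5 $KEEP_RC5
echo "portmap links still present:";            remaining_links portmap
```

Re-running the nmap scan after a reboot remains the final check, since a service can also be started by inetd rather than by a runlevel link.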