Harden Debian Install
---
Update (Ian Holmes, 19 March 2005): also try nessus for some excellent tutorial advice.
---
A summary of one person's experience using nmap to harden a default Debian Linux installation.
Using nmap -v -sT (IP addr):
    Interesting ports on localhost.localhost (IP addr):
    (The 1544 ports scanned but not shown below are in state: closed)
    Port       State       Service
    9/tcp      open        discard
    13/tcp     open        daytime
    22/tcp     open        ssh
    25/tcp     open        smtp
    37/tcp     open        time
    111/tcp    open        sunrpc
    113/tcp    open        auth
    515/tcp    open        printer
    1024/tcp   open        kdm
The kdm port was closed by deleting the corresponding entry in /etc/rc5.d/: S99kdm. I also deleted all except the following entries in /etc/rc5.d: S10sysklogd, S11klogd, S20inetd, S20lpd, S20makedev, S20ssh, S89atd, S89cron, and S99rmnologin. After rebooting the system, only the following ports were still open:
    Port       State       Service
    9/tcp      open        discard
    22/tcp     open        ssh
    111/tcp    open        sunrpc
    113/tcp    open        auth
http://www.spirit.com/Resources/ports.html has a list of unsafe ports. Apparently ports 9, 13, 22, and 37 are ok. Port 25 is the server port for SMTP (sendmail) - we probably don't need it. Port 111 is the portmapper - spirit.com says to block it.
Further information about port 111 is available at http://www.linuxsecurity.com/resource_files/host_security/securing-debian-howto/ch8.en.html . This port is used by RPC services - if you have no program that requires RPC, portmap can be disabled either by running update-rc.d portmap remove or manually eliminating all symlinks in /etc/rc${runlevel}.d/. I followed the latter procedure; the relevant directories include (under /etc) ./rc0.d/, ./rcS.d/, and ./rc6.d/
The remaining ports, 9, 22, and 113, should be acceptable.
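The two checks in this procedure (which start links remain in a runlevel directory, and which open ports remain after a rescan) can be scripted so nothing is deleted until the list has been reviewed. This is an added example, not part of the original write-up; the function names and the way the script is invoked are assumptions, while the keep list and the accepted ports are the ones given in the text above.

```shell
#!/bin/sh
# Added example: audit the page's procedure without deleting anything.

# Start links the page kept in /etc/rc5.d (taken from the text above).
KEEP="S10sysklogd S11klogd S20inetd S20lpd S20makedev S20ssh S89atd S89cron S99rmnologin"
# Ports the page's conclusion treats as acceptable.
OK_PORTS="9 22 113"

# in_list WORD LIST: succeed if WORD is one of the space-separated items.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# extra_start_links DIR: print S* entries in DIR that are not in KEEP.
extra_start_links() {
    for path in "$1"/S*; do
        # Skip the literal pattern when nothing matches; keep dangling links.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        in_list "$name" "$KEEP" || echo "$name"
    done
}

# unexpected_open_ports: read nmap output on stdin and print open TCP ports
# that are not in OK_PORTS (result lines look like "111/tcp open sunrpc").
unexpected_open_ports() {
    while read -r port state rest; do
        case "$port" in */tcp) ;; *) continue ;; esac
        [ "$state" = "open" ] || continue
        num=${port%%/*}
        in_list "$num" "$OK_PORTS" || echo "$num"
    done
}

# Assumed usage on the host being hardened, after sourcing this file:
#   extra_start_links /etc/rc5.d
#   nmap -sT localhost | unexpected_open_ports
```

Run against the second scan shown above, unexpected_open_ports reports 111, the portmapper port that the last step removes.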