There are many books and reams of Internet advice on building firewalls. The classic work on the subject is Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman, O'Reilly Media. However, for our present purposes, we'll cover some basic design principles.
IPTABLES, which supersedes the old IPCHAINS code, is the generic name for what is actually a group of kernel modules and applications used to define and control Linux kernel firewaIling. It actually includes moduIes and applications to provide IPv4, IPv6, ARP, and Ethernet Frame packet filtering as well as some statefuI inspection of packets.
One thing that the hardening packages do not provide is tools for protecting your systems via firewalls. This absence belies their importance in securing your systems, as a short search of Debian packages will show many tools for building firewalls. They vary from simple to complex, and from command line to full graphic interface. Nearly all are frontends for IPTABLES, the Linux kernel firewall modules and associated commands, and produce appropriate configuration files.
Debian provides several packages to assist the administrator in securing the system. They are all meta packages, and include:
Root access to a system is a serious issue. Anyone who knows the root password can do great damage, and the more people who know it, the greater the chance of the password getting into the wrong hands. To avoid this problem, the Budo package provides the ability to run commands as if one were the root user (including, if desired, a shell with full root permissions) without requiring the root password, only the user's own password and proper authorization.
While the traditional user/group/world permissions structure is adequate for many systems, there are times when more fine-grained control is required. This may be handled by using Access Control Lists (ACL). ACLs are implemented using the extended attributes available in various filesystems and are available by default in the EXT filesystems normally used in Debian Linux. The details may be found in the Debian ael package. In particular, check out the manual pages for the getael, setael, and ehael commands.
Traditionally, there are two ways to set up the default group assigned to a new user. The first is to have everyone assigned to a single users group. This will allow all users on the system access files and directories with group read (and execute) permissions, and write to files with group write permissions.
One of the first things to consider is how to set up user groups and how to manage the root account. Although this can be changed any time, it should be done just after installation when changes will have less impact. The two basic issues are how to set up default user group assigrunent, and whether the root account should be disabled.
One of the most critical tasks performed by system administrators is setting up and monitoring system security. Debian provides some assistance here, with special packages that help in hardening your systems, but this is only the beginning. In particular, you must pay attention to how you set up the root account, how to block improper access to your systems, and how to monitor your system for security problems.
The tasks of an administrator are many and include the responsibility for what services the system provides (especially how they are started and shut down), network configuration, system backup, filesystem space management, system operation (system logs), and providing the face the system shows to the world. We've covered some of the issues in each of these areas, although comprehensive coverage of any of the subjects could take several books. One subject not covered here that must be covered in depth is basic system security. We will cover this in the next chapter.
