Debian provides several packages to assist the administrator in securing the system. They are all meta packages, and include:
- harden: lbis installs harden-environment and harden-servers
- harden-clients: lbis prevents installation of software clients that have the potential to expose critical information or allow unauthorized access to your system
- harden-environment: lbis installs tools for intrusion detection
- harden-nids: 1bis installs tools for network intrusion detection
- harden-servers: lbis prevents installation of services that are potentially insecure and could allow unauthorized access to your system
- harden-tools: 1bis installs tools to help enhance and analyze system security
There are other hardening packages that install tools to analyze or audit systems remotely, and help developers create more secure programs. The packages can be found by searching the package cache for "harden". One way to do this is the command apt-cache search harden.
Installing any of these packages is just a start, and won't automatically make your system secure. They are just a way of installing groups of security related packages, or preventing certain packages from being installed ifthey have potential security issues. In particular, ifyou install harden-environment, harden-nids, and hardentools, you will also need to consult the appropriate package documentation and configure them properly to detect and analyze security issues, issue the proper warnings, or take the necessary actions.
One thlng to be aware of is that some of these packages prevent the installation of certain services, such as an F1P server. Ifyour server must provide F1P services (for example), then first install the appropriate hardening packages. After the install completes, install the F1P package confirming that you want to remove the hardening package. That way, you at least know that insecure services other than FlP have not been installed. To mamtam that assurance, periodically test what harden-servers would remove ifinstalled. This can be done, for example, by running apt-get -dry-run install harden-servers, and examining the output to see what would be done.