Summary of Basic System Security in Debian

System security is one of the most important duties of an administrator. Ensure that your system is protected by setting up proper policies for users and groups, and hardening your systems (especially servers) when exposed to attack from the Internet. Firewall tools are useful in blocking attacks, and intrusion detection should be used to discover any system anomalies as early as possible.

We've now been through pretty much all of the major administrative areas of Debian Linux, not counting individual software suites. Next, we will cover some advanced administration techniques.

System scanners in Debian

System scanners include packages that scan for rootkits that may be installed or active on your system, as well as virus scanners. The rkhunter and chkrootkit packages are two of the most widely used rootkit detectors. The tiger package is a somewhat more comprehensive scanner that uses chkrootkit and Tripwire or AIDE, as well as its own scripts, to perform a full audit of your system's security. After the first audit of your clean system, Tiger will alert you to changes in your system's vulnerabilities.

File Monitors in Debian

The second level of intrusion detection involves monitoring the files on the system. There are several good monitors that will alert you to new, deleted, or modified files, usually filtering the reports so they include only changes that indicate a potential compromise. The most commonly used file monitor is Tripwire, which is what the harden-environment package installs. However, Tripwire is now owned by a commercial enterprise that sells proprietary versions.
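To show what a file monitor does at its core, here is an added example in POSIX shell (it is not code from the page, from Tripwire or from AIDE). It takes a baseline of SHA-256 digests for every regular file under a directory and later reports files that are NEW, DELETED or MODIFIED relative to that baseline, which is the same "known clean system, then watch for changes" model the real tools implement with far more policy control. It needs only find, sort, xargs, sha256sum and awk from Debian's coreutils/mawk; the demo directory, file names and contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the page, Tripwire or AIDE): a minimal file-integrity
# monitor. Baseline = sorted "<sha256>  ./path" lines; a later check diffs a
# fresh scan against that baseline and reports NEW / DELETED / MODIFIED files.

# fim_scan DIR -> lines of "<sha256>  ./relative/path", sorted by path.
fim_scan() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# fim_baseline DIR DBFILE: record the baseline of a known-clean tree.
fim_baseline() {
    fim_scan "$1" > "$2"
}

# fim_diff OLDFILE NEWFILE: print one "NEW|DELETED|MODIFIED <path>" line per change.
fim_diff() {
    awk '
        # Split each line into digest and path; paths may contain spaces, so
        # strip the "<digest>  " prefix rather than relying on field splitting.
        { h = $1; p = $0; sub(/^[0-9a-f]+  /, "", p) }
        FILENAME == ARGV[1] { old[p] = h; next }   # baseline (works even if empty)
        { new[p] = h }                              # current scan
        END {
            for (p in old) if (!(p in new)) print "DELETED " p
            for (p in new) if (!(p in old)) print "NEW " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "MODIFIED " p
        }' "$1" "$2" | sort
}

# fim_check DIR DBFILE: rescan DIR and compare with the baseline.
# Prints the changes; returns 0 if the tree is unchanged, 1 otherwise.
fim_check() {
    now=$(mktemp) || return 2
    fim_scan "$1" > "$now"
    out=$(fim_diff "$2" "$now")
    rm -f "$now"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# fim_demo: run the monitor over a constructed directory (no real system files).
fim_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$d/etc/passwd"
    printf 'PermitRootLogin no\n' > "$d/etc/sshd_config"
    fim_baseline "$d" "$d.db"
    # Apply the three kinds of change an integrity check must catch.
    printf 'PermitRootLogin yes\n' > "$d/etc/sshd_config"   # modified
    rm "$d/etc/passwd"                                        # deleted
    printf 'x\n' > "$d/etc/newfile"                           # new
    if fim_check "$d" "$d.db"; then rc=0; else rc=1; fi
    rm -rf "$d" "$d.db"
    return $rc
}
```

In practice the baseline database must live somewhere an intruder cannot rewrite (read-only media, or at least a separate host), otherwise the monitor can be silenced by regenerating it; that is precisely the problem Tripwire and AIDE address with signed or off-host databases.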

NIDS

Network Intrusion Detection basically involves monitoring network interfaces, analyzing all the packets seen, and providing alerts when certain attack characteristics are seen. On Debian, the primary tool for this is Snort, which is installed by the harden-nids package mentioned previously. Other NIDS packages are available in Debian as well.

Snort can be paired with the fwsnort package to not only detect potential attacks but also block them dynamically by adding iptables rules when attacks are detected.

Intrusion detection in Debian

Debian includes a number of intrusion detection applications. There are three basic classes: Network Intrusion Detection Systems (NIDS), File Monitors, and System Scanners. A NIDS works by scanning network traffic to detect attempts to discover and exploit allowed network connections. A file monitor works by scanning a known clean system, then monitoring it for new, deleted, and modified files.

The perimeter network

Probably one of the most important ways to protect private networks while still providing services available to the public Internet is by using a perimeter network. Often called a De-Militarized Zone (DMZ), it is a buffer between attackers and your internal network.

Local loopback traffic Debian help

Most administrators are not concerned with traffic on the local loopback interface. This is because such traffic is often necessary for proper operation of the local system. It is also rather difficult to analyze in order to determine what is necessary and what may be safely blocked without affecting normal operation. The major reason to firewall loopback traffic is that if rogue software is installed on the system by a virus or worm, that software has more avenues to further attack the local system over an unprotected loopback interface.

Outbound traffic help

In general, outbound traffic is legitimate, and many administrators do not restrict traffic originating on the local system going to remote systems. Unfortunately, there are cases where this is not advisable. A common example is when a company wishes to restrict the outside services its employees can use (such as preventing the use of YouTube because it is inappropriate for them to be using it during working hours).

Inbound opens help

Any time someone can open a connection to a system, that system can be attacked via that connection. This does not refer to inbound traffic in general, much of which belongs to connections the local system itself established. It refers to a request from a remote system for a new connection to a local service. This is usually called an inbound open, as it involves an initial request by a remote system to open a connection on a specific port.
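The three cases just discussed (loopback traffic, outbound traffic and inbound opens) map onto a host firewall policy. As an added example that is not from the page or from any Debian package, the shell function below generates such a policy in iptables-restore format: INPUT defaults to DROP so that only explicitly listed inbound opens are accepted, loopback is allowed in full, replies to connections the host itself established are accepted because they are not inbound opens, and OUTPUT defaults to ACCEPT with one illustrative outbound restriction. Nothing here touches the live firewall; the SSH port, the blocked destination network (TEST-NET-3 from RFC 5737) and the /etc/iptables/rules.v4 location used by the iptables-persistent package are assumed values for illustration.

```shell
#!/bin/sh
# Added example (not from the page): emit a host firewall policy in
# iptables-restore format covering loopback, outbound and inbound-open rules.
# The function only prints; loading the result is a separate, deliberate step.

# fw_rules [SSH_PORT] [BLOCKED_CIDR]: print the ruleset to stdout.
fw_rules() {
    ssh_port="${1:-22}"                  # assumed: the one service we expose
    blocked="${2:-203.0.113.0/24}"       # constructed example network (TEST-NET-3)
    cat <<EOF
*filter
# Inbound opens: nothing is accepted unless a rule below allows it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
# Outbound traffic: allowed by default; exceptions are appended below.
:OUTPUT ACCEPT [0:0]
# Loopback: allowed wholesale. Restrict it only after auditing which local
# services actually depend on it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host established are not inbound opens.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that claim to belong to a connection we never saw.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The single inbound open we accept: new TCP connections to the SSH port.
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# Everything else falls through to the DROP policy; log a sample of it first
# so intrusion detection has something to correlate against.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
# Outbound restriction example: refuse traffic to one destination network.
-A OUTPUT -d ${blocked} -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# fw_write FILE [SSH_PORT] [BLOCKED_CIDR]: save the ruleset to FILE
# (for iptables-persistent that is /etc/iptables/rules.v4) without loading it.
fw_write() {
    f="$1"; shift
    fw_rules "$@" > "$f"
}
```

Check the syntax with `iptables-restore --test < rules.v4` before loading, and load it from a console session rather than over SSH the first time: a typo in the inbound-open rule with a DROP policy on INPUT locks you out of the remote session.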
