Debian comes installed standard without much in the way of active security (such as a firewall, a file state checker, disk encryption, etc) but has got the packages to implement an actively secure environment. Given a little work you can securify Debian with existing packages quite nicely. This article has a nice list of the packages Debian has on offer and what they’re for:
Table 1. Some Security-Enhancing Packages in Debian 3.1
Package Name Description aide, fam, tripwire, osiris File/system integrity checkers. bastille Excellent, comprehensive and interactive (yet scriptable) hardening utility. bochs Bochs virtual x86 PC. bozohttpd, dhttpd, thttpd Minimally featured, secure Web server daemons. chrootuid, jailer, jailtool, makejail Utilities for using and creating chroot jails. clamav General-purpose virus scanner. cracklib2, cracklib-runtime Library and utilities to prevent users from choosing easily guessed passwords. filtergen, fireflier, firestarter, ferm, fwbuilder, guarddog, mason, shorewall Tools for generating and managing local firewall policies. flawfinder, pscan, rats Scripts that parse source code for security vulnerabilities. freeradius, freeradius-ldap, etc. Free radius server, useful for WLANs running WPA. frox, ftp-proxy FTP proxies. gnupg, gnupg2, gpa, gnupg-agent GNU Privacy Guard (gpg), a versatile and ubiquitous e-mail- and file-encryption utility. harden, harden-clients, harden-servers, etc. Actually an empty package containing only scripts that install and un-install other packages so as to improve system security. ipsec-tools, pipsecd, openswan, openswan-modules-source Tools for building IPSec-based virtual private networks. libapache-mod-chroot, libapache2-mod-chroot Apache module to run httpd chrooted without requiring a populated chroot jail. libapache-mod-security, libapache2-mod-security Proxies user input and server output for Apache. oftpd, twoftpd, vsftpd Minimally featured, secure FTP server daemons. privoxy Privacy-enhancing Web proxy. psad Port-scan attack detector. pyca, tinyca Certificate authority managers. selinux-utils, libselinux1 Utilities and shared libraries for SELinux. slat Analyzes information flow in SELinux policies. slapd OpenLDAP server daemon. squidguard Adds access controls and other security functions to the popular Squid Web proxy. squidview, srg Log analyzers for Squid. syslog-ng Next-generation syslog daemon with many more features than standard syslogd. trustees Extends file/directory permissions to allow different permissions for different (multiple) groups on asingle object. uml-utilities User-mode Linux virtual machine engine for Linux guests.
In addition to the local security-enhancing packages in Table 1, Debian includes many tools for analyzingthe security of other systems and networks. Table 2 lists some notable ones.
Table 2. Security Audit Tools in Debian 3.1
Package Name Description dsniff, ettercap Packet sniffers for switched environments. ethereal, tcpdump Excellent packet sniffers. fping Flood ping (multiple-target ping). idswakeup Attack simulator for testing intrusion detection systems (IDSes). john John the Ripper, a password-cracking tool (legitimately used for identifying weak passwords). kismet Wireless LAN sniffer that supports many wireless cards. nessus, nessusd, nessus-plugins Nessus general-purpose security scanner. nmap Undisputed king of port scanners. snort Outstanding packet sniffer, packet logger and intrusion detection system.