Debian Security Tools – The Linkielist

Debian comes installed standard without much in the way of active security (such as a firewall, a file state checker, disk encryption, etc) but has got the packages to implement an actively secure environment. Given a little work you can securify Debian with existing packages quite nicely. This article has a nice list of the packages Debian has on offer and what they’re for:

Table 1. Some Security-Enhancing Packages in Debian 3.1

Package Name Description

aide, fam, tripwire, osiris File/system integrity checkers.

bastille Excellent, comprehensive and interactive (yet scriptable) hardening utility.

bochs Bochs virtual x86 PC.

bozohttpd, dhttpd, thttpd Minimally featured, secure Web server daemons.

chrootuid, jailer, jailtool, makejail Utilities for using and creating chroot jails.

clamav General-purpose virus scanner.

cracklib2, cracklib-runtime Library and utilities to prevent users from choosing easily guessed passwords.

filtergen, fireflier, firestarter, ferm, fwbuilder, guarddog, mason, shorewall Tools for generating and managing local firewall policies.

flawfinder, pscan, rats Scripts that parse source code for security vulnerabilities.

freeradius, freeradius-ldap, etc. Free radius server, useful for WLANs running WPA.

frox, ftp-proxy FTP proxies.

gnupg, gnupg2, gpa, gnupg-agent GNU Privacy Guard (gpg), a versatile and ubiquitous e-mail- and file-encryption utility.

harden, harden-clients, harden-servers, etc. Actually an empty package containing only scripts that install and un-install other packages so as to improve system security.

ipsec-tools, pipsecd, openswan, openswan-modules-source Tools for building IPSec-based virtual private networks.

libapache-mod-chroot, libapache2-mod-chroot Apache module to run httpd chrooted without requiring a populated chroot jail.

libapache-mod-security, libapache2-mod-security Proxies user input and server output for Apache.

oftpd, twoftpd, vsftpd Minimally featured, secure FTP server daemons.

privoxy Privacy-enhancing Web proxy.

psad Port-scan attack detector.

pyca, tinyca Certificate authority managers.

selinux-utils, libselinux1 Utilities and shared libraries for SELinux.

slat Analyzes information flow in SELinux policies.

slapd OpenLDAP server daemon.

squidguard Adds access controls and other security functions to the popular Squid Web proxy.

squidview, srg Log analyzers for Squid.

syslog-ng Next-generation syslog daemon with many more features than standard syslogd.

trustees Extends file/directory permissions to allow different permissions for different (multiple) groups on asingle object.

uml-utilities User-mode Linux virtual machine engine for Linux guests.

In addition to the local security-enhancing packages in Table 1, Debian includes many tools for analyzingthe security of other systems and networks. Table 2 lists some notable ones.

Table 2. Security Audit Tools in Debian 3.1

Package Name Description

dsniff, ettercap Packet sniffers for switched environments.

ethereal, tcpdump Excellent packet sniffers.

fping Flood ping (multiple-target ping).

idswakeup Attack simulator for testing intrusion detection systems (IDSes).

john John the Ripper, a password-cracking tool (legitimately used for identifying weak passwords).

kismet Wireless LAN sniffer that supports many wireless cards.

nessus, nessusd, nessus-plugins Nessus general-purpose security scanner.

nmap Undisputed king of port scanners.

snort Outstanding packet sniffer, packet logger and intrusion detection system.

Robin

razor@edgarbv.com https://www.edgarbv.com

M	T	W	T	F	S	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30

Package Name	Description
aide, fam, tripwire, osiris	File/system integrity checkers.
bastille	Excellent, comprehensive and interactive (yet scriptable) hardening utility.
bochs	Bochs virtual x86 PC.
bozohttpd, dhttpd, thttpd	Minimally featured, secure Web server daemons.
chrootuid, jailer, jailtool, makejail	Utilities for using and creating chroot jails.
clamav	General-purpose virus scanner.
cracklib2, cracklib-runtime	Library and utilities to prevent users from choosing easily guessed passwords.
filtergen, fireflier, firestarter, ferm, fwbuilder, guarddog, mason, shorewall	Tools for generating and managing local firewall policies.
flawfinder, pscan, rats	Scripts that parse source code for security vulnerabilities.
freeradius, freeradius-ldap, etc.	Free radius server, useful for WLANs running WPA.
frox, ftp-proxy	FTP proxies.
gnupg, gnupg2, gpa, gnupg-agent	GNU Privacy Guard (gpg), a versatile and ubiquitous e-mail- and file-encryption utility.
harden, harden-clients, harden-servers, etc.	Actually an empty package containing only scripts that install and un-install other packages so as to improve system security.
ipsec-tools, pipsecd, openswan, openswan-modules-source	Tools for building IPSec-based virtual private networks.
libapache-mod-chroot, libapache2-mod-chroot	Apache module to run httpd chrooted without requiring a populated chroot jail.
libapache-mod-security, libapache2-mod-security	Proxies user input and server output for Apache.
oftpd, twoftpd, vsftpd	Minimally featured, secure FTP server daemons.
privoxy	Privacy-enhancing Web proxy.
psad	Port-scan attack detector.
pyca, tinyca	Certificate authority managers.
selinux-utils, libselinux1	Utilities and shared libraries for SELinux.
slat	Analyzes information flow in SELinux policies.
slapd	OpenLDAP server daemon.
squidguard	Adds access controls and other security functions to the popular Squid Web proxy.
squidview, srg	Log analyzers for Squid.
syslog-ng	Next-generation syslog daemon with many more features than standard syslogd.
trustees	Extends file/directory permissions to allow different permissions for different (multiple) groups on asingle object.
uml-utilities	User-mode Linux virtual machine engine for Linux guests.

Package Name	Description
dsniff, ettercap	Packet sniffers for switched environments.
ethereal, tcpdump	Excellent packet sniffers.
fping	Flood ping (multiple-target ping).
idswakeup	Attack simulator for testing intrusion detection systems (IDSes).
john	John the Ripper, a password-cracking tool (legitimately used for identifying weak passwords).
kismet	Wireless LAN sniffer that supports many wireless cards.
nessus, nessusd, nessus-plugins	Nessus general-purpose security scanner.
nmap	Undisputed king of port scanners.
snort	Outstanding packet sniffer, packet logger and intrusion detection system.

Robin

Leave a Reply