On Thu, Feb 15, 2001 at 03:34:07PM +0100, Raphael Bauduin wrote:
> Hi,
>
> I'm looking for a way to install a debian potato as securely as
> possible. I would follow this procedure in the future to install a lot
> of servers. The problem I have is that a lot of unwanted packages get
> installed by default (telnetd, exim, at, bc, fingerd, gpm, lpr, mtools,
> mutt, nfs-server, talkd, ....), and having to deinstall them manually
> each time is not very secure as one could forget a package anytime. It
> is also time consuming.

I am working on a web page to step through this, but in essence, I do a
base install, and after the reboot, I step through the install to the
point where I enter dselect, then choose 6 to exit.

One of the best features of dpkg is that you can do dpkg --get-selections
and dpkg --set-selections combined with an apt-get dselect-upgrade.

I have found that there are a finite number of base configurations,
mailserver, firewall, etc. I am working on my perspective of a package
list for several of these installs. In any case, I sneaker-net the
package list over to the box being built, then do

    dpkg --set-selections
    apt-get dselect-upgrade

The system builds with the custom tailored package list. You can then
select the few specific packages that are host-specific as needed.

This has the effect of giving you a custom-tailored list of what gets
installed and also simplifies backups. If you are careful about division
of your partitions, you can simply tar up the non-standard or unique
partitions (e.g. /home, /usr/local, /opt, etc.) and dpkg --get-selections
and redirect a file and you can regenerate a machine fairly quickly.

cfengine could also be an option in your situation too.

-- 
--Brad
============================================================================
Bradley M. Alexander, CISSP              | Co-Chairman,
Beowulf System Admin/Security Specialist | NoVALUG/DCLUG Security SIG
Winstar Telecom                          | [EMAIL PROTECTED]
(703) 889-1049                           | [EMAIL PROTECTED]
============================================================================
If you don't know your rights, you don't have any.
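
An added example, not part of the original message: a shell sketch that compares a host's package selections with a role baseline and flags anything extra, such as the telnetd and fingerd packages from the question. The function names, file names and sample package lists are constructed for illustration; the baseline is assumed to have been captured with dpkg --get-selections on a reference install of that role, so it already contains the base system.

```shell
#!/bin/sh
# Added example: audit package selections against a role baseline.
# Files use the `dpkg --get-selections` format: "<package> <state>".

# Packages marked install/hold in CURRENT ($2) but not in BASELINE ($1).
unexpected_packages() {
    awk '
        FILENAME == ARGV[1] { if ($2 == "install" || $2 == "hold") want[$1] = 1; next }
        ($2 == "install" || $2 == "hold") && !($1 in want) { print $1 }
    ' "$1" "$2" | sort
}

# Packages the BASELINE ($1) wants installed that CURRENT ($2) lacks.
missing_packages() {
    unexpected_packages "$2" "$1"
}

# Emit a selections file: the baseline as-is, plus an explicit "deinstall"
# entry for every unexpected package, so no extra package keeps its old state.
enforced_selections() {
    cat "$1"
    unexpected_packages "$1" "$2" | awk '{ printf "%s\tdeinstall\n", $1 }'
}

# Constructed sample data (not taken from a real host).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\tinstall\n' base-files dpkg ssh logrotate > "$dir/baseline.sel"
    printf '%s\tinstall\n' base-files dpkg ssh telnetd fingerd > "$dir/host.sel"
    printf 'lpr\tdeinstall\n' >> "$dir/host.sel"
    echo "unexpected: $(unexpected_packages "$dir/baseline.sel" "$dir/host.sel" | tr '\n' ' ')"
    echo "missing:    $(missing_packages "$dir/baseline.sel" "$dir/host.sel" | tr '\n' ' ')"
    enforced_selections "$dir/baseline.sel" "$dir/host.sel"
    rm -rf "$dir"
}
demo
```

The output of enforced_selections is in the form dpkg --set-selections reads on standard input, after which apt-get dselect-upgrade applies it as described in the message.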