XPost: linux.debian.security
[ Apologies on advance for top posting but I'm writing this on my phone in
an airplane ]
Dear Noah,
As the main developer of the manual I find tour comments very interesting.
I agree that the manual needs an overhaul and I'm sure more hands in it
would help improve it tremendously.
Moving the manual to a Wiki could be an option but I would rather first
have an updated version/content using the current package/toolset and then consider moving it to a wiki.
The manual is not "centrally maintained" as it is available in Salsa for
anyone to contribute bits and pieces as they see fit.
Alternatively, somebody could start writing in the wiki different sections related to hardening specific services and, once mature/finished, move it
to the manual.
Personally I think that the manual :
- Should not cover in details the principles you mention. There is enough literature out there that it does not make sense to describe what other
sources (books / sites) provide better info on (it is manual, not a book!)
- Should maybe focus only on specific use cases (eg setting up a server)
rather than trying to cover all potential use cases (eg desktop) unless
there are enough "hands" working on it
Those thoughts aside I would be glad to help in pushing patches / new
versions of the manual to the archive if people start actively contributing
to it.
Best regards,
Javier
El mar, 10 jun 2025, 15:11, Dave P. <
[email protected]> escribió:
Excellent idea Noah, especially Debian *server* security. I'm willing to help. The Wiki option sounds like the best way to me.
Some points:
- SSH server security
- Firewalls: I think someone mentioned nftables, and that is optimal. But
for people choosing between UFW and firewalld front-end tools, why
firewalld will usually be preferable.
- Monitoring/auditing: top/htop/etc, process termination, AIDE/Lynis/etc
- Minimizing the attack surface
- Modern backup strategies
- Looking at the current manual, user security needs to be updated as well.
Thanks for taking this on. As you say, the current manual has
been out-of-date for a long time and is not easily reviseable.
If you would like additional help, please email or contact me at my
Discord <https://discord.com/invite/mggw8VGzUp> server. I support Debian servers for several customers and use Debian 12 and sid on the client side. Also, I wrote an SSH server security manual for a customer; it can be
reused for this purpose.
Dave
On Mon, Jun 9, 2025 at 12:21 PM Noah Meyerhans <[email protected]> wrote:
Hi all. The Securing Debian Manual (the harden-doc package) is
woefully out of date and doesn't provide accurate guidance for
operating modern software in the current threat landscape. I'd like
to begin the task of updating it to reflect current best practice and
to document current tools and technologies.
Most basically, I wonder if folks think this is a worthy idea. The
landscape has changed significantly since harden-doc was first
written. Default configurations don't require as much hardening, and
there are lots more available resources. Maybe harden-doc has
stagnated because there's no real need for it?
Assuming we do revive the doc, here are some ideas of what I'd like to
do with the document. I'd like to also get feedback, ideas, and
contributions from others interested in the topic.
1. More background information on principles such as:
a. Threat modeling
b. Defense in depth
c. Least privilege
2. Modern server deployment practices, such as:
a. Sandboxing (with systemd, containers, etc)
b. Image-based deployments, including cloud
c. Update deployment strategies for large fleets
3. Data privacy:
a. VPNs, wireguard, etc
b. Disk encryption
4. Workstation best practices, including:
a. Ssh key generation and handling
b. Basic browser hygine
c. Password managers and other password hygine
My inclination is to primarily focus on general principles rather than
try to document specific settings in specific packages, as in the
current document's Chapter 5 ("Securing services running on your
system"). It'll make sense to document some approaches to safe usage of
the most common software (firefox, openssh, etc), but I don't believe
that it's feasible to provide useful advice for a meaningful subset of
Debian packages.
Should we maybe consider maintaining this document on wiki.debian.org,
rather than being a centrally maintained document? The wiki may scale
better to multiple contributors, leading to better content and more
active maintenance.
If you've got ideas for other topics, I'd love to hear them.
noah
<div dir="auto"><p dir="ltr">[ Apologies on advance for top posting but I'm writing this on my phone in an airplane ]</p>
<p dir="ltr">Dear Noah,</p>
<p dir="ltr">As the main developer of the manual I find tour comments very interesting. I agree that the manual needs an overhaul and I'm sure more hands in it would help improve it tremendously.</p>
<p dir="ltr">Moving the manual to a Wiki could be an option but I would rather first have an updated version/content using the current package/toolset and then consider moving it to a wiki.</p>
<p dir="ltr">The manual is not "centrally maintained" as it is available in Salsa for anyone to contribute bits and pieces as they see fit. </p>
<p dir="ltr">Alternatively, somebody could start writing in the wiki different sections related to hardening specific services and, once mature/finished, move it to the manual.</p>
<p dir="ltr">Personally I think that the manual : </p>
<p dir="ltr">- Should not cover in details the principles you mention. There is enough literature out there that it does not make sense to describe what other sources (books / sites) provide better info on (it is manual, not a book!)</p>
<p dir="ltr">- Should maybe focus only on specific use cases (eg setting up a server) rather than trying to cover all potential use cases (eg desktop) unless there are enough "hands" working on it </p>
<p dir="ltr">Those thoughts aside I would be glad to help in pushing patches / new versions of the manual to the archive if people start actively contributing to it. </p>
<p dir="ltr">Best regards,</p><div data-smartmail="gmail_signature"><br>Javier</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">El mar, 10 jun 2025, 15:11, Dave P. <<a href="mailto:
[email protected]">
[email protected]</a>> escribió:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,
sans-serif;font-size:small">Excellent idea Noah, especially Debian <i>server</i> security. I'm willing to help. The Wiki option sounds like the best way to me. <br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:
small">Some points:</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">- SSH server security <br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">- Firewalls: I think someone
mentioned nftables, and that is optimal. But for people choosing between UFW and firewalld front-end tools, why firewalld will usually be preferable.</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">- Monitoring/
auditing: top/htop/etc, process termination, AIDE/Lynis/etc</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">- Minimizing the attack surface</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-
size:small">- Modern backup strategies</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">- Looking at the current manual, user security needs to be updated as well.</div><div class="gmail_default" style="font-family:
tahoma,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">Thanks for taking this on. As you say, the current manual has been out-of-date for a long time and is not easily reviseable.<br>
</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small"></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">If you would like additional help, please email or contact me at my <a href="
https://discord.com/invite/mggw8VGzUp" target="_blank" rel="noreferrer">Discord</a> server. I support Debian servers for several customers and use Debian 12 and sid on the client side. Also, I wrote an SSH server security manual for a customer; it can be
reused for this purpose.</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">Dave<br></div></div><br><div class="gmail_quote"><
div dir="ltr" class="gmail_attr">On Mon, Jun 9, 2025 at 12:21 PM Noah Meyerhans <<a href="mailto:
[email protected]" target="_blank" rel="noreferrer">
[email protected]</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.
8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi all. The Securing Debian Manual (the harden-doc package) is<br>
woefully out of date and doesn't provide accurate guidance for<br> operating modern software in the current threat landscape. I'd like<br> to begin the task of updating it to reflect current best practice and<br>
to document current tools and technologies.<br>
Most basically, I wonder if folks think this is a worthy idea. The<br> landscape has changed significantly since harden-doc was first<br>
written. Default configurations don't require as much hardening, and<br> there are lots more available resources. Maybe harden-doc has<br>
stagnated because there's no real need for it?<br>
Assuming we do revive the doc, here are some ideas of what I'd like to<br> do with the document. I'd like to also get feedback, ideas, and<br> contributions from others interested in the topic.<br>
1. More background information on principles such as:<br>
a. Threat modeling<br>
b. Defense in depth<br>
c. Least privilege<br>
2. Modern server deployment practices, such as:<br>
a. Sandboxing (with systemd, containers, etc)<br>
b. Image-based deployments, including cloud<br>
c. Update deployment strategies for large fleets<br>
3. Data privacy:<br>
a. VPNs, wireguard, etc<br>
b. Disk encryption<br>
4. Workstation best practices, including:<br>
a. Ssh key generation and handling<br>
b. Basic browser hygine<br>
c. Password managers and other password hygine<br>
My inclination is to primarily focus on general principles rather than<br>
try to document specific settings in specific packages, as in the<br>
current document's Chapter 5 ("Securing services running on your<br> system"). It'll make sense to document some approaches to safe usage of<br>
the most common software (firefox, openssh, etc), but I don't believe<br> that it's feasible to provide useful advice for a meaningful subset of<br> Debian packages.<br>
Should we maybe consider maintaining this document on <a href="
http://wiki.debian.org" rel="noreferrer noreferrer" target="_blank">wiki.debian.org</a>,<br>
rather than being a centrally maintained document? The wiki may scale<br> better to multiple contributors, leading to better content and more<br>
active maintenance.<br>
If you've got ideas for other topics, I'd love to hear them. <br>
noah<br>
</blockquote></div>
</div>
</blockquote></div>
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)