Hello, I currently have a Woody NAT/Firewall machine that provides internet to my home LAN. In addition to that it provides Web proxy and Web serving (mainly a few pages for my family and friends). It's been running nicely for several years now. Last year I had 2 cases where I had near misses on being compromised. I've gotten a new box and I'm planning and preparing it to replace my existing Woody with Sarge on this new box. I'm trying to plan a somewhat hardened and more secure installation this time to better handle the possible compromises I nearly came to face last year. I have some questions and need some help.
Goal: To provide an Internet connection NAT/Firewall, with (Squid) transparent proxy, DNS caching, Apache, and SSH (i.e. replace, and maybe enhance a little, the current box).

Questions: I'm going to follow the Debian How-To on Securing Debian, which so far has been extremely helpful in seeing some things I can do when I get that "oh my, I've been compromised" feeling, how do I verify it ain't so.

1) What are some projects/software for a light IDS, specifically file checksum/change control? I plan on doing the MD5 checksum floppy as described in the Securing How-To, but then I want software that does that and e-mails my admin user whenever checksums and permissions change.

2) Apache and/or the cgi-bins I use were the cause of my closest-to-being-compromised situations. If I set up Apache, PHP, CGIs, etc. in a chroot jail, how can I still provide a /~username/ type set-up, as I have at least 2 situations where I rely heavily on that? As near as I can tell this is not covered in any of the Apache chroot information I've read.

3) I'd like to provide some limited SFTP (SSH FTP) mechanisms for select individuals; for these I would really like to do away with the shell, but I haven't found a way. How can I provide a shell-less SFTP or severely restricted SFTP service for these people?

Any help or suggestions, especially software or packages that I should research during my planning, would be greatly appreciated.

Thanks,
-- George
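
As an added illustration of what question 1 is asking for (checksum plus permission/ownership change control that can feed an e-mail alert), and not code from the original post or from any of the packages it mentions: a minimal file-integrity baseline and comparison in POSIX sh on top of GNU coreutils. The function names, the tab-separated snapshot format, the choice of sha256sum over the How-To's MD5, and the default mail subject are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): baseline/compare file-integrity
# checking in POSIX sh using GNU coreutils (sha256sum, stat --printf).
# Snapshot format (assumed for this example), one tab-separated line per
# regular file:
#   <sha256>  <octal mode>  <uid>  <gid>  <path>
# Paths containing a tab or newline are not handled.

# Walk a directory tree and print its snapshot, sorted by path so that two
# snapshots of the same tree line up for comparison.
fim_snapshot() {
    dir=$1
    find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        # %a = permission bits in octal, %u/%g = numeric owner/group, %n = path
        printf '%s\t%s\n' "$sum" "$(stat --printf '%a\t%u\t%g\t%n' "$f")"
    done
}

# Compare a baseline snapshot ($1) with a current one ($2). Prints one line
# per difference, tagged CHANGED / ADDED / REMOVED, and returns 1 if anything
# differs (content, mode, owner or group), 0 if the tree is unchanged.
fim_compare() {
    awk -F'\t' -v OFS='\t' '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { base[$5] = $1 OFS $2 OFS $3 OFS $4; next }
        {
            cur = $1 OFS $2 OFS $3 OFS $4
            seen[$5] = 1
            if (!($5 in base))        { print "ADDED", $5; bad = 1 }
            else if (base[$5] != cur) { print "CHANGED", $5, "old=" base[$5], "new=" cur; bad = 1 }
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED", p; bad = 1 }
            exit bad
        }' "$1" "$2"
}

# Cron glue: snapshot DIR, diff it against BASELINE, and pipe the report into
# a notifier command when something changed. The default notifier mails root;
# any command that reads stdin can be substituted (the test below uses tee).
# Usage: fim_check BASELINE DIR [NOTIFY_CMD ARGS...]
# Returns 0 when clean, 1 when differences were reported, 2 on setup failure.
fim_check() {
    baseline=$1; dir=$2; shift 2
    [ $# -gt 0 ] || set -- mail -s "file integrity alert on $(hostname)" root
    tmp=$(mktemp) || return 2
    fim_snapshot "$dir" > "$tmp"
    if report=$(fim_compare "$baseline" "$tmp"); then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    printf '%s\n' "$report" | "$@"
    return 1
}
```

Typical use is `fim_snapshot /etc > /media/floppy/baseline` once from a clean system, then a cron entry running `fim_check /media/floppy/baseline /etc` (and the same for /bin, /sbin, /usr/bin, /lib). The caveat a practitioner would add: an attacker with root can rewrite both the baseline and this script, so the baseline belongs on read-only media (the floppy the How-To describes) and the checker itself should be verified from that media rather than trusted on the disk it is checking; this example detects changes after the fact, it does not prevent them.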

