Hey there, server samurais and cyber sentinels! Ready to transform your Debian server into an impregnable fortress? Whether you’re a seasoned sysadmin or a newbie just dipping your toes into the world of server security, this guide is your one-stop shop for all things safety on the wild, wild web. Buckle up, because we’re about to embark on a journey full of scripts, tips, and jokes to keep things light and fun. There are many good guides on this online; I decided to add another one with the things I usually do. Let’s dive in!
Initial Setup: The First Line of Defense
Imagine setting up your server like moving into a new house. You wouldn’t leave the door wide open, right? The same logic applies here.
Update Your System
Outdated software is like a welcome mat for hackers. Run the following commands to get everything current:
sudo apt update && sudo apt upgrade -y
Create a New User
Root users are like the king of the castle. Let’s create a new user with sudo privileges:
sudo adduser yourusername
sudo usermod -aG sudo yourusername
Now, switch to your newly crowned user:
su - yourusername
Securing SSH: Locking Down Your Castle Gates
SSH (Secure Shell) is the key to your castle gates. Leaving it unprotected is like leaving the keys under the doormat.
Disable Root Login
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Change PermitRootLogin to no:
PermitRootLogin no
Change the Default SSH Port
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Change the port to a number between 1024 and 65535 (e.g., 2222):
Port 2222
Restart the SSH service:
sudo systemctl restart ssh
There is actually some controversy about security through obscurity; in my long tenure as an analyst and incident responder I believe fewer automated “easy” attacks do improve security.
Set Up SSH Keys
Generate a key pair using elliptic curve cryptography:
ssh-keygen -t ed25519 -C "[email protected]"
Copy the public key to your server:
ssh-copy-id yourusername@yourserver -p 2222
Disable password authentication:
sudo nano /etc/ssh/sshd_config
Change PasswordAuthentication to no:
PasswordAuthentication no
Restart SSH:
sudo systemctl restart ssh
For more details, refer to the sshd_config man page.
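The three sshd_config changes above (PermitRootLogin, Port, PasswordAuthentication) are easy to get subtly wrong: sshd takes the first active occurrence of a keyword and ignores later duplicates, and anything below a Match block only applies conditionally, so a "PasswordAuthentication no" that landed in the wrong place does nothing. As an added example, not part of the original post, here is a small POSIX shell script that reads and sets those keywords in a file you point it at and reports what is still at an insecure value. The function names (sshd_get, sshd_set, sshd_audit) are invented for this example; the defaults it compares against (PermitRootLogin prohibit-password, PasswordAuthentication yes, Port 22) are OpenSSH's.

```sh
#!/bin/sh
# Added example (not from the post): audit and set the sshd_config keywords the
# section above changes. Works on the file passed as $1 so it can be run against
# a copy first. sshd_get, sshd_set and sshd_audit are names chosen here, not
# OpenSSH tools.

# Print the effective value of a keyword. sshd honours the FIRST active
# occurrence, and everything after a Match block is conditional, so duplicates
# and Match sections are ignored. Only "Keyword value" is handled, not "Keyword=value".
sshd_get() {
    # $1 = config file, $2 = keyword (case-insensitive, as in sshd)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/             { next }
        tolower($1) == "match"       { exit }
        tolower($1) == key && !found { print $2; found = 1 }
    ' "$1"
}

# Set a keyword: replace its first active occurrence, or insert it before the
# first Match block (or at the end) if it is not set yet. Writes back through
# cat so the file keeps its owner and mode.
sshd_set() {
    # $1 = config file, $2 = keyword, $3 = value
    tmp=$(mktemp)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        !inmatch && tolower($1) == "match" { if (!done) { print line; done = 1 }; inmatch = 1 }
        !inmatch && tolower($1) == key     { if (!done) { print line; done = 1 }; next }
        { print }
        END { if (!done) print line }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Check the three settings from this section against sshd's defaults
# (PermitRootLogin prohibit-password, PasswordAuthentication yes, Port 22).
# Prints one line per finding; returns 1 if anything is still insecure.
sshd_audit() {
    f=${1:-/etc/ssh/sshd_config}; rc=0
    root=$(sshd_get "$f" PermitRootLogin)
    pw=$(sshd_get "$f" PasswordAuthentication)
    port=$(sshd_get "$f" Port)
    [ "${root:-prohibit-password}" = no ] || { echo "PermitRootLogin is '${root:-default}', want no"; rc=1; }
    [ "${pw:-yes}" = no ]                 || { echo "PasswordAuthentication is '${pw:-default}', want no"; rc=1; }
    [ "${port:-22}" != 22 ]               || { echo "Port is 22; the post suggests a non-default port"; rc=1; }
    return $rc
}

# Walk-through on a constructed temporary file; no system file is touched.
demo() {
    cfg=$(mktemp)
    printf '#PermitRootLogin yes\nPort 22\nMatch User backup\n    PasswordAuthentication no\n' > "$cfg"
    echo "before:"; sshd_audit "$cfg" || true
    sshd_set "$cfg" PermitRootLogin no
    sshd_set "$cfg" PasswordAuthentication no
    sshd_set "$cfg" Port 2222
    echo "after:"; sshd_audit "$cfg" && echo "  all three settings as recommended"
    cat "$cfg"; rm -f "$cfg"
}

# No argument: run the demo. Argument: audit that file (e.g. a copy of sshd_config).
if [ -z "${1:-}" ]; then demo; else sshd_audit "$1"; fi
```

Pass a path (a copy of /etc/ssh/sshd_config, or the real file with sudo) to audit it. Two caveats from the real world: Debian 12's stock sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and because those drop-ins are read first they win over anything you set further down, so check them too (`sudo sshd -T` prints the effective configuration). And before `systemctl restart ssh`, `sudo sshd -t` validates the syntax, which is cheap insurance against locking yourself out on the new port.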
Firewall Configuration: Building the Great Wall
A firewall is like the Great Wall of China for your server. Let’s set up UFW (Uncomplicated Firewall).
Install UFW
Install UFW if it’s not already installed:
sudo apt install ufw -y
Allow SSH
Allow SSH connections on your custom port:
sudo ufw allow 2222/tcp
# add more services if you are hosting anything like HTTP/HTTPS
Enable the Firewall
Enable the firewall and check its status:
sudo ufw enable
sudo ufw status
For more information, check out the UFW man page.
Intrusion Detection Systems: The Watchful Eye
An Intrusion Detection System (IDS) is like a guard dog that barks when something suspicious happens.
Install Fail2Ban
Fail2Ban protects against brute force attacks. Install it with:
sudo apt install fail2ban -y
Configure Fail2Ban
Edit the configuration file:
sudo nano /etc/fail2ban/jail.local
Add the following content:
[sshd]
enabled = true
port = 2222
logpath = %(sshd_log)s
maxretry = 3
Restart Fail2Ban:
sudo systemctl restart fail2ban
For more details, refer to the Fail2Ban man page.
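Fail2Ban's sshd jail does nothing more magical than tail the auth log, count failed attempts per source address and ban the ones that cross maxretry. Seeing that count yourself is the quickest way to check that the jail is looking at the right log and that the threshold is sensible. The script below is an added example, not part of the original post or of Fail2Ban: it reproduces that counting over a syslog-style auth.log in plain awk. The function names (failed_by_ip, over_threshold, sample_log) and the sample log lines are constructed for this example; the addresses come from the RFC 5737 documentation ranges.

```sh
#!/bin/sh
# Added example (not from the post): count failed SSH logins per source address
# from an auth.log, the same signal Fail2Ban's sshd filter keys on.
# failed_by_ip, over_threshold and sample_log are names chosen here.

# Print "<failures> <ip>" per source, most active first. Matches the two message
# forms sshd logs for bad attempts, "Failed password/publickey for ..." and
# "Invalid user ..."; the address is the word after "from".
failed_by_ip() {
    # $1 = log file in syslog format (Debian: /var/log/auth.log)
    awk '
        /sshd\[[0-9]+\]: (Failed (password|publickey) for|Invalid user )/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# Print only the addresses at or above maxretry, i.e. what Fail2Ban would ban.
# Simplification: Fail2Ban only counts failures inside its findtime window
# (10 minutes by default); this counts over the whole file.
over_threshold() {
    # $1 = log file, $2 = maxretry (the jail above uses 3)
    failed_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Constructed log lines for a dry run; addresses are from the RFC 5737 test ranges.
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 srv sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jan 10 12:00:03 srv sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Jan 10 12:00:04 srv sshd[1203]: Invalid user oracle from 198.51.100.7 port 51250
Jan 10 12:00:05 srv sshd[1203]: Failed password for invalid user oracle from 198.51.100.7 port 51250 ssh2
Jan 10 12:00:06 srv sshd[1205]: Accepted publickey for alice from 203.0.113.9 port 40000 ssh2: ED25519 SHA256:<fingerprint>
Jan 10 12:00:08 srv sshd[1207]: Failed password for alice from 203.0.113.9 port 40010 ssh2
EOF
}

# Stand-alone run: use the real log if readable, otherwise the constructed sample.
log=${1:-/var/log/auth.log}
if [ -r "$log" ]; then
    echo "sources at or above 3 failures in $log:"; over_threshold "$log" 3
else
    tmp=$(mktemp); sample_log > "$tmp"
    echo "failures per source (constructed sample):"; failed_by_ip "$tmp"
    echo "would be banned with maxretry = 3:"; over_threshold "$tmp" 3
    rm -f "$tmp"
fi
```

On the sample, 198.51.100.7 has four failures and 203.0.113.9 one, so with maxretry = 3 only the first address is listed; alice's single typo is not. Note that the "Invalid user" line and the "Failed password for invalid user" line that follows it are both counted, which is why a single bad username attempt can cost two retries. If the live run shows nothing while `fail2ban-client status sshd` shows bans, you are probably on a journald-only system where /var/log/auth.log does not exist and the jail reads the journal instead.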
Regular Updates and Patching: Keeping the Armor Shiny
A knight with rusty armor won’t last long in battle. Keep your server’s software up to date.
Enable Unattended Upgrades
Debian can automatically install security updates. Enable this feature:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
Edit the configuration:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Ensure the following line is uncommented:
"${distro_id}:${distro_codename}-security";
For more details, refer to the unattended-upgrades man page.
Again, there is also some controversy about this. Most people are afraid that they will wake up one night and all their servers are down because of a botched automated update. In my non-professional life with my home IT this has never happened, and even professionally, if we are just talking about security updates of an OS like Debian, I haven’t seen it yet.
User Management: Only the Knights in the Realm
Not everyone needs the keys to the kingdom. Ensure only trusted users have access. On a fresh install this is probably unnecessary, but it is good housekeeping.
Review and Remove Unnecessary Users
List all users:
cut -d: -f1 /etc/passwd
Remove any unnecessary users:
sudo deluser username
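The cut command above lists every account in /etc/passwd, including the dozens of system accounts (daemon, www-data, ...) that Debian needs and that you must not deluser. What you actually want to review is the shorter list of accounts that can log in, plus the one thing that should never be there: a second account with UID 0. As an added example, not part of the original post, the script below pulls both lists out of a passwd file with awk. It takes the file as an argument so it can run against a copy; the function names and the sample passwd entries are constructed for this example, and the UID 1000 cut-off is the range Debian's adduser assigns to regular users.

```sh
#!/bin/sh
# Added example (not from the post): instead of listing every name in /etc/passwd,
# pick out the accounts that can actually log in and any extra UID-0 accounts.
# Takes the passwd file as $1 so it can run on a copy; login_accounts,
# uid0_accounts and sample_passwd are names chosen here.

# Print "<name> <uid> <shell>" for interactive accounts: UID 1000 and up (the
# range Debian's adduser gives regular users), not nobody (65534), and with a
# shell other than nologin/false. These are the candidates for deluser.
login_accounts() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1, $3, $7 }' "$1"
}

# Any account with UID 0 is root under another name and should not exist.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed passwd entries for a dry run (not a real system's file).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
olduser:x:1001:1001:left the project:/home/olduser:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/sh
EOF
}

# Stand-alone run: use the real file if readable, otherwise the constructed sample.
pw=${1:-/etc/passwd}; tmp=
[ -r "$pw" ] || { tmp=$(mktemp); sample_passwd > "$tmp"; pw=$tmp; echo "(using constructed sample)"; }
echo "accounts that can log in:"; login_accounts "$pw"
echo "extra UID 0 accounts:"; uid0_accounts "$pw"
[ -z "$tmp" ] || rm -f "$tmp"
```

On the sample this prints alice and olduser as login-capable (olduser being the deluser candidate) and flags toor as an extra UID 0 account. Service accounts with a nologin shell stay out of the way, which is the point: the review list should be short enough that you actually read it.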
Implement Strong Password Policies
Enforce strong passwords:
sudo apt install libpam-pwquality -y
Edit the PAM configuration file:
sudo nano /etc/pam.d/common-password
Add the following line:
password requisite pam_pwquality.so retry=3 minlen=12 difok=3
For more details, refer to the pam_pwquality man page.
File and Directory Permissions: Guarding the Treasure
Permissions are like guards watching over the royal treasure. Make sure they’re doing their job.
Secure /etc Directory
Ensure the /etc directory is not writable by anyone except root:
sudo chmod -R go-w /etc
This is heavily dependent on your distribution and may be a bad idea. I use it for locked down environments like Debian LXC that only do one thing.
Set Permissions for User Home Directories
Ensure user home directories are only accessible by their owners:
sudo chmod 700 /home/yourusername
For more details, refer to the chmod man page.
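Before running a blanket chmod -R over /etc it helps to know what it would actually change, and after setting home directories to 700 it helps to verify that nothing reopened them. The script below is an added example, not part of the original post: two read-only checks, one listing world-writable files and directories under a tree (skipping sticky directories such as /tmp, which are world-writable by design), the other listing home directories whose group or other bits are not all cleared. The function names (world_writable, home_dirs_too_open) are invented for this example; it relies only on find, ls and cut.

```sh
#!/bin/sh
# Added example (not from the post): two read-only checks for the permissions
# this section tightens. Run them before a blanket chmod -R so you know what
# would change. world_writable and home_dirs_too_open are names chosen here.

# List files and directories under $1 that "other" can write to. Directories
# with the sticky bit (such as /tmp) are meant to be like that and are skipped.
world_writable() {
    # $1 = directory tree to scan (-xdev stays on one filesystem)
    find "$1" -xdev \( -type f -o -type d \) -perm -o+w \
         ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# For each home directory under $1 (default /home), print "<go-bits> <dir>"
# when group or other have any permission at all, i.e. the mode is not 700.
home_dirs_too_open() {
    for d in "${1:-/home}"/*/; do
        [ -d "$d" ] || continue              # no match: the glob stays literal
        d=${d%/}
        gobits=$(ls -ld "$d" | cut -c5-10)   # columns 5-10 of "drwxr-xr-x" are group+other
        [ "$gobits" = "------" ] || echo "$gobits $d"
    done
}

# Stand-alone run: scan the two places this section talks about.
echo "world-writable under /etc (what chmod -R go-w would change):"; world_writable /etc
echo "home directories with group/other permissions:"; home_dirs_too_open /home
```

An empty first list means the chmod -R go-w /etc line above would be a no-op on your system, which is the normal state on a fresh Debian install; anything that does show up is worth understanding before you flip it, since a package may expect it. The second list is the quick check that every home directory really is 700.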
Automatic Backups: Preparing for the Worst
Even the best fortress can be breached. Regular backups ensure you can recover from any disaster.
Full disclosure: I have had a very bad data loss experience with rsync and have since switched to Borg. I can also recommend restic. This had nothing to do with rsync in itself, rather how easy it is to mess up.
Install rsync
rsync is a powerful tool for creating backups. Install it with:
sudo apt install rsync -y
Create a Backup Script
Create a script to backup your important files:
nano ~/backup.sh
Add the following content:
#!/bin/bash
set -euo pipefail   # abort on the first failing command instead of carrying on
mkdir -p /backup/var/www /backup/home/yourusername
# -a preserves ownership, permissions and times; --delete mirrors removals too
rsync -a --delete /var/www/ /backup/var/www/
rsync -a --delete /home/yourusername/ /backup/home/yourusername/
Make the script executable:
chmod +x ~/backup.sh
Schedule the Backup
Use cron to schedule the backup to run daily:
crontab -e
Add the following line:
0 2 * * * /home/yourusername/backup.sh
For more details on cron, refer to the crontab man page.
For longer backup jobs you should switch to a service with a timer rather than cron. Here is a post from another blog about it. Since my data has grown to multiple terabytes, this is what I do now too.
Advanced Security Best Practices
Enable Two-Factor Authentication (2FA)
Adding an extra layer of security with 2FA can significantly enhance your server’s protection. Use tools like Google Authenticator or Authy. I had this on an Ubuntu server for a while and thought it was kind of cool.
- Install the required packages:
sudo apt install libpam-google-authenticator -y
- Configure each user for 2FA:
google-authenticator
- Update the PAM configuration:
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
- Update the SSH configuration to require 2FA:
sudo nano /etc/ssh/sshd_config
Ensure the following lines are set:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Restart SSH:
sudo systemctl restart ssh
Implement AppArmor
AppArmor provides mandatory access control and can restrict programs to a limited set of resources.
- Install AppArmor:
sudo apt install apparmor apparmor-profiles apparmor-utils -y
- Enable and start AppArmor:
sudo systemctl enable apparmor
sudo systemctl start apparmor
For more details, refer to the AppArmor man page.
Conclusion: The Crown Jewel of Security
Congratulations, noble guardian! You’ve fortified your Debian server into a digital fortress. By following these steps, you’ve implemented strong security practices, ensuring your server is well-protected against common threats. Remember, security is an ongoing process, and staying vigilant is key to maintaining your kingdom’s safety.
Happy guarding, and may your server reign long and prosper!