Debian Security Best Practices

Introduction

Debian is renowned for its stability and security in the Linux world. However, no system is inherently secure without proper configuration and maintenance. This guide introduces essential security practices for Debian systems, helping beginners understand how to protect their installations from common threats and vulnerabilities.

Security is not a one-time setup but an ongoing process. By implementing the practices outlined in this guide, you'll establish a strong security foundation for your Debian system and develop habits that contribute to maintaining that security over time.

Core Security Principles

Before diving into specific configurations, let's understand the fundamental principles of system security:

  1. Principle of Least Privilege: Grant only the permissions necessary for users and services to function
  2. Defense in Depth: Implement multiple layers of security
  3. Keep It Simple: Complex configurations can introduce security vulnerabilities
  4. Stay Updated: Security is an ongoing process, not a one-time setup

Keeping Your System Updated

Setting Up Automatic Updates

One of the most crucial security practices is keeping your system updated with the latest security patches.

bash
# Install the unattended-upgrades package
sudo apt update
sudo apt install unattended-upgrades apt-listchanges

# Enable automatic updates
sudo dpkg-reconfigure -plow unattended-upgrades

This will create a basic configuration file at /etc/apt/apt.conf.d/20auto-upgrades that enables automatic security updates.

Configuring Security Updates

Edit the configuration file to fine-tune your automatic update settings:

bash
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Ensure security updates are enabled by uncommenting the security line:

Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

Checking Update Status

Verify that automatic updates are working correctly:

bash
sudo unattended-upgrade --dry-run --debug

Output will show which packages would be upgraded during a real run:

Initial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=bookworm,label=Debian', 'origin=Debian,codename=bookworm,label=Debian-Security']
Checking: python3-software-properties (local=0.99.22, remote=0.99.22)
Checking: software-properties-common (local=0.99.22, remote=0.99.22)
No packages found that can be upgraded unattended and no pending auto-removals
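As an added example that is not part of the original guide, the shell script below audits the two files configured above: it confirms that the APT::Periodic switches in 20auto-upgrades are on and that the security origin in 50unattended-upgrades is not commented out. The function names are this example's own, and the sample files it writes under mktemp are constructed for the demonstration; with no arguments the functions read the real files under /etc/apt/apt.conf.d/.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit the unattended-upgrades
# configuration. File paths are parameters so the checks can run against
# constructed copies; the defaults are the real Debian locations.

# Return 0 if 'APT::Periodic::<NAME> "1";' appears uncommented in FILE.
periodic_enabled() {
    grep -Eq "^[[:space:]]*APT::Periodic::$2[[:space:]]+\"1\";" "$1"
}

# Return 0 if FILE lists the security origin outside a // comment. Both the
# ${distro_id}:${distro_codename}-security form used above and Debian's
# label=Debian-Security form are accepted.
security_origin_enabled() {
    grep -Ev '^[[:space:]]*//' "$1" \
        | grep -Eq '"\$\{distro_id\}:\$\{distro_codename\}-security"|label=Debian-Security'
}

# Print one line per check and return the number of failed checks.
audit_unattended_upgrades() {
    periodic=${1:-/etc/apt/apt.conf.d/20auto-upgrades}
    origins=${2:-/etc/apt/apt.conf.d/50unattended-upgrades}
    failures=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        if periodic_enabled "$periodic" "$key"; then
            echo "ok: APT::Periodic::$key is 1"
        else
            echo "FAIL: APT::Periodic::$key is not 1 in $periodic"
            failures=$((failures + 1))
        fi
    done
    if security_origin_enabled "$origins"; then
        echo "ok: security origin is allowed in $origins"
    else
        echo "FAIL: security origin missing or commented out in $origins"
        failures=$((failures + 1))
    fi
    return $failures
}

# Constructed sample files for a stand-alone run (not copied from a system).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};
EOF
    cat > "$dir/50unattended-upgrades.broken" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}-security";
};
EOF
    echo "$dir"
}

# Demo: the first audit passes, the second reports the commented-out origin.
demo=$(make_samples)
audit_unattended_upgrades "$demo/20auto-upgrades" "$demo/50unattended-upgrades" || true
audit_unattended_upgrades "$demo/20auto-upgrades" "$demo/50unattended-upgrades.broken" || echo "problems found: $?"
```

Run it without arguments on the server itself (it needs read access to the two files) after the dry run above; a non-zero exit means at least one of the settings the dry run depends on is missing.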

Securing SSH Access

SSH (Secure Shell) is often the primary way to access servers remotely. Securing it is essential.

SSH Configuration Best Practices

Edit the SSH configuration file:

bash
sudo nano /etc/ssh/sshd_config

Apply these recommended settings:

# Disable root login
PermitRootLogin no

# Disable password authentication (use SSH keys instead)
PasswordAuthentication no

# Limit user access
AllowUsers username1 username2

# Change the default port (optional; it cuts noise from automated scanners but is not a security control on its own, so also update the firewall rule)
Port 2222

# Limit login attempts
MaxAuthTries 3

# Enable strict mode
StrictModes yes

# Only protocol 2 exists in current OpenSSH; this keyword is deprecated and ignored on modern Debian releases and is kept only for very old servers
Protocol 2

After making changes, check the file for syntax errors with sudo sshd -t (no output means it parsed), then restart the SSH service; keep your current session open and test a new login before closing it:

bash
sudo systemctl restart ssh
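To confirm the settings took effect before you rely on them, the following added example (not from the original guide) reads an sshd_config the way sshd does for plain "Keyword value" lines and reports any setting that differs from the recommendations above. It assumes no Match blocks and no overrides under /etc/ssh/sshd_config.d/, which Debian includes at the top of the file; on a live host, sudo sshd -T prints the effective configuration and is the authoritative check. The function names and the sample configs are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: check that an sshd_config
# carries the settings recommended above. It reads plain "Keyword value"
# lines the way sshd does (first occurrence wins, keywords are
# case-insensitive) and assumes no Match blocks or Include overrides.

# Print the effective value of KEY in FILE, or nothing if it is not set.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Audit FILE against the recommended settings; print one line per check
# and return the number of failures.
audit_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    failures=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok: $key $got"
        else
            echo "FAIL: $key is '${got:-unset}', expected $want"
            failures=$((failures + 1))
        fi
    done
    tries=$(sshd_value "$file" MaxAuthTries)
    case "$tries" in
        ''|*[!0-9]*) tries_ok=1 ;;                 # unset (default is 6) or not a number
        *) if [ "$tries" -le 3 ]; then tries_ok=0; else tries_ok=1; fi ;;
    esac
    if [ "$tries_ok" -eq 0 ]; then
        echo "ok: MaxAuthTries $tries"
    else
        echo "FAIL: MaxAuthTries is '${tries:-unset}', expected 3 or fewer"
        failures=$((failures + 1))
    fi
    [ -n "$(sshd_value "$file" AllowUsers)" ] \
        || echo "WARN: AllowUsers not set, so every local account may log in"
    # Protocol is deprecated in current OpenSSH; flag it so it can be removed.
    [ -z "$(sshd_value "$file" Protocol)" ] \
        || echo "note: the Protocol keyword is deprecated and can be removed"
    return $failures
}

# Constructed sample configs for a stand-alone run.
make_sshd_samples() {
    dir=$(mktemp -d)
    cat > "$dir/hardened" <<'EOF'
# Disable root login
PermitRootLogin no
PasswordAuthentication no
AllowUsers username1 username2
Port 2222
MaxAuthTries 3
StrictModes yes
Protocol 2
EOF
    cat > "$dir/stock" <<'EOF'
#PermitRootLogin prohibit-password
#MaxAuthTries 6
PasswordAuthentication yes
EOF
    echo "$dir"
}

demo=$(make_sshd_samples)
audit_sshd_config "$demo/hardened" || true
audit_sshd_config "$demo/stock" || echo "problems found: $?"
```

Commented-out lines in the stock file are ignored, so a setting that only exists as a comment counts as unset; that is the same reading sshd applies.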

Setting Up SSH Key Authentication

Generate an SSH key pair on your client machine:

bash
ssh-keygen -t ed25519 -C "[email protected]"

Copy the public key to your Debian server:

bash
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server_ip

Now you can log in with the key instead of a password. Test this in a new session before setting PasswordAuthentication no above, so you cannot lock yourself out:

bash
ssh username@server_ip

Firewall Configuration

A properly configured firewall helps control incoming and outgoing network traffic.

Setting Up UFW (Uncomplicated Firewall)

UFW is a user-friendly interface for managing iptables. Install and configure it with:

bash
# Install UFW
sudo apt update
sudo apt install ufw

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (use your custom port if you changed it)
sudo ufw allow 22/tcp

# Allow other necessary services
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS

# Enable the firewall
sudo ufw enable

Checking Firewall Status

Verify your firewall rules:

bash
sudo ufw status verbose

Output example:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)

User Account Security

Properly managing user accounts is crucial for system security.

Creating Strong Password Policies

Install the libpam-pwquality package to enforce password policies:

bash
sudo apt install libpam-pwquality

Edit the PAM configuration:

bash
sudo nano /etc/pam.d/common-password

Add or modify the line with pam_pwquality.so:

password requisite pam_pwquality.so retry=3 minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root

This configuration:

  • Sets minimum password length to 12 characters
  • Requires at least 1 uppercase, 1 lowercase, 1 digit, and 1 special character
  • Prevents using parts of the username in the password
  • Applies these rules to the root user as well

Managing Sudo Access

Review and restrict sudo access to only those who need it:

bash
sudo visudo

Example of restricted sudo access:

# Allow specific commands for user "webadmin"
webadmin ALL=(ALL) /usr/bin/systemctl restart apache2, /usr/bin/systemctl restart nginx

File System Security

Securing your file system prevents unauthorized access to sensitive data.

Setting Proper File Permissions

Check and fix permissions for important directories. Do not run a blanket chmod over /etc or /usr/bin: it would make /etc/shadow, /etc/sudoers and the SSH host keys readable to everyone, and stripping the setuid bit from sudo, passwd and su breaks them. Correct only the dangerous bits:

bash
# Remove the world-writable bit from any configuration file that has it
sudo find /etc -type f -perm -002 -exec chmod o-w {} \;

# Keep the password hashes readable by root and the shadow group only
sudo chmod 640 /etc/shadow /etc/gshadow

# Set secure permissions for home directories
sudo chmod 750 /home/*

# Remove the world-writable bit from any system binary that has it
sudo find /usr/bin -type f -perm -002 -exec chmod o-w {} \;
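As an added example (not code from the original guide), the script below audits a directory tree for world-writable files and lists setuid/setgid binaries for review, then fixes only the world-writable bit, which is what the commands above do one directory at a time. The tree is a parameter so it can be exercised on the constructed sample it builds under mktemp; on a real host pass /etc or /usr/bin. All function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit a directory tree for
# the two permission problems that matter most (world-writable files, and
# setuid/setgid binaries that need review) and fix only the first, instead
# of running a blanket chmod.

# Print regular files under DIR that anyone can write to.
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Print regular files under DIR carrying the setuid or setgid bit. These are
# expected for sudo, passwd, su and a few others; they must keep the bit.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Remove the world-writable bit from every file reported above, nothing else.
fix_world_writable() {
    find "$1" -type f -perm -002 -exec chmod o-w {} \;
}

# Report both findings; return the number of world-writable files.
audit_tree() {
    count=$(world_writable_files "$1" | wc -l | tr -d ' ')
    echo "world-writable files under $1: $count"
    world_writable_files "$1" | sed 's/^/  fix: /'
    echo "setuid/setgid files under $1 (review, do not strip blindly):"
    setuid_files "$1" | sed 's/^/  keep: /'
    return "$count"
}

# Constructed sample tree mimicking the layout of a Debian system.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc" "$dir/usr/bin"
    echo 'root:*:19000::::::' > "$dir/etc/shadow";   chmod 640  "$dir/etc/shadow"
    echo 'Welcome'            > "$dir/etc/motd";     chmod 666  "$dir/etc/motd"     # the finding
    echo '#!/bin/sh'          > "$dir/usr/bin/sudo"; chmod 4755 "$dir/usr/bin/sudo" # setuid, keep
    echo '#!/bin/sh'          > "$dir/usr/bin/ls";   chmod 755  "$dir/usr/bin/ls"
    echo "$dir"
}

demo=$(make_sample_tree)
audit_tree "$demo" || true
fix_world_writable "$demo"
echo "after fix:"
audit_tree "$demo" || true
```

The setuid list is deliberately reported rather than changed: a setuid binary that should not be there is an incident to investigate, and one that should be there (sudo, passwd) stops working the moment its bit is removed.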

Mounting Partitions with Security Options

Edit your /etc/fstab file to add security options to mounted partitions:

bash
sudo nano /etc/fstab

Add these options to enhance security. Apply them with sudo mount -o remount /tmp and then test the software you rely on, because noexec on /tmp breaks programs that unpack and run helpers there:

# Example: Add noexec, nosuid, and nodev to /tmp
UUID=xxxxx-xxxxx /tmp ext4 defaults,noexec,nosuid,nodev 0 2

These options:

  • noexec: Prevents execution of binaries on the partition
  • nosuid: Ignores the SUID/SGID bits on executable files
  • nodev: Prevents interpretation of character or block special devices
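The added example below, not part of the original guide, checks an fstab for these options and goes slightly beyond the text by also expecting nosuid,nodev on /home, where users can create files. The fstab path is a parameter and the sample it writes uses placeholder UUIDs; on a live system, findmnt -no OPTIONS /tmp shows what is actually mounted. Function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: check an fstab for the
# hardening options described above (/tmp from the text, /home as a
# reasonable extension).

# Print the mount options of MOUNTPOINT from FSTAB (nothing if no entry).
fstab_options() {
    awk -v mp="$2" '/^[[:space:]]*#/ || NF < 4 { next } $2 == mp { print $4; exit }' "$1"
}

# Return 0 if every option in WANTED (comma-separated) occurs in OPTS;
# otherwise print the missing ones and return 1.
options_include() {
    opts=$1; wanted=$2; missing=""
    for o in $(printf '%s' "$wanted" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
}

# Check the mountpoints that hold user-writable data; return the number of
# entries lacking an expected option.
audit_fstab() {
    fstab=${1:-/etc/fstab}; failures=0
    for entry in /tmp:noexec,nosuid,nodev /home:nosuid,nodev; do
        mp=${entry%%:*}; want=${entry#*:}
        opts=$(fstab_options "$fstab" "$mp")
        if [ -z "$opts" ]; then
            echo "note: $mp has no entry in $fstab (not a separate filesystem)"
        elif result=$(options_include "$opts" "$want"); then
            echo "ok: $mp $opts"
        else
            echo "FAIL: $mp $opts ($result)"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Constructed sample fstab (UUIDs are placeholders, not real devices).
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <file system>                           <mount point> <type> <options>                    <dump> <pass>
UUID=00000000-0000-0000-0000-000000000001 /             ext4   errors=remount-ro            0      1
UUID=00000000-0000-0000-0000-000000000002 /tmp          ext4   defaults,noexec,nosuid,nodev 0      2
UUID=00000000-0000-0000-0000-000000000003 /home         ext4   defaults                     0      2
EOF
    echo "$f"
}

demo=$(make_sample_fstab)
audit_fstab "$demo" || echo "problems found: $?"
```

A mountpoint without its own fstab entry is reported as a note rather than a failure, since the options can only be set on a separate filesystem.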

Monitoring and Logging

Proper monitoring helps detect potential security incidents.

Setting Up System Logging

Install and configure the rsyslog service:

bash
sudo apt install rsyslog
sudo systemctl enable rsyslog
sudo systemctl start rsyslog

Configure log rotation to prevent logs from consuming all disk space:

bash
sudo nano /etc/logrotate.conf

Example configuration:

# Rotate logs weekly
weekly

# Keep 4 weeks worth of logs
rotate 4

# Create new log files after rotation
create

# Compress old logs
compress

Installing and Configuring Fail2Ban

Fail2Ban helps protect against brute force attacks:

bash
sudo apt install fail2ban

Create a custom jail configuration:

bash
sudo nano /etc/fail2ban/jail.local

Example configuration for SSH protection:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Start and enable Fail2Ban:

bash
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status with:

bash
sudo fail2ban-client status sshd

Output example:

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
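To see what the sshd jail is reacting to, the added example below (not from the original guide) runs the same counting logic over log lines: it tallies sshd's "Failed password" lines per source address and reports the addresses that reached maxretry, leaving out the findtime window. The log path is a parameter (on a host, /var/log/auth.log); the sample log it writes uses RFC 5737 documentation addresses and invented PIDs, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: the detection logic behind
# the sshd jail above, run over log lines so you can see which addresses
# would be banned and why. The findtime window is not modelled.

# Print "<failures> <ip>" per source address, most failures first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i < NF; i++) if ($i == "from") count[$(i + 1)]++
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Print the addresses that reached MAXRETRY failures, i.e. what the jail
# would ban (bantime decides for how long).
ips_to_ban() {
    failed_logins_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Constructed sample log using documentation addresses (RFC 5737).
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct  5 14:30:01 debian sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  5 14:30:04 debian sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  5 14:30:07 debian sshd[1201]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct  5 14:30:09 debian sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:placeholder
Oct  5 14:30:12 debian sshd[1208]: Failed password for bob from 198.51.100.7 port 33001 ssh2
Oct  5 14:30:15 debian sshd[1201]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct  5 14:30:20 debian sshd[1210]: Failed password for bob from 198.51.100.7 port 33002 ssh2
EOF
    echo "$f"
}

demo=$(make_sample_log)
echo "failures per address:"; failed_logins_by_ip "$demo"
echo "would be banned with maxretry = 3:"; ips_to_ban "$demo" 3
```

Once password authentication is disabled as recommended above, these lines stop appearing altogether, and the jail's counters in the status output stay at zero; the check is then mainly useful for spotting which addresses keep probing.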

Package Management Security

Ensuring the authenticity of packages is essential for system security.

Using Secure APT Sources

Only use official Debian repositories or trusted third-party repositories. Edit your sources list:

bash
sudo nano /etc/apt/sources.list

Example of a secure sources.list file:

deb http://deb.debian.org/debian bookworm main contrib non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free-firmware
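The added example below, which is not part of the original guide, reviews a one-line-style sources.list and flags entries that disable signature checks with [trusted=yes], use plain HTTP, or point at hosts other than the official Debian mirrors. It does not parse the deb822 .sources format used under /etc/apt/sources.list.d/. The mirror host list, function names and sample file are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: review a one-line-style
# sources.list for entries that weaken APT's signature checking or pull
# from unexpected hosts.
OFFICIAL_HOSTS="deb.debian.org security.debian.org ftp.debian.org"

# Print one finding per questionable line in FILE; return the number of
# lines that disable signature verification.
audit_sources() {
    file=${1:-/etc/apt/sources.list}; unsigned=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                           # split the entry into fields
        type=$1; shift
        opts=""
        if [ "${1#\[}" != "$1" ]; then         # [option=value ...] group
            while [ $# -gt 0 ]; do
                opts="$opts $1"
                case "$1" in *']') shift; break ;; esac
                shift
            done
        fi
        url=$1; suite=$2
        host=${url#*://}; host=${host%%/*}
        case "$opts" in
            *trusted=yes*) echo "CRITICAL: signature checks disabled for $url $suite"
                           unsigned=$((unsigned + 1)) ;;
        esac
        case "$url" in
            http://*) echo "info: plain HTTP for $url (signatures are still checked; HTTPS hides which packages you fetch)" ;;
        esac
        official=0
        for h in $OFFICIAL_HOSTS; do [ "$host" = "$h" ] && official=1; done
        [ "$official" -eq 1 ] || echo "review: third-party repository $host ($type $url $suite)"
    done < "$file"
    return $unsigned
}

# Constructed sample file; the example.org/example.net hosts are placeholders.
make_sample_sources() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real sources.list
deb http://deb.debian.org/debian bookworm main contrib non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware
deb https://packages.example.org/apt stable main
deb [arch=amd64 trusted=yes] http://mirror.example.net/debian bookworm main
EOF
    echo "$f"
}

demo=$(make_sample_sources)
audit_sources "$demo" || echo "entries with signature checks disabled: $?"
```

A [trusted=yes] entry is the one finding to act on immediately: it tells APT to install from that repository even when the Release file signature is missing or wrong, which defeats the verification described in the next section.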

Verifying Package Integrity

APT verifies the signature on each repository's Release file against the Debian archive keys (package debian-archive-keyring, installed by default) every time you run apt update, and refuses packages from a repository whose signature cannot be checked:

bash
# Refresh the package lists; the Release file signatures are verified here
sudo apt update

# Install debian-keyring, which contains the Debian developers' keys
# (used by tools such as dscverify to check signed source packages)
sudo apt install debian-keyring

# -V prints the full version of every package to be installed, so you can
# see exactly what APT has selected before confirming
sudo apt install -V package_name

Security Auditing

Regular security audits help identify potential vulnerabilities.

Using Lynis for Security Auditing

Lynis is an open-source security auditing tool:

bash
# Install Lynis
sudo apt install lynis

# Run a system audit
sudo lynis audit system

The output will provide a detailed security report with recommendations:

[+] Finalizing
--------------------------------------------------------------------------------
Tests finished at 2023-10-05 14:32:25

Lynis security scan details:
- Hardening index : 65 [################## ]
- Tests performed : 231
- Plugins enabled : 0

Want more details? Full report at:
- /var/log/lynis.log
- /var/log/lynis-report.dat

Regular Security Checks with Rkhunter

Rkhunter (Rootkit Hunter) scans for rootkits, backdoors, and local exploits:

bash
# Install Rkhunter
sudo apt install rkhunter

# Update Rkhunter database
sudo rkhunter --update

# Perform a system check
sudo rkhunter --check

Example output:

System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 147
Suspect files: 0

Rootkit checks...
Rootkits checked : 492
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 1 minute and 13 seconds

Network Security

Securing network services reduces the attack surface of your system.

Disabling Unnecessary Network Services

Identify and disable unused network services:

bash
# List all listening services
sudo ss -tulpn

# Disable an unnecessary service
sudo systemctl disable service_name
sudo systemctl stop service_name

Example of disabling the telnet service:

bash
sudo apt purge telnetd
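As an added example that is not part of the original guide, the script below turns saved ss -tulpn output into a list of services reachable from other hosts and compares it with the ports you intend to expose, so the list of what to disable is explicit. The input is a file (on a live host, redirect sudo ss -tulpn into one); the sample it writes mimics ss's layout with invented PIDs, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: reduce "ss -tulpn" output to
# the services bound to all interfaces and diff them against an allow list.

# Print "<proto> <port> <process>" for every socket bound to all interfaces
# (0.0.0.0, [::] or *), one line per service, duplicates removed.
exposed_listeners() {
    awk 'NR == 1 { next }                                   # header line
         {
             addr = $5; port = addr
             sub(/.*:/, "", port)                            # text after the last colon
             sub(/:[^:]*$/, "", addr)                        # text before the last colon
             proc = "-"
             if (split($NF, parts, "\"") >= 3) proc = parts[2]   # users:(("sshd",pid=...))
             if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print $1, port, proc
         }' "$1" | sort -u
}

# Print the exposed services not listed in ALLOWED ("tcp/22 tcp/443 ...").
unexpected_listeners() {
    allowed=" $2 "
    exposed_listeners "$1" | while read -r proto port proc; do
        case "$allowed" in
            *" $proto/$port "*) ;;
            *) echo "$proto $port $proc" ;;
        esac
    done
}

# Constructed sample in the layout ss prints (PIDs and names invented).
make_sample_ss() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=512,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=800,fd=5))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=700,fd=4))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=900,fd=6))
EOF
    echo "$f"
}

demo=$(make_sample_ss)
echo "exposed:"; exposed_listeners "$demo"
echo "not in the allow list:"; unexpected_listeners "$demo" "tcp/22 tcp/80 tcp/443"
```

Sockets bound to 127.0.0.1 (the postgres entry in the sample) are left out on purpose: they are not reachable from the network and need no firewall rule, while anything that turns up in the second list is either a service to stop or a port to add to the allow list deliberately.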

Implementing Network Access Controls

Configure TCP Wrappers to control access to network services. These rules only apply to daemons linked against libwrap (ldd on the daemon binary shows whether it is), so check before relying on them and restrict anything else with the firewall instead, where ufw accepts a source network in its allow rules. Edit the allow list:

bash
sudo nano /etc/hosts.allow

Add rules to allow specific hosts:

# Allow SSH access only from specific IP addresses
sshd: 192.168.1.0/24

Then deny all other connections in /etc/hosts.deny:

bash
sudo nano /etc/hosts.deny

Add the catch-all rule:

# Deny all other connections
ALL: ALL

System Hardening with Security Frameworks

Debian supports various security frameworks that can enhance system security.

Implementing AppArmor

AppArmor is a Mandatory Access Control (MAC) system:

bash
# Install AppArmor
sudo apt install apparmor apparmor-utils apparmor-profiles

# Enable AppArmor at boot
sudo systemctl enable apparmor
sudo systemctl start apparmor

# Check status
sudo aa-status

Example output:

apparmor module is loaded.
20 profiles are loaded.
19 profiles are in enforce mode.
1 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Setting Up SELinux (Alternative to AppArmor)

SELinux provides an alternative MAC framework. AppArmor and SELinux cannot both be active on the same kernel, so switch to SELinux only if you have not enabled AppArmor above (or disable it first):

bash
# Install SELinux
sudo apt install selinux-basics selinux-policy-default

# Enable SELinux
sudo selinux-activate

# Reboot to apply changes
sudo reboot

After rebooting, check the SELinux status:

bash
sudo sestatus

Example output:

SELinux status:                 enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

Summary

Securing a Debian system requires a comprehensive approach that includes:

  1. Keeping your system updated with security patches
  2. Properly configuring SSH access
  3. Setting up and maintaining a firewall
  4. Implementing strong user account security
  5. Securing the file system
  6. Configuring monitoring and logging
  7. Using secure package management practices
  8. Performing regular security audits
  9. Securing network services
  10. Implementing security frameworks like AppArmor or SELinux

Security is an ongoing process, not a one-time setup. Regularly review your security practices and keep your knowledge up to date with the latest security recommendations for Debian.

Additional Resources

Practice Exercises

  1. Basic Security Audit:
    • Install and run Lynis on your system
    • Address at least three security issues identified by the scan
  2. SSH Hardening:
    • Configure SSH to use key-based authentication
    • Disable root login and password authentication
    • Implement Fail2Ban to protect against brute force attacks
  3. Firewall Configuration:
    • Install and configure UFW
    • Create rules to allow only necessary services
    • Test your configuration to ensure it blocks unauthorized access
  4. User Security:
    • Review all user accounts on your system
    • Implement strong password policies
    • Configure proper sudo access restrictions
  5. Security Monitoring:
    • Set up log monitoring for important security events
    • Configure automated alerts for suspicious activities
    • Implement regular log review procedures

