Debian Server Security
Introduction
Security is a critical aspect of server administration. A compromised server can lead to data breaches, service disruptions, and even be used to attack other systems. Debian, known for its stability and security focus, provides excellent tools to create a secure server environment. This guide will walk you through essential security practices for your Debian server.
Why Server Security Matters
Server security is not optional—it's a necessity. Consider these facts:
- Servers are constantly targeted by automated scanning tools looking for vulnerabilities
- A single vulnerability can lead to complete system compromise
- Recovering from a security breach is far more difficult than preventing one
- You have ethical and potentially legal responsibilities to protect data
Core Security Principles
Before diving into specific techniques, let's understand the key principles of server security:
- Principle of Least Privilege: Only grant the minimum permissions necessary
- Defense in Depth: Implement multiple layers of security
- Keep It Simple: Complexity is the enemy of security
- Regular Updates: Patching is your first line of defense
- Monitoring and Logging: You can't protect what you don't observe
Initial Server Hardening
Updating Your System
Always start with a fully updated system:
# Update package lists
sudo apt update
# Upgrade all packages
sudo apt upgrade -y
# Perform distribution upgrade
sudo apt dist-upgrade -y
# Remove unused packages
sudo apt autoremove -y
Creating a Non-Root User
Never use the root account for daily operations:
# Create a new user
sudo adduser username
# Add user to sudo group
sudo usermod -aG sudo username
Securing SSH Access
SSH is often the primary entry point to your server. Securing it is critical:
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
Make these important changes:
# Disable root login
PermitRootLogin no
# Use SSH protocol 2
Protocol 2
# Disable password authentication (use keys instead)
PasswordAuthentication no
# Limit user access
AllowUsers username
# Change default port (optional but helpful)
Port 2222
After making changes, restart the SSH service:
sudo systemctl restart ssh
Setting Up SSH Key Authentication
SSH keys are much more secure than passwords:
- On your local machine, generate an SSH key pair:
ssh-keygen -t ed25519 -C "[email protected]"
- Copy the public key to your server:
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server_ip
- Now you can log in without a password:
ssh username@server_ip
Implementing a Firewall
A firewall controls traffic to and from your server. Debian provides ufw
(Uncomplicated Firewall) which simplifies iptables configuration.
# Install UFW
sudo apt install ufw
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (adjust port if you changed it)
sudo ufw allow 22/tcp
# Allow other necessary services (examples)
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
# Enable the firewall
sudo ufw enable
# Check status
sudo ufw status verbose
Example output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
Setting Up Fail2ban
Fail2ban protects against brute force attacks by temporarily banning IP addresses that show malicious behavior:
# Install Fail2ban
sudo apt install fail2ban
# Create a local configuration file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit the configuration
sudo nano /etc/fail2ban/jail.local
Configure SSH protection by adding or modifying:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
Start the service:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Check its status:
sudo fail2ban-client status
Securing Package Management
APT (Advanced Package Tool) is Debian's package manager. Ensure it's secure:
Using HTTPS for Repository Access
# Install the required package
sudo apt install apt-transport-https
# Update sources to use HTTPS
sudo sed -i 's/http:/https:/g' /etc/apt/sources.list
Verifying Package Integrity
# Update package lists
sudo apt update
# Install debsums for package verification
sudo apt install debsums
# Verify installed packages
sudo debsums -c
Implementing Automatic Security Updates
Keep your system patched automatically with unattended-upgrades
:
# Install the package
sudo apt install unattended-upgrades apt-listchanges
# Configure automatic updates
sudo dpkg-reconfigure -plow unattended-upgrades
Edit the configuration for more control:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Common settings to enable:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
// Automatically reboot if required
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Securing the File System
Setting Proper Permissions
Always ensure files have the minimum necessary permissions:
# Find files with improper permissions
sudo find /etc -type f -perm -o+w -exec ls -l {} \;
# Fix world-writable files
sudo find /etc -type f -perm -o+w -exec chmod o-w {} \;
# Fix files without owner
sudo find /var -nouser -o -nogroup -exec ls -l {} \;
Mounting Partitions with Security Options
Edit your /etc/fstab
file to include secure mount options:
sudo nano /etc/fstab
Add security options:
# Example for adding security options to / partition
UUID=your-uuid / ext4 defaults,nodev,nosuid,noexec 0 1
Common security mount options:
nodev
: Prevents device files on the partitionnosuid
: Prevents SUID/SGID binaries from executingnoexec
: Prevents execution of binaries on the partition
Using AppArmor for Application Confinement
AppArmor is a Mandatory Access Control system that restricts program capabilities:
# Verify AppArmor is installed
sudo apt install apparmor apparmor-utils
# Check status
sudo aa-status
# Put AppArmor in enforce mode
sudo aa-enforce /etc/apparmor.d/*
Example of creating a custom AppArmor profile:
# Generate a profile for a specific application
sudo aa-genprof /usr/bin/program-name
# Test the profile
sudo aa-complain /etc/apparmor.d/usr.bin.program-name
# Once satisfied, enforce it
sudo aa-enforce /etc/apparmor.d/usr.bin.program-name
Implementing System Auditing
Setting Up Auditd
The Linux Audit system helps track security-relevant events:
# Install the audit system
sudo apt install auditd
# Start the service
sudo systemctl enable auditd
sudo systemctl start auditd
Create basic audit rules:
sudo nano /etc/audit/rules.d/audit.rules
Add security-focused rules:
# Monitor changes to authentication configuration
-w /etc/pam.d/ -p wa -k auth_changes
-w /etc/nsswitch.conf -p wa -k auth_changes
# Monitor system calls
-a always,exit -F arch=b64 -S execve -k exec_commands
# Monitor user/group modifications
-w /etc/group -p wa -k group_modification
-w /etc/passwd -p wa -k passwd_modification
-w /etc/shadow -p wa -k shadow_modification
Reload the rules:
sudo auditctl -R /etc/audit/rules.d/audit.rules
Monitoring and Intrusion Detection
Setting Up Rootkit Detection
# Install rkhunter
sudo apt install rkhunter
# Update its database
sudo rkhunter --update
# Perform a check
sudo rkhunter --check
Implementing LogWatch
LogWatch provides daily reports summarizing system activity:
# Install LogWatch
sudo apt install logwatch
# Run manually
sudo logwatch --output mail --mailto [email protected] --detail high
Configure daily reports:
sudo nano /etc/cron.daily/00logwatch
Network Security Hardening
Disable Unused Network Protocols
# Create a sysctl configuration file
sudo nano /etc/sysctl.d/99-security.conf
Add these common hardening parameters:
# Prevent IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable IP forwarding
net.ipv4.ip_forward = 0
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Enable protection against SYN flood attacks
net.ipv4.tcp_syncookies = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Apply the changes:
sudo sysctl -p /etc/sysctl.d/99-security.conf
Regular Security Practices
Creating a Security Checklist
Implement a regular security routine:
- Run system updates weekly
- Check system logs daily
- Verify running services monthly
- Conduct vulnerability scans quarterly
- Review user accounts semi-annually
- Test backups monthly
Scanning for Vulnerabilities
# Install OpenVAS
sudo apt install openvas
# Set up the vulnerability scanner
sudo openvas-setup
# Start the scanner
sudo openvas-start
Practical Example: Securing a Web Server
Let's apply our security principles to a Debian web server running Apache:
# Install Apache
sudo apt install apache2
# Remove server information
sudo nano /etc/apache2/conf-enabled/security.conf
Add or modify these lines:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Set up proper file permissions:
# Set ownership
sudo chown -R root:www-data /var/www/html/
# Set proper permissions
sudo find /var/www/html/ -type d -exec chmod 750 {} \;
sudo find /var/www/html/ -type f -exec chmod 640 {} \;
Enable ModSecurity (Web Application Firewall):
# Install ModSecurity
sudo apt install libapache2-mod-security2
# Enable it
sudo a2enmod security2
# Set up base rules
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
# Edit the configuration
sudo nano /etc/modsecurity/modsecurity.conf
Change the SecRuleEngine setting from DetectionOnly to On:
SecRuleEngine On
Restart Apache:
sudo systemctl restart apache2
Summary
Securing a Debian server requires a multi-layered approach:
- Keep your system updated - This is your first line of defense
- Implement proper authentication - Use SSH keys, disable root login
- Control network access - Configure firewalls, secure network settings
- Restrict permissions - Apply the principle of least privilege
- Monitor and audit - Set up logging and intrusion detection
- Automate security tasks - Use tools like unattended-upgrades
- Test and verify - Regularly check your security posture
Remember that security is an ongoing process, not a one-time setup. Regular maintenance and vigilance are essential to maintaining a secure server environment.
Additional Resources
Exercises
- Set up a test Debian server and implement all the security measures discussed in this guide.
- Create a custom security checklist for your specific server use case.
- Configure auditd to monitor a specific directory for changes.
- Set up automated security scans and email notifications.
- Research and implement additional security measures not covered in this guide.
If you spot any mistakes on this website, please let me know at [email protected]. I’d greatly appreciate your feedback! :)