Note
Debian may not have the sudo package installed by default. This can be remedied quickly with the following.
apt install sudo
Debian 11, Debian 10, Debian 9
Ubuntu 20.04, Ubuntu 18.04
After installing Debian or Ubuntu Server, there are some initial configuration tasks you should complete to create a solid framework for your given application.
Assumptions
hedy is used as the example username in this bit.
Before getting started, run an obligatory system update. This will make sure you have the latest updates and patches for all installed packages.
apt update && apt upgrade
apt update downloads updated package information from all the configured repositories on your system.
apt upgrade upgrades all installed packages to the most recent versions available.
You may also run the command apt autoremove to uninstall any package dependencies that are no longer needed.
After server installation, you should create a non-root, administrative, sudo user for everyday use. A sudo user allows you to execute commands with root privileges only when necessary, helping avoid detrimental mistakes and increasing security.
Start by adding a new user to your system.
adduser hedy
Create a strong password for the new user when prompted. After creating the user password you will be asked for some optional user information (name, email, etc).
Add the newly created user to the sudo group, granting them administrative privileges.
usermod -aG sudo hedy
After adding the user to the group, you will be able to execute a given command with root privileges by prefacing it with sudo.
The substitute user command is used to switch to a different system user. Switch over to the non-root user for continued system configuration.
su - hedy
Usage of the su command allows users to gain the privileges of another system user. To prevent any abuse of this, limit which users can utilize this command.
Create a new system group and add your administrative user to the group.
sudo groupadd suallow && sudo usermod -aG suallow hedy
Limit su command usage to the root user and suallow group.
sudo dpkg-statoverride --update --add root suallow 4750 /bin/su
dpkg-statoverride tells dpkg (the Debian package manager) to use different ownership/permissions for a given file or directory.
A firewall is your first line of defense against a malicious third party. You should only allow connections on the ports you need for the services your server is serving. Common ports include: 22 (SSH), 80 (HTTP), 443 (HTTPS).
UFW is an easy-to-use program for creating firewall rules. You may choose to use iptables instead, but that is outside the scope of this bit.
Install UFW on the server if not already present.
sudo apt install ufw
You are likely connecting to your server remotely using SSH (Secure Shell). Before enabling the firewall, be sure to allow connections to the SSH port, 22 by default.
sudo ufw allow 22/tcp
Enable the firewall to start enforcing the created rules. All incoming connections that aren’t explicitly allowed in the firewall will be denied.
sudo ufw enable
Check the firewall status to see what connections are currently being accepted.
sudo ufw status
The output of this command should look similar to the following.
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
OpenSSH is presumably already installed on your server, but it can be installed with the following command if necessary.
sudo apt install openssh-server
To best secure SSH access to your server, there are a few changes and additions you should make to your OpenSSH config file. Open the /etc/ssh/sshd_config file in your text editor of choice.
sudo nano /etc/ssh/sshd_config
Some of the following configuration options may be commented out by default with the pound sign (#). You must uncomment any changed settings by removing the pound sign (#) from the beginning of the line.
Below the port and listen address definitions, specify the more secure SSH protocol, version 2, for incoming connections.
Protocol 2
Disable SSH logins as the root user.
PermitRootLogin no
Limit the maximum number of login attempts for a single session.
MaxAuthTries 3
Enable client inactivity disconnection. This will automatically disconnect any SSH connections that have been inactive for a specified amount of time (in seconds).
# 15 Minutes
ClientAliveInterval 300
ClientAliveCountMax 3
At the end of the configuration file, specify which users are allowed to log in via SSH. You should only grant your administrative user(s) this option.
# Allowed Users
AllowUsers hedy
Restart the SSH service for changes to take effect.
sudo systemctl restart sshd
The login banner presents a warning to any user who attempts to connect via SSH. While this provides no direct security benefit, it can act as a deterrent by notifying users that connections are monitored.
Open the /etc/issue.net file in your text editor of choice.
sudo nano /etc/issue.net
Populate the file with your desired login banner text. An example is provided below.
************************************************************
*                  AUTHORIZED ACCESS ONLY                  *
*              UNAUTHORIZED ACCESS PROHIBITED              *
*                                                          *
*         All connections are logged and monitored         *
* Disconnect IMMEDIATELY if you are not an authorized user *
*                                                          *
*              Thank you, have a nice day :)               *
************************************************************
Enable the login banner in the OpenSSH config file.
sudo nano /etc/ssh/sshd_config
Search for the text #Banner none in the file, uncomment the line, and specify the banner’s file path.
Banner /etc/issue.net
Restart the SSH service for changes to take effect.
sudo systemctl restart sshd
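A check worth running before each sshd restart above, given here as an added example that is not part of the original guide: sshd -t validates the file's syntax so a typo does not lock you out of the server, and sshd -T prints the effective configuration. The audit_sshd helper and the sample values are hypothetical and constructed for illustration; the expected values are the ones this guide sets.

```sh
#!/bin/sh
# Added example, not from the original guide. audit_sshd is a hypothetical
# helper: it reads `sshd -T` output (lowercase "keyword value" lines) on
# stdin and compares it with the values this guide sets.
# Protocol is not checked: OpenSSH 7.4 and later serve only version 2.

EXPECTED='permitrootlogin no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 3
allowusers hedy
banner /etc/issue.net'

# Prints PASS/FAIL per setting; the return status is the number of failures.
audit_sshd() {
    effective=$(cat)
    failures=0
    while read -r key want; do
        # All values reported for this keyword, one per line. AllowUsers
        # yields one line per user, so an extra allowed user is a FAIL.
        got=$(printf '%s\n' "$effective" |
            awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print }')
        if [ "$got" = "$want" ]; then
            echo "PASS $key $want"
        else
            echo "FAIL $key want='$want' got='${got:-unset}'"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$failures"
}

# Constructed sample: stock-like values with only MaxAuthTries applied.
sample_effective() {
    cat <<'EOF'
port 22
permitrootlogin without-password
maxauthtries 3
clientaliveinterval 0
clientalivecountmax 3
banner none
EOF
}

sample_effective | audit_sshd || echo "settings still to fix: $?"
# On the server: sudo sshd -t && sudo sshd -T | audit_sshd
```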
Fail2ban is intrusion prevention software that protects your server from brute-force attacks. Fail2ban monitors log files for configured patterns of malicious activity. We will set it up to monitor the auth.log file for failed SSH password attempts. After a specified number of failed login attempts from a single IP address in a given time period, the IP address will be banned from making any more connections.
Install fail2ban.
sudo apt install fail2ban
Create a fail2ban configuration file to monitor SSH connection attempts.
sudo nano /etc/fail2ban/jail.local
In the file, specify the following configuration. This configuration will ban, for 25 hours, any IP address that makes 3 failed login attempts within 30 minutes. If you changed your SSH port, make sure you specify that port here.
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# 30 minute findtime
findtime = 1800
# 25 hour ban
bantime = 90000
Restart the fail2ban service for changes to take effect.
sudo systemctl restart fail2ban
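How the maxretry and findtime values above interact, as an added example that is not part of the original guide: the hypothetical would_ban function replays auth.log-style lines and prints each address whose third failure lands inside a 30-minute window. The log lines are constructed, and only "Failed password" messages are matched, which is narrower than fail2ban's own sshd filter.

```sh
#!/bin/sh
# Added example, not from the original guide: replay auth.log-style lines
# against the jail's thresholds (maxretry = 3, findtime = 1800 seconds).

MAXRETRY=3
FINDTIME=1800

# would_ban (hypothetical helper): reads syslog-format lines on stdin and
# prints an IP once, at the failure that completes MAXRETRY failures
# inside a FINDTIME-second window.
# Assumption: all lines fall in the same month, so day-of-month plus
# HH:MM:SS is enough to order events.
would_ban() {
    awk -v max="$MAXRETRY" -v win="$FINDTIME" '
    / sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        # Take the address after the last "from" on the line.
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || ip in banned) next
        n = ++count[ip]
        stamp[ip, n] = now
        # Ban only if the failure max-1 positions back is still in the window.
        if (n >= max && now - stamp[ip, n - max + 1] <= win) {
            banned[ip] = 1
            print ip
        }
    }'
}

# Constructed sample: 203.0.113.7 fails three times in under six minutes;
# 198.51.100.4 fails three times spread over two hours, then logs in.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:00:01 srv sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:00:09 srv sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:05:30 srv sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Mar  3 10:06:00 srv sshd[820]: Failed password for hedy from 198.51.100.4 port 51000 ssh2
Mar  3 11:00:00 srv sshd[901]: Failed password for hedy from 198.51.100.4 port 51020 ssh2
Mar  3 12:00:00 srv sshd[950]: Failed password for hedy from 198.51.100.4 port 51044 ssh2
Mar  3 12:01:00 srv sshd[951]: Accepted password for hedy from 198.51.100.4 port 51050 ssh2
EOF
}

sample_auth_log | would_ban
```

The slow source is never banned because its failures age out of the 30-minute window before the third one arrives, which is the trade-off to weigh when choosing findtime.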