Setup & Secure Debian Server
Last updated: 2021-07-05

Debian 10, Debian 9, Debian 8

After installing Debian Server, there are some initial configuration tasks you should complete to create a solid framework for your given application.

Assumptions
  • Installation of Debian 10, 9, or 8 completed.
  • Logged in as root user.

Update & Upgrade

Before getting started, run an obligatory system update. This will make sure you have the latest updates and patches for all installed packages.

apt update && apt upgrade

apt update downloads updated package information from all the configured repositories on your system.

apt upgrade upgrades all installed packages to the most recent versions available.

You may also run the command apt autoremove to uninstall any package dependencies that are no longer needed.

Create a Non-Root User

After installing Debian Server, you should create a non-root, administrative, sudo user for everyday use. A sudo user allows you to execute commands with root privileges only when necessary, helping avoid detrimental mistakes and increasing security.

Install Sudo

Debian may not have the sudo package installed by default. This can be remedied quickly with the following.

apt install sudo

Create User

Start by adding a new user to your Debian system.

adduser hedy

Create a strong password for the new user when prompted. After creating the user password, you will be asked for some optional user information (name, email, etc.).

Add to Sudo Group

Add the newly created user to the sudo group, granting them administrative privileges.

usermod -aG sudo hedy

After adding the user to the group, you will be able to execute a given command with root privileges by prefacing it with sudo.

Limit SU Access

The substitute user command is used to switch to a different system user. Switch over to the non-root user for continued system configuration.

su - hedy

The su command lets a user assume the privileges of another system user. To prevent abuse, limit which users may run it.

Create a new system group and add your administrative user to the group.

sudo groupadd suallow && sudo usermod -aG suallow hedy

Limit su command usage to the root user and suallow group.

sudo dpkg-statoverride --update --add root suallow 4750 /bin/su
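The Limit SU Access steps above as an added shell example (not part of the original guide): an idempotent function that can be re-run without failing on the already-existing group or override, plus a check of the resulting mode and group on su. It assumes it is run as root (for example via sudo sh), GNU stat, and the guide's names suallow and hedy.

```shell
#!/bin/sh
# Added example, not from the original guide: the "Limit SU Access" steps as
# an idempotent function plus a check of the result. Assumes a Debian host,
# run as root (or via sudo sh), GNU stat, and the guide's group/user names.
set -eu

# restrict_su ADMIN_USER [GROUP] [SU_PATH]
# Creates GROUP if needed, adds ADMIN_USER to it, then registers the
# 4750 root:GROUP override so only root and GROUP members can run su.
# dpkg-statoverride --add fails when an override already exists, hence the
# --list check (it exits non-zero when no override is registered for SU_PATH).
restrict_su() {
    user=$1 group=${2:-suallow} su=${3:-/bin/su}
    getent group "$group" >/dev/null || groupadd "$group"
    usermod -aG "$group" "$user"
    dpkg-statoverride --list "$su" >/dev/null 2>&1 ||
        dpkg-statoverride --update --add root "$group" 4750 "$su"
    check_su_restricted "$su" "$group"
}

# check_su_restricted PATH GROUP: succeeds when PATH is mode 4750 and owned by
# group GROUP (still setuid root, but executable only by root and GROUP members).
check_su_restricted() {
    [ "$(stat -c '%a %G' "$1")" = "4750 $2" ]
}

# Usage on a real host, as root:  restrict_su hedy
```

Add the administrative user to the group before applying the override, as the function does, or that user loses the ability to run su (sudo keeps working).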

Firewall Setup

A firewall is your first line of defense against a malicious third party. You should only allow connections on the ports needed by the services your server provides. Common ports include: 22 (SSH), 80 (HTTP), 443 (HTTPS).

UFW (Uncomplicated Firewall)

Debian does not have UFW installed by default. UFW is an easy-to-use program for creating firewall rules. You may choose to use iptables, which is installed by default, instead.

sudo apt install ufw

You are likely connecting to your server remotely using SSH (Secure Shell). Before enabling the firewall, be sure to allow connections to the SSH port (22 by default), or you may lock yourself out of the server.

sudo ufw allow 22/tcp

Enable the firewall to start enforcing the created rules. All incoming connections that aren't explicitly allowed in the firewall will be denied.

sudo ufw enable

Check the firewall status to see what connections are currently being accepted.

sudo ufw status

The output of this command should look similar to the following.

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

Secure SSH

SSH is the most targeted service, mostly by bots. Securing SSH is a crucial step in preventing unauthorized access. OpenSSH is presumably already installed on your server, but it can be installed with the following command if necessary.

sudo apt install openssh-server

Harden OpenSSH Config

To best secure SSH access to your server, there are a few changes and additions you should make to your OpenSSH config file. Open the /etc/ssh/sshd_config file in your text editor of choice.

sudo nano /etc/ssh/sshd_config

Some of the following configuration options may be commented out by default with the pound sign (#). You must uncomment any changed settings by removing the pound sign (#) from the beginning of the line.

Below the port and listen address definitions, specify the more secure SSH protocol, version 2, for incoming connections. Note that OpenSSH 7.4 and later (as shipped with Debian 9 and 10) support only protocol 2 and ignore this directive, so it only has an effect on Debian 8.

Protocol 2

Disable SSH logins as the root user.

PermitRootLogin no

Limit the maximum number of login attempts for a single session.

MaxAuthTries 3

Enable client inactivity disconnection. This will automatically disconnect any SSH session that has been inactive for the specified number of seconds. With ClientAliveCountMax set to 0, the OpenSSH versions shipped with Debian 8 through 10 drop the session at the first missed keepalive; from OpenSSH 8.2 onward a value of 0 disables the check instead, so verify the behaviour on newer releases.

# 15 Minutes
ClientAliveInterval 900
ClientAliveCountMax 0

At the end of the configuration file, specify which users are allowed to log in via SSH. Only your administrative user(s) should be listed here.

# Allowed Users
AllowUsers hedy

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd

Login Banner

The login banner presents a warning to any user who attempts to connect via SSH. While this provides no direct security benefit, it can act as a deterrent by notifying users that connections are monitored.

Open the /etc/issue.net file in your text editor of choice.

sudo nano /etc/issue.net

Populate the file with your desired login banner text. An example is provided below.

************************************************************
*                  AUTHORIZED ACCESS ONLY                  *
*              UNAUTHORIZED ACCESS PROHIBITED              *
*                                                          *
*         All connections are logged and monitored         *
* Disconnect IMMEDIATELY if you are not an authorized user *
*                                                          *
*                Thank you, have a nice day :)             *
************************************************************

Enable the login banner in the OpenSSH config file.

sudo nano /etc/ssh/sshd_config

Search for the text #Banner none in the file, uncomment the line, and specify the banner's file path.

Banner /etc/issue.net

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd

Install Fail2ban

Fail2ban is intrusion prevention software that protects your server from brute-force attacks. Fail2ban monitors auth.log for patterns of failed login attempts. After a specified number of failed login attempts from a single IP address in a given time period, that IP address is banned from making any more connections.

Install fail2ban.

sudo apt install fail2ban

Create a fail2ban configuration file to monitor SSH connection attempts.

sudo nano /etc/fail2ban/jail.local

In the file, specify the following configuration. It bans, for 25 hours, any IP address that makes 3 failed login attempts within 30 minutes. If you changed your SSH port, make sure you specify that port here.

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# 30 minute findtime
findtime = 1800
# 25 hour ban
bantime = 90000

Restart the fail2ban service for changes to take effect.

sudo systemctl restart fail2ban
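An added shell example (not from the original guide) tying the firewall rule and the fail2ban jail above to the port sshd actually listens on: the port is read once from sshd_config, then used for both the ufw rule and the jail, so a changed SSH port cannot leave either one watching port 22. It assumes POSIX sh and awk; the file paths are parameters so the pure functions can be run against copies.

```shell
#!/bin/sh
# Added example, not from the original guide: derive the port sshd will listen
# on from its config and use that single value for the ufw rule and the
# fail2ban jail. Assumes POSIX sh and awk; paths are parameters so the pure
# functions can be run against copies of the real files.
set -eu

# sshd_port CONFIG: first active "Port" directive, or OpenSSH's default 22
# when every Port line is absent or commented out.
sshd_port() {
    awk 'tolower($1) == "port" { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# sshd_jail PORT: the jail.local contents from the section above, on stdout.
sshd_jail() {
    cat <<EOF
[sshd]
enabled = true
port = $1
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# 30 minute findtime
findtime = 1800
# 25 hour ban
bantime = 90000
EOF
}

# jail_port JAIL_FILE: read the port back out of a jail file, for verification.
jail_port() {
    awk -F'[[:space:]]*=[[:space:]]*' '$1 == "port" { print $2; exit }' "$1"
}

# apply_ssh_port: wire the derived port into ufw and fail2ban on a real host.
# Allowing the port before "ufw enable" keeps the current session reachable.
apply_ssh_port() {
    port=$(sshd_port /etc/ssh/sshd_config)
    sudo ufw allow "${port}/tcp"
    sshd_jail "$port" | sudo tee /etc/fail2ban/jail.local >/dev/null
    sudo systemctl restart fail2ban
}
```

After applying, sudo ufw status and sudo fail2ban-client status sshd should both show the same port.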

Server Time

While time may be relative according to Einstein, it is very much absolute in the eyes of your server. Configure your system's local timezone and NTP servers to keep everything running on schedule.

Set Timezone

Setting the local timezone for your server is important for certain administrative tasks, such as cron jobs and log file timestamps. Check your current timezone settings with the following command.

timedatectl

To change the timezone on your system, start by finding the relevant available timezone.

timedatectl list-timezones

Set the system timezone to the relevant timezone from the list.

sudo timedatectl set-timezone America/New_York

Restart the timesync service for changes to take effect.

sudo systemctl restart systemd-timesyncd