In the realm of open-source operating systems, Debian stands as a beacon of stability, security, and simplicity. Its wide-ranging application, from personal computers to servers, attests to its robustness. But no system is entirely secure straight out of the box, Debian included.
This guide will highlight the necessary steps to maximize your Debian system’s security, detailing both fundamental and advanced techniques.
Introduction
When you first install Debian 11, you will be faced with a system that is fairly secure but basic in its configuration. Of course, you have to understand that later on, each user can modify it from their perspective and adapt it to their needs.
But the flexibility of Debian is what allows you to use it in many environments, such as servers, workstations or as a personal computer. Each of them requires a separate post because there are entirely unique policies and security levels that you can configure.
However, in this post, I will show you common and important elements that allow you to secure a Debian 11 installation, regardless of what you are going to use it for.
Of course, remember that the basic security measures of any operating system are applied from the care with the use and prevention of the information that is shared. But these, though not all, are intended to be oriented to Linux and its ecosystem.
Guide to secure Debian 11 installation
1.- Update the system periodically
Although it sounds a little basic, the truth is that having the system updated frequently, makes that the last patches of security in the system are counted on. These patches are not only at the kernel level but also at the software level.
Note that, periodically, Debian fixes bugs through system updates and other times when they see the right moment from new ISOs (that you don’t have to reinstall the system).
So, the first thing to do is to periodically update the system.
apt update
apt upgrade
With this pair of commands, you can do it quickly. It is advisable to do it frequently, but at times when you can afford a system reboot. It is not mandatory, but some patches require it.
2.- Be careful with the root user
The root user is everything on Linux. This user has permissions to do everything on the system, from installing programs to modifying advanced system configurations. So, you must avoid compromising this user.
First, if you are using Debian on a server, it is best to avoid logging into the server with the credentials but to do it using SSH keys.
The second thing is to create regular users to avoid always using the root user. Of course, these regular users will not be able to install or uninstall applications, but they will be able to use it normally.
Only the root user can create users by using this command
adduser
The above script will ask you for information about the new user and there you can set the password.
Taking care of root access and using regular users is a way to maintain security on Debian.
3.- Configure the Debian Firewall
Although on the desktop it may not be that important, the truth is that with so many computer thieves, it is a good idea to keep an eye on the traffic and connections that the system makes.
By default, Debian includes ufw
which is a simple (non-graphical) interface to IPTABLES. This firewall is easy to use and with a couple of commands you can set it up.
The first thing to do is to make sure it is installed.
apt update
apt install ufw
Next, take a look at the application list
ufw list
Allow some of the most important ones like SSH
ufw allow OpenSSH
Or you can do it via the port
ufw allow [port]
Enable it
ufw enable
As you can see, it is easy but has more options available that you can consult.
4.- Avoid installing third-party applications
If there is one thing about the Debian 11 repositories is that they are among the largest in all of Linux. So, it is unlikely that you will have to install external applications.
Although it is true, that not everything is malicious, something that contributes to the security of the system is to limit the external applications that you install. You only have to do it in case of real need.
In addition to this, another related issue is external repositories. These repositories are collections of programs that do not depend on Debian for verification and security. Check well the provider of the same one and if it is of confidence, and you require it you can add it, but in case of doubts better NOT.
Finally, Debian counts on backports that although not many times they solve the problem, you can take a look first to know if the required application is there.
5.- An antivirus can help.
Although Debian is not Windows, the use of an antivirus can help to maintain a little cleaner of the system and thus to prevent malicious infections. If you combine this with a proper root policy, you can save yourself some headaches.
On Linux, there are several antiviruses, but ClamAV is the most integrated with the system and its community spirit makes it ideal for many circumstances.
You can install it by executing this command
apt update
apt install clamav clamav-freshclam clamav-daemon
But if you use Debian with some graphical interface, then you can install the frontend for ClamAV.
Start it
systemctl start clamav-freshclam
And you can start scanning files
clamscan /path/to/file
Or folders
clamscan /path/
As you can see, it is simple, but you can visit the project website and get additional information.
6.- Final Tips
Debian is very reliable, but the use you make of the system is important to understand how secure it can be.
As a personal advice, I tell you to check frequently the applications that you install, check their reviews and the creator of the same one. Try to avoid overloading the system with applications that you will not use many times, and limit the number of them.
In the servers, the thing is more complex because there are many more configurations that you have to check. The fundamental advice is that you take the time to verify each one of them, starting with the basics like SSH access; going through the permissions to the users and checking the network configurations.
Every time you are going to install an application on the server, test it first, examine it and check the official documentation to find the optimal configuration.
Conclusion
Securing a Debian system involves various strategies, from basic system updates to sophisticated measures like disk encryption and security auditing. While this guide provides a solid foundation, remember that security is not a destination, but a journey. It requires ongoing vigilance, learning, and adaptation to new threats. By applying these steps, you can make your Debian system a veritable fortress, ready to repel security threats and keep your data safe
I hope you liked this guide and can share it with your friends.