Learning how to keep a modern operating system secure is no easy task. The main reason is that even though modern systems implement strong security policies, there are many hackers trying to crack them.
In the case of Linux, it is even more sensitive, since most web servers use some distributions such as Debian. In other words, learning how to secure Debian can be an important point in keeping various web services afloat.
The task is complicated by the fact that not only the system itself is vulnerable, but also third-party applications have their vulnerabilities that have to be handled by the sysadmin.
Therefore, it is necessary to manage security policies that help prevent attacks against the system, against the services it offers and against third-party applications.
It is not always possible, but with a few tips, a good level of security can be achieved for Debian.
Some useful tips for securing your Debian server
1. Install only necessary packages and from official sources only
Debian has a massive package base, which makes it tempting to install as much software as you can get your hands on. But this is a massive security hole, the more packages you install, the more chances you have to find vulnerabilities.
So, it is best to invest a lot of time in finding the right tool for your needs. For example, if you require a web server, then analyze which one you require so that you don’t have to manage them all.
Another aspect to keep in mind is that you should only rely on official sources, such as the Debian repositories. That is, avoid installing packages from third-party repositories or with isolated packages of dubious origin.
2. Update your server
From time to time, Debian developers release security patches to fix vulnerabilities. However, they are of no use if they are not installed on the system regularly.
An alternative is to automate the process thanks to cron or to do it regularly manually if you prefer. In either case, doing so will result in the installation of packages that will improve the system.
3. Control user privilege policies
With certain applications installed, you may want to check what privileges they have on the system. This is why tools such as sudo
, which are useful, should be studied for use in certain cases.
On this topic, it is also important to disable access to the root user via SSH using passwords because it could pose a risk if it is intercepted. Furthermore, it is normal to disable the root user.
Finally, try to create users in a controlled way so that you know what they do and what applications they take advantage of.
4. Enabling and Configuring the Kernel Firewall
This slightly more technical measure is focused on making the system control incoming and outgoing traffic. These controls can be done thanks to a firewall like iptables
, although a frontend like ufw can help a lot.
Of course, there are specialized tools, but the point is to control access to the server through a firewall using specific rules.
A very basic use of ufw could be like this
ufw allow ssh
ufw allow http
ufw allow https
With the above lines of code, you can use the firewall to enable ssh, http and https services, but not the rest of the ports.
5. Secure SSH
Normally, you would use SSH to log in remotely to your server. However, it is normal for you to secure it a bit more. To achieve this, you will need to do the following things.
- Disable SSH password authentication
- Restrict root from logging in remotely
Of course, you can do more, but this is the basics.
In the case of Debian, you can edit the SSH configuration file
vi /etc/ssh/sshd_config
And change these lines
PasswordAuthentication yes
PermitRootLogin yes
to these:
PasswordAuthentication no
PermitRootLogin no
Save the changes, close the editor and apply the changes by running
sudo systemctl restart sshd
6. Protect SSH with Fail2Ban
SSH is one of the most important services on Linux because it allows you to remotely access the server. Not for nothing it is the target of many brute force attacks.
Fortunately, there is Fail2ban which is a tool that allows you to ban IP addresses or connections that continually fail in an attempt to use SSH.
Many sysadmins rely on this tool as yet another way to secure the Debian server.
7. Using a MAC Implementation like AppArmor or SELinux
This is another way to decure your Debian server.
Although Linux is a secure system due to its implementation and architecture, it is becoming increasingly common to use policy level access control tools such as AppArmor or SELinux.
Which one is better? Well, that’s not the point of this post, the essential thing is that you can have one of these tools to control the applications on the system and their access to it.
8. Use an Antivirus like ClamAV
ClamAV is an antivirus for Linux that is available for Debian and is fast, simple and very efficient. One of the main reasons to have it is that it prevents infections on the server, but also the spread of infections through the network.
With a healthy network, then the server will be able to work better and with the certainty that there is no malware.
For Debian, just run
apt install clamav
But then, it’s time to configure it to use it correctly.
To conclude…
A system is only as strong as the user’s dedication to its security policies. So, while these tips are useful, the reality is that they are just the beginning of many more things to be done.
It is also good to note that Debian takes the issue of security very seriously, implementing stable packages and supporting the kernel very well. On top of this, with security patches released continuously, they also make the system more complete.
I hope you liked this post, and help us to share it on all social networks.