Secure you Debian Server: Difference between revisions
Revision as of 09:04, 22 February 2017
This guide contains the steps I always perform on first login after installing Debian on a blank server.
- You need root access for the first steps, so gain root access as securely as you possibly can.
Update Debian
This is a good idea to do before anything else.
- Using the -y switch on apt-get will assume "yes" to all questions from apt-get.
- Sometimes ca-certificates needs an upgrade; to make sure you know this has been done, you will need to press q to continue the apt-get -y upgrade.
root@pulspc:~# apt-get -y update
Ign http://ftp.debian.org jessie InRelease
Get:1 http://ftp.debian.org jessie-updates InRelease [145 kB]
Get:2 http://ftp.debian.org jessie Release.gpg [2,373 B]
Get:3 http://ftp.debian.org jessie Release [148 kB]
Get:4 http://ftp.debian.org jessie-updates/main Sources [15.4 kB]
Get:5 http://ftp.debian.org jessie-updates/main amd64 Packages/DiffIndex [6,916 B]
Get:6 http://security.debian.org jessie/updates InRelease [63.1 kB]
Get:7 http://ftp.debian.org jessie-updates/main Translation-en/DiffIndex [2,704 B]
Get:8 http://ftp.debian.org jessie/main Sources [7,056 kB]
Get:9 http://ftp.debian.org jessie/main amd64 Packages [6,776 kB]
Get:10 http://security.debian.org jessie/updates/main Sources [188 kB]
Get:11 http://ftp.debian.org jessie/main Translation-en [4,582 kB]
Get:12 http://security.debian.org jessie/updates/main amd64 Packages [346 kB]
Get:13 http://ftp.debian.org jessie-updates/main amd64 2016-11-07-2025.04.pdiff [531 B]
Get:14 http://ftp.debian.org jessie-updates/main amd64 2016-11-30-2028.41.pdiff [530 B]
Get:15 http://ftp.debian.org jessie-updates/main amd64 2016-11-30-2028.41.pdiff [530 B]
Get:16 http://security.debian.org jessie/updates/main Translation-en [183 kB]
Fetched 19.5 MB in 7s (2,674 kB/s)
Reading package lists... Done
root@pulspc:~#apt-get -y upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
apt apt-utils base-files bash bind9-host ca-certificates dbus dnsutils e2fslibs e2fsprogs exim4 exim4-base exim4-config
exim4-daemon-light file host libapt-inst1.5 libapt-pkg4.12 libbind9-90 libc-bin libc-dev-bin libc6 libc6-dev libc6-i386
libcairo2 libcomerr2 libcurl3-gnutls libdbus-1-3 libdns-export100 libdns100 libevent-2.0-5 libfcgi-perl libgnutls-deb0-28
libgnutls-openssl27 libhogweed2 libicu52 libio-socket-ssl-perl libirs-export91 libisc-export95 libisc95 libisccc90
libisccfg-export90 libisccfg90 libjasper1 liblcms2-2 liblwres90 libmagic1 libnettle4 libpam-modules libpam-modules-bin
libpam-runtime libpam-systemd libpam0g libpng12-0 libss2 libssl-dev libssl-doc libssl1.0.0 libsystemd0 libtiff5 libudev1
libxml2 linux-image-3.16.0-4-amd64 linux-libc-dev locales multiarch-support openssl python-pil sed systemd systemd-sysv
tzdata udev vim vim-common vim-runtime vim-tiny w3m
78 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/87.2 MB of archives.
After this operation, 391 kB of additional disk space will be used.
Reading changelogs... 67%
........ Lots of lines removed for convenience !!
Setting up openssl (1.0.1t-1+deb8u6) ...
Setting up ca-certificates (20141019+deb8u2) ...
/usr/sbin/update-ca-certificates: [--verbose] [--fresh]
Setting up libfcgi-perl (0.77-1+deb8u1) ...
Setting up libio-socket-ssl-perl (2.002-2+deb8u2) ...
Setting up python-pil:amd64 (2.6.1-2+deb8u3) ...
Processing triggers for libc-bin (2.19-18+deb8u7) ...
Processing triggers for ca-certificates (20141019+deb8u2) ...
Updating certificates in /etc/ssl/certs... 10 added, 10 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
root@pulspc:~#
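The package list in the transcript above includes a kernel image, libc6 and the OpenSSL libraries, all accepted in one pass by -y. As an added example (not part of the original guide), this script reads apt-get output and lists the upgraded packages that need a follow-up action; the function names and package patterns are assumptions of this example, and the sample text is shortened from the transcript.

```sh
#!/bin/sh
# Added example: list upgraded packages that need a follow-up action.

# Constructed sample, shortened from the transcript above.
sample_output() {
    cat <<'EOF'
Reading package lists... Done
Calculating upgrade... Done
The following packages will be upgraded:
  apt bash ca-certificates libc6 libssl1.0.0 linux-image-3.16.0-4-amd64
  openssl systemd vim
9 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
EOF
}

# Read apt-get output on stdin; print one upgraded package name per line.
upgraded_packages() {
    awk '
        /^The following packages will be upgraded:/ { in_list = 1; next }
        in_list && /^[0-9]+ upgraded,/              { in_list = 0 }
        in_list { for (i = 1; i <= NF; i++) print $i }
    '
}

# Read package names on stdin; print the follow-up each one needs.
# The patterns are this example's own choice, not a Debian-defined list.
follow_up() {
    while read -r pkg; do
        case "$pkg" in
            # A new kernel image is only used after the next boot.
            linux-image-*)            echo "reboot  $pkg" ;;
            # Running daemons keep the old library mapped until restarted.
            libc6|libssl*|libgnutls*) echo "restart $pkg" ;;
            # Trust store changed: check the added/removed certificate count.
            ca-certificates)          echo "review  $pkg" ;;
        esac
    done
}

# Demo on the sample. On a server, preview the real upgrade first with
#   LC_ALL=C apt-get -s upgrade | upgraded_packages | follow_up
sample_output | upgraded_packages | follow_up
```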
Configure Automatic Security Updates
Create and use a non-root user account
Make SSH Access more secure
Install authentication key-pair
Harden the SSH Daemon
Brute force SSH Login Protection
Inspiration was found at http://www.linode.com/docs/security/securing-your-server/