Secure you Debian Server: Difference between revisions

From munkjensen.net/wiki
mNo edit summary
mNo edit summary
Line 68: Line 68:


=== Configure Automatic Security Updates ===
=== Configure Automatic Security Updates ===


<div class="toccolours mw-collapsible mw-collapsed">
<div class="toccolours mw-collapsible mw-collapsed">
Do this http://wiki.debian.org/UnattendedUpgrades
Do this http://wiki.debian.org/UnattendedUpgrades
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
<syntaxhighlight lang="xml" line>root@pulspc:~# apt-get install unattended-upgrades apt-listchanges
This is my version of the file /etc/apt/apt.conf.d/50unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
 
........ Lots of lines removed for convienience !!
 
root@pulspc:~#</syntaxhighlight>
Read this file and edit it to your needs.
<div class="mw-collapsible-content">
<syntaxhighlight lang="xml" line> vi /etc/apt/apt.conf.d/50unattended-upgrades</syntaxhighlight>
<div class="mw-collapsible-content">
This is my version.
<syntaxhighlight lang="xml" line>
<syntaxhighlight lang="xml" line>
// Unattended-Upgrade::Origins-Pattern controls which packages are
// Unattended-Upgrade::Origins-Pattern controls which packages are
Line 181: Line 167:
//Acquire::http::Dl-Limit "70";
//Acquire::http::Dl-Limit "70";
</syntaxhighlight>
</syntaxhighlight>
This is my version of the file /etc/apt/apt.conf.d/02periodic
<syntaxhighlight lang="xml" line>// Control parameters for cron jobs by /etc/cron.daily/apt //
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";
// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";
// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";
// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";
// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "21";
// Send report mail to root
//    0:  no report            (or null string)
//    1:  progress report      (actually any string)
//    2:  + command outputs    (remove -qq, remove 2>/dev/null, add -d)
//    3:  + trace on
APT::Periodic::Verbose "2";
</syntaxhighlight>
This is my version of the file /etc/apt/listchanges.conf
<syntaxhighlight lang="xml" line>[apt]
frontend=pager
email_address=root
confirm=0
save_seen=/var/lib/apt/listchanges.db
which=both
</syntaxhighlight>
</div>
</div>
=== Create and use a non-root user account ===
<div class="toccolours mw-collapsible mw-collapsed">
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
<syntaxhighlight lang="xml" line>
<syntaxhighlight lang="xml" line>
Line 187: Line 217:
</div>
</div>
</div>
</div>
=== Create and use a non-root user account ===


=== Make SSH Access more secure  ===
=== Make SSH Access more secure  ===


==== Install authentication key-pair ====
==== Install authentication key-pair ====
<div class="toccolours mw-collapsible mw-collapsed">
<div class="mw-collapsible-content">
<syntaxhighlight lang="xml" line>
</syntaxhighlight>
</div>
</div>


==== Harden the SSH Daemon ====
==== Harden the SSH Daemon ====
<div class="toccolours mw-collapsible mw-collapsed">
<div class="mw-collapsible-content">
<syntaxhighlight lang="xml" line>
</syntaxhighlight>
</div>
</div>


==== Brute force SSH Login Protection ====
==== Brute force SSH Login Protection ====


<div class="toccolours mw-collapsible mw-collapsed">
<div class="mw-collapsible-content">
<syntaxhighlight lang="xml" line>


 
</syntaxhighlight>
</div>
</div>




Revision as of 10:03, 22 February 2017

This guide contain the steps i always do on first time login after installing Debian on a blank server.

  • You need root access for the first steps, so gain root access as secure as you possibly can.

Update Debian

This is a good idea to do before anything else.

  • Using the -y switch on apt-get will assume "yes" to all questions from apt-get.
  • Sometimes ca-certificates needs an upgrade, and to make sure you know this is done you will need to press q to continue the apt-get -y upgrade
root@pulspc:~# apt-get -y update
Ign http://ftp.debian.org jessie InRelease
Get:1 http://ftp.debian.org jessie-updates InRelease [145 kB]
Get:2 http://ftp.debian.org jessie Release.gpg [2,373 B]
Get:3 http://ftp.debian.org jessie Release [148 kB]
Get:4 http://ftp.debian.org jessie-updates/main Sources [15.4 kB]
Get:5 http://ftp.debian.org jessie-updates/main amd64 Packages/DiffIndex [6,916 B]
Get:6 http://security.debian.org jessie/updates InRelease [63.1 kB]
Get:7 http://ftp.debian.org jessie-updates/main Translation-en/DiffIndex [2,704 B]
Get:8 http://ftp.debian.org jessie/main Sources [7,056 kB]
Get:9 http://ftp.debian.org jessie/main amd64 Packages [6,776 kB]
Get:10 http://security.debian.org jessie/updates/main Sources [188 kB]
Get:11 http://ftp.debian.org jessie/main Translation-en [4,582 kB]
Get:12 http://security.debian.org jessie/updates/main amd64 Packages [346 kB]
Get:13 http://ftp.debian.org jessie-updates/main amd64 2016-11-07-2025.04.pdiff [531 B]
Get:14 http://ftp.debian.org jessie-updates/main amd64 2016-11-30-2028.41.pdiff [530 B]
Get:15 http://ftp.debian.org jessie-updates/main amd64 2016-11-30-2028.41.pdiff [530 B]
Get:16 http://security.debian.org jessie/updates/main Translation-en [183 kB]
Fetched 19.5 MB in 7s (2,674 kB/s)
Reading package lists... Done
root@pulspc:~#apt-get -y upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  apt apt-utils base-files bash bind9-host ca-certificates dbus dnsutils e2fslibs e2fsprogs exim4 exim4-base exim4-config
  exim4-daemon-light file host libapt-inst1.5 libapt-pkg4.12 libbind9-90 libc-bin libc-dev-bin libc6 libc6-dev libc6-i386
  libcairo2 libcomerr2 libcurl3-gnutls libdbus-1-3 libdns-export100 libdns100 libevent-2.0-5 libfcgi-perl libgnutls-deb0-28
  libgnutls-openssl27 libhogweed2 libicu52 libio-socket-ssl-perl libirs-export91 libisc-export95 libisc95 libisccc90
  libisccfg-export90 libisccfg90 libjasper1 liblcms2-2 liblwres90 libmagic1 libnettle4 libpam-modules libpam-modules-bin
  libpam-runtime libpam-systemd libpam0g libpng12-0 libss2 libssl-dev libssl-doc libssl1.0.0 libsystemd0 libtiff5 libudev1
  libxml2 linux-image-3.16.0-4-amd64 linux-libc-dev locales multiarch-support openssl python-pil sed systemd systemd-sysv
  tzdata udev vim vim-common vim-runtime vim-tiny w3m
78 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/87.2 MB of archives.
After this operation, 391 kB of additional disk space will be used.
Reading changelogs... 67%

........ Lots of lines removed for convienience !!

Setting up openssl (1.0.1t-1+deb8u6) ...
Setting up ca-certificates (20141019+deb8u2) ...
/usr/sbin/update-ca-certificates: [--verbose] [--fresh]
Setting up libfcgi-perl (0.77-1+deb8u1) ...
Setting up libio-socket-ssl-perl (2.002-2+deb8u2) ...
Setting up python-pil:amd64 (2.6.1-2+deb8u3) ...
Processing triggers for libc-bin (2.19-18+deb8u7) ...
Processing triggers for ca-certificates (20141019+deb8u2) ...
Updating certificates in /etc/ssl/certs... 10 added, 10 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
root@pulspc:~#

Configure Automatic Security Updates

Do this http://wiki.debian.org/UnattendedUpgrades

This is my version of the file /etc/apt/apt.conf.d/50unattended-upgrades 

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...".  A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line.  (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted.  The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "crontrib", "non-free")
//   l,label         (eg, "Debian", "Debian-Security")
//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
      "o=Debian,n=jessie";
      "o=Debian,n=jessie-updates";
      "o=Debian,n=jessie-proposed-updates";
      "o=Debian,n=jessie,l=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "[email protected]"
Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

This is my version of the file /etc/apt/apt.conf.d/02periodic 

// Control parameters for cron jobs by /etc/cron.daily/apt //

// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "21";

// Send report mail to root
//     0:  no report             (or null string)
//     1:  progress report       (actually any string)
//     2:  + command outputs     (remove -qq, remove 2>/dev/null, add -d)
//     3:  + trace on
APT::Periodic::Verbose "2";

This is my version of the file /etc/apt/listchanges.conf 

[apt]
frontend=pager
email_address=root
confirm=0
save_seen=/var/lib/apt/listchanges.db
which=both

Create and use a non-root user account

Make SSH Access more secure

Install authentication key-pair

Harden the SSH Daemon

Brute force SSH Login Protection


Inspiration was found at http://www.linode.com/docs/security/securing-your-server/

Retrieved from "https://munkjensen.net/wiki/index.php?title=Secure_you_Debian_Server&oldid=486"