Secure your Debian Server
This guide contains the steps I always take on the first login after installing Debian on a blank server.
- You need root access for the first steps, so gain root access as securely as you possibly can.
Update Debian
- This is a good idea to do before anything else.
- The -y switch makes apt-get assume "yes" to all of its questions.
- Sometimes ca-certificates needs an upgrade; it then shows a notice so that you know it has been done, and you must press q to let apt-get -y upgrade continue.
Here is how:
root@pulspc:~# apt-get -y update
Ign http://ftp.debian.org jessie InRelease
Get:1 http://ftp.debian.org jessie-updates InRelease [145 kB]
Get:2 http://ftp.debian.org jessie Release.gpg [2,373 B]
........ Lots of lines removed for convenience !!
Get:15 http://ftp.debian.org jessie-updates/main amd64 2016-11-30-2028.41.pdiff [530 B]
Get:16 http://security.debian.org jessie/updates/main Translation-en [183 kB]
Fetched 19.5 MB in 7s (2,674 kB/s)
Reading package lists... Done
root@pulspc:~# apt-get -y upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
........ Lots of lines removed for convenience !!
Setting up python-pil:amd64 (2.6.1-2+deb8u3) ...
Processing triggers for libc-bin (2.19-18+deb8u7) ...
Processing triggers for ca-certificates (20141019+deb8u2) ...
Updating certificates in /etc/ssl/certs... 10 added, 10 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
root@pulspc:~#
Configure Automatic Security Updates
Here you can see my configuration files. Each file is shown in full so you can compare it line by line with the one on your own server.
This is my version of the file /etc/apt/apt.conf.d/50unattended-upgrades
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...".  A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line.  (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted.  The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "crontrib", "non-free")
//   l,label         (eg, "Debian", "Debian-Security")
//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        "o=Debian,n=jessie";
        "o=Debian,n=jessie-updates";
        "o=Debian,n=jessie-proposed-updates";
        "o=Debian,n=jessie,l=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "[email protected]"
Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

This is my version of the file /etc/apt/apt.conf.d/02periodic
// Control parameters for cron jobs by /etc/cron.daily/apt
//
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "21";

// Send report mail to root
//     0:  no report             (or null string)
//     1:  progress report       (actually any string)
//     2:  + command outputs     (remove -qq, remove 2>/dev/null, add -d)
//     3:  + trace on
APT::Periodic::Verbose "2";

This is my version of the file /etc/apt/listchanges.conf
[apt]
frontend=pager
email_address=root
confirm=0
save_seen=/var/lib/apt/listchanges.db
which=both
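The most common way these files stop working is that a directive is edited while still commented out with "//", which apt silently ignores. The script below is an added example, not part of this guide or of the unattended-upgrades package: apt_conf_get reads the effective value of a Key "value"; directive from a file in the apt.conf.d syntax used by both 50unattended-upgrades and 02periodic, and check_unattended_config uses it to confirm that a Debian-Security origin pattern is active, that the periodic job is not disabled, and that both the list refresh and the unattended-upgrade run are scheduled. The function names and the FAIL/WARN/ok output format are my own; the file paths default to the ones the guide uses.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm that the directives in
# 50unattended-upgrades and 02periodic are actually active.  A common mistake is
# to edit a line that is still commented out with "//", which apt ignores.
# File paths default to the ones the guide uses; pass other paths to check copies.

# apt_conf_get FILE KEY  -> prints the value of an uncommented  KEY "value";  line
# (the last one wins, as in apt), returns 1 if the key is not set.
apt_conf_get() {
    _val=$(sed 's|//.*||' "$1" \
        | grep -E "^[[:space:]]*$2[[:space:]]+\"[^\"]*\"[[:space:]]*;" \
        | sed -E 's/^[^"]*"([^"]*)".*/\1/' \
        | tail -n 1)
    [ -n "$_val" ] || return 1
    printf '%s\n' "$_val"
}

# check_unattended_config [50unattended-upgrades] [02periodic]
# -> 0 if security updates will really be installed automatically, 1 otherwise.
check_unattended_config() {
    uu="${1:-/etc/apt/apt.conf.d/50unattended-upgrades}"
    per="${2:-/etc/apt/apt.conf.d/02periodic}"
    rc=0

    # At least one uncommented Origins-Pattern entry must select the security archive.
    if sed 's|//.*||' "$uu" | grep -qE '(l|label)=Debian-Security'; then
        echo "ok   a Debian-Security origin pattern is active in $uu"
    else
        echo "FAIL no uncommented Debian-Security origin pattern in $uu"; rc=1
    fi

    # Mail is optional, but without it a failed upgrade goes unnoticed.
    if _m=$(apt_conf_get "$uu" Unattended-Upgrade::Mail); then
        echo "ok   failure reports go to $_m"
    else
        echo "WARN Unattended-Upgrade::Mail is not set; failures will not be reported"
    fi

    # APT::Periodic::Enable "0" switches the whole cron job off (unset means enabled).
    _e=$(apt_conf_get "$per" APT::Periodic::Enable) || _e=1
    if [ "$_e" = "0" ]; then
        echo "FAIL APT::Periodic::Enable is 0 in $per"; rc=1
    fi

    # The list refresh and the unattended-upgrade run must both be scheduled (n-days > 0).
    for k in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        _v=$(apt_conf_get "$per" "$k") || _v=""
        case "$_v" in
            ""|0) echo "FAIL $k is unset or 0 in $per"; rc=1 ;;
            *)    echo "ok   $k = $_v" ;;
        esac
    done
    return $rc
}

# Check the live files when run as:  sh check-unattended.sh --live
case "${1:-}" in
    --live) check_unattended_config ;;
esac
```

Run it with --live on the server after editing the files; a non-zero exit status means at least one FAIL line was printed. The comment stripping is deliberately simple (everything after "//" on a line is dropped), which is fine for these two files because none of their values contain "//".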
Create and use a non-root user account
- It is not a good idea to use the root account all the time. It is so powerful that even the smallest mistake can have devastating results when executed as root. Logging in as root directly is also considered bad practice, so we will fix that now.
The sudo package is not installed by default on Debian, so we will install it first, since we rely heavily on this command when logged in as a "normal" user who needs to do things that require root privileges.
apt-get install sudo
root@pulspc:~# apt-get install sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  sudo
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 855 kB of archives.
After this operation, 2,390 kB of additional disk space will be used.
....................
Setting up sudo (1.8.10p3-1+deb8u3) ...
Processing triggers for systemd (215-17+deb8u6) ...
root@pulspc:~#
Create the user, replacing new_user with your desired username. You’ll then be asked to assign the user a password:
adduser new_user
root@pulspc:~# adduser new_user
Adding user `new_user' ...
Adding new group `new_user' (1000) ...
Adding new user `new_user' (1000) with group `new_user' ...
Creating home directory `/home/new_user' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for new_user
Enter the new value, or press ENTER for the default
        Full Name []: New User
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
root@pulspc:~#
Add new_user to the sudo group so it can do things that need root privileges.
adduser new_user sudo
root@pulspc:~# adduser new_user sudo
Adding user `new_user' to group `sudo' ...
Adding user new_user to group sudo
Done.
root@pulspc:~#
Make sure your new user works by logging in to localhost from your current shell with this command:
ssh new_user@localhost
root@pulspc:~# ssh new_user@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 12:34:56:78:90:12:34:56:78:90:12:34:56:78:90
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
new_user@localhost's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
new_user@pulspc:~$
Test that new_user can use the sudo command by calling the harmless ls command using sudo.
sudo ls /
fm@pulspc:~$ sudo ls /

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for fm:
bin   etc         lib    lost+found  opt   run   sys  var
boot  home        lib32  media       proc  sbin  tmp  vmlinuz
dev   initrd.img  lib64  mnt         root  srv   usr
fm@pulspc:~$
Exit the new_user ssh connection and your root login.
exit
fm@pulspc:~$ exit
logout
Connection to localhost closed.
root@pulspc:~# exit
ALWAYS login as the new_user from now on!
login as: new_user
login as: new_user
new_user@<IP or HOST name>'s password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 22 09:55:27 2017 from localhost
new_user@pulspc:~$
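The steps above (install sudo, adduser, add to the sudo group, test the login) are easy to get half done: the dangerous moment is logging out of root before the new user is really able to gain privileges. The script below is an added example, not part of this guide: it wraps the guide's root-only commands so they can be re-run safely, and verify_admin_user checks the two facts that matter before you close the root session, that the account exists and that it is listed as a member of the sudo group. The function names are my own; the passwd and group file paths are parameters (defaulting to /etc/passwd and /etc/group) so the verification can be run against constructed copies.

```shell
#!/bin/sh
# Added example, not part of the original guide: provision a non-root admin user
# the way the guide does (install sudo, adduser, add to the sudo group) and verify
# the result before logging out of root.  The verify functions take the passwd and
# group files as parameters so they can be exercised on constructed copies.

# user_exists USER [PASSWD_FILE] -> 0 if USER has a passwd entry
user_exists() {
    grep -q "^$1:" "${2:-/etc/passwd}"
}

# user_in_group USER GROUP [GROUP_FILE] -> 0 if USER is in GROUP's member list
# (the 4th colon-separated field of /etc/group, comma separated).
user_in_group() {
    _members=$(awk -F: -v g="$2" '$1 == g { print $4 }' "${3:-/etc/group}")
    case ",$_members," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# verify_admin_user USER [PASSWD_FILE] [GROUP_FILE]
# -> 0 only if the user exists and is a member of sudo; prints one line per check.
verify_admin_user() {
    rc=0
    if user_exists "$1" "${2:-/etc/passwd}"; then
        echo "ok   user $1 exists"
    else
        echo "FAIL user $1 does not exist"; rc=1
    fi
    if user_in_group "$1" sudo "${3:-/etc/group}"; then
        echo "ok   $1 is a member of group sudo"
    else
        echo "FAIL $1 is not a member of group sudo (run: adduser $1 sudo)"; rc=1
    fi
    return $rc
}

# provision_admin_user USER: the guide's three root-only steps, safe to re-run.
provision_admin_user() {
    command -v sudo >/dev/null 2>&1 || apt-get install -y sudo
    user_exists "$1" || adduser "$1"          # interactive: asks for password and name
    user_in_group "$1" sudo || adduser "$1" sudo
    verify_admin_user "$1"
}

# Only act when run as root with a username argument:  sh provision.sh new_user
if [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then
    provision_admin_user "$1"
fi
```

Group membership is read from /etc/group rather than from `groups`, so the check reflects what the next login will see; a user added to sudo in the current session only picks the group up after logging in again, which is why the guide tests with a fresh ssh login to localhost.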
Make SSH Access more secure
Install authentication key-pair
Harden the SSH Daemon
Brute force SSH Login Protection
Inspiration was found at http://www.linode.com/docs/security/securing-your-server/