Basic Security Practices [Harden Debian 8.0]
#1

Foreword: Any non-sudo command is assumed to be done with root access.

Install the system

Do a security update
Code:
apt-get update
apt-get dist-upgrade

Establish automatic kernelcare management to update your packages and kernels and perform crucial restarts while you're not attending the server:
Code:
apt-get install needrestart
touch /etc/apt/sources.list.d/backports.list
echo "deb http://ftp.debian.org/debian jessie-backports main" >> !$
apt-get update
apt-get -t jessie-backports install "reboot-notifier"
apt-get install unattended-upgrades apt-listchanges
dpkg-reconfigure -plow unattended-upgrades

Auto-enable stable updates; control the config through:
Code:
nano /etc/apt/apt.conf.d/20auto-upgrades
(If you don't have nano, you can use vi or do apt-get install nano).
Basic Nano syntax:
CTRL + O - Save
CTRL + X - Exit
CTRL + K - Delete Line
CTRL + W - Search file

Config Block
Code:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Save & Exit: CTRL + O, CTRL + X

Auto-enable reboot after critical updates such as kernel and auto-clean unneeded dependencies, through:
Code:
nano /etc/apt/apt.conf.d/50unattended-upgrades

Config block:
Code:
Unattended-Upgrade::Origins-Pattern {
   // ... Scroll down the block, find the reboot options; uncomment it and set it to true. Also go to a few lines earlier and enable auto-removal of unneeded dependencies ... //
};
Save & exit.

For good measure, do an update/upgrade again:
Code:
apt-get update
apt-get dist-upgrade

We might also want to switch the root password for safety, since the default password is assigned by the hosting provider and is often sent in plaintext over email and such. Who knows what kind of people might snoop on your server:
Code:
passwd root
Enter a new Unix password of your choice. I recommend having caps, numbers and such. Keep it safe somewhere (like with all your passwords).


Switch to using Sudo user instead of direct root account:

Install sudo
Code:
apt-get install sudo

Create a new user
Code:
adduser johnsmith
Enter the desired Unix password.

Add newly created user to sudo
Code:
visudo

Scroll down to "User privilege specification" and add the following line below root:
Code:
johnsmith ALL=(ALL:ALL) ALL
Replace johnsmith with whatever username you chose when creating your new non-root account.
Then save and exit: Nano - CTRL + O, CTRL + X

Try to switch from root user to your now sudo privileged non-root account:
Code:
su - johnsmith

Test a command with sudo:
Code:
sudo apt-get update
It should work fine if everything was done correctly.

Now to some SSH tweaking. Open your sshd config with an editor of your choice:
Code:
sudo nano /etc/ssh/sshd_config

Change SSH port to something between 0 and 1024 (this is so our port is not a non-privileged port. Anyone can listen on non-privileged ports and start a phishing campaign against your SSH logins. Best to use a privileged port below 1024, which requires root privileges).
Warning: Do not replace your existing "Port 22" line, we want to add our new port below it for good measure. If something messes up we'll still be able to fall back to the normal SSH 22 port.
Code:
Port 22
Port 987
Snippet example above. We'll remove Port 22 once we've tested that this works. Save and exit the file (CTRL + O, CTRL + X).

Restart the SSH Daemon:
Code:
sudo service ssh restart

Start a new terminal session somewhere on your local computer and open up an SSH connection to your new port.
Code:
ssh johnsmith@ip_xxx -p 987
Enter your johnsmith password, and hopefully this should work.

Once you've tested and seen that it works, you can remove the Port 22 line.
Code:
Port 987
NOTE: If you need to transfer files over SFTP later, I recommend that you add back the Port 22 line to make your ssh compatible with file transfers. You can do this easily by just adding it and restarting the ssh daemon, and once your file has been transferred you can remove it again. I will not go into how to reconfigure the default SFTP setup to use another port here, but I'm sure you can figure it out.

Now we need to forbid all root logins over SSH. We have sudo user now so we don't need root logins anymore. Open up the /etc/ssh/sshd_config file again. Scroll down to the PermitRootLogin options, which should be under the authentication block. Change it to "No":
Code:
PermitRootLogin No
Then restart ssh again: sudo service ssh restart
You can try this by doing ssh root@ip_xxx -p 987. It shouldn't work.

Further Security Suggestions:
  • Switch from password/passphrase based SSH authentication to Key-based authentication. Alternative: Combination between both.
  • If you're using a dedicated server, you can implement full disk encryption through the dropbear method. There's a thread around here and a few articles. Note: If you do this, the configurations regarding automatic restarts with crucial kernel upgrades might cause trouble. As restarts might require your password to unlock your harddrive.
  • Sign up to the Debian security mailing lists and keep up to date with the latest security flaws in Linux. Examples in the past: Glibc vulnerability.
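An added example (not from the thread): a small POSIX shell audit that reads an sshd_config and a 20auto-upgrades file and checks the three things the post above ends up with (PermitRootLogin off, Port 22 gone, both APT::Periodic options on), so the result can be verified from a script rather than by eye. The sample config files it writes are constructed; the real paths are /etc/ssh/sshd_config and /etc/apt/apt.conf.d/20auto-upgrades.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config and 20auto-upgrades for
# the settings post #1 changes. Sample files below are constructed; the real
# paths are /etc/ssh/sshd_config and /etc/apt/apt.conf.d/20auto-upgrades.

# First uncommented value of an sshd keyword (sshd uses the FIRST match and
# keyword names are case-insensitive); prints nothing if unset.
sshd_value() { # $1=file $2=keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '/^[ \t]*#/ {next} tolower($1)==key {print $2; exit}' "$1"
}

# Every active Port line (sshd listens on all of them), one per line.
sshd_ports() { awk '/^[ \t]*#/ {next} tolower($1)=="port" {print $2}' "$1"; }

# Numeric value of APT::Periodic::<key> "<n>"; in an apt.conf.d fragment.
apt_periodic() { # $1=file $2=key
    sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([0-9]*\)\".*/\1/p" "$1" | head -n 1
}

# Prints one finding per line; returns 0 only if root login is off, Port 22
# is gone and both periodic options are "1".
audit() { # $1=sshd_config $2=20auto-upgrades
    rc=0
    prl=$(sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$prl" = "no" ] && echo "ok   PermitRootLogin no" \
        || { echo "FAIL PermitRootLogin='${prl:-unset}'"; rc=1; }
    ports=$(sshd_ports "$1" | tr '\n' ' ')
    case " $ports" in
        *" 22 "*) echo "FAIL Port 22 still listed (ports: $ports)"; rc=1 ;;
        " ")      echo "FAIL no Port line, sshd defaults to 22"; rc=1 ;;
        *)        echo "ok   ports: $ports" ;;
    esac
    for k in Update-Package-Lists Unattended-Upgrade; do
        v=$(apt_periodic "$2" "$k")
        [ "$v" = "1" ] && echo "ok   APT::Periodic::$k 1" \
            || { echo "FAIL APT::Periodic::$k='${v:-unset}'"; rc=1; }
    done
    return $rc
}

# Constructed samples: the state mid-way through the post and after it.
write_samples() { # $1=dir
    printf 'Port 22\nPort 987\n#PermitRootLogin no\nPermitRootLogin without-password\n' > "$1/sshd_before"
    printf '# Port 22 removed after testing\nPort 987\nPermitRootLogin No\n' > "$1/sshd_after"
    : > "$1/apt_before"
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$1/apt_after"
}
if [ $# -eq 2 ]; then audit "$1" "$2"; fi  # sh audit.sh <sshd_config> <20auto-upgrades>
```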
#2
Since I've switched to a Debian build on my other machine, this will come in handy. Appreciate the knowledge dump and I've bookmarked it.

Quote:Warning: Do not replace your existing "Port 22" line, we want to add our new port below it for good measure. If something messes up we'll still be able to fall back to the normal SSH 22 port.

Little details like this make this information priceless. Thanks for sharing all of this knowledge.
#3
(02-05-2018, 04:28 AM)stealth Wrote: Since I've switched to a Debian build on my other machine, this will come in handy. Appreciate the knowledge dump and I've bookmarked it.

Quote:Warning: Do not replace your existing "Port 22" line, we want to add our new port below it for good measure. If something messes up we'll still be able to fall back to the normal SSH 22 port.

Little details like this make this information priceless. Thanks for sharing all of this knowledge.

Thank you! And regarding your quoted snippet. You keep port 22 until you have tested that the new port works. When that is done, you can remove port 22.
#4
I recommend installing fail2ban to prevent brute force attempts against ssh. Put an ssh server on the Internet and it will have bots attacking it pretty much instantly. I've had this happen to me so bad that the brute force traffic ended up eating a large portion of my bandwidth quota for the month.

apt install fail2ban
update-rc.d fail2ban enable

The defaults work, but you might want to whitelist an IP address so you don't lock yourself out or set up email notifications. See /etc/fail2ban/* for this.

I'd also personally add people to the sudo group versus adding an explicit entry for them in /etc/sudoers:

usermod -aG sudo username_here

This change won't take effect until the user logs out and logs back in.

If you must add a line for sudoers, say you want to just let them use a command or two, add a new file in /etc/sudoers.d/:

visudo -f /etc/sudoers.d/username_here

# Let username_here use apt
username_here ALL=(ALL:ALL) /usr/bin/apt

In my opinion, this makes it much easier for future automation. Adding a user to a group via usermod or dropping a file in a directory is much cleaner and less error prone than using a monolithic sudoers file if you ever get to the point of making a deploy script for your server or a configuration manager like salt or puppet. Managing your configuration in this manner makes it very easy to recover from failures (reinstall OS, run script, ???, profit) or deploying another similar server elsewhere.

If you really want to go into depth, I recommend reading CIS benchmarks for Debian as well as for other software you may be running (Apache, Nginx, MySQL, etc). These benchmarks aren't perfect, but they're a good start.
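An added example (not from the thread, and not fail2ban's own code): the counting that fail2ban's sshd jail does, run over a few constructed auth.log lines, with an ignore list that plays the role of fail2ban's ignoreip so your own address is never counted (the lock-out the post warns about). The log lines, host name and addresses are constructed; on Debian 8 the real input would be /var/log/auth.log.

```shell
#!/bin/sh
# Added example, not from the thread: the counting fail2ban does for its sshd
# jail, run over constructed auth.log lines, with an ignore list like
# fail2ban's ignoreip so your own address is never counted (the lock-out the
# post warns about). Real input would be /var/log/auth.log on Debian 8.

# Prints "ip count" for every source with at least $2 failed password
# attempts, most active first. $3 is an optional space-separated ignore list.
brute_force_ips() { # $1=logfile $2=threshold $3=ignored IPs
    awk -v min="$2" -v ignore=" $3 " '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (index(ignore, " " ip " ") == 0) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1" |
        sort -k2,2nr -k1,1
}

# Constructed sample log; 203.0.113.5 / 198.51.100.7 are documentation
# addresses (RFC 5737), not real hosts.
write_sample_log() { # $1=file
    cat > "$1" <<'EOF'
Feb  5 04:28:01 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb  5 04:28:03 srv sshd[1235]: Failed password for root from 203.0.113.5 port 51235 ssh2
Feb  5 04:28:04 srv sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Feb  5 04:28:05 srv sshd[1240]: Accepted publickey for johnsmith from 198.51.100.7 port 40000 ssh2
Feb  5 04:28:07 srv sshd[1241]: Failed password for johnsmith from 198.51.100.7 port 40001 ssh2
Feb  5 04:28:09 srv sshd[1242]: Failed password for johnsmith from 198.51.100.7 port 40002 ssh2
Feb  5 04:28:11 srv sshd[1243]: Accepted password for johnsmith from 198.51.100.7 port 40003 ssh2
EOF
}

# Usage: sh failed_ssh.sh /var/log/auth.log <threshold> "<your own ip>"
if [ $# -ge 2 ]; then brute_force_ips "$1" "$2" "$3"; fi
```

The threshold plays the part of fail2ban's maxretry; the third argument is the address you would put in ignoreip before enabling the jail.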