Does anyone know any good resources for securing a remote debian server?

I was tasked with managing a debian server, but I am relatively new to cyber security. Does anyone know a tutorial that would tell me all the details I would need to consider for the security?

1 Like

Hi goncharow,

all the details I would need to consider for the security?

My feeling is that nobody knows “all” the details, which is why companies keep getting hacked … so there are some very opinionated sites that will try to sell you security solutions, however many are about as much use as snake oil. There is of course the Debian security manual here;

In general

Debian is relatively secure by default; the problems come when you start installing applications on it, so it really depends on what’s been installed. Typically on a remote server you will find at least;

  • A web server
  • An SSH server

To verify this you can use a port scanning tool like nmap to check for open ports, so scanning your local network router might look like this;

$ nmap 192.168.x.x
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-12 09:17 BST
Nmap scan report for _gateway (192.168.x.x)
Host is up (0.019s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE    SERVICE
22/tcp  filtered ssh
53/tcp  open     domain
80/tcp  open     http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds

This tells me that four services are being offered and potentially at risk, the ports they are open on (22, 53, 80, 443), the low-level network protocol in use (TCP) and the service protocol (SSH, DNS, HTTP).

In this instance;

  • DNS generally isn’t an issue.
  • HTTP(s) can be checked with a website penetration test tool
  • SSH is the high risk item

You can check out the website with a scanner, something like this;

With regards to SSH, by default (and this is one thing IMHO Ubuntu do better than Debian) Debian enables password authentication, so by default if you “ssh” to the server with a username, it will prompt for a password … which potentially opens you up to brute force password attacks. (which is bad)

When I install SSH the very first thing I do is to install my public key in “authorized_keys” and disable password authentication in /etc/ssh/sshd_config by removing the ‘#’ from the beginning of this line and changing “yes” to “no”. (then doing service ssh restart)

PasswordAuthentication no 

Once you’ve done this, the only people who can “ssh” into the system are those who have public keys installed in their “~/.ssh/authorized_keys” file. So, if you are the only remote user, make sure the only “authorized_keys” file on the system is yours, and that your public key is the only one in it. Just to be a little more paranoid, go back to /etc/ssh/sshd_config and make sure nobody has added “alternative names” for “authorized_keys”. (see the AuthorizedKeysFile option)

Bottom line is that unless you trust 100% all previous system administrators to the extent that you would still trust them with a root login, you can’t be sure your system is secure unless you install a new server from scratch, install all applications from repositories, and transfer over your data.

Summary

To quote law-enforcement; “terrorists only have to get it right once, we have to get it right 100% of the time”. If the previous admin has “gone”, you might think seriously about the reinstall option.

And / Or get it checked by a security expert while you’re learning :)

1 Like
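As an added example (my own code, not from the post above or from Debian), here is a small POSIX shell audit of the two sshd points the reply makes: what PasswordAuthentication is actually in effect, what AuthorizedKeysFile names are configured, and which authorized_keys files exist on the system. The sample /etc/ssh tree it builds is constructed for the demo and models a Debian 12 style sshd_config whose first line is Include /etc/ssh/sshd_config.d/*.conf. That matters because sshd keeps the first value it reads for a keyword, so a drop-in in sshd_config.d (the file name 50-cloud-init.conf below is an assumption for the example) can re-enable password logins even though the main file says no. Values inside Match blocks are conditional and are deliberately not reported.

```shell
#!/bin/sh
# Added example, not code from the original post: an offline audit of the
# two sshd settings discussed above (PasswordAuthentication and
# AuthorizedKeysFile) plus an inventory of authorized_keys files.
# Assumptions: POSIX sh + awk; sshd expands "Include" in place and keeps the
# FIRST value it sees for a keyword; values under "Match" are conditional and
# are deliberately not reported here.

# Expand Include directives recursively, emitting the config as sshd sees it.
flatten_sshd_config() {
  local cfg line pat f
  cfg="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    set -f; set -- $line; set +f              # split into words, no globbing yet
    if [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = include ]; then
      shift
      for pat in "$@"; do
        for f in $pat; do                      # the glob expands here, as in sshd
          [ -f "$f" ] && flatten_sshd_config "$f"
        done
      done
    else
      printf '%s\n' "$line"
    fi
  done < "$cfg"
}

# Print the effective global value of a keyword, or nothing if sshd's
# compiled-in default applies. Keyword matching is case-insensitive, as in sshd.
sshd_setting() {
  flatten_sshd_config "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/          { next }     # comment or blank line
    tolower($1) == "match"  { exit }     # Match blocks are conditional: stop here
    tolower($1) == key      { $1 = ""; sub(/^ +/, ""); print; exit }  # first hit wins
  '
}

# "yes" unless password authentication is explicitly off (OpenSSH's default is yes).
password_auth_enabled() {
  v=$(sshd_setting "$1" PasswordAuthentication)
  [ -z "$v" ] && v=yes
  printf '%s\n' "$v" | tr 'A-Z' 'a-z'
}

# Count key lines (non-blank, non-comment) in one authorized_keys file.
count_keys() {
  awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# List every authorized_keys* file under ROOT with its key count, so an admin
# can confirm the only one present is their own. Output: "<count> <path>".
audit_authorized_keys() {
  find "$1" -type f -name 'authorized_keys*' | sort | while IFS= read -r f; do
    printf '%s %s\n' "$(count_keys "$f")" "$f"
  done
}

# Constructed sample tree for the demo (not a real host); the drop-in file
# name and the key material are placeholders.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/etc/ssh/sshd_config.d" "$root/root/.ssh" "$root/home/olduser/.ssh"
  cat > "$root/etc/ssh/sshd_config" <<EOF
Include $root/etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
Match User git
    PasswordAuthentication yes
EOF
  # Because Include sits at the top, this drop-in wins over the line below it.
  printf 'PasswordAuthentication yes\n' > "$root/etc/ssh/sshd_config.d/50-cloud-init.conf"
  printf 'ssh-ed25519 AAAAEXAMPLEKEY1 you@laptop\n' > "$root/root/.ssh/authorized_keys"
  printf '# leftover from a previous admin\nssh-ed25519 AAAAEXAMPLEKEY2 old@admin\nssh-rsa AAAAEXAMPLEKEY3 old@desktop\n' \
    > "$root/home/olduser/.ssh/authorized_keys2"
}

# Stand-alone demo against the constructed tree (skipped if NO_DEMO is set).
main() {
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  cfg="$tmp/etc/ssh/sshd_config"
  printf 'PasswordAuthentication (effective): %s\n' "$(password_auth_enabled "$cfg")"
  printf 'AuthorizedKeysFile: %s\n' "$(sshd_setting "$cfg" AuthorizedKeysFile)"
  printf 'authorized_keys files found (keys path):\n'
  audit_authorized_keys "$tmp"
  rm -rf "$tmp"
}
[ -n "${NO_DEMO:-}" ] || main
```

On a live host, `sudo sshd -T | grep -i '^passwordauthentication'` prints the value sshd actually uses, Include files and all; the script approximates that offline so it can be run against a copied /etc/ssh tree. In the demo the main file says no but the effective answer is yes until the drop-in is removed, and the audit turns up a second authorized_keys2 file belonging to a previous admin, exactly the two things the reply says to check.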

There is a similar post on linux.org.
They shared a Guide About Linux Server Security that seems to cover all the bases.

2 Likes