I was tasked with managing a debian server, but I am relatively new to cyber security. Does anyone know a tutorial that would tell me all the details I would need to consider for the security?
Hi goncharow,
all the details I would need to consider for the security?
My feeling is that nobody knows “all” the details, which is why companies keep getting hacked … so there are some very opinionated sites that will try to sell you security solutions, however many are about as much use as snake oil. There is of course the Debian security manual here;
In general
Debian is relatively secure by default, the problems come when you start installing applications on it, so it really depends on what’s been installed. Typically on a remote server you will find at least;
- A web server
- A SSH server
To verify this you can use a port scanning tool like nmap to check for open ports, so scanning your local network router might look like this;
$ nmap 192.168.x.x
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-12 09:17 BST
Nmap scan report for _gateway (192.168.x.x)
Host is up (0.019s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp filtered ssh
53/tcp open domain
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
Which tells me that four services are being offered and potentially at risk, the ports they are open on (22, 53, 80, 443), the low-level network protocol in use (tcp) and the service protocol (SSH, DNS, HTTP).
In this instance;
- DNS generally isn’t an issue.
- HTTP(s) can be checked with a website penetration test tool
- SSH is the high risk item
You can check out the website with a scanner, something like this;
With regards to SSH, by default (and this is one thing IMHO Ubuntu do better than Debian) Debian enable password authentication, so by default if you “ssh” to the server with a username, it will prompt for a password … which potentially opens you up to brute force password attacks. (which is bad)
When I install SSH the very first thing I do is to install my public key in “authorized_keys” and disable password authentication in /etc/ssh/sshd_config by removing the “#” from the beginning of this line and changing “yes” to “no”. (then doing service ssh restart)
PasswordAuthentication no
Once you’ve done this, the only people who can “ssh” into the system are those who have public keys installed in their “~/.ssh/authorized_keys” file. So, if you are the only remote user, make sure the only “authorized_keys” file on the system is yours, and that your public key is the only one in it. Just to be a little more paranoid, go back to /etc/ssh/sshd_config and make sure nobody has added “alternative names” for “authorized_keys”. (see the AuthorizedKeysFile option)
Bottom line is that unless you trust 100% all previous system administrators to the extent that you would still trust them with a root login, you can’t be sure your system is secure unless you install a new server from scratch, install all applications from repositories, and transfer over your data.
Summary
To quote law-enforcement; “terrorists only have to get it right once, we have to get it right 100% of the time”. If the previous admin has “gone”, you might think seriously about the reinstall option.
And / Or get it checked by a security expert while you’re learning.
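An added shell helper (not part of the post above, and not a Debian tool) that audits the two sshd_config settings the answer discusses, PasswordAuthentication and AuthorizedKeysFile, on a constructed sample file shaped like Debian's stock config. Note that sshd keeps the first value it reads for a keyword, and that Debian's sshd_config begins with an Include of sshd_config.d, so a drop-in there can silently win over the line you edited.

```shell
#!/bin/sh
# Report the effective global value of an sshd_config keyword.
# sshd uses the FIRST occurrence of a keyword; later duplicates are
# ignored, and anything after the first "Match" line is conditional.
# sshd_option KEYWORD FILE DEFAULT
sshd_option() {
    val=$(awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        tolower($1) == "match" { exit }     # conditional section starts
        tolower($1) == key {                # join remaining fields
            for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "")
            print ""; exit
        }' "$2")
    printf '%s\n' "${val:-$3}"
}

# Exit 0 if an Include directive precedes the keyword (a drop-in file
# read by that Include would take precedence). include_before KEYWORD FILE
include_before() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "include" { found = 1 }
        tolower($1) == key || tolower($1) == "match" { exit }
        END { exit found ? 0 : 1 }' "$2"
}

# audit_sshd_config FILE -> returns 0 when password logins are off
audit_sshd_config() {
    pa=$(sshd_option PasswordAuthentication "$1" yes)   # OpenSSH default: yes
    akf=$(sshd_option AuthorizedKeysFile "$1" ".ssh/authorized_keys .ssh/authorized_keys2")
    echo "PasswordAuthentication: $pa"
    echo "AuthorizedKeysFile:     $akf"
    if include_before PasswordAuthentication "$1"; then
        echo "WARNING: an Include precedes PasswordAuthentication; a drop-in may override it."
        echo "         Confirm the live value with: sshd -T | grep -i passwordauthentication"
    fi
    [ "$(printf '%s' "$pa" | tr 'A-Z' 'a-z')" = no ]
}

# Constructed sample in the shape of Debian's stock file (not a real server).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$SAMPLE_CFG"
```

Point it at /etc/ssh/sshd_config to check a real host; `sshd -T` (run as root) remains the authoritative view of the merged configuration.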
There is a similar post on linux.org.
They shared a Guide About Linux Server Security that seems to cover all the bases.