Security Management
Ensuring the security of your Debian system is a core task in system administration. This guide covers several key areas to help you harden your system against potential threats.
🔐 User and Access Control
Limiting access to the system is the first line of defense.
Enforcing a Strong Password Policy
Use the `libpam-pwquality` module to enforce the creation of more secure passwords.
Install the module:
```bash
sudo apt update
sudo apt install libpam-pwquality
```
Configure the policy: Edit the `/etc/security/pwquality.conf` file to define your password rules.
```ini
# Example configuration:
# Minimum length of 10
minlen = 10
# At least 1 digit
dcredit = -1
# At least 1 uppercase letter
ucredit = -1
# At least 1 lowercase letter
lcredit = -1
# At least 1 special character
ocredit = -1
# At least 3 characters must be different from the old password
difok = 3
```
SSH Security Hardening
SSH is the most common way to access a server remotely. Here are some hardening recommendations:
Edit the SSH configuration file:
```bash
sudo nano /etc/ssh/sshd_config
```
Recommended settings:
- Disable root login: `PermitRootLogin no`
- Disable password authentication (keys recommended): `PasswordAuthentication no`. Confirm from a second session that key-based login works before applying this, or you may lock yourself out.
- Enable public key authentication: `PubkeyAuthentication yes`
- Change the default port (optional): `Port 2222`
Restart the SSH service:
```bash
sudo systemctl restart sshd
```
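As an added example (not part of this guide), the following POSIX shell script audits an `sshd_config` file for the three settings recommended above, honouring sshd's rule that the first value read for a keyword wins and that directives after a `Match` line are conditional. The sample file it checks is constructed inline; on a real host, `sshd -T` prints the fully resolved effective configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config file
# against the three settings recommended above. sshd keeps the FIRST value it
# reads for a keyword, and anything after a "Match" line is conditional, so a
# hardening line appended at the end of the file may never take effect.
# On a real host, `sshd -T` prints the fully resolved effective configuration.

# Print the effective value of keyword K in file F (lowercased), or nothing.
effective_value() {
    f=$1; k=$2
    awk -v key="$k" '
        { sub(/#.*/, "") }                              # strip comments
        NF == 0 { next }                                # skip blank lines
        tolower($1) == "match" { exit }                 # conditional from here
        tolower($1) == key { print tolower($2); exit }  # first value wins
    ' "$f"
}

# Compare file $1 with the recommended settings; print each deviation and
# return the number of deviations (0 means the file is compliant).
check_sshd_config() {
    failures=0
    for want in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes; do
        key=${want%%=*}; expected=${want#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$expected" ]; then
            echo "$key: expected '$expected', effective '${got:-<unset>}'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample (not a real host's file): the admin appended the
# hardening lines, but an earlier PermitRootLogin and a Match block defeat two.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 2222
PermitRootLogin yes          # this earlier value is the effective one
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication no
PermitRootLogin no
EOF

if check_sshd_config "$SAMPLE"; then echo "compliant"; else echo "deviations: $?"; fi
rm -f "$SAMPLE"
```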
🔥 Firewall Configuration (UFW)
Debian does not enable a firewall by default. UFW (Uncomplicated Firewall) is a user-friendly frontend for managing iptables.
Install UFW:
```bash
sudo apt install ufw
```
Configure basic rules:
```bash
sudo ufw default deny incoming   # Deny all incoming connections
sudo ufw default allow outgoing  # Allow all outgoing connections
sudo ufw allow ssh               # Allow SSH connections (or your custom port)
sudo ufw allow http              # If it's a web server, allow HTTP
sudo ufw allow https             # Allow HTTPS
```
Enable UFW:
```bash
sudo ufw enable
```
The system will warn that this may disrupt existing SSH connections; confirm to proceed.
Check the status:
```bash
sudo ufw status verbose
```
🔄 Automatic Security Updates
Applying security patches promptly is crucial. `unattended-upgrades` can install security updates automatically.
Install it:
```bash
sudo apt install unattended-upgrades
```
Enable it: Run the configuration wizard, which creates a basic configuration file.
```bash
sudo dpkg-reconfigure -plow unattended-upgrades
```
Select "Yes" in the dialog that appears.
Fine-tune the configuration (optional): You can edit `/etc/apt/apt.conf.d/50unattended-upgrades` to customize its behavior, such as enabling automatic reboots.
🛡️ Intrusion Prevention (Fail2Ban)
Fail2Ban monitors log files and automatically updates firewall rules to ban IP addresses based on suspicious activity, such as multiple failed login attempts.
Install Fail2Ban:
```bash
sudo apt install fail2ban
```
Create a local configuration file: Do not edit the `.conf` files directly. Instead, create a `.local` file to override them.
```bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
```
Configure SSH protection: In `jail.local`, find the `[sshd]` section and ensure `enabled = true`. You can adjust `maxretry` and `bantime`.
```ini
[sshd]
enabled = true
port = ssh
maxretry = 3
# Ban for 1 hour
bantime = 3600
```
Restart the service:
```bash
sudo systemctl restart fail2ban
```
📝 Log Management and Auditing
Regularly checking system logs is key to identifying unusual activity.
- Using `journalctl` to view logs:
```bash
# View all logs (oldest to newest)
journalctl
# Follow logs in real-time
journalctl -f
# View logs for a specific service, e.g., sshd
journalctl -u sshd.service
# View kernel logs
journalctl -k
```