This is not an exhaustive step-by-step guide to security. Instead it is meant to jog the memory of system administrators, who remain solely responsible for their own security, and to give them tips, hints, or reminders. System admins should do their own research and assume articles they find online are out of date.

## Hosting party website user control panel

Many hosting companies offer a web GUI to their customers. Here, see if you can:

1. Enable two-factor authentication to secure this web portal
1. Configure and activate the firewall

# Debian hardening

## umask

By default users can read files belonging to other users, for instance in their home directory. If the system is going to be used by multiple people that do not share trust, consider changing the umask from 022 to 027.

### Via login.defs

1. Edit `/etc/login.defs` to change the line `UMASK 022` to `UMASK 027`

Example file included: `./etc/login.defs`

### Via profile

#### Globally

1. Append to `/etc/profile`: `umask 027`

#### Individually

1. Optionally set it as default in `/etc/skel/.profile`, by appending `umask 027` to it
1. Append `umask 027` to any `~/.profile` files for users that require this umask

### Via pam

1. `apt install libpam-umask`
1. Append `session optional pam_umask.so umask=027` to `/etc/pam.d/common-session`

## root account

Do not use the root account by default; instead create your own user and escalate privileges only when needed.

1. Create your user: `useradd -m -s /bin/bash USERNAME` (where USERNAME is your username)
1. Add your new user to the sudo group: `usermod -aG sudo USERNAME`

## ssh

Consider disconnecting inactive users, as idle SSH sessions can be hijacked.

1. Open `/etc/profile`
1. Append `TMOUT=1800` for a 30 minute timeout
1. Append `readonly TMOUT` to make users unable to edit their timeout
1. Append `export TMOUT`
1. Also append the same to any `~/.profile` files for users already created

Example:

```
TMOUT=1800
readonly TMOUT
export TMOUT
```

Disable root login and create a group for users who are allowed to log in. (There are many bad-faith actors constantly scanning for servers with port 22 open who then try to brute-force the root password.)

1. Create group: `groupadd ssh-user`
1. Add users to the group: `usermod -aG ssh-user USERNAME` (where USERNAME is your username)
1. Open `/etc/ssh/sshd_config`: `nano /etc/ssh/sshd_config`
1. Append to file: `AllowGroups ssh-user`
1. Restart the SSH daemon: `sudo systemctl restart sshd`
1. Test establishing a connection with your non-root user; only proceed if this works
1. Edit `/etc/ssh/sshd_config` again and change `#PermitRootLogin prohibit-password` to `PermitRootLogin no` (remove the leading `#`, otherwise the line stays a comment and has no effect)
1. Alter the settings in the `Ciphers and keying` and `Authentication` sections to modern values that fit your case
1. Consider running the SSH daemon on a non-standard port

Example file included: `./etc/ssh/sshd_config`

## Pluggable Authentication Modules: PAM

It might be interesting to look at `apt-cache search libpam` to find other uses for PAM that fit your situation.

### Password policy

You cannot rely on people using sane and secure passwords, even if they are professionals. Since Debian 12 `pam_cracklib.so`/`libpam-cracklib` is no longer used for this.

1. `sudo apt install libpam-pwquality`
1. Read `man pam_pwquality` for the options
1. Open `/etc/pam.d/common-password` and edit the line starting with `password requisite pam_pwquality.so` to your liking

Example file included: `./etc/pam.d/common-password`

## Authentication

Disable passwordless logins for accounts with no password set.

1. Set `PREVENT_NO_AUTH no` to `PREVENT_NO_AUTH yes` in `/etc/login.defs`

Limit the number of times a password can be entered before the login is rejected.

1. Modify the value for `LOGIN_RETRIES` in `/etc/login.defs`

Example file included: `./etc/login.defs`

## Netfilter

In case there is no datacenter firewall via its web GUI, or just for improved/redundant security (imagine if one layer fails or gets compromised), see: https://git.h0v1n8.nl/tBKwtWS/netfilter-config
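As an added example for the umask section above (not part of the original guide), the following script shows what `umask 022` and `umask 027` actually do to the permission bits of newly created files and directories. It works entirely in a throwaway directory and changes nothing on the system; it assumes GNU `stat` (standard on Debian).

```shell
#!/bin/sh
# Added example (not from the original guide): show what umask 022 and 027
# do to newly created files and directories, in a throwaway directory.
# Nothing here touches /etc or the caller's own umask.

# perms_under_umask MASK KIND -> prints the octal mode of a file ("file") or
# directory ("dir") created while MASK is in effect. A umask only removes
# bits from the mode a program asks for (666 for files, 777 for directories).
perms_under_umask() {
    mask="$1"
    kind="$2"
    work=$(mktemp -d) || return 1
    (
        umask "$mask"                      # affects this subshell only
        if [ "$kind" = dir ]; then
            mkdir "$work/probe"
        else
            : > "$work/probe"              # shell creates files with 666 & ~umask
        fi
        stat -c '%a' "$work/probe"         # GNU stat: octal mode, e.g. 644
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# other_users_can_read MASK -> prints "yes" if a file created under MASK is
# world-readable, i.e. the "other" read bit (octal 4) survived the mask.
other_users_can_read() {
    mode=$(perms_under_umask "$1" file) || return 1
    other=$(printf '%s' "$mode" | sed 's/.*\(.\)$/\1/')   # last octal digit
    if [ $((other & 4)) -ne 0 ]; then echo yes; else echo no; fi
}

# Table of the effect of the masks discussed (027 is the guide's suggestion).
printf '%-6s %-5s %-5s %s\n' umask file dir "world-readable?"
for mask in 022 027 077; do
    printf '%-6s %-5s %-5s %s\n' "$mask" \
        "$(perms_under_umask "$mask" file)" \
        "$(perms_under_umask "$mask" dir)" \
        "$(other_users_can_read "$mask")"
done
```

With 022 a new file ends up 644 (readable by every other user on the box), with 027 it is 640: group members keep read access, everyone else gets nothing. A 077 row is included to show the stricter option where not even the group can read.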
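The ssh and Authentication sections above both end with "edit this file and check the result". As an added example that is not part of the original guide, here is a small read-only audit script that reads an `sshd_config` and a `login.defs` the way their parsers do and reports whether `PermitRootLogin`, `AllowGroups`, `UMASK`, `PREVENT_NO_AUTH` and `LOGIN_RETRIES` have the values the steps aim for. It runs against constructed sample files in a temporary directory (the file names there are invented); to audit a real host, point the functions at `/etc/ssh/sshd_config` and `/etc/login.defs`. One detail worth knowing: sshd uses the first uncommented occurrence of a keyword and ignores later ones, and a line that still starts with `#` is a comment, so a forgotten `#` in front of `PermitRootLogin no` leaves the default in place.

```shell
#!/bin/sh
# Added example (not part of the original guide): read-only audit of the
# sshd_config and login.defs settings the hardening steps change. It runs on
# constructed sample files so it works offline; the real files to audit are
# /etc/ssh/sshd_config and /etc/login.defs.

# sshd_option FILE KEY -> prints the effective value of KEY in an sshd_config.
# sshd takes the FIRST uncommented occurrence of a keyword (later ones are
# ignored), keywords are case-insensitive, and "#PermitRootLogin no" is a comment.
sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# logindefs_option FILE KEY -> prints the value of KEY in a login.defs.
# Comment lines are ignored; if a key appears twice the last line is reported
# (duplicates are unusual, check the file by hand if you see one).
logindefs_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# check LABEL ACTUAL EXPECTED -> prints OK/FAIL, returns 1 on mismatch.
check() {
    if [ "$2" = "$3" ]; then
        printf 'OK   %s = %s\n' "$1" "$2"
    else
        printf 'FAIL %s = "%s" (want %s)\n' "$1" "$2" "$3"
        return 1
    fi
}

# audit_sshd FILE -> returns 0 if every check passes, else the failure count.
audit_sshd() {
    fails=0
    check PermitRootLogin "$(sshd_option "$1" PermitRootLogin)" no || fails=$((fails + 1))
    # any group list is acceptable, as long as AllowGroups is set at all
    ag=$(sshd_option "$1" AllowGroups)
    check AllowGroups "${ag:+set}" set || fails=$((fails + 1))
    return "$fails"
}

# audit_logindefs FILE -> returns 0 if every check passes, else the failure count.
audit_logindefs() {
    fails=0
    check UMASK "$(logindefs_option "$1" UMASK)" 027 || fails=$((fails + 1))
    check PREVENT_NO_AUTH "$(logindefs_option "$1" PREVENT_NO_AUTH)" yes || fails=$((fails + 1))
    lr=$(logindefs_option "$1" LOGIN_RETRIES)
    check LOGIN_RETRIES "${lr:+set}" set || fails=$((fails + 1))
    return "$fails"
}

# write_samples DIR -> writes constructed "before" and "after" configs into DIR.
write_samples() {
    # before: the '#' was never removed and no AllowGroups line exists
    cat > "$1/sshd_before" <<'EOF'
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF
    # after: directives active; the second, contradictory PermitRootLogin is ignored
    cat > "$1/sshd_after" <<'EOF'
Port 22
AllowGroups ssh-user
PermitRootLogin no
permitrootlogin yes
EOF
    cat > "$1/login_before" <<'EOF'
UMASK		022
PREVENT_NO_AUTH	no
LOGIN_RETRIES	5
EOF
    cat > "$1/login_after" <<'EOF'
UMASK		027
PREVENT_NO_AUTH	yes
LOGIN_RETRIES	5
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for sample in sshd_before sshd_after; do
    echo "== $sample"; audit_sshd "$dir/$sample" || true
done
for sample in login_before login_after; do
    echo "== $sample"; audit_logindefs "$dir/$sample" || true
done
rm -rf "$dir"
```

Run it after editing the files and before the final `systemctl restart sshd`; a `FAIL PermitRootLogin = ""` on a real host means the directive is either missing or still commented out, so sshd is running with its default.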