This is not an exhaustive step-by-step guide to security. Instead, it is meant to jog the memory of system administrators, who remain solely responsible for their own security, and to give them tips, hints and reminders. System admins should do their own research and assume that articles they find online are out of date.

## Hosting party website user control panel

Many hosting companies offer a webgui to their customers; see if you can:

1. Enable two-factor authentication to secure this web portal
1. Configure and activate the firewall

# Debian hardening

## Installation

A possible strategy is creating multiple filesystems, so that logs, homes or temporary files can't clog up the whole system. This has the added bonus of being able to mount `/tmp` as `noexec`, or `/usr` as read-only.

## umask

By default users can read files belonging to other users, for instance in their home directory. If the system is going to be used by multiple people that do not share trust, you may consider changing the umask from `022` to `027`.

### Via login.defs

1. Edit `/etc/login.defs` to change the line `UMASK 022` to `UMASK 027`

Example file included: `./etc/login.defs`

### Via profile

#### Globally

`/etc/profile` is read at login, so admins can set global defaults without having to edit every user.

1. Append to `/etc/profile`: `umask 027`

#### Individually

1. Optionally set it as the default for new accounts in `/etc/skel/.profile`, by appending `umask 027` to it
1. Append `umask 027` to the `~/.profile` of any existing user that requires this umask

### Via pam

1. `apt install libpam-umask`
1. Append `session optional pam_umask.so umask=027` to `/etc/pam.d/common-session`

## root account

Do not use the root account by default; instead create your own user and escalate privileges only when needed.

1. Create your user: `useradd -m -s /bin/bash USERNAME` (where USERNAME is your username)
1. Add your new user to the sudo group: `usermod -aG sudo USERNAME`

## ssh

Consider disconnecting inactive users, as idle SSH sessions left open can be hijacked.

1. Open `/etc/profile`
1. Append `TMOUT=1800` for a 30 minute timeout
1. Append `readonly TMOUT` so users are unable to change their timeout
1. Append `export TMOUT`
1. Also append the same lines to the `~/.profile` of any users already created

Example:

```
TMOUT=1800
readonly TMOUT
export TMOUT
```

Disable root login and create a group for users who are allowed to log in. (There are many bad-faith actors constantly scanning for servers with port 22 open who then try to bruteforce the root password.)

1. Create the group: `groupadd ssh-user`
1. Add users to the group: `usermod -aG ssh-user USERNAME` (where USERNAME is your username)
1. Open `/etc/ssh/sshd_config`: `nano /etc/ssh/sshd_config`
1. Append to the file: `AllowGroups ssh-user`
1. Restart the SSH daemon: `sudo systemctl restart sshd`
1. Test establishing a connection with your non-root user; only proceed if this works
1. Edit `/etc/ssh/sshd_config` again and change `#PermitRootLogin prohibit-password` to `PermitRootLogin no` (remove the leading `#`: a line that still starts with `#` is a comment, so the default `prohibit-password` would remain in effect)
1. Alter the `Ciphers and keying` and `Authentication` settings to modern values fitting your situation
1. Consider running the SSH daemon on a non-standard port

Example file included: `./etc/ssh/sshd_config`

## Password Authentication Module: PAM

It might be interesting to look at `apt-cache search libpam` to find other uses for pam that fit your situation.

### Password policy

You cannot rely on people using sane and secure passwords, even if they are professionals. Since Debian 12 `pam_cracklib.so`/`libpam-cracklib` is no longer used for this.

1. `sudo apt install libpam-pwquality`
1. Read `man pam_pwquality` for the options
1. Open `/etc/pam.d/common-password` and edit the line starting with `password requisite pam_pwquality.so` to your liking

Example file included: `./etc/pam.d/common-password`

## Authentication

Disable passwordless logins for accounts with no password set.

1. Change `PREVENT_NO_AUTH no` to `PREVENT_NO_AUTH yes` in `/etc/login.defs`

Limit the number of times a password can be entered before the login is rejected.

1. Modify the value of `LOGIN_RETRIES` in `/etc/login.defs`

Example file included: `./etc/login.defs`

### fail2ban

TODO

## Unattended upgrades

1. `sudo apt install unattended-upgrades apt-listchanges`
1. `sudo nano /etc/apt/apt.conf.d/50unattended-upgrades`

## Molly-guard

This is not only about security, but also about stability. Molly-guard protects machines from accidental shutdowns/reboots by asking you to enter the hostname first.

1. `sudo apt install molly-guard`

## Tripwire

TODO

## Netfilter

For the case where no datacenter firewall is available via the hosting party's webgui, or simply for improved/redundant security (imagine one layer failing or getting compromised).

See: https://git.h0v1n8.nl/tBKwtWS/netfilter-config

## Kernel flags

## Build flags

## Remove all unneeded packages

Any attack surface that is not required could be removed.
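The sshd and login.defs edits above are easy to get wrong silently: both files use `KEY value` lines, `#` starts a comment, and sshd honours the first uncommented match, so a line left as `#PermitRootLogin no` changes nothing. The following added example (written for this page, not part of the guide or of any Debian package) checks the effective value of such directives and shows what the `027` umask means for new files and directories. It assumes the plain `KEY value` form only (sshd also accepts `KEY=value`, which this helper does not parse) and uses constructed sample files, so it runs offline.

```shell
#!/bin/sh
# Added example for this guide (not from the original page): check that the
# directives edited in the ssh, umask and Authentication sections are actually
# in force. Only the "KEY value" line form is handled (an assumption of this
# example; sshd also accepts "KEY=value"), keywords compare case-insensitively
# and, like sshd, the FIRST uncommented match wins.

# cfg_effective FILE KEY DEFAULT -> prints the effective value of KEY in FILE,
# or DEFAULT when no uncommented line sets it
cfg_effective() {
    awk -v k="$2" -v d="$3" '
        # skip blank/short lines and comments; "#PermitRootLogin no" is a comment
        NF >= 2 && $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }
    ' "$1"
}

# check_setting FILE KEY DEFAULT WANT -> 0 when the effective value equals WANT
check_setting() {
    got=$(cfg_effective "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        printf 'OK    %s = %s\n' "$2" "$got"
    else
        printf 'FAIL  %s = %s (want %s)\n' "$2" "$got" "$4"
        return 1
    fi
}

# mode_from_umask UMASK BASE -> octal mode a new file (BASE 666) or directory
# (BASE 777) receives under UMASK: mode = BASE & ~UMASK
mode_from_umask() {
    printf '%03o\n' $(( 0$2 & ~0$1 ))
}

demo() {
    ssh_cfg=$(mktemp); login_defs=$(mktemp)
    # Constructed sshd_config fragment: the root-login edit was made but the
    # leading '#' was kept, so the directive is still a comment
    cat > "$ssh_cfg" <<'EOF'
Port 22
#PermitRootLogin no
AllowGroups ssh-user
EOF
    # Constructed login.defs fragment with the hardened umask
    printf 'UMASK\t\t027\nLOGIN_RETRIES\t3\n' > "$login_defs"

    check_setting "$ssh_cfg" AllowGroups '' ssh-user
    check_setting "$ssh_cfg" PermitRootLogin prohibit-password no || :   # FAIL: default still in force
    # Remove the '#' as the guide intends, then re-check
    sed 's/^#PermitRootLogin/PermitRootLogin/' "$ssh_cfg" > "$ssh_cfg.new" && mv "$ssh_cfg.new" "$ssh_cfg"
    check_setting "$ssh_cfg" PermitRootLogin prohibit-password no          # OK

    check_setting "$login_defs" UMASK 022 027
    printf 'with umask 027 new files get %s and new directories %s\n' \
        "$(mode_from_umask 027 666)" "$(mode_from_umask 027 777)"
    rm -f "$ssh_cfg" "$login_defs"
}

demo
```

Run it against the real files with `cfg_effective /etc/ssh/sshd_config PermitRootLogin prohibit-password` after editing; for the authoritative view of what sshd will actually apply, including `Match` blocks and `Include`d files that this simple parser ignores, compare with `sshd -T`.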