Non-exhaustive tips and advice on server hardening


This is not an exhaustive step-by-step guide to security. Instead it is meant to jog the memory of system administrators, who remain solely responsible for their own security: to give them tips, hints, or reminders. System admins should do their own research and assume that articles they find online are out of date.

Hosting provider's web control panel

Many hosting companies offer a web GUI to their customers. There, check whether you can:

  1. Enable two-factor authentication to protect this web portal
  2. Configure and enable the firewall it offers

Debian hardening

umask

With Debian's default umask of 022, files a user creates are readable by every other user on the system, for instance files in their home directory. If the system is going to be used by multiple people who do not share trust, consider changing the umask from 022 to 027 (new files stay readable for the owner's group but not for everyone else).

Via login.defs

  1. Edit /etc/login.defs and change the line UMASK 022 to UMASK 027. Example file included: ./etc/login.defs

Via profile

Globally

  1. Append to /etc/profile: umask 027

Individually

  1. Optionally set it as default in /etc/skel/.profile, by appending umask 027 to it
  2. Append umask 027 to any ~/.profile files for users that require this umask

Via pam

  1. apt install libpam-umask
  2. Check whether /etc/pam.d/common-session already contains a pam_umask.so line (grep pam_umask /etc/pam.d/common-session); if it does, edit that line rather than adding a second one. Otherwise append session optional pam_umask.so umask=027 to /etc/pam.d/common-session. Without an explicit umask= option, pam_umask falls back to the UMASK value from /etc/login.defs, which is how the login.defs setting above reaches PAM logins.
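The following script is an added example, not part of this repository, to make the effect of the umask values above concrete: it creates a file and a directory in a scratch directory under each umask and prints the resulting modes, and it reads the UMASK value out of a login.defs-style file so you can verify what is configured. The function names (modes_for_umask, configured_umask) are the example's own; it assumes GNU stat, which Debian has.

```shell
#!/bin/sh
# Added example (not from the repository): show what each umask value does to
# newly created files and directories. Only a scratch directory is touched.

# Print the octal modes a new file and a new directory get under the given umask.
# Usage: modes_for_umask 027   -> "640 750"
modes_for_umask() {
    _um="$1"
    _dir=$(mktemp -d) || return 1
    (
        umask "$_um"          # only affects this subshell
        : > "$_dir/f"         # files start from 666, minus the umask bits
        mkdir "$_dir/d"       # directories start from 777, minus the umask bits
    )
    _f=$(stat -c %a "$_dir/f")
    _d=$(stat -c %a "$_dir/d")
    rm -rf "$_dir"
    printf '%s %s\n' "$_f" "$_d"
}

# Print the UMASK value set in a login.defs-style file, or "unset" when the
# line is missing or commented out. Defaults to the live /etc/login.defs.
# Usage: configured_umask /etc/login.defs
configured_umask() {
    awk '$1 == "UMASK" { v = $2 } END { print (v == "" ? "unset" : v) }' "${1:-/etc/login.defs}"
}

# Demo: 022 is the Debian default, 027 is what this section recommends,
# 077 is the stricter owner-only option.
for um in 022 027 077; do
    printf 'umask %s: file/dir modes = %s\n' "$um" "$(modes_for_umask "$um")"
done
```

Run it before and after changing login.defs; the modes printed for 027 (640 for files, 750 for directories) are what you should see on a freshly created file after logging in again.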

root account

Do not use the root account for day-to-day work. Instead create your own user and escalate privileges only when needed.

  1. Create your user: useradd -m -s /bin/bash USERNAME (where USERNAME is your username)
  2. Set a password for it (sudo will ask for this password): passwd USERNAME
  3. Add your new user to the sudo group: usermod -aG sudo USERNAME

ssh

Consider automatically logging out idle users: a session that is still logged in but left unattended can be used by whoever gets hold of the terminal. TMOUT is honoured by bash (and other shells that implement it) for interactive shells only; to also have the server side drop dead SSH connections, look at ClientAliveInterval and ClientAliveCountMax in /etc/ssh/sshd_config.

  1. Open /etc/profile
  2. Append TMOUT=1800 for a 30 minute timeout
  3. Append readonly TMOUT so users cannot change or unset their timeout
  4. Append export TMOUT
  5. Also append the same to the ~/.profile of any users already created. Example:

    TMOUT=1800
    readonly TMOUT
    export TMOUT
    

Disable root login over SSH and create a group for users who are allowed to log in. (Many bad-faith actors constantly scan for servers with port 22 open and then try to brute-force the root password.)

  1. Create group: groupadd ssh-user
  2. Add users to the group: usermod -aG ssh-user USERNAME (where USERNAME is your username)
  3. Open /etc/ssh/sshd_config: nano /etc/ssh/sshd_config
  4. Add AllowGroups ssh-user to the file, above any Match block: directives placed below a Match line only apply inside that block, and sshd only honours the first occurrence of a directive
  5. Check the configuration and restart the SSH daemon: sudo sshd -t && sudo systemctl restart sshd. Keep your current session open while doing this
  6. Test establishing a new connection with your non-root user; only proceed if this works
  7. Edit /etc/ssh/sshd_config again and replace the commented default #PermitRootLogin prohibit-password with an uncommented PermitRootLogin no, then check and restart as in step 5
  8. Review the Ciphers, KexAlgorithms and MACs, and the authentication settings, and set them to modern values that fit your situation
  9. Consider running the SSH daemon on a non-standard port; this cuts the noise from scanners but does not stop a targeted attacker. Example file included: ./etc/ssh/sshd_config
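As an added example (not code from this repository), the script below does steps 4 and 7 the safe way and then lints the result: sshd_set replaces every global occurrence of a directive, commented or not, and places the new line above the first Match block so it does not silently become part of that block; sshd_get reads the effective global value back; sshd_lint reports the two settings this section asks for. The function names are the example's own, the config it runs on is constructed inline, and the Key=Value spelling of sshd directives is assumed not to be in use.

```shell
#!/bin/sh
# Added example, not part of the repository: set an sshd_config directive
# correctly and lint the file for the settings this section asks for.
# Work on a copy first: cp /etc/ssh/sshd_config /tmp/sshd_config.test

# Set KEY to VALUE in FILE. sshd uses the first occurrence of a directive, and
# anything below a "Match" line only applies inside that block, so this removes
# every global occurrence (commented or not) and writes the new line in place
# of the first one, or above the first Match block, or at the end of the file.
# The "Key=Value" spelling of directives is not handled.
# Usage: sshd_set /tmp/sshd_config.test PermitRootLogin no
sshd_set() {
    _file="$1" _key="$2" _val="$3"
    _tmp=$(mktemp) || return 1
    awk -v key="$_key" -v val="$_val" '
        function emit() { if (!done) { print key " " val; done = 1 } }
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # look past a comment marker
            split(line, f, /[ \t]+/)
            k = tolower(f[1])
        }
        k == "match" && !commented { emit(); inmatch = 1 }
        !inmatch && k == tolower(key) { emit(); next }
        { print }
        END { emit() }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"   # cat keeps owner and mode
    _st=$?
    rm -f "$_tmp"
    return $_st
}

# Print the effective global value of KEY: the first uncommented occurrence
# above any Match block. Prints nothing if the directive is left at its default.
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# One finding per line; exit status 0 when the file matches this section.
sshd_lint() {
    _f="$1" _rc=0
    [ "$(sshd_get "$_f" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no' (the default is prohibit-password)"; _rc=1; }
    [ -n "$(sshd_get "$_f" AllowGroups)" ] ||
        { echo "AllowGroups not set: every local account may log in over SSH"; _rc=1; }
    return $_rc
}

# Demo on a constructed config (not any real server's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
#PermitRootLogin prohibit-password
Port 22
Match User backup
    PermitRootLogin yes
EOF
sshd_lint "$demo" || true          # shows both findings
sshd_set "$demo" PermitRootLogin no
sshd_set "$demo" AllowGroups ssh-user
cat "$demo"                        # new lines sit above the Match block
sshd_lint "$demo" && echo "lint: ok"
rm -f "$demo"
```

After editing the real file, run sudo sshd -t -f /path/to/file to let sshd parse it before restarting; the awk in sshd_set only understands the whitespace-separated form of directives, so any Key=Value lines should be checked by hand.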

Pluggable Authentication Modules: PAM

It may be worth running apt-cache search libpam to find other PAM modules that fit your situation.

Password policy

You cannot rely on people choosing sane and secure passwords, even if they are professionals. Since Debian 12, pam_cracklib.so (libpam-cracklib) is no longer available for this; use pam_pwquality instead.

  1. sudo apt install libpam-pwquality
  2. Read man pam_pwquality for the options; options not given on the PAM line are taken from /etc/security/pwquality.conf (man pwquality.conf)
  3. Open /etc/pam.d/common-password and edit the line starting with password requisite pam_pwquality.so to your liking. Example file included: ./etc/pam.d/common-password

Authentication

Prevent logins for accounts that have no password set.

  1. Change PREVENT_NO_AUTH no to PREVENT_NO_AUTH yes in /etc/login.defs

Limit the number of times a wrong password can be entered before the login is rejected. Note the comment in login.defs itself: with PAM in use this value is usually overridden by pam_unix's own retry limit and only serves as a fallback.

  1. Modify the value for LOGIN_RETRIES in /etc/login.defs (this is a count of attempts; the time limit is LOGIN_TIMEOUT). Example file included: ./etc/login.defs
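The audit script below is an added example, not part of this repository. It covers both the password policy and the authentication settings above: it pulls the options off the pam_pwquality.so line in a common-password file, reads PREVENT_NO_AUTH and LOGIN_RETRIES from a login.defs file, and reports what deviates from this section's advice. The function names, the thresholds (minlen of at least 12, at most 5 retries) and the sample files are the example's own choices, and it only reads the files it is given.

```shell
#!/bin/sh
# Added example (not from the repository): audit the password settings this
# section covers. Pass a common-password file and a login.defs file; nothing
# is modified, so the live files can be used directly.

# Print the options given to pam_pwquality.so in a common-password file,
# one per line (flags such as enforce_for_root appear without a value).
pwquality_opts() {
    awk '$1 == "password" && $3 == "pam_pwquality.so" { for (i = 4; i <= NF; i++) print $i; exit }' "$1"
}

# Value of a key=value option on the pam_pwquality.so line, or "" if absent.
# Absent options fall back to /etc/security/pwquality.conf, which this
# example does not read.
pwquality_opt() {
    pwquality_opts "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# Value of a login.defs setting, or "" if it is absent or commented out.
logindefs_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# One finding per line; exit status 0 when everything matches the advice.
# Usage: audit_password_policy /etc/pam.d/common-password /etc/login.defs
audit_password_policy() {
    _pam="$1" _defs="$2" _rc=0
    if [ -z "$(pwquality_opts "$_pam")" ]; then
        echo "pam_pwquality.so is not used in $_pam (is libpam-pwquality installed?)"
        _rc=1
    else
        _min=$(pwquality_opt "$_pam" minlen)
        if [ -z "$_min" ] || [ "$_min" -lt 12 ]; then
            echo "minlen is '${_min:-unset}': consider minlen=12 or more"
            _rc=1
        fi
        pwquality_opts "$_pam" | grep -qx enforce_for_root ||
            { echo "enforce_for_root missing: root can set weak passwords for users"; _rc=1; }
    fi
    [ "$(logindefs_get "$_defs" PREVENT_NO_AUTH)" = "yes" ] ||
        { echo "PREVENT_NO_AUTH is not yes: accounts without a password can log in"; _rc=1; }
    _retries=$(logindefs_get "$_defs" LOGIN_RETRIES)
    if [ -z "$_retries" ] || [ "$_retries" -gt 5 ]; then
        echo "LOGIN_RETRIES is '${_retries:-unset}': consider 5 or fewer"
        _rc=1
    fi
    return $_rc
}

# Demo on constructed files (not copied from any system).
pam=$(mktemp); defs=$(mktemp)
printf 'password\trequisite\tpam_pwquality.so retry=3\n' > "$pam"
printf 'PREVENT_NO_AUTH no\nLOGIN_RETRIES 5\n' > "$defs"
audit_password_policy "$pam" "$defs" || echo "(findings above: fix them)"
rm -f "$pam" "$defs"
```

Run it against the real files after editing them; a clean exit status means the PAM line and login.defs reflect the steps above, it does not test password choices themselves (pwscore from libpwquality-tools does that).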

Netfilter

In case there is no datacenter firewall available via the web GUI, or simply for defence in depth (imagine one layer failing or being compromised).

See: https://git.h0v1n8.nl/tBKwtWS/netfilter-config