How to Secure Your Debian 12 Server: A Comprehensive Guide
Securing a Debian 12 server is crucial for protecting your data and ensuring the stability of your system. This guide will walk you through the essential steps to secure your server, from initial setup to regular maintenance.
Thanks to Teklan Hosting
A big thank you to Teklan Hosting for providing us with a server. Their support has made it possible for us to create and share this guide with you.
We appreciate Teklan Hosting’s contribution to our project – Give them a look if you need a VPS, Web hosting, Domains or dedicated servers and much more!
Initial Setup
1. Update the System
The first step is to ensure your system is up to date. Run the following commands:
sudo apt update && sudo apt upgrade -y
2. Create a New User
Avoid using the root account for regular activities. Create a new user and grant sudo privileges:
sudo adduser newuser
sudo usermod -aG sudo newuser
3. Set Up SSH
Enhance SSH security by disabling root login and password authentication. Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Set the following parameters:
PermitRootLogin no
PasswordAuthentication no
Then, restart the SSH service:
sudo systemctl restart ssh
Firewall Configuration
4. Install UFW
Uncomplicated Firewall (UFW) is a user-friendly frontend for managing iptables firewall rules:
sudo apt install ufw
5. Allow SSH and Enable UFW
Allow SSH connections and enable the firewall:
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
Security Enhancements
6. Disable Unnecessary Services
Identify and disable services that are not needed:
sudo systemctl list-unit-files --type=service | grep enabled
sudo systemctl disable <service_name>
7. Install Fail2Ban
Protect against brute-force attacks:
sudo apt install fail2ban
8. Configure Fail2Ban
Create a local configuration file and customize it:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Enable jails for SSH:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
System Monitoring and Hardening
9. Install Logwatch
Logwatch is a log analysis system:
sudo apt install logwatch
10. Schedule Logwatch Reports
Configure daily email reports:
sudo nano /etc/cron.daily/00logwatch
Add the following:
/usr/sbin/logwatch --output mail --mailto your-email@example.com --detail high
11. Install and Configure AIDE
AIDE is a file integrity checker:
sudo apt install aide
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
12. Regularly Check for Rootkits
Install and run chkrootkit:
sudo apt install chkrootkit
sudo chkrootkit
Additional Security Measures
13. Automatic Security Updates
Enable automatic updates for security patches:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
14. Secure Shared Memory
Add the following to /etc/fstab:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
15. Configure AppArmor
Ensure AppArmor is enabled and properly configured:
sudo apt install apparmor apparmor-profiles
sudo systemctl enable apparmor
sudo systemctl start apparmor
Regular Maintenance
16. Regularly Update and Upgrade
Keep your system and all installed packages up to date:
sudo apt update && sudo apt upgrade -y
17. Perform Regular Backups
Use tools like `rsync` or `borgbackup` for regular backups.
18. Review Logs
Regularly review logs for any suspicious activity:
sudo tail -f /var/log/syslog
sudo tail -f /var/log/auth.log
Final Steps
19. Document Your Configuration
Keep a detailed record of your security configuration and any changes made.
20. Test Your Security
Regularly perform security audits and vulnerability scans using tools like `nmap` and `lynis`.
By following these steps, you can significantly enhance the security of your Debian 12 server. Regular maintenance and staying updated with the latest security practices are crucial for maintaining a secure environment.