Fortifying Your Linux Fortress: Essential Security for Debian & Ubuntu Servers

April 25, 2024 | By Pietro Dubsky

Debian and Ubuntu are two of the most popular Linux distributions for servers, prized for their stability, extensive package repositories, and strong community support. However, a default installation, while functional, is often not sufficiently hardened against the myriad of threats present on the internet. Securing your Linux server is a critical and ongoing process. This guide will cover essential steps to fortify your Debian or Ubuntu server.

Why Server Hardening is Crucial

Servers, especially those exposed to the internet, are constant targets for automated attacks, hackers looking for vulnerabilities, and botnets. A compromised server can lead to:

  • Data breaches and theft of sensitive information.
  • Service disruption and downtime.
  • Use of your server for malicious activities (e.g., sending spam, hosting phishing sites, participating in DDoS attacks).
  • Reputational damage.
  • Financial losses.

Server hardening involves configuring the system to reduce its attack surface and enhance its overall security posture.

Initial Server Setup & User Accounts

1. Create a Non-Root Sudo User

Logging in and operating directly as the root user is risky. A single mistake can have catastrophic consequences. Action: Immediately after initial server setup, create a new user account and grant it sudo privileges. 

# As root
adduser newusername
usermod -aG sudo newusername
# Then, log out as root and log back in as newusername
Always use this user for daily administration, prefixing commands with sudo when administrative privileges are needed.

2. Disable Root Login via SSH

Once your sudo user is set up and tested, disable direct root login over SSH to reduce the risk of brute-force attacks targeting the root account. Action: Edit the SSH configuration file (sudo nano /etc/ssh/sshd_config) and set: 

PermitRootLogin no
Then restart the SSH service: sudo systemctl restart ssh or sudo systemctl restart sshd.

3. Use Strong Passwords (and Consider SSH Keys)

Ensure all user accounts, especially your sudo user, have very strong, unique passwords. Action: Use a password manager to generate these. Better yet, set up SSH key-based authentication, which is significantly more secure than password authentication, and then disable password authentication for SSH entirely (see next section).

Securing SSH Access

SSH (Secure Shell) is the primary way to remotely access and manage Linux servers. Securing it is paramount.

1. Use SSH Key-Based Authentication

SSH keys consist of a public key (placed on the server) and a private key (kept securely on your client machine). You can only log in if you possess the private key. Action: Generate an SSH key pair on your local machine (ssh-keygen) and copy the public key to your server's ~/.ssh/authorized_keys file for your sudo user. Test it, then consider disabling password authentication.

2. Disable Password Authentication for SSH (After Setting Up Keys)

This prevents brute-force password attacks against SSH. Action: In /etc/ssh/sshd_config, set: 

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Restart the SSH service.

3. Change the Default SSH Port (Security through Obscurity - Optional)

Automated bots often scan for SSH on the default port 22. Changing it can reduce the number of automated login attempts. Action: In /etc/ssh/sshd_config, change Port 22 to a non-standard port (e.g., Port 2222). Remember to allow the new port in your firewall before restarting SSH. Note: This is a minor security measure and shouldn't be relied upon as your primary defense.

4. Implement Fail2Ban

Fail2Ban is an intrusion prevention software framework that monitors log files (e.g., for SSH, Apache) and bans IP addresses that show malicious signs, like too many password failures. Action: Install and configure Fail2Ban: 

sudo apt update
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local # Configure settings, especially for SSH
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Firewall Configuration

A firewall controls incoming and outgoing network traffic based on predefined security rules.

1. Use UFW (Uncomplicated Firewall) or nftables

Debian and Ubuntu often come with UFW, a user-friendly frontend for managing firewall rules (which uses nftables or iptables underneath). Action:

  • Install UFW if not present: sudo apt install ufw
  • Set default policies: sudo ufw default deny incoming and sudo ufw default allow outgoing.
  • Allow necessary services (e.g., SSH on your custom port, HTTP, HTTPS): 
    sudo ufw allow 2222/tcp  # Or your custom SSH port
sudo ufw allow http
sudo ufw allow https
  • Enable UFW: sudo ufw enable
  • Check status: sudo ufw status verbose

System Updates and Patch Management

Keeping your system and installed packages up to date is one of the most effective ways to protect against known vulnerabilities. Action:

  • Regularly update your system: 
    sudo apt update
sudo apt upgrade
sudo apt full-upgrade # Occasionally, for kernel updates etc.
sudo apt autoremove   # Remove unused packages
  • Consider enabling unattended-upgrades for automatic installation of security updates: sudo apt install unattended-upgrades and configure it (sudo dpkg-reconfigure --priority=low unattended-upgrades).

Minimize Installed Software (Reduce Attack Surface)

Every piece of software installed on your server potentially increases its attack surface. Action: Uninstall any unnecessary packages and services. If you're not using it, remove it. 

sudo apt list --installed # To see what's installed
sudo apt remove package_name
sudo apt purge package_name # To remove configuration files as well

Logging and Monitoring

System logs are crucial for detecting suspicious activity, troubleshooting issues, and for forensic analysis after an incident. Action:

  • Familiarize yourself with common log file locations (e.g., /var/log/auth.log for authentication, /var/log/syslog for general system messages).
  • Ensure services like rsyslog are running.
  • Consider centralized logging if you manage multiple servers.
  • Install tools like logwatch to get daily summaries of log activity.

Intrusion Detection Systems (IDS)

An IDS can monitor network or system activities for malicious activities or policy violations and report them. Action: Consider host-based IDS (HIDS) like:

  • Tripwire (AIDE is a free alternative): Monitors filesystem integrity for unauthorized changes.
  • OSSEC or Wazuh: More comprehensive HIDS solutions offering log analysis, integrity checking, rootkit detection, and real-time alerting.

Regular Security Audits

Periodically review your server's security configuration and logs. Action:

  • Run tools like lynis (sudo apt install lynis then sudo lynis audit system) to perform a security audit and get hardening suggestions.
  • Check for listening ports: sudo ss -tulnp or sudo netstat -tulnp.
  • Review user accounts and sudo privileges.

Physical Security (If Applicable)

If you manage physical servers, ensure they are in a secure location with restricted access.

Conclusion

Securing a Debian or Ubuntu server is an ongoing commitment, not a one-time task. The threat landscape is constantly changing, so continuous vigilance, regular updates, and periodic security reviews are essential. By implementing these fundamental hardening steps, you can significantly improve the security posture of your Linux servers and protect them against a wide range of common attacks. Remember to tailor these recommendations to your specific server role and security requirements.

« Back to Blog