Hardening Your Debian Linux Server
Linux has a deserved reputation for security and robustness, but a default installation is a starting point, not a finished product: unneeded services, permissive defaults and missing patches all leave doors open. Hardening is the process of reducing the server's attack surface by removing what is not needed, patching what is, and restricting the entry points that remain.
This guide provides a descriptive, step-by-step approach to implementing essential security measures on your Debian-based Linux machine (like Ubuntu). While the commands are Debian-centric, the principles apply to nearly all Linux distributions.
1. The Foundation: Consistent System Updates
The single most important security practice is keeping your system up to date. Vulnerabilities are found in widely deployed software all the time, and once a fix is published the vulnerability is public too; a server that is not updated is running known, documented holes that scanners and exploit kits look for first.
Why It Matters
Regular updates provide security patches for the Linux kernel, system libraries, and all installed services. These patches fix Common Vulnerabilities and Exposures (CVEs) that could otherwise be exploited by attackers to gain control of your system.
How to Do It
This command sequence should be your routine. First, it refreshes your system’s list of available packages, then it upgrades them to their latest versions.
# Update package lists and upgrade all installed packages
sudo apt update && sudo apt upgrade -y
# Remove old packages that are no longer required
sudo apt autoremove -y
Automating for Peace of Mind
Manually running updates can be forgotten. For critical security patches, automation is key. The unattended-upgrades package allows your system to automatically install new versions of packages that fix security issues without any manual intervention.
# Install the package
sudo apt install unattended-upgrades
# Run the configuration tool to enable it
sudo dpkg-reconfigure --priority=low unattended-upgrades
This writes /etc/apt/apt.conf.d/20auto-upgrades, which switches on the periodic apt jobs. On current Debian releases these run from the apt-daily.timer and apt-daily-upgrade.timer systemd timers rather than a cron job; systemctl list-timers shows when they fire next. The policy itself (which archives count as upgradeable) lives in /etc/apt/apt.conf.d/50unattended-upgrades, and sudo unattended-upgrade --dry-run --debug shows what the next run would install without changing anything.
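The policy that dpkg-reconfigure switches on is Debian's stock one, which pulls from the main stable archive (point releases) as well as the security suite. The script below is an added example, not code from the article: it renders a security-only policy as an apt.conf(5) fragment, renders the switch file dpkg-reconfigure writes, and checks either file the way an auditor would. The file name 52security-only is a choice made here; the #clear directive (apt.conf's only way to reset a list defined in an earlier fragment) and the label=Debian-Security origin label come from apt.conf(5) and the stock 50unattended-upgrades file. The mail settings assume a working local mail transport.

```bash
#!/bin/sh
# Added example, not from the original article: render a security-only
# unattended-upgrades policy and check a file against it. Assumes Debian's
# origin labels (label=Debian-Security), which is how the stock
# 50unattended-upgrades file names the security suite.
set -eu

# Print an apt.conf(5) fragment for /etc/apt/apt.conf.d/52security-only
# (a name chosen for this example; it must sort after 50unattended-upgrades).
# ${distro_codename} is expanded by unattended-upgrade itself, not by the
# shell (quoted heredoc), so the file survives a release upgrade unchanged.
render_unattended_conf() {
  cat <<'EOF'
// Reset the list inherited from 50unattended-upgrades; list entries in a
// later fragment would otherwise be appended, not replaced.
#clear Unattended-Upgrade::Origins-Pattern;
// Install only packages from the security suite; leave point-release
// updates for a maintenance window.
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
// Clean up dependencies the upgrades orphaned, mirroring apt autoremove.
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Never reboot on its own; a kernel update still needs a planned restart.
Unattended-Upgrade::Automatic-Reboot "false";
// Mail root only when something went wrong (needs a local mail transport).
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailReport "only-on-error";
EOF
}

# Print the switch file that dpkg-reconfigure writes (20auto-upgrades).
render_periodic_conf() {
  cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Return 0 if FILE has an uncommented Origins-Pattern entry for the
# security suite, 1 otherwise. apt.conf comments start with // or #.
security_origin_enabled() {
  awk '
    /^[[:space:]]*(\/\/|#)/ { next }
    /label=Debian-Security/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Return 0 if FILE has periodic unattended upgrades switched on.
periodic_upgrade_enabled() {
  awk '
    /^[[:space:]]*(\/\/|#)/ { next }
    /APT::Periodic::Unattended-Upgrade[[:space:]]+"1"/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}
```

Install the policy with render_unattended_conf | sudo tee /etc/apt/apt.conf.d/52security-only, then confirm apt parses it (apt-config dump Unattended-Upgrade::Origins-Pattern) and that sudo unattended-upgrade --dry-run --debug lists only packages from the security suite.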
2. Fortifying SSH: Your Remote Lifeline
Secure Shell (SSH) is the primary way administrators access servers remotely. This also makes it a prime target for attackers. Securing your SSH configuration is non-negotiable.
The directives below go in the SSH daemon's configuration, /etc/ssh/sshd_config. On Debian 11 and later that file begins with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file in that directory is the cleanest place for them. Two habits prevent lockouts: sshd takes the first value it reads for a keyword and ignores later ones, so check the effective configuration with sudo sshd -T rather than trusting what you typed, and keep an existing session open while you validate the file (sudo sshd -t) and restart the service.
Key Hardening Directives
a. Disable Direct Root Login
The root user is the ultimate prize for an attacker. Disabling direct login for root forces everyone (including you) to log in as a regular user and then elevate privileges with sudo, which adds a layer of security and provides a better audit trail, since sudo logs who ran what. Debian's default, prohibit-password, still lets root in with a key; no closes that route as well.
# Prevents the root user from logging in via SSH.
PermitRootLogin no
b. Enforce Key-Based Authentication
Passwords can be guessed through brute-force or dictionary attacks. SSH keys authenticate with a cryptographic key pair instead, which cannot be guessed online. Before you disable passwords, generate a key on your workstation (ssh-keygen -t ed25519), install the public key with ssh-copy-id, and confirm that key login works in a second session; otherwise the next change locks you out.
# Disallows the use of passwords for SSH login.
PasswordAuthentication no
# Ensures that public key authentication is enabled.
PubkeyAuthentication yes
# Prevents users from logging in with an empty password.
PermitEmptyPasswords no
c. Limit Unnecessary Features
If you don't need advanced SSH features like port forwarding (tunneling), disable them to reduce the potential for misuse: a compromised account with forwarding enabled gives the attacker a foothold from which to reach other systems behind the server.
# Disables TCP forwarding, which can be used to pivot into a network.
AllowTcpForwarding no
# X11 and agent forwarding are rarely needed on a server and carry the same pivoting risk.
X11Forwarding no
AllowAgentForwarding no
d. Add Two-Factor Authentication (2FA)
For the highest level of security, especially on internet-facing servers, enable 2FA: a login then needs your SSH key (something you have, ideally protected by a passphrase you know) and a time-based one-time code from an authenticator app on your phone.
Step 1: Install the Google Authenticator PAM module. PAM (Pluggable Authentication Modules) is a framework that lets services stack authentication methods, and sshd consults it for the keyboard-interactive method.
sudo apt install libpam-google-authenticator
Step 2: Configure PAM.
Add this line to the top of /etc/pam.d/sshd to tell SSH to use the 2FA module.
auth required pam_google_authenticator.so
Debian's /etc/pam.d/sshd also contains @include common-auth, which is the account-password check. Leave it in place and a login asks for the one-time code and then the password; comment it out if you want the key plus the code and nothing else.
Step 3: Modify the SSH Config.
Edit /etc/ssh/sshd_config so that sshd offers the keyboard-interactive (PAM) challenge and, crucially, requires the key and the code together. Without AuthenticationMethods, any one method that succeeds is enough for sshd, so the key on its own would still log you in and the code would never be asked for.
# Offer the PAM challenge-response prompt. On OpenSSH 8.7 and later the directive is
# KbdInteractiveAuthentication; ChallengeResponseAuthentication is the older name and is still accepted as an alias.
KbdInteractiveAuthentication yes
# Keep this 'no': the second factor is the PAM module's code, not the account password
PasswordAuthentication no
# Require a successful public key AND the keyboard-interactive challenge, in that order
AuthenticationMethods publickey,keyboard-interactive
# Debian's default; PAM must be in use for the module to run at all
UsePAM yes
Step 4: Validate the configuration, restart the SSH service and generate a token.
sudo sshd -t && sudo systemctl restart ssh.service
(sshd.service is an alias for ssh.service on Debian.) Keep your current session open until a fresh login has succeeded. Now, as the user you want to enable 2FA for, run google-authenticator. Answer the questions as recommended (time-based tokens, update the file, disallow multiple uses of a code, enable rate-limiting). Scan the generated QR code with an app like Google Authenticator or Authy, and store the emergency scratch codes it prints somewhere safe; they are your way in if the phone is lost.
From now on, after your SSH key is accepted, you will be prompted for a verification code to complete the login. A user who has not yet run google-authenticator cannot log in at all under this setting; if you need an enrolment period, append nullok to the PAM line so users without a token file skip the prompt, and remove it once everyone is enrolled.
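One way to check all of the above at once, as an added example rather than the article's own code: render the directives into a drop-in and audit a configuration file the way sshd reads it (first value wins, keywords are case-insensitive, only the section before the first Match block is global). It assumes Debian's stock sshd_config with its Include line at the top; the drop-in name 50-hardening.conf and the sample configuration are invented for the example.

```bash
#!/bin/sh
# Added example, not from the original article: render the hardening drop-in
# from sections a-d and audit an sshd_config the way sshd itself reads it.
# Assumes Debian's stock sshd_config, which starts with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in there takes
# precedence. The name 50-hardening.conf is a choice made for this example.
set -eu

# Directive|required value: the article's directives plus the two that make
# the key AND the one-time code mandatory instead of either on its own.
REQUIRED_SSHD='PermitRootLogin|no
PasswordAuthentication|no
PubkeyAuthentication|yes
PermitEmptyPasswords|no
AllowTcpForwarding|no
KbdInteractiveAuthentication|yes
AuthenticationMethods|publickey,keyboard-interactive'

# sshd keeps the FIRST value it reads for a keyword and ignores later ones,
# and keywords are case-insensitive. Print that effective value of KEY ($2)
# in FILE ($1), looking only at the global section (before the first Match).
# Parses "Keyword value" lines; the "Keyword=value" form is not handled.
effective_sshd_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }           # comments, blank lines
    tolower($1) == "match" { exit }                # global section ends
    tolower($1) == tolower(key) { print $2; exit } # first match wins
  ' "$1"
}

# Print the drop-in for /etc/ssh/sshd_config.d/50-hardening.conf.
render_sshd_dropin() {
  echo '# Hardening drop-in; sshd reads this before the main file'
  printf '%s\n' "$REQUIRED_SSHD" | awk -F'|' '{ print $1, $2 }'
}

# Audit FILE against REQUIRED_SSHD. Missing directives count as failures:
# sshd defaults vary by version, so the audit wants every value explicit.
# Prints one FAIL line per mismatch; returns the number of mismatches.
audit_sshd_config() {
  local file="$1" failures=0 key want got
  while IFS='|' read -r key want; do
    got="$(effective_sshd_value "$file" "$key")"
    if [ "$got" != "$want" ]; then
      printf 'FAIL %-28s want %s, effective %s\n' "$key" "$want" "${got:-(unset)}"
      failures=$((failures + 1))
    fi
  done <<EOF
$REQUIRED_SSHD
EOF
  return "$failures"
}

# Constructed sample of a near-default config with a trap in it: the second
# PasswordAuthentication line never takes effect, because the first wins.
sample_weak_config() {
  cat <<'EOF'
# sshd_config (constructed sample, not a real server's file)
PermitRootLogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}

# Demo: audit the weak sample, then the rendered drop-in (which passes).
demo() {
  tmp="$(mktemp)"
  sample_weak_config > "$tmp"
  audit_sshd_config "$tmp" || echo "weak sample: $? directive(s) wrong"
  render_sshd_dropin > "$tmp"
  audit_sshd_config "$tmp" && echo "hardened drop-in: all directives effective"
  rm -f "$tmp"
}

demo
```

To audit the live server, feed the audit what sshd actually uses rather than the files on disk: sudo sshd -T > /tmp/sshd.effective && audit_sshd_config /tmp/sshd.effective. sshd -T prints lowercase keywords, which the parser accepts.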
3. Building Walls: The Firewall
A firewall is a digital barrier that controls incoming and outgoing network traffic based on a set of rules. The most secure firewall strategy is to deny all traffic by default and only allow specific, necessary connections.
A Note on iptables vs. nftables
nftables is the modern successor to iptables. On Debian 10 and later the iptables command is itself the nftables-backed front end (iptables -V reports "nf_tables"), so the familiar syntax below still programs the modern kernel subsystem.
Warning: Docker manages iptables rules for its container networking, inserting and maintaining chains of its own. If you are running Docker, it is strongly recommended to stick with the iptables front end rather than a hand-written nftables ruleset, to avoid complex and difficult-to-debug networking issues.
Sample iptables Ruleset
This ruleset drops all incoming traffic except established connections and new connections on the standard SSH (22), HTTP (80) and HTTPS (443) ports. Order matters when you enter rules one by one over SSH: add the ACCEPT rules first and switch the INPUT policy to DROP last. Setting the policy first drops the packets of your own session before the conntrack rule that would allow them exists, and you are locked out until someone reaches the console.
# 1. Allow traffic on the loopback interface (for services on the server to talk to each other).
sudo iptables -A INPUT -i lo -j ACCEPT
# 2. Allow return traffic for connections you initiated, including the SSH session you are typing this in.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. Allow new incoming connections for SSH, HTTP, and HTTPS.
sudo iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# 4. Allow ICMP (ping, and the messages path MTU discovery depends on).
sudo iptables -A INPUT -p icmp -j ACCEPT
# 5. Only now set the default policies: DROP incoming and forwarded traffic, allow all outgoing traffic.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# 6. Install iptables-persistent to make the rules survive a reboot (it loads /etc/iptables/rules.v4 and rules.v6 at boot).
sudo apt install iptables-persistent -y
# 7. Save the currently configured rules.
sudo netfilter-persistent save
These commands program the IPv4 tables only. If the server has a public IPv6 address, repeat the ruleset with ip6tables (allowing -p ipv6-icmp, which IPv6 needs for neighbour discovery), otherwise the host stays wide open over IPv6 while looking locked down over IPv4.
4. Integrating with Cloudflare (for Web Apps)
If you use a service like Cloudflare in front of your web applications, its filtering only helps while traffic actually passes through it. An attacker who learns your server's own IP address can send requests straight to it and bypass Cloudflare entirely.
To prevent this, configure the firewall so that the web ports (80 and 443) accept connections only from Cloudflare's IP ranges. Note that iptables evaluates rules top to bottom and -A appends, so the rule in the ruleset above that accepts 22, 80 and 443 from anywhere must not stay in place: open only SSH there, then add one rule per Cloudflare range.
# Allow SSH from anywhere (replaces the earlier rule that also opened 80 and 443)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Example: allow web traffic from one Cloudflare IP range
sudo iptables -A INPUT -p tcp -s 173.245.48.0/20 --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 173.245.48.0/20 --dport 443 -j ACCEPT
Repeat this for every range on Cloudflare's official list, published at cloudflare.com/ips, using ip6tables for the IPv6 ranges. The list changes from time to time, so check it periodically. Remember to save your rules afterwards with sudo netfilter-persistent save.
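Applying rules one at a time, and then again for ip6tables and for dozens of Cloudflare ranges, is where mistakes creep in. The script below is an added example, not from the article: it renders the whole ruleset from sections 3 and 4 in the format iptables-restore reads, so the kernel swaps it in atomically with no window in which the DROP policy exists without its ACCEPT rules, and it parameterises the address family, the SSH port and the list of allowed web sources. The CLOUDFLARE chain name and the install paths under /etc/iptables are choices made here; only the 173.245.48.0/20 range quoted above is embedded, and the full lists must come from Cloudflare.

```bash
#!/bin/sh
# Added example, not from the original article: render the ruleset from
# sections 3 and 4 in iptables-restore format, so it is applied in one
# atomic step and the same logic serves ip6tables. The chain name CLOUDFLARE
# is chosen here; 173.245.48.0/20 is the one range quoted in the article, and
# the complete current lists must come from Cloudflare's published ranges.
set -eu

# render_ruleset FAMILY SSH_PORT [CIDR_FILE]
#   FAMILY     4 or 6; IPv6 must admit ICMPv6 (neighbour discovery, PMTU)
#   CIDR_FILE  one CIDR per line, '#' comments allowed. When given, ports
#              80/443 accept only those sources; when omitted, everyone.
render_ruleset() {
  local family="$1" ssh_port="$2" cidr_file="${3:-}" icmp=icmp cidr
  if [ "$family" = 6 ]; then icmp=ipv6-icmp; fi
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  if [ -n "$cidr_file" ]; then echo ':CLOUDFLARE - [0:0]'; fi
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  echo "-A INPUT -p $icmp -j ACCEPT"
  echo "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
  if [ -n "$cidr_file" ]; then
    # Web ports jump to a chain that only the listed ranges pass.
    echo '-A INPUT -p tcp -m multiport --dports 80,443 -j CLOUDFLARE'
    while read -r cidr; do
      case "$cidr" in ''|'#'*) continue ;; esac
      echo "-A CLOUDFLARE -s $cidr -j ACCEPT"
    done < "$cidr_file"
    echo '-A CLOUDFLARE -j DROP'
  else
    echo '-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'
  fi
  echo 'COMMIT'
}

# Write both families to the files iptables-persistent loads at boot, parse
# them with --test first, then apply. Needs root; keep a second SSH session
# open. iptables-restore replaces the whole filter table, so on a Docker host
# Docker's own chains must be recreated afterwards (restart the service).
install_ruleset() {
  local ssh_port="$1" cf4="$2" cf6="$3"
  render_ruleset 4 "$ssh_port" "$cf4" > /etc/iptables/rules.v4
  render_ruleset 6 "$ssh_port" "$cf6" > /etc/iptables/rules.v6
  iptables-restore --test < /etc/iptables/rules.v4
  ip6tables-restore --test < /etc/iptables/rules.v6
  iptables-restore < /etc/iptables/rules.v4
  ip6tables-restore < /etc/iptables/rules.v6
}

# Constructed sample list holding only the range quoted in the article. In
# practice populate it from Cloudflare's plain-text lists at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
sample_cloudflare_v4() {
  cat <<'EOF'
# Cloudflare IPv4 ranges (constructed sample; fetch the real list)
173.245.48.0/20
EOF
}
```

A dry run on a workstation is just tmp="$(mktemp)"; sample_cloudflare_v4 > "$tmp"; render_ruleset 4 22 "$tmp", which prints the ruleset for inspection. On the server, install_ruleset 22 cf4.txt cf6.txt writes, tests and applies both families; the --test pass rejects a malformed file before anything reaches the kernel.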
Conclusion: Security is a Process
Server hardening is not a one-time task; it’s an ongoing process. By implementing these foundational measures—keeping your system updated, locking down SSH, and configuring a strict firewall—you have significantly reduced your server’s exposure to common threats. From here, you can explore even more advanced topics like fail2ban for blocking malicious IPs, file integrity monitoring, and regular security audits.