Hardening Debian 13 for Internet-Facing Servers

August 12, 2025

TL;DR

To harden your Debian 13 server for internet-facing applications, follow these essential steps:

Update the System: Ensure all packages are up-to-date to mitigate vulnerabilities.

sudo apt update && sudo apt upgrade -y  # Update package lists and upgrade installed packages

Configure the Firewall: Use ufw to allow only necessary ports.

sudo apt install ufw -y  # Install UFW if not already installed
sudo ufw allow OpenSSH  # Allow SSH access
sudo ufw allow 80/tcp  # Allow HTTP
sudo ufw allow 443/tcp  # Allow HTTPS
sudo ufw enable  # Enable the firewall

Disable Root Login via SSH: Edit the SSH configuration to enhance security.

sudo nano /etc/ssh/sshd_config  # Open SSH config file
sudo systemctl restart ssh  # Restart SSH service

Install Fail2Ban: Protect against brute-force attacks.

sudo apt install fail2ban -y  # Install Fail2Ban
sudo systemctl enable fail2ban  # Enable Fail2Ban to start on boot

Regular Backups: Implement a backup strategy to recover from potential data loss.
```
# Consider using rsync or a similar tool for backups
```
Use Strong Passwords and SSH Keys: Enforce strong password policies and prefer SSH key authentication over passwords.
Limit User Privileges: Only grant necessary permissions to users and services.

Regularly Monitor Logs: Check logs for unusual activity.

sudo journalctl -f  # Monitor system logs in real-time

Keep Software Minimal: Uninstall unnecessary packages to reduce the attack surface.
```
sudo apt autoremove -y  # Remove unused packages
```

By following these steps, you can significantly enhance the security posture of your Debian 13 server against internet threats. Always test configurations in a safe environment before applying them to production systems.

System Updates and Package Management

Keeping your Debian 13 server updated is crucial for maintaining security, especially for internet-facing systems. Regular updates ensure that you have the latest security patches and software improvements. Here’s how to manage system updates and packages effectively.

First, ensure that your package list is up to date. You can do this by running:

sudo apt update  # Update the package list

Next, upgrade the installed packages to their latest versions:

sudo apt upgrade -y  # Upgrade all installed packages

For a more comprehensive upgrade that handles changing dependencies, use:

sudo apt full-upgrade -y  # Upgrade packages and handle dependencies

To keep your system secure, it’s advisable to enable unattended upgrades. This will automatically install security updates without manual intervention. Install the necessary package:

sudo apt install unattended-upgrades -y  # Install unattended-upgrades

Next, configure it by editing the configuration file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades  # Open the config file

Ensure that the following line is uncommented to allow security updates:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

After making changes, save and exit the editor. To enable unattended upgrades, run:

sudo dpkg-reconfigure --priority=low unattended-upgrades  # Configure unattended upgrades

Caution: Regularly check the logs for unattended upgrades to ensure that updates are applied successfully. You can view logs at:

cat /var/log/unattended-upgrades/unattended-upgrades.log  # View upgrade logs

Lastly, consider removing unused packages to reduce potential vulnerabilities:

sudo apt autoremove -y  # Remove unnecessary packages

By following these steps, you can maintain a secure and up-to-date Debian 13 server.

Firewall Configuration

To secure your Debian 13 server, configuring a firewall is essential. The default firewall tool in Debian is iptables, but for ease of use, we will utilize ufw (Uncomplicated Firewall), which provides a user-friendly interface for managing firewall rules.

First, ensure that ufw is installed:

sudo apt update && sudo apt install ufw  # Install ufw if not already installed

Next, set the default policies to deny all incoming connections and allow all outgoing connections. This is a safe default that minimizes exposure:

sudo ufw default deny incoming  # Deny all incoming traffic
sudo ufw default allow outgoing  # Allow all outgoing traffic

Now, enable ufw:

sudo ufw enable  # Activate the firewall

Before enabling, you should ensure that you do not lock yourself out of the server. If you are accessing the server via SSH, allow SSH connections:

sudo ufw allow ssh  # Allow SSH connections (default port 22)

If you are using a different port for SSH, specify it like this:

sudo ufw allow 2222/tcp  # Replace 2222 with your custom SSH port

Next, add rules for any other services you plan to expose. For example, to allow HTTP and HTTPS traffic:

sudo ufw allow http  # Allow HTTP traffic (port 80)
sudo ufw allow https  # Allow HTTPS traffic (port 443)

To check the status of your firewall and review the rules:

sudo ufw status verbose  # Display the current firewall rules

Finally, remember to regularly review and update your firewall rules as needed. Always test your configuration to ensure that legitimate traffic is allowed while unwanted traffic is blocked.

SSH Hardening

To enhance the security of your SSH service on Debian 13, follow these steps:

Update SSH Configuration: Edit the SSH daemon configuration file to disable root login and change the default port.
```
sudo nano /etc/ssh/sshd_config
```
- Set PermitRootLogin to no to prevent root login:
```
PermitRootLogin no
```
- Change the default SSH port (22) to a non-standard port (e.g., 2222):
```
Port 2222
```
Use SSH Key Authentication: Disable password authentication and use SSH keys instead.
- Generate a new SSH key pair on your local machine:
```
ssh-keygen -t rsa -b 4096
```
- Copy the public key to your server:
```
ssh-copy-id -i ~/.ssh/id_rsa.pub user@your-server-ip
```
- In the sshd_config file, set the following:
```
PasswordAuthentication no
```
Limit User Access: Restrict SSH access to specific users or groups.
- Add the following line to sshd_config to allow only specific users:
```
AllowUsers user1 user2
```

Enable Firewall: Use ufw to allow only the specified SSH port.

sudo apt install ufw
sudo ufw allow 2222/tcp  # Replace with your chosen port
sudo ufw enable

Restart SSH Service: After making changes, restart the SSH service to apply the new configuration.
```
sudo systemctl restart ssh
```

Caution: Ensure you have console access to the server before changing the SSH port or disabling password authentication. Misconfiguration can lock you out of your server. Always test your SSH connection after making changes.

Fail2Ban Installation

To install and configure Fail2Ban on your Debian 13 server, follow these steps to enhance your security against brute-force attacks.

First, update your package list and install Fail2Ban:

sudo apt update && sudo apt install fail2ban -y  # Install Fail2Ban

Once installed, Fail2Ban will run with default settings. However, it’s essential to create a local configuration file to customize settings without modifying the default configuration directly. Copy the default configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local  # Create a local config file

Open the local configuration file for editing:

sudo nano /etc/fail2ban/jail.local  # Edit the local configuration

In this file, you can enable and configure jails for various services. For example, to protect SSH, ensure the following section is enabled:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600  # Ban for 1 hour

The maxretry setting defines how many failed login attempts are allowed before a ban is enforced. The bantime specifies the duration of the ban in seconds. Adjust these values according to your security needs, but be cautious not to set them too low, which could lead to denial of service for legitimate users.

After making your changes, save and exit the editor. Restart the Fail2Ban service to apply the new configuration:

sudo systemctl restart fail2ban  # Restart Fail2Ban to apply changes

To check the status of Fail2Ban and see which jails are active, use:

sudo fail2ban-client status  # Check Fail2Ban status

This setup will help protect your server from unauthorized access attempts. Regularly monitor the logs and adjust configurations as necessary to maintain optimal security.

Regular Security Audits

Regular security audits are essential for maintaining the integrity and security of your Debian 13 server. By routinely checking for vulnerabilities and misconfigurations, you can proactively address potential threats before they can be exploited.

Start by ensuring that your system is up to date. Regularly apply security updates using the following command:

sudo apt update && sudo apt upgrade -y  # Update package lists and upgrade installed packages

Next, consider using the built-in debian-security-support tool to check for unsupported packages that may pose a security risk:

sudo apt install debian-security-support  # Install the security support tool
debian-security-support --check  # Check for unsupported packages

Additionally, you can use Lynis, a security auditing tool, to perform a comprehensive audit of your system. Install it with:

sudo apt install lynis  # Install Lynis for security auditing
sudo lynis audit system  # Run a security audit

Review the report generated by Lynis and address any critical or high-risk findings.

For file integrity monitoring, consider using AIDE (Advanced Intrusion Detection Environment). Install it with:

sudo apt install aide  # Install AIDE for file integrity monitoring
sudo aideinit  # Initialize the AIDE database

Run AIDE checks regularly to detect unauthorized changes:

sudo aide --check  # Check for file integrity violations

Finally, schedule these audits using cron to ensure they are performed regularly. Edit the crontab with:

sudo crontab -e  # Edit the root user's crontab

Add a line to run the audit weekly:

0 2 * * 0 /usr/bin/lynis audit system >> /var/log/lynis.log  # Weekly Lynis audit at 2 AM every Sunday

Always review logs and findings promptly, and take corrective actions as necessary. Regular audits not only help in identifying vulnerabilities but also reinforce a culture of security awareness within your organization.

Verification

To ensure that your hardening measures are effective, it is crucial to verify the configuration and security posture of your Debian 13 server. Below are several steps to confirm that your hardening efforts have been successful.

First, check the status of the firewall to ensure it is active and configured correctly:

sudo ufw status verbose  # Check UFW status and rules

Ensure that only necessary ports are open. If you see unexpected ports, revisit your firewall rules.

Next, verify that unnecessary services are disabled. Use the following command to list active services:

sudo systemctl list-units --type=service --state=running  # List running services

Review the list and disable any services that are not required:

sudo systemctl stop <service_name>  # Stop the unnecessary service
sudo systemctl disable <service_name>  # Disable it from starting at boot

To check for installed packages that may pose security risks, run:

dpkg --get-selections | grep deinstall  # List packages marked for deinstallation

Consider removing any unnecessary packages:

sudo apt purge <package_name>  # Remove unwanted package

Next, verify that your system is up to date with security patches:

sudo apt update && sudo apt upgrade -y  # Update package lists and upgrade installed packages

Finally, check the integrity of critical system files using AIDE (Advanced Intrusion Detection Environment):

sudo aideinit  # Initialize AIDE database
sudo aide --check  # Check for file integrity

Regularly review the AIDE reports for any unauthorized changes.

Caution: Always back up your configuration files and important data before making significant changes or updates. Regularly schedule these verification steps to maintain a secure environment.

Buy me a coffee ☕