Basic Debian Jessie Security Hardening

Posted on: 2017-04-24

Make sure all the official repositories are enabled, then update, upgrade and install some software.

vim /etc/apt/sources.list
deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://ftp.debian.org/debian jessie-updates main contrib non-free
deb http://security.debian.org jessie/updates main contrib non-free

apt-get -y update
apt-get -y upgrade

apt-get -y install vim screen lsof telnet dnsutils openssl netcat-openbsd fail2ban unattended-upgrades netfilter-persistent iptables-persistent rsyslog sysv-rc-conf anacron rsync less

Generate and set a good root password

openssl rand -base64 24
#copy
passwd
#paste

Configure automatic updates

vim /etc/apt/apt.conf.d/50unattended-upgrades
#only the following origin patterns should be uncommented
  "o=Debian,n=jessie";
  "o=Debian,n=jessie-updates";
  "o=Debian,n=jessie,l=Debian-Security";

dpkg-reconfigure -plow unattended-upgrades
y

vim /etc/apt/apt.conf.d/20auto-upgrades
#the file should look like this
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

systemctl enable unattended-upgrades.service

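#trying it: downgrade vim to an older build and confirm unattended-upgrades wants to bring it back
dpkg -l vim
#note version number
#the pattern is quoted so apt-get receives it as written; an unquoted vim-* would be
#expanded by the shell against any matching files in the current directory first
apt-get remove 'vim-*'
apt-get install vim=2:7.4.488-7+deb8u1 vim-common=2:7.4.488-7+deb8u1 vim-runtime=2:7.4.488-7+deb8u1
dpkg -l vim
#note version number, it should now be the pinned one
unattended-upgrade --debug --dry-run
#should see notes about vim upgrades
#wait a day or so and check with a dpkg -l vim again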

Locking down the firewall

vi /etc/iptables/rules.v4
#make the filter section look like this; open additional ports the way port 22 is opened here for any other services you plan to offer. These rules only cover IPv4 (rules.v4): sshd also listens on IPv6 further down, so give the matching IPv6 rules file (rules.v6) the same treatment or IPv6 traffic stays unfiltered. The INPUT policy stays ACCEPT, so the final REJECT line is what closes the box: if these rules ever fail to load, everything is open.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

systemctl enable netfilter-persistent
systemctl restart netfilter-persistent

#check it
iptables --list --verbose --numeric

Protecting against brute force ssh attacks

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vim /etc/fail2ban/jail.local
#needed for some crappy vpses
banaction = iptables
#ensure
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

systemctl enable fail2ban
systemctl restart fail2ban

#check it
iptables --list --verbose --numeric
#test it by failing to log in 10 or so times from a box other than the one you are connected through right now (so you don't ban yourself), or just wait: soon enough some 'hacker' will be blocked.

Turning off things that you aren't using

systemctl list-unit-files --type=service | grep enabled
anacron-resume.service                 enabled 
anacron.service                        enabled 
cron.service                           enable
getty@.service                         enabled 
hwclock-save.service                   enabled 
netfilter-persistent.service           enabled 
quota.service                          enabled 
rsyslog.service                        enabled 
ssh.service                            enabled 
sshd.service                           enabled 
syslog.service                         enabled 
systemd-networkd.service               enabled 
systemd-readahead-collect.service      enabled 
systemd-readahead-drop.service         enabled 
systemd-readahead-replay.service       enabled 
systemd-resolved.service               enabled 
systemd-timesyncd.service              enabled 
unattended-upgrades.service            enabled 
vzfifo.service                         enabled

^ is what a tweaked system looks like for me.  You'll want to `systemctl disable <unit>` for anything you don't want to have running.

sysv-rc-conf

#disable services you aren't going to use by unchecking them in runlevels 2-5.  A tweaked system for me runs:
bootlogs
fail2ban
motd
rc.local
rmnologin
rsyslog
ssh

Now reboot and make sure things look right

reboot
#almost nothing should be running. Note the `sshd: root@pts/0` line below: root is logging in over ssh with the password set earlier, and port 22 is open to everyone, so that password's strength plus fail2ban is what stands between the internet and a root shell.
ps -ef 
root         1     0  0 12:38 ?        00:00:00 init -z       
root         2     1  0 12:38 ?        00:00:00 [kthreadd/10638]
root         3     2  0 12:38 ?        00:00:00 [khelper/10638]
systemd+    51     1  0 12:38 ?        00:00:00 /lib/systemd/systemd-networkd
root        52     1  0 12:38 ?        00:00:00 /lib/systemd/systemd-udevd
root        86     1  0 12:38 ?        00:00:00 /lib/systemd/systemd-journald
root       189     1  0 12:38 ?        00:00:00 /usr/sbin/sshd -D
systemd+   190     1  0 12:38 ?        00:00:00 /lib/systemd/systemd-resolved
root       191     1  0 12:38 ?        00:00:00 /usr/sbin/rsyslogd -n
root       208     1  0 12:38 tty2     00:00:00 /sbin/agetty --noclear tty2 linux
root       209     1  0 12:38 tty1     00:00:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
root       217     1  0 12:38 ?        00:00:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
root       283   189  0 13:48 ?        00:00:00 sshd: root@pts/0    
root       285   283  0 13:48 pts/0    00:00:00 -bash

#should be very few ports listening (this is `lsof -i -P -n` output; lsof was installed earlier)
COMMAND PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
sshd    189 root    3u  IPv4 149984794      0t0  TCP *:22 (LISTEN)
sshd    189 root    4u  IPv6 149984796      0t0  TCP *:22 (LISTEN)

#firewall should be locked down
 iptables --list --verbose --numeric 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  230 19105 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  233 19779 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
7   376 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   84  5155 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 166 packets, 18623 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  230 19105 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0