Lately, I met with accident when administrator does not know anything about OS security. He installed desktop Linux version on the server and he did everything as his nose suggests a zero self-preservation. Hostname as the gateway, wheezy-update as one line in the sources – not long ago so I laughed.
However, it inspired me to write an article – this article, about a security of Debian system. Linux users know that this distribution is safe and stable. However, any idiot and looser, who does not know how to use it, can open the door for hackers. And the thread of good Linux admin as it is … you know what. Ok, let’s start!
It is the most important thing. At first, you will have the full control of your system. During the installation of a new server, select only the basic libraries and tools necessary to run the new system. In the case of Debian, they are: basic system utilities and SSH Server. The next step is an installation of additional software. Be sure to install only what is needed. You must give up the environment and the X Window graphical configuration tools. OK, maybe it is easier but lamer too and hazardous. Through this you will lose the control of its settings and operation.
You can do everything to secure your system, but if you put your server on the table, where everyone has an access, then you will have a huge problem. Remember to turn off a possibility of run system via CD on your server too. It is very important. In particular, pay attention to a mechanism to block access to the hard disk password. The content of the media will not be able to be read after booting from LiveCD or connect it to another computer. The good solution is CryptLUKS!!! Another way to block the possibility of launching the operating system by an unauthorized person is to set up passwords to boot manager (GRUB). In both cases, you will need to have remote access to the server console, e.g. by KVM or iLO card. Otherwise, each server restart will require your visits in the server room to unlock the drive or operating system.
Turn on firewall
The next necessary step, but remember to turn on firewall “with head”. What that you enable firewall when you will not able to configure it in the proper way and you will add any to any (all all) rule. When I see such entries in the firewall then it gets damn me!
Use sudo instead of root account
The title says all for itself. As it is seen in the case of Windows OS, the use of administrator account for all is not a good way to improve system performance. Try to use user account… Sorry!!! YOU HAVE TO USE USER ACCOUNT WITH SUDO!!!
Automatic clock synchronization
Do you know about it? In many traffic safety algorithms the time plays a key role, namely the accuracy of the system clock. If these parameters are set wrong (e.g. clock off by several hours), then not everything will work correctly. Problems may arise during the login to the site using cookies or SSL (HTTPS).
Lock the root directory
After the installation, change the default directory permissions / root 755 and 750 or even 700. If, after this operation, refresh the Nautilus window, you’ll find that at the root of the distinctive character appeared to indicate a lack of access.
NOTE! You can not go wrong with encryption privileges. The file permissions 000 mean that the file is unreadable to all but the root, on condition that no one has physical access to your machine. If someone can remove your hard disk or run a bootable Linux distribution, then modification of permissions will not help you.
Disable login as root via SSH
PermitRootLogin yes – this option must be hastily changed to no! By default root login over the network is allowed, which can significantly facilitate the intruders attempted intrusion into the system by force.
It is only a few things you need to do to protect your system. Nobody said that it will be easy.