How to secure your Debian virtual server

In this article we will show you how to secure your Debian virtual server and protect yourself from unauthorized access. We are going to learn how to create and use SSH key pair authentication to log in to your server via SSH, and how to implement some basic firewall rules.

Another thing that you may be interested in is the automatic blocking mechanism called Fail2Ban.


LET’S START

The first thing you need to know is that you can follow this tutorial as the ROOT user; however, logging in to your server as ROOT is pretty risky if you do not know what you are doing. As ROOT you can execute any command you want, including one that accidentally breaks your system or deletes anything from it. That is why in this tutorial we will create another system user account and use that account at all times. Even with the newly created system user account you will still be able to execute superuser commands using sudo.


CREATE A NEW USER

To create a new system user account under Debian you will need to log in to your VPS as ROOT via SSH. Once you are in, the first thing you need to do is download the package lists from the repositories and “update” them to get information on the newest versions of packages and their dependencies. It will do this for all repositories and PPAs. To do that just type:

apt-get update

The next step/command will actually update all the software on your VPS. So, type:

apt-get upgrade

Once everything is done and upgraded you can create your new user. To do that type:

adduser your_new_user

Make sure to replace your_new_user with your desired username.

Set the password for the newly created user:

passwd your_new_user

and add the newly created user to the sudo group so that they can administer the system. You can do that by typing:

usermod -a -G sudo your_new_user

Make sure to replace your_new_user with your desired username.

Once the user is created we will need to log out from our ROOT account, so type:

exit

Log in again, but this time using the newly created system user. To do that type the following command:

ssh your_new_user@111.111.111.111

Make sure to replace your_new_user with your real new username, and 111.111.111.111 with your real IP address.

NOTE: In case you are running Windows on your local machine, please see this tutorial about how to log in via SSH.

Now you can safely work with your newly created user account and use sudo when you want to execute a superuser command. And the best thing is that almost all superuser commands can be run with sudo. The log of the commands executed with sudo can be found in /var/log/auth.log


SECURING YOUR SERVER

Firewall

Now we will set up a firewall and limit or block any unwanted incoming traffic and requests.

By default Debian comes with the iptables firewall installed. If for some reason you do not have iptables installed, now is the time to install it. Type:

sudo apt-get install iptables

Once the firewall is installed you can check the default firewall rules with:

sudo iptables -L

And since we have not implemented any firewall rules yet, you should see an empty ruleset:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now it is time to put some firewall rules in place. First create an empty file that will store our firewall rules:

sudo touch /etc/iptables.firewall.rules

Once the file is created we will start with some basic rules. To do that, edit the newly created file:

sudo nano /etc/iptables.firewall.rules

and copy + paste the following lines:

*filter

#  Allow all loopback (lo) traffic and reject all traffic to 127/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

So, in short, the firewall rules that we implemented will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked.
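
The comment in the rules file says the SSH --dport must match the port set in sshd_config; if it does not, loading the rules cuts off your own SSH access. The following check is an added example, not part of the original article: the function names sshd_port, fw_allowed_tcp_ports and ssh_port_allowed are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that the port sshd
# listens on is accepted by the rules file before running iptables-restore.

# Print the first "Port" value in an sshd_config file (sshd default: 22).
sshd_port() {
    awk 'tolower($1) == "port" { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# Print each TCP --dport that an INPUT rule ACCEPTs ahead of the catch-all
# "-A INPUT -j DROP"; rules placed after that line are never reached.
# Single ports only: port ranges and -m multiport are not parsed.
fw_allowed_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" {
            if ($0 ~ /^-A INPUT -j (DROP|REJECT)[ \t]*$/) exit
            if ($0 !~ /-p tcp/ || $0 !~ /-j ACCEPT/) next
            for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1"
}

# usage: ssh_port_allowed RULES_FILE SSHD_CONFIG  (exit status 0 = safe)
ssh_port_allowed() {
    fw_allowed_tcp_ports "$1" | grep -qx "$(sshd_port "$2")"
}

# Constructed sample input: a shortened copy of the article's rules, and an
# sshd_config whose port was moved to 2222 without updating the firewall.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
printf 'Port 2222\nPasswordAuthentication no\n' > "$demo_dir/sshd_config"

if ssh_port_allowed "$demo_dir/rules" "$demo_dir/sshd_config"; then
    echo "OK: SSH port is open in the rules file"
else
    echo "STOP: port $(sshd_port "$demo_dir/sshd_config") is not accepted by these rules"
fi
```

On the server itself, call ssh_port_allowed with /etc/iptables.firewall.rules and /etc/ssh/sshd_config instead of the sample files.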

Now it is time to activate the firewall rules. To do that type:

sudo iptables-restore < /etc/iptables.firewall.rules

and you can check if everything is ok and that the firewall rules are active with:

sudo iptables -L

and you should see something like:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Another thing we can do is to make sure that the firewall rules are activated every time you restart your server. To do that you will need to create a small script. So create:

sudo touch /etc/network/if-pre-up.d/firewall

edit the file:

sudo nano /etc/network/if-pre-up.d/firewall

and copy + paste the following:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

Save and close the file, and make it executable with:

sudo chmod +x /etc/network/if-pre-up.d/firewall

That’s it.


DISABLE SSH PASSWORD AND ROOT LOGIN

Another thing you can do to protect yourself from unauthorized access is to disable root login and the ability for anyone to log in to your server via SSH using a password (to accomplish this we will use a key authentication method).

First, let’s disable the SSH password authentication and root login:

1. Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

2. Find the line that says #PasswordAuthentication yes, remove the comment sign in front of it and set it to no, so that in the end it looks like:

PasswordAuthentication no

3. Next, in the same file, find the line that says PermitRootLogin yes and change it to no, so that in the end it looks like:

PermitRootLogin no

Save and close the file and restart the SSH service for the changes to take effect:

sudo service ssh restart

The second method that we will describe is SSH key authentication. This is a far more secure way of logging in via SSH than using a password, because a password can eventually be cracked with a brute force attack, while SSH keys are pretty much impossible to crack. Generating an SSH key pair provides you with two long strings of characters: a public key and a private key. You put the public key on your server, and then unlock it by connecting with a client that already has the private key. When the two match, the system unlocks and lets you in without asking for a password.

So before starting with anything else we will need to create an SSH Key Pair. To do that type:

ssh-keygen -t rsa

and you will be asked a few more questions. Answer them by just pressing the “ENTER” key on your keyboard.

[email protected]:/# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c0:af:31:18:9c:b1:6e:6a:1c:72:89:3c:d5:aa:f5:cd [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|    .            |
|   ..=           |
|   .=.o          |
|...o.o o         |
|oo+o+ o S        |
| +++. o+         |
| .+  ..E         |
| .               |
|                 |
+-----------------+

The private key is now stored in /root/.ssh/id_rsa and the public key in /root/.ssh/id_rsa.pub

How you answer the Enter passphrase (empty for no passphrase): prompt depends entirely on you. Entering a passphrase does have its benefits: the security of a key, no matter how well encrypted, still depends on it not being visible to anyone else, and if someone steals your private key they won’t be able to use it without the passphrase. The only downside of a passphrase is that you must type it each time you log in to your server via SSH.

Once the SSH key pair is created, it’s time to place the public key on the server where we want to log in. The simplest and easiest way to do that is with the ssh-copy-id command. So type:

ssh-copy-id your_new_user@111.111.111.111

Do not forget to replace your_new_user with your newly created system username and 111.111.111.111 with your server IP address.

That’s it. Now on your next SSH login you won’t be asked for a password but you will still be able to log in.

If you use Windows you can follow this tutorial to create an SSH key pair.
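
With password login switched off, access depends on a public key actually being installed for your user and on the sshd_config edits being active rather than left commented out. The following check is an added example, not part of the original article: the function names sshd_setting, key_count and check_ssh_hardening are hypothetical, the defaults passed to sshd_setting are those of current upstream OpenSSH, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): check the SSH hardening
# described above by reading the files on disk.

# Print the value sshd would use for KEYWORD: the first uncommented
# occurrence wins and keywords are case-insensitive. Parsing stops at the
# first Match block; Include files are not followed ("sshd -T" does both).
sshd_setting() {   # usage: sshd_setting FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Count public-key lines in an authorized_keys file (0 if unreadable).
key_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ec '^[^#]*(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) +AAAA' "$1" || true
}

# usage: check_ssh_hardening SSHD_CONFIG AUTHORIZED_KEYS
# Prints one line per problem; exit status 0 means all three checks passed.
check_ssh_hardening() {
    rc=0
    [ "$(key_count "$2")" -gt 0 ] ||
        { echo "FAIL: no public key in $2, key login would not work"; rc=1; }
    [ "$(sshd_setting "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not set to no"; rc=1; }
    [ "$(sshd_setting "$1" PermitRootLogin prohibit-password)" = no ] ||
        { echo "FAIL: PermitRootLogin is not set to no"; rc=1; }
    return "$rc"
}

# Constructed sample input: PasswordAuthentication was edited but left
# commented out, so sshd still falls back to its default of "yes".
demo=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication no' 'PermitRootLogin no' > "$demo/sshd_config"
# Constructed placeholder key, not a real one.
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQconstructed your_new_user@laptop' \
    > "$demo/authorized_keys"

check_ssh_hardening "$demo/sshd_config" "$demo/authorized_keys" ||
    echo "Keep the current session open and fix the items above."
```

On the server, pass /etc/ssh/sshd_config and the .ssh/authorized_keys file in the home directory of your_new_user, and confirm a key login from a second terminal before closing the session you are working in.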


If you’re one of our Linux VPS Hosting customers we can secure your Debian virtual server for you free of charge. Just contact us and some of our experts will complete your request immediately.
