How To Harden Debian Server


Its not enough to harden just Debain. Its necessary to harden the rest of Apache-MySQL-PHP as well.

Harden MYSQL
sudo mysql_secure_installation

answer Yes to all questions (but no need to change password)

Disabling SSH root login and settings
sudo vi /etc/ssh/sshd_config

change

PermitRootLogin yes
to
PermitRootLogin no

LoginGraceTime 120
to
LoginGraceTime 30

add line

AllowUsers username username username

Consider disabling ChallengeResponse logins in SSH

Restart Apache (any one of these)

sudo service ssh restart
sudo /etc/init.d/ssh restart
sudo apachectl restart
Limiting access to su
sudo chown root:admin /bin/su
sudo chmod 04750 /bin/su
Limiting access to apt-get and aptitude

Remember you’ll have to change this back to 700 everytime you update the system

sudo chmod 000 /usr/bin/apt-get
sudo chmod 000 /usr/bin/aptitude
Install Fail2ban

Install Fail2ban
Fail2ban Wiki

Add rules to iptables

Handy iptables rule for handling w00tw00t attacks that Fail2ban is not best to handle

iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

http://pierre.linux.edu/2010/06/using-iptables-to-reject-w00tw00t-at-isc-sans-dfind-scanners/

iptables How To & Tips & Tricks

Prevent Apache from displaying index /var/www

add this line

sudo vi /var/www/.htaccess

Options -Indexes

Set permissions and protect .htaccess from tampering
sudo chown username:www-data /var/www/.htaccess
sudo chmod 444 /var/www/.htaccess

Harden Debian using PSAD

Now don’t forget to Harden WordPress

Disable Timestamp

Adversaries can remotely access the current uptime of your machine and the host’s clock-down to millisecond precision. To avoid this information being passed, it is recommended that you disable TCP timestamps on your systems. The less information attackers can get, the higher the security.

sudo vi /etc/sysctl.conf

add line

net.ipv4.tcp_timestamps = 0

sudo sysctl -p


You may also like...