linux - What steps do you take to secure a Debian server?url Friday, April 8, 2011
linux - What steps do you take to secure a Debian server?
Extracted Page: http://serverfault.com/questions/11659/what-steps-do-you-take-to-secure-a-debian-server/11669#11669linux - What steps do you take to secure a Debian server?
Some people have pointed at the Securing Debian Manual. This should be perfectly adequate for everything but military requirements.
Many people think that being ridiculously paranoid is cool or professional or something. It's not, it's just annoying for other admins and outright repressive for your users. Most of the stuff you'll see recommended is just fake busywork to feel useful for the paranoid admin, but not actually helpful, since the real security breach is likely to be caused by a not sufficiently updated system and/or from an inside source.
That said, I do consider it one of my tenets to not trust anything on the local network any more than anything from the Internet. Therefore, I configure everything to require authentication even on the local network. I encrypt and authenticate all traffic between every one of computer using IPsec.
I am in the process of converting to full-disk encryption for all my servers.
I install only services I use. I do not have a firewall; I configure the services I have to require authentication or limit them (by the program's own configuration or by TCP-wrappers) to certain IPs. The only thing I ever need to block using iptables was
memcached, since it had no configuration file, and did not use TCP-wrappers.
I use good, randomly generated passwords for my accounts and trust my SSH server (and all other services) to keep those who do not know the password out.
fail2ban is only for those with limited space for log files, IMO. (You should have good enough passwords to be able to trust them.)