In the cloud, security is paramount. Every instance, especially those running on Debian 13, represents a potential entry point for malicious actors. The flexibility and power of Debian make it a preferred choice for cloud environments, but without proper security measures, its strengths can quickly become vulnerabilities. This guide strips away the fluff to provide you with straightforward, actionable steps to secure your Debian 13 cloud instance right from the start.
Steps to take before installing your Webapp of choice
The following steps should be applied to every installation of Debian, whether it hosts a public-facing web application or not.
Creating an ED25519 Public Key
Start by creating an ED25519 SSH key, if you haven’t already. This modern key algorithm offers better security than RSA and is quicker to generate and use.
```bash
ssh-keygen -t ed25519 -C "[email protected]"
```
Replace “[email protected]” with your actual email address for easier identification of your key.
Setting Up the Key for the Root User
Next, ensure that the root user on your server can use this key for SSH access.
Log into your server and create the .ssh directory in the root’s home directory, if it doesn’t exist:
```bash
mkdir -p /root/.ssh
chmod 700 /root/.ssh
```
Add your public key to the authorized_keys file:
```bash
echo your_public_key >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
```
Replace your_public_key with the actual content of your public key.
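The two commands above do the job once, but run a second time they append a duplicate, and they do nothing to stop a malformed line from ending up in the file. The following script is an added example, not part of the original guide: it installs a key into an authorized_keys file idempotently and sets the permissions sshd's StrictModes check requires. The target directory is a parameter so the function can be exercised against a scratch directory; on the server it would be /root/.ssh.

```bash
#!/bin/sh
# Added example, not from the original guide: install one OpenSSH public key
# into <ssh_dir>/authorized_keys without creating duplicates.

install_authorized_key() {
    ssh_dir="$1"       # e.g. /root/.ssh
    pubkey="$2"        # one line: "<type> <base64 key material> [comment]"
    auth_file="$ssh_dir/authorized_keys"

    # Refuse anything that does not look like an OpenSSH public key line.
    case "$pubkey" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) printf 'refusing to install malformed key\n' >&2; return 2 ;;
    esac

    # With StrictModes (the default) sshd ignores authorized_keys when the
    # directory or file is group/world writable, so set both explicitly.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # Compare on key type and key material only; the trailing comment may
    # differ between two copies of the same key.
    key_material=$(printf '%s\n' "$pubkey" | awk '{print $1" "$2}')
    if awk -v k="$key_material" '($1" "$2)==k {found=1} END {exit !found}' "$auth_file"; then
        printf 'key already present\n'
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
    printf 'key installed\n'
}

count_keys() {
    # Number of key lines in an authorized_keys file (blank and comment lines excluded).
    grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1"
}

# Usage on the server (constructed key shown as a placeholder):
# install_authorized_key /root/.ssh "ssh-ed25519 AAAA...your key material... admin@laptop"
```

Because the comparison ignores the comment field, re-running the script with a key whose comment was changed still reports it as already present rather than adding a second line.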
Securing the SSH Server
It’s crucial to disable password-based authentication to prevent brute-force attacks. Edit the SSH configuration file:
```bash
nano /etc/ssh/sshd_config
```
Find the line #PasswordAuthentication yes and change it to:
```plaintext
PasswordAuthentication no
```
Reload the SSH service:
```bash
systemctl reload sshd
```
Fail2Ban for SSH
Fail2Ban monitors login attempts to SSH and temporarily bans IPs that show malicious patterns.
Install Fail2Ban:
```bash
apt install fail2ban
```
A default configuration should work well, but you can customize it in /etc/fail2ban/jail.local.
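A minimal jail.local, added here as an example and not taken from the original guide or the fail2ban project, with the settings most worth overriding for an SSH-only host. The `ignoreip` address is a placeholder from the documentation range; replace it with the address you administer from so you cannot ban yourself. Reading from the systemd journal avoids depending on /var/log/auth.log, which only exists when rsyslog is installed.

```ini
# /etc/fail2ban/jail.local  (added example, not from the original guide)
[DEFAULT]
# Read sshd log lines from the systemd journal rather than /var/log/auth.log.
backend = systemd
# Never ban loopback or the address you administer from (placeholder value).
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

[sshd]
enabled = true
maxretry = 5
findtime = 10m
bantime = 1h
# Lengthen the ban for addresses that come back after being unbanned.
bantime.increment = true
```

After editing, `systemctl restart fail2ban` and `fail2ban-client status sshd` show whether the jail is active and which addresses are currently banned.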
Configuring APT Unattended Upgrades
To reduce exposure to known vulnerabilities, keep your system updated automatically by installing the unattended-upgrades package:
```bash
apt install unattended-upgrades apt-listchanges
```
Enable it by editing /etc/apt/apt.conf.d/20auto-
```bash
nano /etc/apt/apt.conf.d/20auto-
```
Ensure the file contains at least the following lines:
```plaintext
APT::Periodic::Update-Package-
APT::Periodic::Download-
APT::Periodic::
APT::Periodic::Unattended-
```
Steps to take after installing your Webapp of choice
After installing your web application of choice, ensure that the services it requires are securely configured. Services like MySQL, Redis and similar backends should never be reachable from the internet.
Checking Open Ports with lsof / netstat
It is important to check which ports are open to the public internet:
```bash
lsof -i :3306
```
You might see output similar to this for a MySQL server listening on all interfaces:
```plaintext
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mariadbd 2066804 mysql 47u IPv4 629720196 0t0 TCP 0.0.0.0:mysql (LISTEN)
```
This indicates that your MySQL server is accessible from the internet, which is a risk. Ensure services only listen on 127.0.0.1 if they do not require external access.
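Checking one port at a time is easy to forget. The script below is an added example, not part of the original guide: it reads the output of `lsof -nP -iTCP -sTCP:LISTEN` (numeric ports and addresses, listening TCP sockets only) and reports every socket bound to something other than a loopback address, then compares that against the ports you intend to expose. The sample output embedded in it is constructed for the example, not captured from a real host.

```bash
#!/bin/sh
# Added example, not from the original guide: list TCP listeners that are
# reachable from outside the host and compare them against an allow-list.

# Constructed sample in the format of `lsof -nP -iTCP -sTCP:LISTEN`; not real
# output from any host.
SAMPLE_LSOF='COMMAND   PID  USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd      812  root 3u IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd      812  root 4u IPv6  12346      0t0  TCP *:22 (LISTEN)
mariadbd 2066804 mysql 47u IPv4 629720196 0t0 TCP 0.0.0.0:3306 (LISTEN)
redis-server 910 redis 6u IPv4 23456 0t0 TCP 127.0.0.1:6379 (LISTEN)
redis-server 910 redis 7u IPv6 23457 0t0 TCP [::1]:6379 (LISTEN)
postgres 1001 postgres 5u IPv6 34567 0t0 TCP [::]:5432 (LISTEN)
nginx 1200 www-data 6u IPv4 45678 0t0 TCP 0.0.0.0:443 (LISTEN)'

public_listeners() {
    # Reads lsof output on stdin; prints "<command> <port>" for every listening
    # TCP socket not bound to a loopback address, de-duplicated so the IPv4 and
    # IPv6 sockets of one service collapse into a single line.
    awk '
        $NF == "(LISTEN)" {
            addr = $(NF-1)                     # e.g. 0.0.0.0:3306 or [::1]:6379
            n = split(addr, parts, ":")        # the port follows the last colon
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^(127\.|\[::1]$|localhost$)/) next   # loopback only: fine
            key = $1 " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

unexpected_listeners() {
    # $@ = ports that are meant to be reachable (e.g. 22 80 443). Prints every
    # public listener whose port is not on that list.
    allowed=" $* "
    public_listeners | while read -r cmd port; do
        case "$allowed" in
            *" $port "*) ;;
            *) printf '%s %s\n' "$cmd" "$port" ;;
        esac
    done
}

# Usage on the server (lsof must be installed; `apt install lsof` if it is not):
# lsof -nP -iTCP -sTCP:LISTEN | unexpected_listeners 22 80 443
# Against the constructed sample, this prints "mariadbd 3306" and "postgres 5432":
# printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners 22 80 443
```

A wildcard bind (`*`, `0.0.0.0` or `[::]`) is only reachable from the internet if the firewall lets the port through, but the listener audit is still worth running on its own: it tells you what would be exposed the moment a firewall rule is loosened by mistake.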
Scanning for open ports with nmap
An nmap scan can help identify ports that are accessible to the public internet instead of just localhost:
```bash
nmap -p 0-65535 www.example.com
```
Example output where nmap found an open MySQL port:
```plaintext
PORT STATE SERVICE
3306/tcp open mysql
```
Simple Firewall with UFW
UFW (Uncomplicated Firewall) provides an easy way to manage firewall rules.
Enable UFW:
```bash
ufw enable
```
Allow SSH, HTTP and HTTPS and deny everything else by default:
```bash
ufw allow ssh
ufw allow 80
ufw allow 443
ufw default deny incoming
```
This setup helps prevent unintended exposure of services like MySQL in case they are accidentally misconfigured. Keep in mind that Debian has a (bad) habit of starting services directly after installation, meaning that if you `apt install mariadb-server`, it will be briefly accessible from the internet until you can reconfigure it. A firewall helps with that.
Basic Monitoring with Atop
atop is a tool for monitoring system resources and load, similar to `top`. It helps diagnose load spikes and resource bottlenecks. Unlike `top`, it also saves its data periodically, so you can look at the `top`-style information that was recorded in the past. This can help you answer questions like “which process caused high load three hours ago”.
To install atop:
```bash
apt install atop
```
You can find a detailed description of atop's interface and how to use it here.
Security Auditing with Lynis
lynis audits your system for security best practices. Its output might be a bit paranoid at times, but you should run it periodically to make sure you did not misconfigure anything critical.
To install Lynis:
```bash
apt install lynis
```
To run a lynis audit:
```bash
lynis audit system
```
Conclusion
This guide provides foundational steps towards securing your Debian 13 cloud instance. Regularly review and update your security practices to address new vulnerabilities and threats.
Special Thanks
We thank the Linux Consultants of Blunix GmbH Berlin for their assistance and help in creating this article. If you are looking for emergency support for your Linux server because your server was compromised, Blunix is ready to assist you 24/7/365.