Tuesday, April 23, 2024
HomeLatestSecuring Your Debian 13 Cloud Instance: A No-Frills Guide

Securing Your Debian 13 Cloud Instance: A No-Frills Guide

In the cloud, security is paramount. Every instance, especially those running on Debian 13, represents a potential entry point for malicious actors. The flexibility and power of Debian make it a preferred choice for cloud environments, but without proper security measures, its strengths can quickly become vulnerabilities. This guide strips away the fluff to provide you with straightforward, actionable steps to secure your Debian 13 cloud instance right from the start.

Steps to take before installing your Webapp of choice

The following steps should be applied to every installation of Debian, wether it hosts a public facing webapplicaiton or not.

Creating an ED25519 Public Key

Start by creating an ED25519 SSH key, if you haven’t already. This modern key algorithm offers better security than RSA and is quicker to generate and use.

“`bash
ssh-keygen -t ed25519 -C “[email protected]
“`

Replace “[email protected]” with your actual email address for easier identification of your key.

Setting Up the Key for the Root User

Next, ensure that the root user on your server can use this key for SSH access.

Log into your server and create the .ssh directory in the root’s home directory, if it doesn’t exist:

“`bash
mkdir -p /root/.ssh
chmod 700 /root/.ssh
“`

Add your public key to the authorized_keys file:

“`bash
echo your_public_key >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
“`

Replace your_public_key with the actual content of your public key.

Securing the SSH Server

It’s crucial to disable password-based authentication to prevent brute-force attacks. Edit the SSH configuration file:

“`bash
nano /etc/ssh/sshd_config
“`

Find the line #PasswordAuthentication yes and change it to:

“`plaintext
PasswordAuthentication no
“`

Reload the SSH service:

“`
systemctl reload sshd
“`

Fail2Ban for SSH

Fail2Ban monitors login attempts to SSH and temporarily bans IPs that show malicious patterns.

Install Fail2Ban:

“`bash
apt install fail2ban
“`

A default configuration should work well, but you can customize it in /etc/fail2ban/jail.local.

Configuring APT Unattended Upgrades

To keep your system updated automatically to reduce vulnerabilities, install the unattended-upgrades package:

“`bash
apt install unattended-upgrades apt-listchanges
“`

Enable it by editing /etc/apt/apt.conf.d/20auto-upgrades:

“`bash
nano /etc/apt/apt.conf.d/20auto-upgrades
“`

Ensure the file contains at least the following lines:

“`plaintext
APT::Periodic::Update-Package-Lists “1”;
APT::Periodic::Download-Upgradeable-Packages “1”;
APT::Periodic::AutocleanInterval “7”;
APT::Periodic::Unattended-Upgrade “1”;
“`

Steps to take after installing your Webapp of choice

After installing your web application of choice, ensure that the services it requires are securely configured. You should never have services like mysql, redis or others be accessible from the internet.

Checking Open Ports with lsof / netstat

It is important to check which ports are open to the public internet:

“`bash
lsof -i :3306
“`

You might see output similar to this for a MySQL server listening on all interfaces:

“`plaintext
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mariadbd 2066804 mysql   47u  IPv4 629720196      0t0  TCP 0.0.0.0:mysql (LISTEN)
“`

This indicates that your MySQL server is accessible from the internet, which is a risk. Ensure services only listen on 127.0.0.1 if they do not require external access.

Scanning for open ports with nmap

An nmap scan can help identify ports that are accessible to the public internet instead of just localhost:

“`bash
nmap -p 0-65535 www.example.com
“`

Example output where nmap found an open MySQL port:

“`plaintext
PORT     STATE SERVICE
3306/tcp open  mysql
“`

Simple Firewall with UFW

UFW (Uncomplicated Firewall) provides an easy way to manage firewall rules.

Enable UFW:

“`bash
ufw enable
“`

Allow SSH, HTTP and HTTPS and deny everything else by default:

“`bash
ufw allow ssh
ufw allow 80
ufw allow 443
ufw default deny incoming
“`

This setup helps prevent unintended exposure of services like MySQL in case they are not configured correctly by accident. Keep in mind that Debian has a (bad) habbit of starting services directly after installation, meaning that if you `apt install mariadb-server`, it will be briefly accessible to the internet until you can reconfigure it. A firewall helps with that.

Basic Monitoring with Atop

atop is a tool for monitoring system resources and load similar to `top`. It helps diagnose load spikes and resource bottlenecks. However it saves all data periodically so you can look at the `top` information that was saved in the past. This can help you to answer questions like “which process caused high load three hours ago”.

To install atop:

“`bash
apt install atop
“`

You can find a detailed description on atops interface and how to use it here.

Security Auditing with Lynis

lynis audits your system for security best practices. It’s output might be a bit paranoid at times, but you should run it periodically to make sure you did not misconfigure anything critical.

To install Lynis:

“`bash
apt install lynis
“`

T run a lynis audit:

“`bash
lynis audit system
“`

Conclusion

This guide provides foundational steps towards securing your Debian 13 cloud instance. Regularly review and update your security practices to address new vulnerabilities and threats.

Special Thanks

We thank the Linux Consultants of Blunix GmbH Berlin for their assistance and help in creating this article. If you are looking for emergency support for your Linux server because your server was compromised, Blunix is ready to assist you 24/7/365.

IEMA IEMLabs
IEMA IEMLabshttps://iemlabs.com
IEMLabs is an ISO 27001:2013 and ISO 9001:2015 certified company, we are also a proud member of EC Council, NASSCOM, Data Security Council of India (DSCI), Indian Chamber of Commerce (ICC), U.S. Chamber of Commerce, and Confederation of Indian Industry (CII). The company was established in 2016 with a vision in mind to provide Cyber Security to the digital world and make them Hack Proof. The question is why are we suddenly talking about Cyber Security and all this stuff? With the development of technology, more and more companies are shifting their business to Digital World which is resulting in the increase in Cyber Crimes.
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments

Izzi Казино онлайн казино казино x мобильді нұсқасы on Instagram and Facebook Video Download Made Easy with ssyoutube.com
Temporada 2022-2023 on CamPhish
2017 Grammy Outfits on Meesho Supplier Panel: Register Now!
React JS Training in Bangalore on Best Online Learning Platforms in India
DigiSec Technologies | Digital Marketing agency in Melbourne on Buy your favourite Mobile on EMI
亚洲A∨精品无码一区二区观看 on Restaurant Scheduling 101 For Better Business Performance

Write For Us