Secure Debian 10 Installation (Debian Buster)

Attawit Kittikrairit
May 1, 2020

I have been a Debian power user for years. One thing that makes Debian stand out from other popular Linux distros (e.g. Ubuntu, CentOS) is its minimal installation. To date, Debian still maintains its minimalism, just as it did 10 years ago.

Debian does not come with sudo preinstalled.

That’s so 10-year-ago.

This installation guide will walk you through the process of tightening your Debian installation’s security.

1. Installing your Debian

I am not going to tell you how to install your Linux. You know how to do it when you have to do it. But I will give you this piece of advice.

  • Use any password for root. (We will disable the root password later.)
  • When you are creating a new user, use a secure password.
  • On the Software Selection page, you must check SSH Server. This will install the SSH server for you.

2. Setup SSH

Once Debian is installed, the first thing we want to do is secure our SSH login. After all, SSH will be our primary way to access our Debian installation.

At the moment, our SSH is not secure. Anyone can brute-force the SSH login as the root user until they crack your Debian. You do not want that.

  1. Add your public key to the server
$ ssh-copy-id <yourusername>@<your-debian-ip>
// You will be prompted for the password

This command copies your SSH RSA public key from ~/.ssh/id_rsa.pub to your Debian server.

Now we can do ssh <yourusername>@<your-debian-ip> without providing any password.

  2. Secure SSH server config

// Execute the following line from your workstation
$ ssh <yourusername>@<your-debian-ip>
// Now we are logged in
// Give yourself root access
$ su -
# nano /etc/ssh/sshd_config

Here is our configuration:

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no

What we did was

  • Disallow Root from logging in via SSH.
  • Explicitly allow SSH login with Public Key.
  • Disallow any SSH login with the Password.

To make our change effective, we need one last step:

# systemctl restart sshd

Now we log in again:

// exit from su
# exit
// log out of SSH
$ exit
// re-login
$ ssh <yourusername>@<your-debian-ip>
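
A check for the three settings above, as an added example that is not part of the original guide: sshd uses the first value it obtains for each keyword, so lines appended below an earlier uncommented setting have no effect. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# effective_sshd_value FILE KEYWORD (hypothetical helper, added example)
# Prints the value sshd uses for KEYWORD in the global part of FILE: first
# uncommented occurrence wins, keywords are case-insensitive, parsing stops at
# the first Match block, and an unset keyword falls back to the OpenSSH default.
effective_sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        BEGIN {
            def["permitrootlogin"] = "prohibit-password"
            def["pubkeyauthentication"] = "yes"
            def["passwordauthentication"] = "yes"
        }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            split(line, f, /[ \t=]+/); key = tolower(f[1])
            if (key == "match") exit
            if (key == want) { gsub(/"/, "", f[2]); print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print def[want] }
    ' "$1"
}

# audit_sshd FILE: succeeds only if all three settings from the guide are in effect.
audit_sshd() {
    rc=0
    for pair in permitrootlogin=no pubkeyauthentication=yes passwordauthentication=no; do
        key=${pair%%=*}; expect=${pair#*=}
        got=$(effective_sshd_value "$1" "$key")
        if [ "$got" = "$expect" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '$got', expected '$expect'"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the guide's lines were appended at the bottom while an
# earlier uncommented PasswordAuthentication line is still present.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "=> edit or remove the earlier line, then re-run"
rm -f "$sample"
```

On the server, point audit_sshd at /etc/ssh/sshd_config before running systemctl restart sshd. sudo sshd -t checks the file for syntax errors, and sudo sshd -T prints the settings the daemon will actually use.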

3. Setup sudo

As you might have noticed, we have been using su to elevate our user to root. The reason we are using su is that sudo is not yet installed on our system.

In this step, we will

  • Install sudo
  • Grant our user permission to use sudo

// Become root
$ su -
// Install sudo
# apt install sudo
// Put yourself in the sudo group
# usermod -aG sudo <yourusername>
// exit from su
# exit
// log out of SSH
$ exit
// re-login
$ ssh <yourusername>@<your-debian-ip>

Now you should be able to use sudo.

We can test it by executing the following lines:

// Enter root shell
$ sudo -s
// exit root shell
# exit

It is that simple.

4. Disable usage of su

su is powerful. And you might have already noticed that it does not restrict anyone from using it. We do not want that. In fact, we are now going to restrict everyone, including yourself, from using su.

Let’s start!

$ sudo nano /etc/pam.d/su

Now we want to uncomment the line:

// Find the line:
# auth required pam_wheel.so
// Uncomment it:
auth required pam_wheel.so

Save the file, and the change is now in effect.

You can no longer use su. Don’t believe me? Try it yourself.

$ su -
Password:
su: Permission denied

5. Lock root account

Locking the root account is as simple as

$ sudo passwd -l root

You are done.

Explanation of what passwd -l <username> does:

Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password).

6. Suggestions

Now we have secured our Debian installation. Here is what you have to keep in mind.

  • You are the sole administrator who has privileged access.
  • Keep your private key secure and DO NOT lose it.
  • Do not forget your password. You don’t need it for SSH login but you need it for sudo.
