Hardening Debian Linux
March 30th, 2010 by kc
Here are a few tips for hardening your Debian/Ubuntu server.
SSH key based authentication
Only allow logins using public SSH keys; this way we prevent password brute-force attacks. Create a private and public key pair using the ssh-keygen command. First copy the public key from your PC to the server using:
$ ssh-copy-id -i .ssh/id_rsa.pub user@host
Test that you can log in with your key. The public key is stored in .ssh/authorized_keys, so when you add a new user, ask them for their public key and append it to their authorized_keys file.
Change /etc/sshd_config to disable password based logins:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Filesystem permissions
The default umask is 022, which gives other/world users read access to newly created files. With umask 007 the owner and group get read/write access and other/world gets no access at all.
Change the default umask from 022 to 007 in both:
/etc/profile
/etc/login.defs
Mounted volumes must have proper permissions
Add the nosuid and nodev mount options in /etc/fstab to partitions that should hold no setuid programs and no device nodes.
Example:
/dev/sda5 /tmp ext3 defaults,nosuid,nodev 0 2
/dev/sda6 /var ext3 defaults,nosuid,nodev 0 2
/dev/sda7 /data2 ext3 defaults,nosuid,nodev 0 2
Dedicated group for su
Only allow users in the adm group to become root via su, using pam_wheel.
In /etc/pam.d/su uncomment this line and add the group part:
auth required pam_wheel.so group=adm
Separate temp directories for users
With the pam_tmpdir module each user gets a separate temp directory: instead of /tmp, each user gets /tmp/user/USERID, so a user cannot see the temp files of other users.
Install the tmpdir pam module:
apt-get install libpam-tmpdir
Add the following line to /etc/pam.d/common-session:
session optional pam_tmpdir.so
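The SSH, fstab, su and tmpdir settings above are easy to get subtly wrong (a commented-out line, a missing option on one partition), so here is an added check script that is not part of the original post. Each check takes the file to inspect as an argument; the sample files it creates are constructed here to mirror the post's settings, and the real Debian paths (/etc/ssh/sshd_config, /etc/fstab, /etc/pam.d/su, /etc/pam.d/common-session) can be passed instead.

```shell
#!/bin/sh
# Added example, not the post's own code: checks for the settings the post
# recommends. Every check takes the file to inspect as an argument, so the
# same functions run on the constructed samples below or on the real files.
# Effective sshd_config value: last uncommented occurrence wins (Match blocks not handled).
sshd_value() {  # $1=sshd_config $2=keyword (case-insensitive)
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}
# 0 only if both password and challenge-response logins are switched off.
check_ssh_keys_only() {  # $1=sshd_config
    [ "$(sshd_value "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_value "$1" ChallengeResponseAuthentication)" = no ]
}
# 0 only if the fstab entry for mount point $2 carries both nosuid and nodev.
check_fstab_opts() {  # $1=fstab $2=mountpoint
    awk -v m="$2" '$1 !~ /^#/ && $2 == m {
            split("", f); n = split($4, o, ","); for (i = 1; i <= n; i++) f[o[i]] = 1
            if (f["nosuid"] && f["nodev"]) ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}
# 0 only if an uncommented pam_wheel line restricts su to group $2.
check_su_group() {  # $1=pam su file $2=group
    grep -Eq "^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*[[:space:]]group=$2([[:space:]]|\$)" "$1"
}
# 0 only if pam_tmpdir is enabled for sessions.
check_pam_tmpdir() {  # $1=pam common-session file
    grep -Eq '^[[:space:]]*session[[:space:]]+optional[[:space:]]+pam_tmpdir\.so' "$1"
}
# Print PASS/FAIL for one check: $1=label, remaining args=the check command.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}
# Constructed sample files mirroring the post (/var deliberately lacks nosuid,nodev).
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
printf '%s\n' 'ChallengeResponseAuthentication no' 'PasswordAuthentication no' \
    'UsePAM no' > "$SAMPLE/sshd_config"
printf '%s\n' '/dev/sda5 /tmp ext3 defaults,nosuid,nodev 0 2' \
    '/dev/sda6 /var ext3 defaults 0 2' > "$SAMPLE/fstab"
printf '%s\n' '# auth required pam_wheel.so' 'auth required pam_wheel.so group=adm' > "$SAMPLE/su"
printf '%s\n' 'session optional pam_tmpdir.so' > "$SAMPLE/common-session"

report "sshd: key-only logins"    check_ssh_keys_only "$SAMPLE/sshd_config"
report "fstab: /tmp nosuid,nodev" check_fstab_opts "$SAMPLE/fstab" /tmp
report "fstab: /var nosuid,nodev" check_fstab_opts "$SAMPLE/fstab" /var
report "su: restricted to adm"    check_su_group "$SAMPLE/su" adm
report "pam: per-user tmp dirs"   check_pam_tmpdir "$SAMPLE/common-session"
```

Replace the sample paths with the real ones to audit a host; the /var line is expected to report FAIL on the sample, showing the check catches a partition that was missed.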
Do a security audit for the system
Lynis is an excellent tool for auditing the system: it tests and gathers (security) information on *nix based systems. Download the latest tarball, unpack it and run it.