Hardening Debian means reducing attack surface, enforcing least privilege, and detecting changes early. This page is the index for a split hardening guide with more detailed sub-pages.

- Apply security updates regularly (or enable unattended upgrades).
- Remove/disable services you do not need.
- Restrict SSH: key-based authentication, no root login, rate limiting.
- Configure a default-deny firewall policy.
- Enable AppArmor (or SELinux, if you have a specific reason to use it instead).
- Centralize logs and run periodic audits (AIDE/Lynis/auditd).
- Protect data at rest (LUKS) and the boot chain (Secure Boot, GRUB settings).