Hardening Debian involves securing the system against various threats by applying configurations, tools, and best practices. Here are several steps and tools to improve the security of a Debian system:
sudo apt update && sudo apt upgrade
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
sudo systemctl disable <service>
sudo apt install ufw
# Allow SSH before enabling the firewall so a remote session is not locked out
sudo ufw allow ssh
sudo ufw enable
sudo ufw status verbose
sudo iptables -L
sudo nano /etc/ssh/sshd_config
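# Set PermitRootLogin to no
PermitRootLogin no
# Disable password logins (confirm key-based login works first)
PasswordAuthentication no
# Optional non-default port; the firewall must allow it (ufw allow ssh only opens 22)
Port 2222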
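A check for the sshd_config settings above, as an added example that is not part of the original page. The function names `sshd_value` and `audit_sshd` and the sample file are constructed for illustration, and the script reads a single file without following Include directives.

```shell
#!/bin/sh
# Added example (not from the original page); function names are illustrative.
# sshd keeps the FIRST value it reads for a keyword; later duplicates are ignored.

# Print the global value of keyword $2 in file $1, or default $3 if unset.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        { line = $0; sub(/^[ \t]+/, "", line)
          k = line; sub(/[ \t=].*$/, "", k); k = tolower(k) }
        k == "match" { exit }                  # conditional blocks are not global
        k == key { v = line
                   sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                   print v; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Compare against the values this page sets; return 1 on any mismatch.
audit_sshd() {
    file=$1 rc=0
    while read -r key want def; do
        got=$(sshd_value "$file" "$key" "$def")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '$got', expected '$want'"; rc=1
        fi
    done <<EOF
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
EOF
    echo "info Port $(sshd_value "$file" Port 22): allow this port in ufw"
    return $rc
}

# Constructed sample: hardened lines were appended below an older setting.
sample=$(mktemp)
cat >"$sample" <<'EOF'
PasswordAuthentication yes
permitrootlogin no
Port 2222
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
audit_sshd "$sample" || echo "result: not hardened as intended"
rm -f "$sample"
```

On a live host, `sudo sshd -T` prints the configuration sshd actually resolves, including any files pulled in with Include, which this single-file check does not follow.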
sudo apt install fail2ban
sudo apt install apparmor apparmor-profiles
sudo systemctl enable apparmor
sudo systemctl start apparmor
sudo apt install aide
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check
sudo apt install lynis
sudo lynis audit system
sudo visudo
sudo grub-mkpasswd-pbkdf2
sudo apt install libpam-google-authenticator
google-authenticator
sudo nano /etc/pam.d/sshd
# Add the following line:
auth required pam_google_authenticator.so
sudo apt install logwatch
sudo logwatch --detail high --mailto your-email@example.com --range today
/home, /var).
If you don’t use IPv6, consider disabling it to reduce the attack surface:
sudo nano /etc/sysctl.conf
# Add the following lines:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1