Keeping Debian updated is the single highest-impact hardening step.
sudo apt update
sudo apt full-upgrade
sudo apt autoremove --purge
Notes:
apt upgrade never removes packages. Use full-upgrade when a new kernel or a changed dependency needs packages added or removed, so apt can resolve it cleanly instead of holding them back.
autoremove --purge drops the orphaned packages that result, together with their config files.

Install the tooling:
sudo apt install unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades
Check that the timers are enabled. The scheduled work is driven by apt-daily.timer (refreshes package lists) and apt-daily-upgrade.timer (runs unattended-upgrade); unattended-upgrades.service is the shutdown hook that lets an in-progress run finish, so the timers are what matter here (rg is ripgrep, not installed by default; grep -En does the same job):
systemctl status unattended-upgrades
systemctl list-timers | rg -n "apt-daily|apt-daily-upgrade|unattended"
Common config files:
/etc/apt/apt.conf.d/50unattended-upgrades (which origins may be installed from, e.g. the Debian-Security label; automatic reboot and mail settings)
/etc/apt/apt.conf.d/20auto-upgrades (the APT::Periodic switches that dpkg-reconfigure writes)

Debian stable ships security fixes from a separate suite. Its name follows the release codename and the scheme changed in Debian 11: bullseye and later use <codename>-security, buster and earlier used <codename>/updates. Check what your system is running:
. /etc/os-release
echo "$VERSION_CODENAME"
apt-cache policy | sed -n '1,120p'
If you manage sources manually, confirm you have a *-security entry for your release. For a bookworm system that is a line such as deb http://security.debian.org/debian-security bookworm-security main, or the equivalent Suites: line in a deb822 .sources file. Keep <codename>-updates as well; it carries non-security fixes between point releases.
Helpful packages:
sudo apt install needrestart debsums
needrestart tells you which daemons need a restart after upgrades, and whether the running kernel is outdated. Run it as sudo needrestart, or needrestart -r l to list without restarting; it also hooks into apt, so it normally prompts at the end of an upgrade.
debsums verifies installed files against the md5sums shipped in each package (debsums -s reports only changed files). It catches accidental modification and careless tampering, not an attacker who can also rewrite the lists under /var/lib/dpkg/info; config files are skipped unless you pass -a.