DEBIAN - Hardening

From IT-Arts.net
Revision as of 06:30, 17 January 2026 by Admin




Scope and Assumptions

This documentation describes a post-installation hardening script targeting Debian GNU/Linux (stable or LTS). The script is assumed to be executed with root privileges in a controlled environment and adapted to the system’s role (server, VM, workstation, appliance).

Assumptions:

  • System is freshly installed or recently provisioned
  • Administrator has console or out-of-band access
  • System role is clearly defined before applying hardening
  • No automated configuration management is yet enforcing security state

Security Concepts and Threat Model

The hardening script is designed around the following security concepts:

  • Principle of Least Privilege – services, users, and processes only receive strictly required permissions
  • Defense in Depth – multiple independent layers (kernel, filesystem, network, services)
  • Secure by Default – deny-all baseline, explicit allow rules
  • Attack Surface Reduction – disable unused services, protocols, and kernel features
  • Auditability – security-relevant events are logged and traceable
  • Fail-Safe Defaults – misconfiguration leads to denial rather than silent allowance

Threats addressed:

  • Remote service exploitation
  • Credential brute-force and lateral movement
  • Local privilege escalation
  • Persistence via scheduled tasks or startup units
  • Data exfiltration and log tampering

Script Architecture and Execution Model

The hardening script should be modular and idempotent.

Recommended structure:

  • 00-env-check.sh
  • 10-packages.sh
  • 20-kernel.sh
  • 30-auth.sh
  • 40-network.sh
  • 50-services.sh
  • 60-filesystem.sh
  • 70-audit.sh
  • 80-maintenance.sh

Example execution guard:

if [ "$(id -u)" -ne 0 ]; then
  echo "Must be run as root"
  exit 1
fi

Idempotency is achieved by:

  • Using declarative configuration files
  • Avoiding destructive inline edits
  • Checking state before applying changes
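The following is an added example and not part of the original page: a small runner for the modular layout above. It executes the NN-*.sh modules of a directory in lexical order, stops at the first failing module (fail-safe rather than continuing with a half-applied baseline), and records finished modules in a state file so that a re-run after a fix resumes where it stopped. The directory and state-file paths, and the constructed demo modules, are assumptions for this illustration; the modules themselves must still be idempotent, the runner only provides ordering and resumability.

```shell
#!/bin/sh
# Added example, not from the original page: ordered, fail-safe runner for
# NN-*.sh hardening modules with a resume state file (paths are assumptions).

run_hardening_modules() {
  # $1 = directory holding the modules, $2 = state file listing applied modules
  local dir="$1" state="$2" mod name rc
  : >> "$state"                        # create the state file on first use
  for mod in "$dir"/[0-9][0-9]-*.sh; do
    [ -e "$mod" ] || continue          # the glob matched nothing
    name=$(basename "$mod")
    if grep -qx "$name" "$state"; then
      printf 'skip %s (already applied)\n' "$name"
      continue
    fi
    printf 'run  %s\n' "$name"
    # each module runs in a child shell, so its own "exit" or "set -e" cannot
    # take the runner down; a non-zero status aborts the whole sequence
    rc=0
    sh "$mod" || rc=$?
    if [ "$rc" -ne 0 ]; then
      printf 'FAIL %s (status %s), stopping\n' "$name" "$rc" >&2
      return 1
    fi
    echo "$name" >> "$state"
  done
  return 0
}

demo_runner() {
  # constructed modules: the second one fails, so the third is never reached
  local tmp
  tmp=$(mktemp -d)
  echo 'echo "applying sysctl settings"'       > "$tmp/20-kernel.sh"
  printf 'echo "auth module broken"\nexit 3\n' > "$tmp/30-auth.sh"
  echo 'echo "configuring firewall"'           > "$tmp/40-network.sh"
  run_hardening_modules "$tmp" "$tmp/state" || echo "first run aborted"
  echo 'echo "auth module fixed"'              > "$tmp/30-auth.sh"
  run_hardening_modules "$tmp" "$tmp/state" || echo "second run aborted"
  echo "applied modules:"; cat "$tmp/state"
  rm -rf "$tmp"
}

demo_runner
```

The state file is only a resume marker: delete it to force a full re-run, which must produce the same end state if the modules are written declaratively as described above.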

Package Management Hardening

Remove unnecessary packages and enforce secure package handling.

Example:

apt purge telnet rsh-client rsh-server talk talkd xinetd -y
apt install --no-install-recommends \
  sudo ufw fail2ban auditd apparmor apparmor-utils -y

Disable automatic installation of suggested packages:

echo 'APT::Install-Suggests "false";' > /etc/apt/apt.conf.d/99nosuggests

User Accounts and Authentication

Ensure proper password policies and account controls.

Password aging and complexity:

sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS   7/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE   14/' /etc/login.defs

Lock system accounts:

for u in sync shutdown halt games; do
  usermod -L "$u"
done

Restrict su access:

dpkg-statoverride --update --add root sudo 4750 /bin/su

SSH Daemon Hardening

Harden remote access while preventing lockout.

Configuration changes in /etc/ssh/sshd_config (create the sshusers group and add the administrative account to it before reloading, otherwise AllowGroups locks every account out; on OpenSSH 8.7 and later ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication and both spellings are accepted):

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 20
AllowGroups sshusers

Validate the syntax before reloading (a reload with a broken configuration is rejected, but the check makes the failure explicit in the script):

sshd -t && systemctl reload ssh
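sshd -t only proves the file parses; it does not prove the directives above are in effect. The following added example, not from the original page, audits an sshd_config file against that list the way sshd itself reads it: keywords are case-insensitive, the first value found for a keyword wins, and directives after the first Match line apply only conditionally, so they are ignored. A keyword that is absent is reported as well, because the built-in default (for example PasswordAuthentication yes) may be weaker than intended. The sample configuration in the demo is constructed; only the whitespace-separated "Keyword value" form is handled and only the first argument of AllowGroups is compared.

```shell
#!/bin/sh
# Added example, not from the original page: compliance check of sshd_config
# against the directives of this section, mirroring sshd's first-match rule.

check_sshd_config() {
  # $1 = path to an sshd_config; prints one line per deviation, returns 1 if any
  awk '
    BEGIN {
      want["permitrootlogin"] = "no"
      want["passwordauthentication"] = "no"
      want["challengeresponseauthentication"] = "no"
      want["usepam"] = "yes"
      want["x11forwarding"] = "no"
      want["maxauthtries"] = "3"
      want["logingracetime"] = "20"
      want["allowgroups"] = "sshusers"
      bad = 0
    }
    /^[ \t]*(#|$)/ { next }                          # comments and blank lines
    { key = tolower($1); if (key == "match") exit }  # conditional block: stop here
    (key in want) && !(key in seen) {                # first occurrence is the effective one
      seen[key] = 1
      if (tolower($2) != tolower(want[key])) {
        printf "%s is %s, expected %s\n", $1, $2, want[key]
        bad = 1
      }
    }
    END {
      for (k in want)
        if (!(k in seen)) { printf "%s not set (default applies)\n", k; bad = 1 }
      exit bad
    }' "$1"
}

demo_sshd_check() {
  # constructed sshd_config: PasswordAuthentication is still on globally, and
  # the "no" inside the Match block does not change that for other users
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 20
AllowGroups sshusers
Match User backup
    PasswordAuthentication no
EOF
  if check_sshd_config "$f"; then echo "compliant"; else echo "deviations found"; fi
  rm -f "$f"
}

demo_sshd_check
```

On a live system, run the check against /etc/ssh/sshd_config after sshd -t and before systemctl reload ssh; a non-zero status is the signal to abort the module rather than reload.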

Network Stack and Firewall

Apply a default-deny firewall policy.

UFW example:

ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp        # or "ufw limit 22/tcp" to rate-limit repeated connection attempts
ufw --force enable      # --force skips the interactive "may disrupt existing ssh connections" prompt

Kernel network hardening:

cat <<EOF > /etc/sysctl.d/99-hardening.conf
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
EOF
sysctl --system

Kernel and Memory Protections

Enable exploit mitigation features.

Example (note that appending with >> is not idempotent: every run of the script adds another copy of each line, and sysctl applies the last one it reads):

echo "kernel.kptr_restrict=2" >> /etc/sysctl.d/99-hardening.conf
echo "kernel.dmesg_restrict=1" >> /etc/sysctl.d/99-hardening.conf
echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-hardening.conf
echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-hardening.conf
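The following added example, not from the original page, shows how the "check state before applying changes" principle from the execution model translates into a key-aware setter for sysctl.d files: instead of appending, it rewrites an existing key=value line (dropping duplicates and trailing comments on that line) or appends the key if absent, so any number of runs leaves exactly one entry per key. The companion getter returns the value sysctl would apply, i.e. the last entry in the file. The starting file in the demo is constructed; file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: idempotent key=value maintenance
# for sysctl.d-style files (one entry per key, however often it runs).

set_conf_key() {
  # $1 = file, $2 = key, $3 = value
  local file="$1" key="$2" value="$3" tmp
  [ -e "$file" ] || : > "$file"
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    {
      line = $0; sub(/#.*/, "", line)                 # strip comments for matching only
      split(line, kv, "=")
      k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)       # trim the key part
      if (k == key) {
        if (!done) { print key "=" value; done = 1 }  # first hit: rewrite in place
        next                                          # later duplicates: drop
      }
      print
    }
    END { if (!done) print key "=" value }            # key absent: append once
  ' "$file" > "$tmp" && cat "$tmp" > "$file"          # keep the file's inode and mode
  rm -f "$tmp"
}

get_conf_key() {
  # $1 = file, $2 = key; prints the effective value (sysctl applies entries in
  # order, so the last entry in the file wins)
  awk -F= -v key="$2" '
    { sub(/#.*/, ""); k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v } }
    END { print last }
  ' "$1"
}

demo_conf_keys() {
  # constructed starting file: a weaker value with a comment, plus a duplicate
  local f
  f=$(mktemp)
  printf 'net.ipv4.tcp_syncookies=1\nkernel.kptr_restrict = 1  # too weak\nkernel.kptr_restrict=1\n' > "$f"
  set_conf_key "$f" kernel.kptr_restrict 2
  set_conf_key "$f" kernel.dmesg_restrict 1
  set_conf_key "$f" kernel.dmesg_restrict 1   # second run: no duplicate line
  cat "$f"
  echo "effective kptr_restrict: $(get_conf_key "$f" kernel.kptr_restrict)"
  rm -f "$f"
}

demo_conf_keys
```

After the file is written, sysctl --system applies it; comparing get_conf_key output with sysctl -n for the same key is a quick post-condition check for the module.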

Filesystem and Mount Options

Harden mount points against code execution and abuse. Note that noexec on /tmp is known to break some package maintainer scripts that execute helpers from /tmp; test package installation after applying it, or point TMPDIR elsewhere for apt.

Example /etc/fstab entries:

tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs defaults,noexec,nosuid,nodev 0 0

Apply immediately (remount only works on a file system that is already mounted; if /tmp or /var/tmp is not yet a separate tmpfs mount, use "mount /tmp" instead, which reads the new fstab entry):

mount -o remount /tmp
mount -o remount /var/tmp
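Whether the options actually took effect is visible in /proc/mounts, not in fstab. The following added example, not from the original page, checks a mount point's effective options against a required list, reading the /proc/mounts format (device, mount point, type, options, dump, pass) from a file so it can be tested offline on a constructed snapshot; on a live system pass /proc/mounts. Where a mount point appears more than once (an overmount), the last line is the visible one and is the one checked. Paths in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: verify effective mount options
# from /proc/mounts-format data (constructed snapshot in the demo).

check_mount_opts() {
  # $1 = mount point, $2 = comma-separated required options, $3 = mounts file
  # prints deviations; returns 0 if compliant, 1 if options are missing,
  # 2 if the mount point is not mounted at all
  awk -v mp="$1" -v req="$2" '
    $2 == mp { found = 1; optstr = $4 }   # later lines overmount earlier ones
    END {
      if (!found) { printf "%s: not mounted\n", mp; exit 2 }
      n = split(optstr, o, ",")
      for (i = 1; i <= n; i++) have[o[i]] = 1
      m = split(req, r, ",")
      bad = 0
      for (i = 1; i <= m; i++)
        if (!(r[i] in have)) { printf "%s: missing %s\n", mp, r[i]; bad = 1 }
      exit bad
    }' "$3"
}

demo_mount_check() {
  # constructed snapshot: /tmp was remounted without noexec, /var/tmp is correct
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
  for mp in /tmp /var/tmp /home; do
    if check_mount_opts "$mp" noexec,nosuid,nodev "$f"; then echo "$mp: ok"; fi
  done
  rm -f "$f"
}

demo_mount_check
```

Note that /proc/mounts encodes spaces in paths as \040; mount points used in a hardening script normally contain none, so the example does not decode them.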

Mandatory Access Control (AppArmor)

Enforce confinement for critical services.

Enable and enforce (the loop skips subdirectories such as abstractions/, tunables/ and local/, which hold profile fragments rather than profiles):

systemctl enable --now apparmor
for p in /etc/apparmor.d/*; do
  [ -f "$p" ] && aa-enforce "$p"
done

Check status:

aa-status

Auditing and Logging

Ensure security-relevant events are recorded.

Audit rules example:

cat <<EOF > /etc/audit/rules.d/hardening.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /var/log/auth.log -p wa -k authlog
EOF
augenrules --load

Prevent log tampering with the append-only attribute. Two caveats: logrotate can then no longer rename or truncate the file, so rotation must clear the attribute in a prerotate script and set it again afterwards; and on Debian 12 rsyslog is no longer installed by default, so /var/log/auth.log only exists if rsyslog is present (otherwise the records live in the journal):

chattr +a /var/log/auth.log
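Loading the rules is only half of the control; someone has to look at what they produce. The following added example, not from the original page, summarises raw /var/log/audit/audit.log records by watch key, login UID (auid) and executable, which is the view needed to tell a legitimate change to /etc/passwd by an administrator from an unexpected one. The records in the demo are constructed in the kernel audit format (a SYSCALL line carrying key=, auid= and exe=, followed by PATH lines); records without a key, such as key=(null), are ignored. On a live system the same summary can be obtained interactively with ausearch -k identity.

```shell
#!/bin/sh
# Added example, not from the original page: per-key summary of raw audit.log
# SYSCALL records (constructed sample records in the demo).

summarize_audit_keys() {
  # $1 = audit.log-style file; prints "key<TAB>auid<TAB>exe<TAB>count", sorted
  awk '
    $1 == "type=SYSCALL" {
      key = ""; auid = "?"; exe = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^key=/)  { key = $i; sub(/^key="?/, "", key); sub(/"$/, "", key) }
        if ($i ~ /^auid=/) { auid = substr($i, 6) }
        if ($i ~ /^exe=/)  { exe = $i; sub(/^exe="?/, "", exe); sub(/"$/, "", exe) }
      }
      # only records that hit one of the configured watches carry a real key
      if (key != "" && key != "(null)") count[key "\t" auid "\t" exe]++
    }
    END { for (k in count) print k "\t" count[k] }
  ' "$1" | sort
}

demo_audit_summary() {
  # constructed records: two edits of /etc/passwd by uid 1000 via vim, one
  # visudo run, and one unkeyed record from cron that must not be counted
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 ses=4 comm="vim" exe="/usr/bin/vim.basic" key="identity"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/passwd" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 ses=4 comm="vim" exe="/usr/bin/vim.basic" key="identity"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 ses=4 comm="visudo" exe="/usr/sbin/visudo" key="scope"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=4294967295 ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
EOF
  summarize_audit_keys "$f"
  rm -f "$f"
}

demo_audit_summary
```

The auid column is the useful one for attribution: it stays at the original login UID across su and sudo, whereas uid= is 0 for every privileged edit. An auid of 4294967295 means no login session, typically a daemon.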

Scheduled Tasks and Persistence Controls

Review and restrict scheduled execution.

Example:

chmod 700 /etc/cron.*
ls -l /etc/cron.d

Disable atd if unused:

systemctl disable --now atd

Automatic Security Updates

Ensure timely patching.

Enable unattended-upgrades:

apt install unattended-upgrades -y
dpkg-reconfigure unattended-upgrades   # interactive; the answer is written to /etc/apt/apt.conf.d/20auto-upgrades

Verification:

unattended-upgrade --dry-run

Troubleshooting

Common issues and recovery guidance.

  • Lost SSH access
    • Verify sshd configuration syntax with sshd -t
    • Use local console or recovery mode
    • Temporarily allow password authentication
  • Firewall blocking services
    • Check active rules: ufw status verbose
    • Disable temporarily: ufw disable
  • AppArmor breaking services
    • Identify denied actions in /var/log/syslog (or dmesg / journalctl -k on systems without rsyslog)
    • Switch the profile to complain mode: aa-complain /etc/apparmor.d/profile-name
  • System boot issues after sysctl changes
    • Boot into single-user mode
    • Remove the problematic file from /etc/sysctl.d/

References

  • Debian Security Documentation
    https://www.debian.org/security/
  • Debian Hardening Guide
    https://www.debian.org/doc/manuals/securing-debian-manual/
  • CIS Debian Linux Benchmark
    https://www.cisecurity.org/
  • AppArmor Documentation
    https://gitlab.com/apparmor/apparmor/-/wikis/home
  • Linux Audit Framework
    https://linux-audit.com/
  • NIST Security Guidelines
    https://csrc.nist.gov/