QUESTION
I am installing a Debian server which is connected directly to the Internet. Obviously I want to make it as secure as possible. I would like you guys/gals to add your ideas to secure it and what programs you use for it.
I want part of this question to cover what do you use as a firewall? Just iptables manually configured or do you use some kind of software to aid you? What's the best way? Block everything and allow only what is needed? Are there maybe good tutorials for beginners to this topic?
Do you change your SSH port? Do you use software like Fail2Ban to prevent brute-force attacks?
ANSWER
Obligatory:
- installation of system with expert mode, only packages that I need
- hand written firewall with default policy on iptables' INPUT: drop, permitting access to SSH, HTTP or whatever else given server is running
- Fail2Ban for SSH [ and sometimes FTP / HTTP / other - depending on context ]
- disable root logins, force using normal user and sudo
- custom kernel [ just old habit ]
- scheduled system upgrade
Depending on level of paranoia additionally:
- drop policy on output except a couple of allowed destinations / ports
- integrit for checking if some parts of file system were not modified [with checksum kept outside of the machine], for example Tripwire
- scheduled scan at least with nmap of system from the outside
- automated log checking for unknown patterns [but that's mostly to detect hardware malfunction or some minor crashes]
- scheduled run of chkrootkit
- immutable attribute for /etc/passwd so adding new users is slightly more difficult
- /tmp mounted with noexec
- port knocker or other non-standard way of opening SSH ports [e.g. visiting 'secret' web page on web server allows incoming SSH connection for a limited period of time from an IP address that viewed the page. If you get connected, -m state --state ESTABLISHED takes care of allowing packet flow as long as you use a single SSH session]
Things I do not do myself but make sense:
- grsecurity for kernel
- remote syslog so logs cannot be overwritten when system gets compromised
- alerting about any SSH logins
- configure rkhunter and set it up to run from time to time
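A hand-written default-drop INPUT firewall of the kind the answer above describes (loopback, established traffic, SSH and the web ports allowed, everything else logged and dropped), as an added example that is not part of the original answer. It assumes IPv4 only and uses the conntrack match, the current equivalent of the answer's `-m state --state ESTABLISHED`; the ports are passed as arguments, and nothing is loaded into the kernel unless `apply` is requested, which runs `iptables-restore --test` first so a typo cannot lock you out.

```shell
#!/bin/sh
# Default-deny INPUT firewall in iptables-restore format (added example, not from the answer).
# Assumptions: IPv4 only, conntrack match available, ports given as arguments.
# Usage: build_ruleset SSH_PORT [WEB_PORT ...]  -> prints the ruleset for review
#        apply_ruleset SSH_PORT [WEB_PORT ...]  -> validates, then loads it (needs root)

# Print the ruleset. Nothing touches the kernel here, so the output can be reviewed or diffed.
# The ESTABLISHED,RELATED rule is what the answer's "-m state --state ESTABLISHED" does.
build_ruleset() {
    ssh_port="$1"; shift
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT' \
        "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m limit --limit 4/min --limit-burst 4 -j ACCEPT"
    # one rule per service port; new connections to anything else fall through to LOG + DROP
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m limit --limit 1/min -j LOG --log-prefix "fw-drop: "' 'COMMIT'
}

# Count rules that admit new inbound connections (reads a ruleset on stdin).
count_new_accepts() {
    grep -c -- '--ctstate NEW.*-j ACCEPT' || :
}

# Dry-run with iptables-restore --test first, then load the whole table atomically. Requires root.
apply_ruleset() {
    f=$(mktemp) || return 1
    build_ruleset "$@" > "$f"
    iptables-restore --test "$f" && iptables-restore "$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}

case "${1:-}" in
    print) shift; build_ruleset "$@" ;;
    apply) shift; apply_ruleset "$@" ;;
esac
```

The SSH rule also rate-limits new connections per minute, which blunts password guessing at the packet level before Fail2Ban ever sees a log line; anything over the limit falls through to the LOG rule and the DROP policy.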