Does anyone know a complete guideline for establishing security for Debian servers?

xodsuefk

I tried googling and searching through forums, but it always seems that I might miss something vital. Are there any tutorials or guides that cover all necessary bases?
 


@osprey I actually also read this one while writing my blogpost, and found that there are many tutorials that offer in-depth security measures, but not many good ones that just explain the basics for people new to Linux.

@JasKinasis that thread is sadly dead - I tried to revive it a couple of times, but the interest in our community to contribute was sadly low. I have hence written a blogpost about it (a LONG one) and posted it at the top of the thread. This way the thread still has value to users.
I'd still be delighted if we could finish the thread ofc :)
 
that thread is sadly dead - I tried to revive it a couple of times, but the interest in our community to contribute was sadly low.
It doesn't need to be updated constantly; it might be an idea to pin/sticky it so that it stays at the top of the forum category. That way it's easier to find and update if someone does think of something to add.
 
Oh, c'mon, we tried so long, the topic is easy ;) Nobody really stuck to the rules. I consider it a failed experiment; that's why I wrote one myself. Feel free to read it, it's well worth it. It was quite a bit of work.
 
Is openscap available for Debian? I know it is for most major distros.
I typically run this to see what fails. Then I run ansible scripts to fix the holes.


These cover about 95% of what openscap finds.

Also is "lynis" available for Debian?
 
Is openscap available for Debian? I know it is for most major distros.
I typically run this to see what fails. Then I run ansible scripts to fix the holes.


These cover about 95% of what openscap finds.

Also is "lynis" available for Debian?
In relation to openscap and lynis, both are available in Debian:
Code:
[tom@min ~]$ apt-cache show openscap-<TAB>
openscap-common   openscap-scanner  
openscap-doc      openscap-utils    

[tom@min ~/notes]$ apt-cache show lynis<TAB>
lynis
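Once lynis is installed and `lynis audit system` has been run, the next step the thread describes (scan, then remediate the holes) needs the findings in a form a script can consume. The following is an added example, not code from anyone in this thread or from the Lynis project: a POSIX shell script that summarises the machine-readable report Lynis writes to /var/log/lynis-report.dat. The report format (key=value lines, with `warning[]=` and `suggestion[]=` entries of the shape `TEST-ID|message|details|solution|`) is an assumption here, and the sample report is constructed, not output of a real scan.

```shell
#!/bin/sh
# Summarise the findings of a Lynis run. Lynis writes its machine-readable
# report to /var/log/lynis-report.dat as key=value lines; the finding lines
# are assumed to look like
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|
set -eu

# Print "severity TEST-ID message" for every warning and suggestion in $1.
lynis_findings() {
    sed -n -E 's/^(warning|suggestion)\[]=([^|]*)\|([^|]*)\|.*/\1 \2 \3/p' "$1"
}

# Number of warning[] lines in $1 (grep -c exits 1 on zero matches, hence || true).
lynis_warning_count() {
    grep -c '^warning\[]=' "$1" || true
}

# Number of suggestion[] lines in $1.
lynis_suggestion_count() {
    grep -c '^suggestion\[]=' "$1" || true
}

# Sorted, de-duplicated test IDs that raised a finding: the list to hand to
# whatever remediation (e.g. Ansible plays keyed by test ID) follows the scan.
lynis_test_ids() {
    sed -n -E 's/^(warning|suggestion)\[]=([^|]*)\|.*/\2/p' "$1" | sort -u
}

# Constructed sample report (not output of a real scan) written to $1.
make_sample_report() {
    cat > "$1" <<'EOF'
# Lynis Report (constructed sample)
report_version_major=1
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
EOF
}

# Usage: sh lynis-summary.sh [/var/log/lynis-report.dat]
# Without a readable report, fall back to the constructed sample.
report="${1:-/var/log/lynis-report.dat}"
if [ ! -r "$report" ]; then
    report="$(mktemp)"
    make_sample_report "$report"
fi
printf 'warnings=%s suggestions=%s\n' "$(lynis_warning_count "$report")" "$(lynis_suggestion_count "$report")"
lynis_findings "$report"
```

Feeding `lynis_test_ids` output into a remediation playbook gives a repeatable scan-fix-rescan loop instead of reading the on-screen report by hand.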
 
@JasKinasis that thread is sadly dead - I tried to revive it a couple of times, but the interest in our community to contribute was sadly low. I have hence written a blogpost about it (a LONG one) and posted it at the top of the thread. This way the thread still has value to users.

Mm.

That's probably due to the fact that, for the majority of folks coming to Linux nowadays, running a server is of no interest whatsoever. Although I've been with Linux for around a decade myself, even I have no interest in such a thing.

Yes, I know the majority of internet servers are more often than not powered by various server builds of Linux, and the call for Linux sysadmins is growing all the time. But the landscape is very different now compared to the early days.

If you're old enough to remember, getting a toehold in the Linux world back then involved proving your abilities to the rest of the still fledgling Linux community........usually involving building & setting-up your own server AND creating, building & hosting your own website. Only by so doing were the rest of the community convinced you were serious.

For most, the transition to Linux is due to various degrees of getting p***ed-off by M$'s self-centred antics.......and these folks mainly want a replacement desktop OS that will do everything - or at least, the equivalent - that their Windoze install did/yet does. Everybody wants to be online, yet very few have the slightest interest in the technology that makes the web possible....

Mike. :)
 
In Azure and AWS, there are marketplace Linux images that come "pre-hardened".
Most of our cloud servers use CIS compliant Linux images. Of course this does limit what distros are available.

 
Well, the Microsoft server market is pretty much dead by now and replaced by Linux. In my career I heard of somebody running an OS X server once. Not sure if they still exist.
When I started Linux the desktop community was MUCH smaller. It was literally before there was Ubuntu. I started with Debian on my laptop x)
It's very nice to see that so many ppl use Linux on the desktop by now, but essentially every website you visit runs Linux under the hood ;) or OpenBSD if it's sth paranoid. Or Microsoft if it's a giant corporation xD They still use this old Windows Server nonsense.
 
In Azure and AWS, there are marketplace Linux images that come "pre-hardened".

Azure and hardening (security optimized) in one sentence is funny x)

That's not how it works and just marketing nonsense. You restrict services to the bare minimum of permissions they require to run and then, if you're paranoid, monitor if they try to break the rules. That only works if you know the application, which cloud providers of course don't - they cannot estimate how I wrote my application.
 
That's not how it works and just marketing nonsense. You restrict services to the bare minimum of permissions they require to run and then, if you're paranoid, monitor if they try to break the rules. That only works if you know the application, which cloud providers of course don't - they cannot estimate how I wrote my application.

Azure does not make these images (well, not most of them; I'm sure they do the Ubuntu and Windows ones), they are in the marketplace images. The leading security recommendations are from CIS.


These are the standards the US government, military and RSA use. Azure has little to do with them, other than that's the platform they run on.
 