How to Perform Security Hardening on a Public-Facing Server in Debian 12 Bookworm System

Public-facing servers are scanned and probed continuously, whether you are running a web server, a mail server, or any other service reachable from the internet. Debian 12 "Bookworm" gives you a stable, well-maintained base with a responsive security team, but the defaults of a fresh install are tuned for a general-purpose machine, not for a host that only the internet should be able to reach. This guide walks you through the practical steps to harden a public-facing Debian 12 server and, for each step, how to verify that the change actually took effect.


Why Security Hardening Matters

Security hardening involves reducing the attack surface of your server by disabling unnecessary services, applying system updates, enforcing strict access control policies, and monitoring system activity. Without hardening, your server is exposed to threats such as:

  • Unauthorized access (via SSH, brute force attacks, or leaked credentials)
  • Software vulnerabilities and zero-day exploits
  • Malware injection and data exfiltration
  • Denial-of-Service (DoS) attacks

Let’s explore the steps to secure a Debian 12 server systematically.


Step 1: Keep the System Updated

Debian’s security team releases patches regularly. Keeping your system updated ensures known vulnerabilities are mitigated.

sudo apt update && sudo apt upgrade -y

Enable unattended upgrades so security updates are applied automatically:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Answer "Yes" at the prompt; this writes /etc/apt/apt.conf.d/20auto-upgrades. The default origin list in /etc/apt/apt.conf.d/50unattended-upgrades only covers the bookworm-security suite, which is what you want on a production host. Check that a run completes without errors:

sudo unattended-upgrade --dry-run --debug

Library and kernel updates only take effect once the affected services (or the host) are restarted. Install needrestart so you are told when that is needed instead of running a patched binary on disk and an unpatched one in memory:

sudo apt install needrestart


Step 2: Disable Unnecessary Services

Every listening socket that is reachable from the network is a service an attacker can talk to, whether or not you remember installing it. Identify what is listening and on which address:

sudo ss -tulnp

The Local Address:Port column tells you the exposure: 0.0.0.0, [::] or * means every interface, while 127.0.0.1 or [::1] means loopback only and is not reachable from outside. Confirm the view from the internet with nmap from a remote machine (a SYN scan needs root):

sudo nmap -sS your.server.ip

Disable unused services:

sudo systemctl disable --now service-name

For example, if you're not using FTP:

sudo systemctl disable --now vsftpd

Better still, remove the package (sudo apt purge vsftpd) so an upgrade cannot re-enable it, and run ss again afterwards to confirm the port is gone.
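To turn the ss check into something you can run after every change, here is an added example (written for this guide, not part of iproute2 or the original article) that parses the output of ss -tulnpH and flags any network-reachable listener whose port is not on an allowlist. The sample ss output embedded in it is constructed for the demonstration; the function name exposed_listeners and the allowlist are this example's own.

```sh
#!/bin/sh
# Added example: report listening sockets reachable from the network and flag
# any whose port is not on the allowlist. Input is the output of
# `ss -tulnpH` (iproute2 on Debian 12; -H drops the header line).
# Usage on a real host:   sudo ss -tulnpH | exposed_listeners "2222 80 443"

# Constructed sample of `ss -tulnpH` output for demonstration (not real data).
SAMPLE_SS='udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=412,fd=5))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=412,fd=6))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=601,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=601,fd=4))
tcp LISTEN 0 511 *:80 *:* users:(("nginx",pid=700,fd=6))
tcp LISTEN 0 32 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=820,fd=4))
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=900,fd=20))'

# exposed_listeners "PORT PORT ..."   reads ss output on stdin.
# Prints "proto port process verdict" per exposed port; exit status 1 if any
# verdict is UNEXPECTED, so the function can gate a cron job or a CI check.
exposed_listeners() {
    awk -v allow=" $1 " '
    {
        addr = $5                             # Local Address:Port column
        n = split(addr, parts, ":")           # port is the last component
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # loopback-bound sockets are not reachable from the network
        if (host ~ /^127\./ || host == "[::1]") next
        proc = "-"                            # ss omits the process unless run as root
        if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
        key = $1 " " port
        if (key in seen) next                 # IPv4 and IPv6 sockets share a port
        seen[key] = 1
        verdict = (index(allow, " " port " ") > 0) ? "allowed" : "UNEXPECTED"
        printf "%s %s %s %s\n", $1, port, proc, verdict
        if (verdict == "UNEXPECTED") bad++
    }
    END { exit (bad > 0) ? 1 : 0 }'
}

# Demo against the constructed sample: sshd (22) and nginx (80) are expected,
# vsftpd (21) is not.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners "22 80 443" ||
    echo "unexpected listeners found; disable them with systemctl disable --now"
```

Loopback-only services (chronyd, the MariaDB socket) are dropped from the report because they are not part of the external attack surface; the IPv4 and IPv6 sockets of one daemon are reported once. Run it with the ports from your firewall rules as the allowlist and anything it prints as UNEXPECTED is a service to disable or to add to the firewall deliberately.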

Step 3: Create a Non-Root User

Logging in as root means every session, typo and leaked credential carries full privileges. Create a standard user and let it escalate through sudo, so administrative actions are logged per user and the root account never needs to accept a remote login:

sudo adduser newuser
sudo usermod -aG sudo newuser

Before you close your current session, log in as newuser from a second terminal and confirm that sudo works (sudo -v prompts for the user's password and then exits silently). Only then disable root login over SSH in the next step.


Step 4: Secure SSH Access

SSH is the one service every public server exposes, so it receives the most automated attention. Debian 12 ships OpenSSH 9.2, whose /etc/ssh/sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf"; put your changes in a drop-in file there rather than editing the main file, so package upgrades never overwrite them. sshd uses the first value it reads for each keyword, so check that no existing drop-in (for example one written by cloud-init on a cloud image) already sets the keywords below, or name yours so it sorts first.

  1. Generate a key pair on your local machine and copy it to the server before you change anything else:

ssh-keygen -t ed25519 -a 100
ssh-copy-id youruser@your.server.ip

  2. Create /etc/ssh/sshd_config.d/00-hardening.conf with:

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3

Changing the port only keeps the bulk of automated scanners out of your logs; it is not an access control, and every other step that refers to the SSH port (firewall, Fail2Ban, ssh-copy-id -p) must use the same number.

  3. Check the syntax before restarting, so a typo cannot leave you with a daemon that refuses to start:

sudo sshd -t

  4. Restart the service (the unit is called ssh on Debian) and, keeping your current session open, confirm from a second terminal that a login with the key works and that a password login is refused:

sudo systemctl restart ssh
ssh -p 2222 youruser@your.server.ip

With password authentication disabled there is nothing for brute-force and dictionary attacks to guess; the remaining steps reduce the noise they still generate.


Step 5: Configure the Firewall (UFW or nftables)

Debian 12 uses the nftables kernel framework; the iptables command is a compatibility layer on top of it, and UFW (Uncomplicated Firewall) is a front end that generates rules through that layer. Either approach works on a single host, but use only one: do not enable nftables.service with your own ruleset and UFW at the same time, because each will replace the other's rules.

Using UFW

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit 2222/tcp  # your SSH port; "limit" also rate-limits new connections per source
sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS
sudo ufw enable
sudo ufw status verbose

Using nftables (native)

List current rules:

sudo nft list ruleset

The nftables package ships /etc/nftables.conf, which nftables.service loads with nft -f at boot. Replace its contents with a ruleset like the following. The "inet" family applies the same rules to IPv4 and IPv6, and "flush ruleset" at the top makes every load replace the previous rules instead of failing because the table already exists:

#!/usr/sbin/nft -f
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iif "lo" accept
    ct state invalid drop
    ct state established,related accept
    # ICMP is needed for path MTU discovery; ICMPv6 also carries neighbour discovery
    meta l4proto { icmp, ipv6-icmp } accept
    tcp dport { 2222, 80, 443 } accept
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

Check the syntax without touching the live rules, then load the file and enable the service so the ruleset is restored at boot:

sudo nft -c -f /etc/nftables.conf
sudo systemctl enable --now nftables

Keep your existing SSH session open while you do this and confirm that a second login on port 2222 still works before you log out.
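Loading a drop-by-default ruleset over SSH is the step most likely to lock you out. The following added example (a helper written for this guide, not part of the nftables package or the original article) syntax-checks a ruleset file, snapshots the live rules, loads the new file and arms a background rollback that you cancel from a fresh SSH login. The names NFT, ROLLBACK_DELAY, STATE_DIR, safe_apply and safe_confirm are this example's own; it assumes Debian 12 with nftables installed and is run as root.

```sh
#!/bin/sh
# Added example: apply an nftables ruleset with an automatic rollback, so a
# mistake in the file cannot lock you out of SSH. Assumes Debian 12 with the
# nftables package, run as root. NFT, ROLLBACK_DELAY and STATE_DIR are this
# example's own knobs (NFT is overridable only so the logic can be tested).
NFT=${NFT:-nft}
ROLLBACK_DELAY=${ROLLBACK_DELAY:-90}       # seconds until automatic rollback
STATE_DIR=${STATE_DIR:-/run/nft-safe-apply}

# safe_apply /path/to/ruleset.nft
safe_apply() {
    ruleset=$1
    mkdir -p "$STATE_DIR"
    # 1. refuse to touch the live ruleset if the file does not parse
    "$NFT" -c -f "$ruleset" || { echo "syntax check failed: $ruleset" >&2; return 1; }
    # 2. snapshot the current ruleset so it can be restored verbatim
    "$NFT" list ruleset > "$STATE_DIR/previous.nft"
    # 3. load the new file; nft applies it as one transaction, so a runtime
    #    error leaves the old rules in place
    "$NFT" -f "$ruleset" || { echo "load failed, live ruleset unchanged" >&2; return 1; }
    # 4. arm the rollback: after ROLLBACK_DELAY seconds the snapshot is
    #    restored unless safe_confirm has killed this timer
    (
        sleep "$ROLLBACK_DELAY"
        { echo "flush ruleset"; cat "$STATE_DIR/previous.nft"; } | "$NFT" -f -
        rm -f "$STATE_DIR/timer.pid"
    ) &
    echo $! > "$STATE_DIR/timer.pid"
    echo "applied $ruleset; run safe_confirm within ${ROLLBACK_DELAY}s or it rolls back"
}

# safe_confirm: run from a NEW ssh session that succeeded under the new rules
safe_confirm() {
    [ -f "$STATE_DIR/timer.pid" ] || { echo "no rollback pending" >&2; return 1; }
    kill "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null || true
    rm -f "$STATE_DIR/timer.pid"
    echo "ruleset confirmed; rollback cancelled"
}

# Typical use (as root, after sourcing this file with ". ./nft-safe-apply.sh"):
#   safe_apply /etc/nftables.conf     # then open a new "ssh -p 2222" session and run:
#   safe_confirm
```

If the new rules are wrong, the session you applied them from may hang, but after the delay the snapshot is restored and you can log in again and fix the file. A file that starts with "flush ruleset" also removes the table Fail2Ban (Step 6) creates, so restart fail2ban after you have confirmed the ruleset.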

Step 6: Install Fail2Ban

Fail2Ban watches the logs for repeated authentication failures and adds a temporary firewall rule against the source address. With password authentication already disabled it cannot be the thing that stops a brute-force attack, but it keeps the log noise and the CPU spent on key exchanges with scanners down.

Install and enable:

sudo apt install fail2ban
sudo systemctl enable --now fail2ban

The Debian package already enables the sshd jail through /etc/fail2ban/jail.d/defaults-debian.conf. Put your own settings in /etc/fail2ban/jail.local rather than copying jail.conf: jail.conf is replaced on upgrades, and jail.local only needs the values you change. Debian 12 no longer installs rsyslog by default, so /var/log/auth.log may not exist; tell Fail2Ban to read the systemd journal instead:

[DEFAULT]
backend  = systemd
# never ban the network you manage the server from (203.0.113.0/24 is a placeholder)
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
# use "ufw" here if you configured UFW in Step 5
banaction = nftables

[sshd]
enabled  = true
port     = 2222
maxretry = 3
findtime = 10m
bantime  = 1h

maxretry failures within findtime from one address trigger a ban of bantime. Restart the service and confirm the jail is running and reading the journal:

sudo systemctl restart fail2ban
sudo fail2ban-client status sshd

If you reload the nftables ruleset later, "flush ruleset" also removes the table Fail2Ban created, so restart Fail2Ban afterwards to recreate its bans.
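To see what the jail above actually reacts to, here is an added example (written for this guide, not Fail2Ban's own code) that applies the same maxretry/findtime logic to sshd journal lines: it counts failed logins per source address inside a sliding time window and reports the addresses that cross the threshold. The journal lines embedded in it are constructed, with addresses from the documentation ranges; brute_force_sources is this example's own function name.

```sh
#!/bin/sh
# Added example: reproduce the maxretry/findtime decision Fail2Ban makes for
# the sshd jail, over journal lines in `journalctl -o short-unix` format
# (epoch-seconds timestamp first, which keeps the arithmetic shell-friendly).
# Usage on a real host:
#   journalctl -u ssh -o short-unix --since -1h | brute_force_sources 3 600

# Constructed journal sample for demonstration (not from a real host).
SAMPLE_JOURNAL='1719828000.101 srv sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
1719828001.203 srv sshd[1210]: Failed password for root from 203.0.113.5 port 51234 ssh2
1719828002.410 srv sshd[1211]: Invalid user admin from 203.0.113.5 port 51235
1719828003.515 srv sshd[1212]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
1719828900.000 srv sshd[1300]: Failed password for bob from 192.0.2.9 port 50000 ssh2
1719830000.000 srv sshd[1301]: Failed password for bob from 192.0.2.9 port 50001 ssh2
1719831000.000 srv sshd[1302]: Failed password for bob from 192.0.2.9 port 50002 ssh2'

# brute_force_sources MAXRETRY FINDTIME_SECONDS   (journal lines on stdin)
# Prints one line per offending address; exit status 1 if there are any.
brute_force_sources() {
    awk -v maxretry="$1" -v findtime="$2" '
    # the same two event kinds the Fail2Ban sshd filter treats as failures
    / sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
        ts = $1 + 0
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        if (!(ip in head)) { head[ip] = 1; tail[ip] = 0 }
        tail[ip]++
        q[ip, tail[ip]] = ts                  # per-address queue of timestamps
        # evict attempts older than findtime relative to this one
        while (head[ip] < tail[ip] && ts - q[ip, head[ip]] > findtime) head[ip]++
        window = tail[ip] - head[ip] + 1
        if (window >= maxretry && !(ip in flagged)) {
            flagged[ip] = 1; nflagged++
            printf "%s %d failures within %ds (last at %d)\n", ip, window, findtime, ts
        }
    }
    END { exit (nflagged > 0) ? 1 : 0 }'
}

# Demo: 203.0.113.5 fails three times in three seconds and is reported; the
# three failures from 192.0.2.9 are each more than 600 s apart, so they are not.
printf '%s\n' "$SAMPLE_JOURNAL" | brute_force_sources 3 600 ||
    echo "(addresses above would be banned by the sshd jail)"
```

The slow attacker at 192.0.2.9 shows why findtime matters: three failures spread over half an hour never form a window of three, so neither this script nor the jail above bans it, and only a longer findtime (try 3000) would. That is the trade-off the jail settings encode, and it is why key-only authentication, not Fail2Ban, is the control that defeats guessing.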

Step 7: Enforce Strong Passwords and Use 2FA

With password authentication disabled over SSH, local passwords still protect sudo and the console, so they should not be trivial. Install libpam-pwquality; on Debian the package registers itself with pam-auth-update, which adds the pam_pwquality.so line to /etc/pam.d/common-password for you:

sudo apt install libpam-pwquality

Do not edit common-password by hand (pam-auth-update rewrites it). Set the policy in /etc/security/pwquality.conf instead, which pam_pwquality reads on every check:

minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
retry = 3

Each -1 requires at least one character of that class (digit, upper case, lower case, other). Test with passwd as a normal user: a password that fails the policy is rejected with the reason.

For a second factor on SSH logins, use time-based one-time passwords through PAM:

sudo apt install libpam-google-authenticator

Run the enrolment as each user who logs in (not as root). The -t, -d and -f flags select time-based codes, disallow reuse of a code and write ~/.google_authenticator without prompting; -r 3 -R 30 limits attempts to three per 30 seconds:

google-authenticator -t -d -f -r 3 -R 30

Then edit /etc/pam.d/sshd: add the Google Authenticator module at the top and comment out the common-auth include, otherwise the keyboard-interactive step asks for the account password as well as the code:

auth required pam_google_authenticator.so nullok
# @include common-auth

nullok lets users who have not enrolled yet log in with their key alone; remove it once everyone has a ~/.google_authenticator file.

In your sshd drop-in (for example /etc/ssh/sshd_config.d/00-hardening.conf) enable the keyboard-interactive mechanism and require both a key and a code. ChallengeResponseAuthentication is the old name for this keyword; Debian 12's OpenSSH 9.2 calls it KbdInteractiveAuthentication, and that is the name sshd -T reports:

UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

PasswordAuthentication stays "no", so the password prompt never appears; the PAM stack is only reached after the key has been accepted. Restart SSH and test from a second session before you log out:

sudo systemctl restart ssh
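Both Step 4 and the 2FA settings above change sshd keywords, and the only authoritative view of what sshd will enforce is sshd -T, which prints the effective value of every keyword after all drop-ins are merged. The following added example (not part of OpenSSH or the original article) compares that output against the values this guide expects and reports each deviation. The sshd -T excerpt inside it is constructed to show a half-hardened host; EXPECTED_SSHD and audit_sshd_config are this example's own names.

```sh
#!/bin/sh
# Added example: audit the effective sshd configuration. `sshd -T` prints
# "keyword value" pairs with lowercase keywords after merging every drop-in,
# which is what matters, not what any single file says.
# Usage on a real host:   sudo sshd -T | audit_sshd_config

# Values this guide expects (same format as sshd -T so they can be compared).
EXPECTED_SSHD='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive
usepam yes
x11forwarding no
maxauthtries 3'

# Constructed `sshd -T` excerpt of a half-hardened host (not from a real system).
SAMPLE_SSHD_T='port 2222
addressfamily any
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
authenticationmethods any
usepam yes
x11forwarding yes
maxauthtries 6'

# audit_sshd_config   (sshd -T output on stdin)
# Prints ok/FAIL/MISSING per expected keyword; exit status 1 if anything is not ok.
audit_sshd_config() {
    awk -v expected="$EXPECTED_SSHD" '
    BEGIN {
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], kv, " ")
            keys[i] = kv[1]; want[kv[1]] = kv[2]
        }
    }
    ($1 in want) { got[$1] = $2 }
    END {
        for (i = 1; i <= n; i++) {
            k = keys[i]
            if (!(k in got)) {
                printf "MISSING %s (expected %s)\n", k, want[k]; bad++
            } else if (k == "maxauthtries" ? (got[k] + 0 > want[k] + 0) : (got[k] != want[k])) {
                # maxauthtries is a ceiling; everything else must match exactly
                printf "FAIL %s is %s (expected %s)\n", k, got[k], want[k]; bad++
            } else {
                printf "ok %s %s\n", k, got[k]
            }
        }
        exit (bad > 0) ? 1 : 0
    }'
}

# Demo against the constructed excerpt.
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_config ||
    echo "fix the FAIL lines in /etc/ssh/sshd_config.d/ and re-run sshd -T"
```

On the sample, permitrootlogin is prohibit-password rather than no, passwords are still accepted, authenticationmethods is "any" (so the TOTP step is optional rather than required), X11 forwarding is on and maxauthtries is 6. If sshd uses Match blocks, add -C user=name,host=addr to sshd -T to see the values for that connection.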

Step 8: Monitor System Logs and Set Up Auditing

Debian 12 no longer installs rsyslog by default, so on a fresh system there is no /var/log/auth.log or /var/log/syslog; the systemd journal holds everything. Review it with journalctl, for example "journalctl -u ssh --since today" for SSH logins and "journalctl -p warning -b" for anything the kernel or a service flagged since boot, and read /var/log/fail2ban.log, which Fail2Ban writes itself. Install rsyslog if you want the classic text files or need to ship logs to a remote collector, which is worth doing on any host where an intruder could otherwise edit the only copy.

Install auditd for a tamper-evident record of changes to security-critical files:

sudo apt install auditd
sudo systemctl enable --now auditd

Add rules to /etc/audit/rules.d/audit.rules (or to a separate .rules file in that directory; augenrules merges them all), e.g.:

-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/ssh/sshd_config.d/ -p wa -k sshd_config

Load them and check they are active:

sudo augenrules --load
sudo auditctl -l

Review events by key (the audit log is readable by root only):

sudo ausearch -k passwd_changes

Step 9: Use AppArmor for Mandatory Access Control

AppArmor is enabled by default in Debian 12 and confines every program that comes with a profile. Check which profiles are loaded and whether they are in enforce or complain mode:

sudo aa-status

The management tools live in a separate package:

sudo apt install apparmor-utils

To build a profile for a program that has none, run it under aa-genprof, exercise every code path the service needs while the tool records what it accesses, and review each proposed rule before accepting it:

sudo aa-genprof /usr/sbin/nginx

Profiles in complain mode only log violations. Switch a profile to enforce mode by naming its file, not the whole directory (/etc/apparmor.d also holds abstractions and tunables that are not profiles):

sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx

An enforced profile turns a compromised service into a process that can only touch the files, sockets and capabilities its profile allows, which limits what an application-level vulnerability is worth even after it has been exploited.


Step 10: Decide What to Do with IPv6

Disabling IPv6 is only a simplification on a host that has no global IPv6 address. If your provider routes IPv6 to the server, disabling it costs you IPv6 reachability for no gain over filtering it: the inet table from Step 5 already applies the same rules to both address families, and UFW manages both as well. Check with "ip -6 addr" whether the host has anything beyond a link-local (fe80::) address before deciding.

If the host has no IPv6 connectivity and you want to avoid exposing the extra interfaces, edit /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Apply (sysctl -p only reads /etc/sysctl.conf; use sysctl --system if you put the lines in /etc/sysctl.d/ instead):

sudo sysctl -p

Step 11: Secure Web Applications (If Hosting a Site)

  • Use HTTPS (Let's Encrypt + Certbot) and redirect plain HTTP to it
  • Keep your CMS (e.g., WordPress, Drupal) and its plugins updated; abandoned plugins are the usual way in
  • Put a web application firewall in front of the application: ModSecurity with the OWASP Core Rule Set for Apache (packages libapache2-mod-security2 and modsecurity-crs) or NAXSI for Nginx
  • Send Content-Security-Policy, X-Content-Type-Options and Strict-Transport-Security headers
  • Validate all user input on the server side (especially for forms); client-side checks are for usability, not security

For example, to secure Apache with Let's Encrypt (python3-certbot-nginx does the same for Nginx):

sudo apt install certbot python3-certbot-apache
sudo certbot --apache

Certbot installs a systemd timer that renews certificates automatically; confirm that renewal works with "sudo certbot renew --dry-run".

Step 12: Perform Regular Backups

No security hardening is complete without disaster recovery in mind: a backup that is recent, off-host and restorable is what turns a ransomware incident or a bad upgrade into an inconvenience.

Use rsync, borgbackup, or restic to automate daily backups. With BorgBackup (version 1.2 in Debian 12, where an encryption mode must be chosen when the repository is created):

sudo apt install borgbackup
borg init --encryption=repokey-blake2 /path/to/backup
borg create --stats /path/to/backup::backup-{now:%Y-%m-%d} /important/data
borg prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6 /path/to/backup

/path/to/backup can be a remote repository (user@backuphost:/srv/borg) reached over SSH, which is the usual way to get the copy off the server. Keep the repository passphrase and an exported copy of the key (borg key export) somewhere other than the server, or an encrypted backup is as lost as the host. Store backups off-site or on encrypted external drives, and restore a file from them periodically (borg extract) to prove the procedure works.


Conclusion

Security hardening is not a one-time setup but an ongoing process. Start with the essentials: system updates, firewalls, and access control. Then expand into service-specific configurations, logging, auditing, and application-level security. Debian 12 Bookworm provides robust tools to support a secure server, but it’s up to the administrator to apply and maintain these practices.

With these steps applied and re-checked after every change, you dramatically reduce the likelihood of a successful attack and make the attempts that remain visible in your logs, which is what keeps a public-facing server safe, stable, and trustworthy over time.