Debian Server #
Debian comes with a lot of security tools, but it's up to the user to harden it.
I've yet to look into all of them properly, but the standouts were firewall and SSH hardening.
Firewall #
Firewalls scrutinize network packets and implement security policies, effectively barring unauthorized users or potentially harmful data from infiltrating or exiting a network. Notably, firewalls serve as gatekeepers, scrutinizing each network packet and deciding whether to permit or block it based on pre-set rules. This helps to ensure that only traffic deemed safe and legitimate is allowed through the firewall.
— Cisco
Firewalls usually separate a server from an outside network, such as the internet. Since my server sits behind a double NAT, it isn't publicly accessible. Still, a firewall is useful if the VPN or the local network is compromised, since it helps prevent privilege escalation from there.
Debian's default tool for firewall configuration is nftables. It is a fairly deep topic and requires manual rule writing, something I will look into in the future.
Uncomplicated Firewall #
For the time being, I settled on Uncomplicated Firewall (ufw).
- First I installed it:
sudo apt install ufw
- Then allowed all outbound connections:
sudo ufw default allow outgoing
- Disabled all incoming connections:
sudo ufw default deny incoming
- Made an exception for SSH:
sudo ufw allow ssh
- Enabled the service:
sudo ufw enable
- Allowed HTTP:
sudo ufw allow http/tcp
- Allowed the ports for all my services:
sudo ufw allow <port1,port2,port3,...etc.>/tcp
The allow command accepts at most 15 comma-separated ports per rule. If you have more than that to add, split them across multiple commands.
Fail2Ban #
Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses, for a configurable amount of time. Fail2Ban comes out-of-the-box ready to read many standard log files, such as those for sshd and Apache, and is easily configured to read any log file of your choosing, for any error you wish.
— Fail2Ban
Fail2ban is a good complement to SSH hardening, since it limits the effectiveness of brute-force attacks. Setting it up is very simple.
- Install the package:
sudo apt install fail2ban
- And enable the service:
sudo systemctl enable fail2ban.service
Docker #
Container Network Access #
By default, ports published by Docker containers bind to all host interfaces (0.0.0.0), so they are reachable from any network the host is attached to. You can restrict a port to localhost (127.0.0.1) by changing the host side of the port binding in a Docker Compose file, for example from 80:80 to 127.0.0.1:80:80.
The service is then not directly reachable from external IPs. You can still reach it through an SSH tunnel, or more conveniently through a reverse proxy such as NGINX. However, the proxy must run in the same Docker network as the container. Since my NGINX runs in a separate container and manually adding it to each service's network is cumbersome, I'll consider Traefik for a future Kubernetes-based setup.
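As an added example (not code from the original post), the check below walks the `services:` section of a Compose file, already loaded into Python objects, and reports every published port whose host side is not pinned to a loopback address, together with the corrected binding. It handles both the short `host_ip:host_port:container_port/proto` syntax and the long `target`/`published`/`host_ip` form; the sample services are constructed.

```python
# Flag Compose port mappings not pinned to a loopback address. Published ports land in
# Docker's own iptables chains ahead of host rules such as ufw's, so the bind address holds.
import ipaddress
import re

def parse_port_spec(spec):
    """Split "[host_ip:][host_port:]container_port[/proto]"; host_ip None means all interfaces."""
    spec, proto, host_ip = str(spec).strip(), "tcp", None
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    if m := re.match(r"^\[([^\]]+)\]:(.*)$", spec):  # bracketed IPv6 host address, e.g. [::1]:80:80
        host_ip, spec = m.groups()
    parts = spec.split(":")
    if host_ip is None and len(parts) == 3:
        host_ip, parts = parts[0], parts[1:]
    if len(parts) == 2:
        return host_ip, parts[0], parts[1], proto
    if len(parts) == 1:  # container port only: ephemeral host port on all interfaces
        return host_ip, None, parts[0], proto
    raise ValueError(f"unsupported port spec: {spec!r}")

def is_loopback_only(mapping):
    """True only when the host side (short or long syntax) is pinned to a loopback address."""
    host_ip = mapping.get("host_ip") if isinstance(mapping, dict) else parse_port_spec(mapping)[0]
    try:
        return host_ip is not None and ipaddress.ip_address(host_ip).is_loopback
    except ValueError:
        return False  # a hostname cannot be verified offline, so report it

def audit_ports(services):
    """Return (service, mapping, loopback-pinned mapping) for every exposed port in a `services:` section."""
    findings = []
    for name, svc in services.items():
        for mapping in svc.get("ports", []):
            if is_loopback_only(mapping):
                continue
            if isinstance(mapping, dict):
                fixed = dict(mapping, host_ip="127.0.0.1")
            else:
                _, host_port, container_port, proto = parse_port_spec(mapping)
                fixed = f"127.0.0.1:{host_port or ''}:{container_port}/{proto}"
            findings.append((name, mapping, fixed))
    return findings

# Constructed sample: the `services:` section of a compose file as a YAML loader returns it.
SAMPLE_SERVICES = {
    "web": {"image": "nginx", "ports": ["80:80", "127.0.0.1:443:443"]},
    "dns": {"image": "coredns", "ports": ["53:53/udp", "[::1]:53:53"]},
    "app": {"image": "app", "ports": [{"target": 8080, "published": 8080}, 9000]},
}
```

Feeding it the sample reports `web` 80:80, `dns` 53:53/udp and both `app` entries, while the two bindings already pinned to 127.0.0.1 and ::1 pass.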
Root #
The Docker daemon runs as root by default, so a container escape can give an attacker access to the entire host. Additionally, mounting /var/run/docker.sock into any container grants it full control over Docker on the host and, by extension, root. Switching to rootless Docker or Podman (which is rootless by default) removes this class of risk by running the daemon and containers as an unprivileged user.
For future configurations I will prioritize rootless container setups.