Secure Your Linux System: Complete Hardening Guide (Debian/Ubuntu)

Distribution Note

This guide is for Debian/Ubuntu and other .deb-based systems. For Arch Linux and Arch-based distributions (Manjaro, CachyOS, etc.), see Part 2: Hardening Arch Linux and CachyOS.

Key differences between distributions will be noted throughout this guide.

Why System Hardening Matters

A hardened system reduces attack surface and protects against:

This guide covers essential hardening steps for Debian/Ubuntu-based systems.

1. Initial System Setup

Update System

sudo apt update
sudo apt upgrade -y
sudo apt autoremove
sudo apt autoclean

Configure Automatic Updates

sudo apt install unattended-upgrades

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

# Mail a report to root and exclude no packages from automatic upgrades.
# The security origin ("${distro_id}:${distro_codename}-security") is already
# enabled in this file by default.
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::Package-Blacklist {};

# Activate the periodic run (writes /etc/apt/apt.conf.d/20auto-upgrades),
# then dry-run once to confirm it picks up the security origin
sudo dpkg-reconfigure -plow unattended-upgrades
sudo unattended-upgrades --dry-run --debug

Set Timezone and NTP

timedatectl set-timezone UTC
timedatectl set-ntp true
timedatectl status

2. User and Group Management

Disable Root Login

# Set root password to impossible value
sudo usermod -p '!' root

# Or lock the account
sudo passwd -l root

Create Non-Root User

sudo useradd -m -s /bin/bash -G sudo newuser
sudo passwd newuser

Configure sudo

sudo visudo

# Grant specific users passwordless access to a single command. Scope these
# tightly: systemctl and docker can each be turned into a root shell, so
# NOPASSWD on them is effectively NOPASSWD: ALL.
newuser ALL=(ALL) NOPASSWD: /bin/systemctl
deploy ALL=(ALL) NOPASSWD: /usr/bin/docker

# Run every sudo command in its own pseudo-terminal (limits tty hijacking by
# the invoked command); this does not change password prompting
Defaults use_pty

# Validate the file before relying on it (a syntax error locks everyone out of sudo)
sudo visudo -cf /etc/sudoers

3. Filesystem Hardening

Mount Options

# Add to /etc/fstab (fields: device mountpoint type options dump pass)
/dev/sda1 /boot        ext4  defaults,ro,nodev,nosuid,noexec 0 2
/dev/sda2 /            ext4  defaults,nodev                  0 1
tmpfs     /tmp         tmpfs defaults,nodev,nosuid,noexec    0 0
/dev/sda4 /var         ext4  defaults,nodev                  0 2
tmpfs     /var/tmp     tmpfs defaults,nodev,nosuid,noexec    0 0
/dev/sda6 /var/log     ext4  defaults,nodev,nosuid,noexec    0 2
/dev/sda7 /home        ext4  defaults,nodev,nosuid           0 2

# A read-only /boot must be remounted read-write (mount -o remount,rw /boot)
# before kernel or GRUB updates, and noexec on /tmp breaks installers that run
# scripts from there; test a package upgrade after changing these.

# Validate the file, then apply changes (a mount point that is not mounted yet
# needs "sudo mount /tmp" or a reboot rather than a remount)
sudo findmnt --verify
sudo mount -o remount /tmp
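Mount options are only as good as what is actually mounted: a typo in fstab, a later remount, or a package that mounts /tmp its own way silently drops a flag. The script below is an added example (not part of the original guide) that compares each mount's live options from /proc/self/mounts against a small policy file. The mount table and policy used for the demo are constructed, and the policy path /etc/mount-policy.conf is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: audit live mount options against a policy.
# /proc/self/mounts lines look like: <source> <mountpoint> <fstype> <options> <dump> <pass>

# check_mount_opts MOUNTS_FILE MOUNTPOINT REQUIRED_OPTS(comma-separated)
# Prints "ok" or "missing: <opts>" (return 0), or "not mounted" (return 1).
check_mount_opts() {
  mounts_file=$1; mp=$2; required=$3
  # Take the options of the last entry for this mountpoint; a later mount shadows an earlier one.
  opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
  if [ -z "$opts" ]; then
    echo "not mounted"
    return 1
  fi
  missing=""
  for want in $(printf '%s' "$required" | tr ',' ' '); do
    case ",$opts," in
      *",$want,"*) ;;                 # option present
      *) missing="$missing $want" ;;  # option absent
    esac
  done
  if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# audit_mounts MOUNTS_FILE POLICY_FILE
# Policy lines: "<mountpoint> <comma-separated required options>"; '#' starts a comment.
# Prints "<mountpoint> <result>" per policy line.
audit_mounts() {
  mounts_file=$1; policy_file=$2
  while read -r mp required; do
    case "$mp" in ''|\#*) continue ;; esac
    echo "$mp $(check_mount_opts "$mounts_file" "$mp" "$required" || true)"
  done < "$policy_file"
}

# --- Constructed sample data (not taken from a real host) ---
write_sample_mounts() {
  cat > "$1" <<'EOF'
/dev/sda2 / ext4 rw,relatime,nodev 0 0
/dev/sda1 /boot ext4 ro,relatime,nodev,nosuid,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda7 /home ext4 rw,relatime,nodev 0 0
EOF
}
write_sample_policy() {
  cat > "$1" <<'EOF'
# mountpoint  required options
/boot    nodev,nosuid,noexec
/tmp     nodev,nosuid,noexec
/home    nodev,nosuid
/var/tmp nodev,nosuid,noexec
EOF
}

# Demo against the constructed data; on a host: audit_mounts /proc/self/mounts /etc/mount-policy.conf
if [ "${1:-}" = "--demo" ]; then
  m=$(mktemp); p=$(mktemp)
  write_sample_mounts "$m"; write_sample_policy "$p"
  audit_mounts "$m" "$p"
  rm -f "$m" "$p"
fi
```

Run with --demo to see the four verdicts (/boot ok, /tmp ok, /home missing nosuid, /var/tmp not mounted); on a real host the policy file is the list from your fstab, and a non-"ok" line is the thing to investigate.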

Check Permissions

# Critical files should be restricted. Debian/Ubuntu keep the shadow files
# readable by group "shadow" (the setgid helper unix_chkpwd needs it), so
# 600/000 breaks password checks performed by non-root services.
sudo chown root:shadow /etc/shadow /etc/gshadow
sudo chmod 640 /etc/shadow /etc/gshadow
sudo chmod 644 /etc/passwd /etc/group

# SUID/SGID binaries (check regularly and compare against a known-good list)
sudo find / -type f -perm -4000 -ls 2>/dev/null
sudo find / -type f -perm -2000 -ls 2>/dev/null
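Listing SUID/SGID files is only useful if you can tell what changed since last time. The script below is an added example (not part of the original guide): it records a baseline of setuid/setgid files and on later runs reports anything that appeared or vanished. The demo tree it builds is constructed, and the baseline path /var/lib/setid.baseline is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: baseline the SUID/SGID files on a
# host and report any that appear or disappear later. A new setuid binary is a
# classic persistence artefact; a missing one may be a broken package.

# list_setid ROOT -> sorted "<octal mode> <path>" for setuid/setgid regular files under ROOT
list_setid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' 2>/dev/null | sort
}

# setid_diff BASELINE CURRENT -> "+ mode path" for additions, "- mode path" for removals
setid_diff() {
  comm -13 "$1" "$2" | sed 's/^/+ /'
  comm -23 "$1" "$2" | sed 's/^/- /'
}

# setid_check ROOT BASELINE_FILE
# First run writes the baseline; later runs print "no change" (return 0) or the drift (return 1).
setid_check() {
  root=$1; baseline=$2
  current=$(mktemp)
  list_setid "$root" > "$current"
  if [ ! -f "$baseline" ]; then
    cp "$current" "$baseline"
    echo "baseline created: $(wc -l < "$baseline" | tr -d ' ') entries"
    rm -f "$current"
    return 0
  fi
  drift=$(setid_diff "$baseline" "$current")
  rm -f "$current"
  if [ -z "$drift" ]; then
    echo "no change"
    return 0
  fi
  echo "$drift"
  return 1
}

# Constructed demo tree (not a real system): two setid files and one ordinary file.
demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/bin" "$d/lib"
  : > "$d/bin/a";     chmod 4755 "$d/bin/a"      # setuid
  : > "$d/lib/b";     chmod 2755 "$d/lib/b"      # setgid
  : > "$d/bin/plain"; chmod 755  "$d/bin/plain"  # neither
  echo "$d"
}

# On a host (paths are assumptions): sudo ./setid-check.sh / /var/lib/setid.baseline, e.g. daily from cron.
if [ "${1:-}" = "--demo" ]; then
  d=$(demo_tree); b=$(mktemp -u)
  setid_check "$d" "$b"                          # baseline created: 2 entries
  : > "$d/bin/c"; chmod 4755 "$d/bin/c"          # simulate a new setuid file appearing
  setid_check "$d" "$b" || echo "drift detected"
  rm -rf "$d" "$b"
elif [ $# -eq 2 ]; then
  setid_check "$1" "$2"
fi
```

The baseline should live somewhere an intruder with a fresh setuid binary cannot also edit (root-owned, or better, copied off the host), otherwise the check only confirms what they wrote. Package upgrades legitimately change this list, so re-baseline after a planned upgrade and treat everything else as an incident to explain.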

4. Network Hardening

Configure Firewall (UFW)

sudo apt install ufw

# Default policy
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow specific services. Allow SSH before enabling the firewall, or a remote
# session is cut off; "limit" instead of "allow" adds a rate limit on new
# connections (sudo ufw limit ssh/tcp).
sudo ufw allow ssh/tcp
sudo ufw allow http/tcp
sudo ufw allow https/tcp
sudo ufw allow 8080/tcp

# Enable firewall
sudo ufw enable

# Status
sudo ufw status numbered

Kernel Parameters

sudo nano /etc/sysctl.d/99-hardening.conf

# Add:
# Disable IP forwarding (leave it on if the host routes or runs containers)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Ignore ICMP echo requests (note: this also hides the host from ping-based monitoring)
net.ipv4.icmp_echo_ignore_all = 1

# Disable IPv6 entirely (only if nothing needs it; otherwise harden it like IPv4)
net.ipv6.conf.all.disable_ipv6 = 1

# Enable SYN cookies
net.ipv4.tcp_syncookies = 1

# Reverse path filtering, and log packets with unroutable source addresses
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1

# Do not accept or send ICMP redirects, and drop source-routed packets
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

# Ignore bogus error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Apply changes. Files in /etc/sysctl.d are applied in lexical order, so a
# file sorting after 99-hardening.conf can override these values.
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
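Writing the drop-in does not guarantee the kernel still holds those values a week later: a later file in /etc/sysctl.d, a container runtime or a VPN client can flip ip_forward or rp_filter back. The script below is an added example (not from the original guide) that parses a sysctl file and compares each key with what a reader command reports. On a host the reader is "sysctl -n"; the demo uses a constructed stand-in with made-up values so it runs anywhere.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: detect drift between a sysctl
# drop-in file and the values the running kernel actually holds.

# parse_sysctl_conf FILE -> "key=value" per setting (comments, blanks and spacing removed)
parse_sysctl_conf() {
  sed -e 's/[#;].*//' \
      -e '/^[[:space:]]*$/d' \
      -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# sysctl_drift FILE READER
# READER is a command that prints the current value of a key, e.g. "sysctl -n".
# Prints "<key> expected=<x> actual=<y>" per mismatch; returns 1 if any mismatch.
sysctl_drift() {
  conf=$1; reader=$2; rc=0
  while IFS='=' read -r key want; do
    have=$($reader "$key" 2>/dev/null || echo "<unset>")
    if [ "$have" != "$want" ]; then
      echo "$key expected=$want actual=$have"
      rc=1
    fi
  done <<EOF
$(parse_sysctl_conf "$conf")
EOF
  return $rc
}

# --- Constructed demo (not a real host) ---
# Stand-in for "sysctl -n": ip_forward has been flipped back to 1 behind our back,
# and log_martians was never set.
fake_sysctl() {
  case "$1" in
    net.ipv4.ip_forward)          echo 1 ;;
    net.ipv4.tcp_syncookies)      echo 1 ;;
    net.ipv4.conf.all.rp_filter)  echo 1 ;;
    *) return 1 ;;                         # unknown key, like sysctl on a missing /proc/sys entry
  esac
}
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed excerpt of /etc/sysctl.d/99-hardening.conf
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
EOF
}

# On a host: sysctl_drift /etc/sysctl.d/99-hardening.conf "sysctl -n"
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); write_sample_conf "$f"
  sysctl_drift "$f" fake_sysctl || echo "drift found"
  rm -f "$f"
fi
```

The non-zero exit status makes the function usable from cron or a monitoring check; the "<unset>" marker distinguishes a key the kernel does not expose (module not loaded, IPv6 disabled) from a key that merely has the wrong value.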

Disable Unnecessary Services

# Identify listening ports
sudo ss -tlnp

# Disable unnecessary services. Stop and disable the .socket/.path units too,
# or socket activation starts the service again on the next request.
sudo systemctl disable --now avahi-daemon.service avahi-daemon.socket
sudo systemctl disable --now cups.service cups.socket cups.path

# Optional: mask them so nothing can start them through a dependency
sudo systemctl mask avahi-daemon.service cups.service

5. Authentication Hardening

Configure PAM

sudo apt install libpam-pwquality
sudo nano /etc/security/pwquality.conf

# At least 14 characters; at least one digit, upper-case, lower-case and other
# character (negative credit = required count); at least 4 characters different
# from the previous password; no more than 3 identical characters in a row
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
difok = 4
maxrepeat = 3

Failed Login Attempts

sudo nano /etc/pam.d/common-auth

# Add pam_tally2 before the pam_unix line (Linux-PAM 1.4 and older: Debian 11, Ubuntu 22.04)
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

# Linux-PAM 1.5 (Debian 12, Ubuntu 24.04) removed pam_tally2; use pam_faillock
# instead: the preauth line goes before pam_unix, the authfail line after it.
# deny/unlock_time can also live in /etc/security/faillock.conf.
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900

# Inspect and clear lockouts
sudo faillock --user newuser
sudo faillock --user newuser --reset

Password Aging

sudo nano /etc/login.defs

PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    14
PASS_WARN_AGE   7

# PASS_MIN_LEN is not consulted when pam_pwquality handles password changes;
# the minlen above is what applies. login.defs only affects accounts created
# afterwards, so apply the aging rules to existing users explicitly:
sudo chage --maxdays 90 --mindays 1 --warndays 7 newuser
sudo chage -l newuser

6. SSH Hardening (Advanced)

Restrict Authorized Keys

# Create a dedicated key for the restricted use (no passphrase because it is
# used non-interactively for a forced command; protect the private key file
# with filesystem permissions instead)
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_restricted -N ""

# Force command execution (the server runs this program whatever the client asks for)
echo 'command="/usr/local/bin/allowed-script" ssh-ed25519 AAAA...' >> ~/.ssh/authorized_keys

# Restrict by source address
echo 'from="10.0.0.0/8" ssh-ed25519 AAAA...' >> ~/.ssh/authorized_keys

# Options combine, and "restrict" (OpenSSH 7.2+) additionally disables pty
# allocation and agent, port and X11 forwarding
echo 'restrict,from="10.0.0.0/8",command="/usr/local/bin/allowed-script" ssh-ed25519 AAAA...' >> ~/.ssh/authorized_keys
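Appending entries by hand works for one key; what you need later is a way to see which keys in an authorized_keys file carry no restrictions at all. The script below is an added example (not part of the original guide): it emits a fully restricted entry for a public key and lists the entries of an existing file that start directly with a key type, i.e. have no options in front of them. The key material in the sample is a constructed placeholder, not a real key.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: build a fully restricted
# authorized_keys entry and audit a file for entries that carry no options.
# All key material below is a constructed placeholder.

# restricted_entry PUBKEY_LINE FROM_PATTERN COMMAND -> one authorized_keys line.
# "restrict" (OpenSSH 7.2+) disables pty allocation and agent/port/X11 forwarding;
# from= limits the source addresses; command= forces the program the server runs
# no matter what the client requested.
restricted_entry() {
  pubkey=$1; from=$2; cmd=$3
  printf 'restrict,from="%s",command="%s" %s\n' "$from" "$cmd" "$pubkey"
}

# unrestricted_keys FILE -> the comment (or "<no comment>") of every entry that
# begins directly with a key type, i.e. has no option list in front of it.
unrestricted_keys() {
  awk '
    /^[[:space:]]*#/ { next }      # comment line
    NF == 0          { next }      # blank line
    # A line that starts with a key type has no options; entries with options
    # start with the option list instead (e.g. restrict,from=...).
    $1 ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-|sk-)/ {
      print ($3 == "" ? "<no comment>" : $3)
    }
  ' "$1"
}

# Constructed sample (FAKE key material, not real keys)
write_sample_keys() {
  cat > "$1" <<'EOF'
# deploy keys for example.invalid
ssh-ed25519 AAAAC3FAKEKEYMATERIALONE alice@laptop
restrict,from="10.0.0.0/8",command="/usr/local/bin/allowed-script" ssh-ed25519 AAAAC3FAKEKEYMATERIALTWO deploy@ci

ssh-rsa AAAAB3FAKEKEYMATERIALTHREE
EOF
}

# On a host: unrestricted_keys ~/.ssh/authorized_keys
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); write_sample_keys "$f"
  echo "entries without options:"; unrestricted_keys "$f"
  echo "restricted form of the first key:"
  restricted_entry "$(sed -n 2p "$f")" "10.0.0.0/8" "/usr/local/bin/allowed-script"
  rm -f "$f"
fi
```

The audit deliberately reports only entries with no options at all; an entry that has some option (say only from=) still needs a human to decide whether it is restricted enough. For the authoritative view of what sshd will accept, ssh-keygen -lf FILE lists every key it can parse.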

7. File Integrity Monitoring

Install AIDE

sudo apt install aide aide-common

# Initialize database (runs aide --init with the Debian configuration and
# installs the result as /var/lib/aide/aide.db)
sudo aideinit

# Check integrity. aide.wrapper passes Debian's generated configuration. Build
# the baseline from a known-good state and keep a copy of the database off the
# host, otherwise an intruder can simply regenerate it after making changes.
sudo aide.wrapper --check

Monitor with Auditd

sudo apt install auditd audispd-plugins

# Monitor sudoers (the file and its drop-in directory) for writes and attribute changes
echo '-w /etc/sudoers -p wa -k sudoers_changes' | sudo tee -a /etc/audit/rules.d/audit.rules
echo '-w /etc/sudoers.d/ -p wa -k sudoers_changes' | sudo tee -a /etc/audit/rules.d/audit.rules

# Monitor account database changes (-p wa = write and attribute change; add r to record reads)
echo '-w /etc/passwd -p wa -k passwd_changes' | sudo tee -a /etc/audit/rules.d/audit.rules
echo '-w /etc/shadow -p wa -k passwd_changes' | sudo tee -a /etc/audit/rules.d/audit.rules

# Compile rules.d/*.rules into /etc/audit/audit.rules and load them
sudo augenrules --load

# Check logs
sudo ausearch -k sudoers_changes
sudo aureport -k --summary
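ausearch answers "what happened under this key"; when reviewing in bulk or shipping events elsewhere you usually want the inverse: per key, who (login UID, not the effective UID, which is 0 after sudo) ran which executable, and how often. The script below is an added example (not from the original guide) that builds that summary from raw audit.log records; the sample records are constructed and every value in them is made up.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: summarise raw auditd records by
# rule key, login UID (auid) and executable. ausearch/aureport are the native
# tools; this shows what they are reading and gives a SIEM-friendly shape.

# audit_summary FILE -> "<count> <key> auid=<auid> exe=<exe>", most frequent first.
# Only SYSCALL records with a key are counted; the PATH/CWD records of the same
# event share its serial and would double-count it.
audit_summary() {
  awk '
    $1 == "type=SYSCALL" {
      k = ""; a = ""; e = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "key")  k = kv[2]
        if (kv[1] == "auid") a = kv[2]
        if (kv[1] == "exe")  e = kv[2]
      }
      if (k == "" || k == "(null)") next      # event matched no keyed rule
      gsub(/"/, "", k); gsub(/"/, "", e)
      n[k " auid=" a " exe=" e]++
    }
    END { for (x in n) print n[x], x }
  ' "$1" | sort -rn
}

# audit_unattributed FILE -> number of keyed SYSCALL records whose auid is unset
# (4294967295): actions taken by daemons or cron rather than a logged-in user.
audit_unattributed() {
  awk '$1 == "type=SYSCALL" && /key="/ && /auid=4294967295/ { c++ } END { print c + 0 }' "$1"
}

# Constructed sample in audit.log format (all values made up; real records are in /var/log/audit/audit.log)
write_sample_audit() {
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" subj=unconfined key="sudoers_changes"
type=PATH msg=audit(1700000000.101:301): item=1 name="/etc/sudoers" inode=1234 dev=08:02 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:302): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1 a2=241 a3=1b6 items=2 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" subj=unconfined key="sudoers_changes"
type=SYSCALL msg=audit(1700000000.303:303): arch=c000003e syscall=82 success=yes exit=0 a0=1 a1=2 a2=0 a3=0 items=4 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="usermod" exe="/usr/sbin/usermod" subj=unconfined key="passwd_changes"
type=SYSCALL msg=audit(1700000000.404:304): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1200 pid=1350 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined key=(null)
EOF
}

# On a host: audit_summary /var/log/audit/audit.log
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); write_sample_audit "$f"
  audit_summary "$f"
  echo "unattributed keyed events: $(audit_unattributed "$f")"
  rm -f "$f"
fi
```

The auid field is the reason to key on it: it is set at login and survives su and sudo, so "auid=1000 exe=/usr/bin/vi key=sudoers_changes" tells you which person edited sudoers even though uid=0 at the time. An unset auid on a keyed event means the change came from a service or a cron job, which is either expected automation or worth a closer look.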

8. Logging and Monitoring

Configure rsyslog

sudo nano /etc/rsyslog.conf

# Forward a copy of all logs to a collector if one exists (@@ = TCP, @ = UDP);
# the remote copy is what survives if an intruder wipes the local logs
#*.* @@syslog-server:514

# Set log permissions
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

Monitor System Logs

# Watch auth logs for suspicious activity (/var/log/auth.log exists where rsyslog
# is installed; on journal-only hosts use: sudo journalctl -u ssh -f)
sudo tail -f /var/log/auth.log | grep -i failed

# Check for recent privilege escalation via sudo
sudo grep 'sudo:' /var/log/auth.log | tail -20

# Monitor system errors
sudo journalctl -p err -f
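Watching a tail for the word "failed" tells you something is happening but not how much or from where. The script below is an added example (not from the original guide) that turns the same auth.log lines into counts per source address, a threshold-based list of sources to block or investigate, the non-existent user names being tried, and the commands run through sudo. The log lines in it are constructed; on journal-only hosts the same functions work on the output of journalctl -u ssh -o short --no-pager, which has the same line shape.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: summarise failed SSH logins and
# sudo use from auth.log-style lines. Sample lines are constructed.

# failed_by_ip FILE -> "<count> <ip>" per source address, most frequent first
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# flag_brute FILE THRESHOLD -> sources with at least THRESHOLD failed attempts
flag_brute() {
  failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# invalid_users FILE -> user names tried that do not exist on the host (sorted, unique);
# a list of "admin", "test", "oracle" is the signature of a scanner, not a typo
invalid_users() {
  awk '/Failed password for invalid user/ { print $11 }' "$1" | sort -u
}

# sudo_commands FILE -> "<user> <command>" for every command run through sudo
sudo_commands() {
  awk '/ sudo: / { u = $6; sub(/.*COMMAND=/, ""); print u, $0 }' "$1"
}

# Constructed sample (addresses are from the documentation ranges; nothing here is real)
write_sample_authlog() {
  cat > "$1" <<'EOF'
Jan 10 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 10:00:05 host sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Jan 10 10:00:07 host sshd[1237]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 10:00:09 host sshd[1238]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 10 10:00:30 host sshd[1239]: Failed password for alice from 198.51.100.20 port 50000 ssh2
Jan 10 10:01:00 host sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:FAKEFINGERPRINT
Jan 10 10:02:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
EOF
}

# On a host: flag_brute /var/log/auth.log 5
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); write_sample_authlog "$f"
  echo "failed logins by source:"; failed_by_ip "$f"
  echo "sources at or over 5 failures:"; flag_brute "$f" 5
  echo "non-existent users tried:"; invalid_users "$f"
  echo "sudo commands:"; sudo_commands "$f"
  rm -f "$f"
fi
```

A single user mistyping a password produces one or two failures from one address; the five-in-ten-seconds pattern against root and non-existent users is what fail2ban reacts to automatically, and flag_brute is the manual equivalent for the log you already have.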

9. Application Hardening

AppArmor Profiles

# Check active profiles (apparmor-utils provides aa-enforce/aa-complain)
sudo apt install apparmor-utils
sudo aa-status

# Enable profiles in enforce mode (use aa-complain first to log violations
# without blocking while you confirm the profile fits the workload)
sudo aa-enforce /etc/apparmor.d/usr.bin.man

# Monitor violations (denials are kernel audit messages)
sudo journalctl -k | grep -i 'apparmor="DENIED"'
sudo grep apparmor /var/log/syslog | tail -10

10. Security Tools

Install Security Tools

# ClamAV antivirus. Signature updates are handled by the clamav-freshclam
# service; run freshclam by hand only while that service is stopped, since
# both want the same database lock.
sudo apt install clamav clamav-daemon
sudo freshclam

# Lynis - Security audit
sudo apt install lynis
sudo lynis audit system

# fail2ban - Already covered in SSH section

Vulnerability Scanning

# Lynis non-interactive audit (--quick skips the "press enter" pauses between sections)
sudo lynis audit system --quick

# Check for listening ports (netstat is deprecated and not installed by default; ss is in iproute2)
sudo ss -tlnp

# Which accounts are running processes, and how many each (unexpected
# accounts with running processes deserve a look)
ps -eo user= | sort | uniq -c | sort -rn

11. Secure Boot Configuration

Enable UEFI Secure Boot

# Check status
mokutil --sb-state

# If disabled, enable in BIOS/UEFI

Kernel Hardening

# Add to /etc/default/grub
GRUB_CMDLINE_LINUX="... apparmor=1 security=apparmor"

# Update grub
sudo update-grub

12. Backup and Recovery

Automated Backups

#!/bin/bash
set -u

BACKUP_DIR="/backups"
RETENTION_DAYS=30
mkdir -p "$BACKUP_DIR"

# Full system backup. Exclude pseudo-filesystems, volatile directories and the
# backup directory itself (otherwise the archive tries to include itself).
# --numeric-owner keeps UIDs/GIDs stable for a restore onto a fresh install.
tar --exclude=/proc --exclude=/sys --exclude=/dev \
    --exclude=/tmp --exclude=/run --exclude=/mnt --exclude=/media \
    --exclude="$BACKUP_DIR" \
    --numeric-owner --acls --xattrs \
    -czf "$BACKUP_DIR/system_$(date +%Y%m%d).tar.gz" /
# tar exits 1 for "file changed as we read it", which is normal on a live
# system; anything above 1 is a real failure
status=$?
[ "$status" -le 1 ] || { echo "backup failed with status $status" >&2; exit "$status"; }

# Remove old backups (only this script's archives, never other files in the directory)
find "$BACKUP_DIR" -type f -name 'system_*.tar.gz' -mtime +"$RETENTION_DAYS" -delete

# Copy the archives off this host: a backup that lives only on the machine it
# protects is lost together with it.

Security Checklist

Verification

# Quick security audit
sudo lynis audit system --quick

# Accounts with UID 0 (only root should appear)
awk -F: '$3 == 0 {print $1}' /etc/passwd

# Verify the effective SSH configuration (what sshd actually uses, after all Include files)
sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|pubkeyauthentication) '

# Check firewall status
sudo ufw status verbose

Hardening Frameworks

For Arch Linux Users

If you’re running Arch Linux, CachyOS, Manjaro, or other Arch-based distributions, check out Part 2: Hardening Arch Linux and CachyOS for distribution-specific hardening techniques using pacman, systemd, and Arch-specific tools.

Conclusion

System hardening is an ongoing process. Start with basic measures and progressively implement advanced hardening based on your threat model and compliance requirements.

Resources