4

So I have thought a bit about hardening a Debian squeeze file & VPN server lately.
Right now, we've placed the machine behind a firewall only allowing SSH connections from LAN, set a strong root password and installed unattended-upgrades to keep us fresh on those security fixes.

What more should we do?

Industrial
  • 1,771
  • 4
  • 13
  • 12
  • 1
    `unattended-upgrades` is quite a bad idea. Your sysadmin should be keeping an eye on the mailing list and committing those fixes manually as needed. It promotes laziness and not keeping up to date with security issues. – Chris Down Feb 04 '12 at 13:30
  • 4
    Have you read the [Securing Debian](http://www.debian.org/doc/manuals/securing-debian-howto/) manual? – sakisk Feb 04 '12 at 18:16

2 Answers2

4

Have a quick read of the more general Hardening Linux question over on Security Stack Exchange

It includes guidance on removal of weak services, maintenance of security, links to SANS guidance etc., and while it is for general Linux, 90% of it will be absolutely appropriate for Debian.

Community
  • 1
Rory Alsop
  • 2,063
  • 15
  • 30
1

I see no problems with unattended updates. They are better than no updates or late updates. If you can afford manual update - good luck if you run more than 50 servers...

It has been a long time I ran Debian, but I bet bastille is sill around. Just run it - it will help you along the way.

Nils
  • 18,202
  • 11
  • 46
  • 82