Linux Deep Dive
by Sergey Okinchuk
Shell ScriptingSSH Hardening

Chapter Twelve

Security and Hardening

Shrinking the attack surface of a Debian or Ubuntu server: locking down remote access, confining processes, recording who did what, blocking abuse, and keeping the system patched without leaking secrets.

5 topics

A default Debian or Ubuntu install is reasonably safe, but "reasonably safe" is not a security posture. Every open port, every process running as root, and every package you never patch is a path an attacker can walk. Hardening is the deliberate work of closing those paths one at a time, then proving they stayed closed.

This chapter works from the outside in. It starts at the network edge with SSH, the single most-attacked service on most servers, then moves to mandatory access control with AppArmor and SELinux, the audit trail that tells you what happened, automated tools that ban hostile clients, and finally the unglamorous discipline of patching and secret management that quietly prevents most real-world breaches.

Defense in depth on a server
SSH keysno passwords
Firewalldefault-deny
MACAppArmor / SELinux
fail2banban the noise
Patchingclose the holes

Topics in This Chapter

Topic 64
SSH Hardening
Turning OpenSSH from a default daemon into a locked door: key-only authentication, PermitRootLogin no, restricting accounts with AllowUsers, and the trade-offs of moving off port 22.
Accesssshd
Topic 65
SELinux and AppArmor
Mandatory access control beyond Unix permissions. AppArmor's path-based profiles are the Debian/Ubuntu default; SELinux's label-based enforcement is the RHEL default. Each confines a compromised process to the files it actually needs.
MACConfinement
Topic 66
Auditing
The kernel audit subsystem and auditd: writing rules that log file access, syscalls, and logins, then reading the trail with ausearch and aureport to reconstruct exactly what happened.
auditdForensics
Topic 67
Intrusion Prevention
Reacting to attacks and shrinking the surface. fail2ban bans brute-forcers from log patterns, AIDE baselines catch file tampering, and Lynis or CIS audits flag what is still exposed.
fail2banHardening
Topic 68
Patching and Secrets
The two disciplines that prevent most breaches: unattended-upgrades plus reboot coordination for kernel CVEs, and keeping credentials out of env vars, Git history, and world-readable files with a real secret store.
PatchingSecrets