Changelog
Documenting a secure-ish installation of Debian, with partial references to the Debian security manual.
During installation, note the initial IP address (ip a) and the network services that are listening (lsof -nPi). Typically only DHCP (86/udp) and SSH (22/tcp) should be present after installation.
root@host:/usr/sbin# ls
The list of user binaries is even larger:
root@host:/usr/bin# ls
Very straightforward.
PermitRootLogin no
user:~$ touch .hushlogin
user:~$ su -
root:~# apt install vim ufw nginx htop
root:~# ufw allow 22/tcp
root:~# ufw allow 80/tcp
root:~# ufw allow 443/tcp
root:~# ufw deny to 224.0.0.1
root:~# ufw enable
root:~# >/etc/motd
apt update && apt upgrade
apt install -y curl vim htop
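An added audit helper for two of the checks in these notes (the listening-service inventory from lsof -nPi and the PermitRootLogin setting). It is example code written for this page, not from the original notes or from Debian, and assumes the default lsof column layout and an allowlist of 22/tcp, 80/tcp, 443/tcp plus the DHCP client port 68/udp.

```shell
#!/bin/sh
# Added post-install audit helpers; not from the original page.
# Assumes default "lsof -nPi" column layout and a Debian-style sshd_config.
# sshd takes the FIRST uncommented value of a keyword, so an appended
# "PermitRootLogin no" below an earlier "PermitRootLogin yes" is ignored.
# Pass files in the order sshd reads them: Debian 12 Includes
# /etc/ssh/sshd_config.d/*.conf at the top of sshd_config. Parsing stops
# at the first Match block, whose lines only apply conditionally.
sshd_root_login_disabled() {
    val=$(awk '
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == "permitrootlogin" { print tolower(f[2]); exit }
    ' "$@")
    [ "$val" = "no" ]
}

# Print listening sockets (port/proto) missing from the allowlist.
# $1 = saved "lsof -nPi" output; remaining args = allowed entries (22/tcp ...).
unexpected_listeners() {
    file=$1; shift
    awk -v allow=" $* " '
        NR == 1 { next }                           # column header
        $8 == "TCP" && $NF != "(LISTEN)" { next }  # connected TCP, not a listener
        $8 == "UDP" && $9 ~ /->/ { next }          # connected UDP socket
        $8 == "TCP" || $8 == "UDP" {
            n = split($9, a, ":"); key = a[n] "/" tolower($8)
            if (index(allow, " " key " ") == 0 && !seen[key]++) print key
        }' "$file"
}

# Constructed sample inputs, not captured from a real host.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
EOF
cat > "$tmp/lsof.txt" <<'EOF'
COMMAND  PID USER        FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 410 root        6u IPv4  12345      0t0  UDP *:68
sshd     612 root        3u IPv4  17325      0t0  TCP *:22 (LISTEN)
exim4    700 Debian-exim 5u IPv4  19001      0t0  TCP 127.0.0.1:25 (LISTEN)
nginx    880 root        6u IPv4  20111      0t0  TCP *:80 (LISTEN)
sshd     950 root        4u IPv4  21001      0t0  TCP 192.0.2.10:22->198.51.100.5:51514 (ESTABLISHED)
EOF

sshd_root_login_disabled "$tmp/sshd_config" || echo "WARNING: effective PermitRootLogin is not 'no'"
unexpected_listeners "$tmp/lsof.txt" 22/tcp 80/tcp 443/tcp 68/udp   # 68/udp: DHCP client
```

On a live host, sshd -T | grep -i permitrootlogin prints the effective value and is the authoritative check; the parser here is for reviewing a copied config offline.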