Debian 12 … is amazing! How to: Create your custom codehouse [Part 3B/4]
Anna
Posted on November 10, 2024
Securing your Debian against Network-Based attacks.
I have made the decision to split the broad topic "Debian security mechanisms and how to administer the system securely" due to the amount of content and the length of the article if both parts were combined. The first part (3A of the entire series) focuses on protecting your Debian system against malware. I have detailed good practices for managing your system’s software, including configuring package repositories, handling package updates, using private repositories, and a remark on antivirus tools. Additionally, that part addressed password and permission management.
To keep us on the same page, I will repeat how I understand a system became compromised and the main threats that can lead to it:
ಠ_ಠ Your system got affected by malware or a virus. The primary risk here is when you download/install/run third-party software that turns out to be malicious. <--- Previous part of series (managing system's software)
ಠ_ಠ An outside attacker hacked in and got access to your stuff, when you exposed your system to the internet without adequate protection. <--- This article's focus
ಠ_ಠ Someone unauthorized gained physical access to your PC, and accessed your system directly without your permission, because you made your system access easy for them to do so. <--- Previous part of series (managing passwords & permissions)
The article you are reading now is focused on securing Debian against Network-Based attacks and covers following topics:
① Monitoring systemd services for security oversight.
② Configuring Network & Open ports & Firewall
① Monitoring systemd
services for security oversight.
Software is a broad concept. For example, text editor Vim is a software, so the MongoDB is. But how this software behave and run on your system may greatly differ.
Take Vim, for instance: you run vim <filename>
, make edits, save changes, and exit. But MongoDB? You install it, and then…? If you follow the official installation guide, you’ll see that after you have installed mongodb
, you have to execute command like systemctl start mongod
. Why don't you need to start Vim this way?
That’s because MongoDB runs as a server — a database server. Once started, it runs continuously in the background until you manually stop it. It’s a background process, a “daemon,” managed by systemd
. But what exactly is systemd
, and what’s a daemon?
A daemon, or system service, is a background process usually started during the boot sequence. Daemons typically run independent of users, waiting for events to occur and providing services in response (Source)
All Debian system services are managed by systemd
.
systemd is a system and service manager for Linux, handling the entire process from system boot to shutdown. Systemd runs as a daemon with PID (process ID) 1.
Systemd uses unit files to control related processes, simplifying system administration. The most common units are services (.service), mount points (.mount), devices (.device), sockets (.socket), or timers (.timer).
Service units: These units define services provided bysystemd
and control how they are started, stopped, and managed.
Socket units: Socket units manage network or IPC sockets used for inter-process communication.
Target units: Target units represent groups of services that need to be reached, such as multi-user or graphical.target.
systemctl
is the main tool used to introspect and control the state of thesystemd
system and service manager. You can usesystemctl
for instance toenable/disable
services permanently or only for the current session. (source)
So, what can you do with systemd services? They seem well-managed by the systemd, so everything should be ok, right? Well, actually it is in your hands to control how many services are running. Take MongoDB, for instance. Let’s say you’re exploring different databases — Postgres, MongoDB, InfluxDB. You try them out, decide on one, and don’t need the others. Delete them! Or, if you don’t want to delete, just stop the services from running.
Similarly, don’t install services you don’t need, like Apache or Nginx if you’re not hosting a web server. Another service to consider is the SSH server. SSH is essential for remote access on servers — in enterprise setting employees often use it to connect from laptops to servers. But while it’s easy to use, managing a secure connection isn’t as simple.
For example, if you have a powerful PC and want to connect to it via SSH from your laptop over Wi-Fi (so you can relax on the sofa rather than working from your desk), that’s one thing. But if you’re considering connecting from a different network (like outside your house Wi-Fi network), you’ll need to expose your PC to the internet. If you’re not well-versed in networking or private VPNs, don’t do this. And if you installed SSH just for this reason and now realize the risks, disable the service — or even uninstall the SSH server entirely.
You can explore services managed with systemd
that are already present in your freshly installed Debian with following commands:
systemctl
systemctl list-units --type=service --state=running
systemctl list-units --state=running
ecc...
One of the things I love most about Debian minimal install (netinstall) is that it starts with the bare minimum — just enough to get your system up and running easily. If you’re here reading this article and you’re on Ubuntu, and now you’ve decided to review everything on your system… well, good luck with that! (Sorry, I have a bit of a beef with Ubuntu)
Summarizing:
- 🦄 Keep an eye on services running on your machine.
- 🦄 Do not enable services carelessly and stop services which you are not using. *** ### ② Configuring Network & Open ports & Firewall
As I mentioned at the start of this article, there are two scenarios where security measures differ. One scenario is personal use: your PC is just for you — you do some stuff on your PC, you browse internet, you upload something to the Internet, and download something from the Internet. Here, the main security risk is pretty clear: accidentally downloading or installing something harmful for your PC.
In the other scenario, you’re using your PC to host or run a public service. Maybe you’ve created a website and decided to host it on your own machine, or you’ve set up an SSH server to log into your PC from anywhere on the planet. These setups are less common on regular PCs, as they’re generally meant for servers. To make these functions work, usually you’d need your PC running 24/7, without downtime.
However, even if you’re not hosting services that expose your PC to the internet, understanding a bit how your PC interacts with Internet would be not excessive, wouldn’t it? After all, your PC is constantly connected to the Internet (I assume), so there’s that slight unease when you think about it, right?
②.① Network & Open ports & Firewall: about🪄 Wi Fi magic, local network vs Internet, IP addresses.
The classical setup is that there is a Wi-Fi router in your house, and this magic thing connects you to the internet. Your house has a physical address — unique — country, city, street, number, postal code. Your router also has a unique address — public IP address. But who gave you this address? Is it somewhere in your contract with your internet provider? Well… it depends. Some providers give you a dynamic IP address unless you pay extra for a static one. It’s your internet provider who assigns you the public IP address.
Alright, so it is more or less clear with router and its address. But at anyone’s house with one router, multiple devices can be connected to a Wi-Fi router — yours, and maybe others from people you live with. Now, you’ve installed Debian on your PC, and you can browse the web… but what actually happened after installation? Did your internet provider get notified to issue a unique IP address to your new Debian PC? And what if you reinstall tomorrow — will you get a different IP address? No.
Your router has a unique public IP address, but the devices connected to your Wi-Fi don’t have public IPs. Instead, they have IP addresses within your local network (the network managed by your router). These addresses are unique within your local network but not globally.
Think of it like physical addresses: let’s say my apartment number is 10 and I live in city X, and yours is also 10 but you live in city Z. Can we exchange letters directly? No way. But within my building, I could leave a letter for neighbors in apartment 11, and it would reach them. This is similar to how you can mirror your phone screen to your TV if both are on the same Wi-Fi network — they can “talk” to each other within your local network, because they know how to “find each other”. Here is the simplified scheme:
You can try to see what is the IP address of your PC. Later on, I will show how to configure Wi-Fi. For now, I will continue with some theory behind it.
# run a command that will display you summary of available network interfaces, their details and statuses
ip a
You will see something like this in the output:
-- 1. lo
-- This is the loopback interface (lo) - special network interface
-- that your PC uses to communicate with itself
-- It typically has an IP address of 127.0.0.1,
-- which is known as the "localhost" address.
-- 2.enoN (most probably, eno1)
-- this is your wired network interface
-- state is supposed to be UP if you are using it and still did not connect to Wi Fi
-- you will see IP of your system within local network.
-- this is the address that was assigned by router
-- and it will be something like 192.168.x.x
-- The 192.168.x.x IP address is a very common type of IP address used for local networks, like the ones you have at home.
-- 3. wlNNNNNNxxNNxx:....
-- this is your Wi Fi network interface (wl) (if your Wi Fi receiver device is connected and
-- has firmware and drivers
I will show how to connect to Wi-Fi using terminal only later, for now I am using wired connection.
②.② Network & Open ports & Firewall: what can make your system vulnerable for attacks from outside.
Let’s get back to the main topic — network security and what you need to understand. The analogy with physical addresses works well here. Just as you wouldn’t post your home address publicly on the internet, the same goes for your router’s public IP address: don’t expose it. How could you accidentally expose it? Well, if you don’t even know it (or how to check), that might actually be a good thing.
Continuing with the physical address example: imagine you somehow posted your home address online. Now, someone shows up at your house. Luckily, you have a door, and it’s locked, so the person leaves (let’s assume it’s that simple in real world, haha). But what if the door was open? They’d walk in and start messing with your stuff.
In Italian, “door” is “porta”, so think of ports as doors on your system. Similarly, in your computer’s network, you can create and open ports. Often, you don’t open them just for fun — they’re usually needed for certain services. Services running on your system (remember systemctl
) don’t just sit there listening to everything around them; each service listens for specific events on its own designated port. For example, PostgreSQL’s default port is 5432, MongoDB’s is 27017, and SSH server’s default port is 22.
Let’s take a step back and use a physical address analogy for better understanding.
_Imagine you work in a company office with 3 departments, one is your department and other two are where your colleagues work. Each department has some rooms. You’re an inventor, creating something in Room 17 in your Department. You frequently need supplies for your invention and sometimes need to communicate with other companies outside. All of this is managed by your company’s security department. You simply send requests, like “I need a new storage device!” — without knowing where the supplier is located — and this department handles it for you. If you need to communicate with an employee from another company, you tell to security office, “Send this message to Company A and bring me their reply.”
Also your company has strict security policies, so only employees can enter the building, and the security office follows these rules strictly. Moreover, if any package/correspondence arrives from unknown sender and without a specific destination withing your office, it’s destroyed.
One day, you finish your prototype and want to show it to your company, so, first, you announce an internal presentation for your colleagues: “Department A, Room 17, everyone come!” Your coworkers show up to see it, and it’s all good.
After the success, you want to showcase your invention to the outside world, so you plan an open-day exhibition where anyone can come to Room 17 of your Department to see it. You are very pushy and you force your company to levy the strict entry rules and allow anyone who says they’re here for Room 17 to enter.
The day arrives, and the public is allowed in — they enter office; they say that they are here for room 17, security office knows that only your department has room 17 “open” so it redirects all newcomers there. But one dude with bad intentions finds out that there is such kind of event. He enters the building and tells reception, “I’m here to go to Room 22!” (because he knows that usually open-day events are held in rooms 22). Security sends him away— Room 22 isn’t open in any department. He tries again with Room 21 — wrong again. Then he tries Room 40 — no luck. But finally, he guesses correctly: Room 17. He enters, steals your invention, even messes up your workspace so you do not invent anything new soon, and additionally sneaks around trying to access other departments along the way (luckily, all the doors were closed). And that’s the whole story._
In the example above, the security office serves as an analogy for the firewall on your Wi-Fi router.
From the explanation, you can see that a Wi-Fi router is much more than just a simple box that “shares the internet.” Even though it’s not part of your PC, it is an essential device. Routers also have varying specs and are advancing alongside new technologies. Modern, advanced routers can do much more than simply enforce firewall rules and providing a good signal in your house. Some include even Linux-based operating systems like OpenWRT, which offer numerous features like integrated ad-blocking technology, support for virtual private networks. Routers also employ different security protocols (the current latest being WPA3).
②.③ Network & Open ports & Firewall: what is Firewall.
A network firewall is a set of rules to allow or deny passage of network traffic, through one or more network devices. A network firewall may also perform more complex tasks, such as network address translation, bandwidth adjustment, provide encrypted tunnels and much more related to network traffic. (DebianFirewall — Debian Wiki)
The way it handles “newcomers” — or incoming packets from the outside world — is based on its rules. The room numbers represent ports, and the departments are devices in your local network (phone, your PC, PlayStation ecc).
When “you” in the example decided to hold an “internal presentation”, you modified the department rules — this represents the firewall on your Debian system.
You opened port 17 and let other devices on the Wi-Fi network know where they could connect if they wanted. When you decided to go public, you adjusted your router’s firewall rules, opening port 17 there too, so anyone coming in could access your Debian machine via that open port. The person guessing the port number is an attacker, scanning for open ports since the firewall was configured to accept only incoming traffic via port 17.
Of course, this is a simplified and very unrealistic example — realistically, we at least have passwords and usernames, especially for SSH ports, and databases have their own Role-Based Access Control (RBAC) systems. And in today’s world, with so many threats, people don’t rely on just passwords. We have private keys, LDAP servers, access tokens, multi-factor authentication, private VPNs, and so on.
But I hope this gives you a sense of the main network security threat. If you’re a fifona like me (Italian word for “easily scared person”), keep your ports closed and secure everything with a firewall on your Debian system.
If you’re not a networking expert, don’t mess with your router’s firewall. Use your system’s firewall instead. For Debian, the reliable option is Uncomplicated Firewall — ufw
. Even though the default Debian installation comes with the program iptables, I prefer ufw
because how it comes from its name it is less complicated to configure it.
②.④ Network & Open ports & Firewall: Post-installation actions I perform that fall into this category
First, when installing Debian, I used a wired (not wireless) internet connection. So, while the Wi-Fi network interface is detected (I see it in the output of ip a
command), its status is currently DOWN. The command ip a
(short for "address") is part of the iproute2
package—a collection of tools for networking and traffic control. However, I won’t be using this to configure Wi-Fi. A popular tool for network management is NetworkManager, which offers a terminal user interface (nmtui
) , command line interface (nmcli
) and graphical interfaces. I’ll be using the TUI version (nmtui
).
The point of NetworkManager is to make networking configuration and setup as painless and automatic as possible. If using DHCP, NetworkManager is intended to replace default routes, obtain IP addresses from a DHCP server and change nameservers whenever it sees fit. In effect, the goal of NetworkManager is to make networking Just Work.(Source)
First, I need to install NetworkManager, and then I’ll connect to my home Wi-Fi.
sudo apt install network-manager
#this will install for you NM package, be attentive to the messagses,
#I will share mine below.
# after installation, check if NetworkManager daemon was automatically started and enabled
systemctl status NetworkManager
#in my case it was started and enabled automatically
# now I will connect to my Wi Fi using Terminal UI of NM
sudo nmtui
#-- select 'Activate a connection'
#-- select your wi-fi in the list
#-- click Activate
#-- Enter password of your Wi Fi
#-- voila! You shall see and asterics and little cute signal level bars.
#check twice if everything is working
nmcli device status
# you should see that your device of Wi-Fi type has status 'connected'
nmcli networking connectivity check
full
#Now you can unplug internet cable
# Then, restart networking service (It is another service!
#That services manages in my case wired connection)
sudo systemctl restart netowrking
#After, try to ping google when you are connected to wi-fi only
ping 8.8.8.8
# you should NOT see that Host is Unreachable
# you should see instead that you have 0 packages loss
#when you interrupt command with Ctrl + C
# or use wget in spider mode to just grab google headers
wget --spider https://www.google.com
# in the lines of output you should see that you are connected
# and response 200 OK among outputs
I got this message from NetworkManger upon the completion of installation:
Indeed, NetworkManager is perfect for desktop use, especially with Wi-Fi interfaces, but it can be a bit tricky for server network management since NetworkManager doesn’t manage already managed network interfaces to not create conflicting situations. For more details check NetworkManager — Debian Wiki. My wired network interface eno1 was managed from the start by default networking service.
Second, I Install and configure Uncomplicated Firewall (Uncomplicated Firewall (ufw) — Debian Wiki).
sudo apt install ufw
#this will install for you UFW
# However, simply installing the firewall will not turn it on automatically,
#nor it will have any rule set by default.
# Firstly, the firewall must be enabled
sudo ufw enable
# Secondly, defaults must be set up. For normal users the
# following defaults will do just fine.
sudo ufw default deny incoming
sudo ufw default allow outgoing
#Next, it is recommended to verify that the firewall is enabled:
sudo ufw status verbose
A quick note about the default firewall rules: they’re generally fine, but they might feel restrictive for more advanced usage of your system. Keep this in mind for the future — if something isn’t working, especially connections with SSH or database servers, start by checking your UFW configuration. UFW lets you add custom, finely tailored rules, specifying particular ports, protocols, and even IP addresses from which traffic is accepted.
Summarizing:
🦄Do not open ports carelessly on your system (= do not keep running systemd services that are constantly listening something on one of the ports and that you do not use (except services needed for system functioning, ofc)).
🦄Do not mess around with your router’s firewall rules.
🦄 Use firewall on your system and ensure it is up and running all the time. Try not disable it, even if it sometimes feels like it’s getting in the way — just modify the rules as needed. And of course, if any installation guide of some software suggests disabling the firewall “to simlify things”, think 10000000 times before proceeding with installation.
🦄 Consider using a separate machine/server (not your PC that you use for personal use) for hosting any service that has to be exposed to public; if you do not have a separate machine that can be used as server, consider such options as Cloud servers or PaaS.
Additional details: How I do stuff on my Debian System:
- 🦄I do not use my personal PC to host anything, even for short time periods with testing purposes/to learn how (I use PaaSs or I “rent” AWS resources)
- 🦄🦄🦄 For hardening my PC when I’m in a particularly paranoid mood, I check my system for compliance with the CIS benchmark (there is a manual for Debian OS). If what I wrote here isn’t enough for you as well, my dear reader, feel free to explore further and you can start with CIS benchmark. But don’t go overboard — a large part of that manual is dedicated to system administrators managing servers, with elevated levels of required security.
Posted on November 10, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.