Securing a Debian Server with Salt
Introduction:
Salt (also known as SaltStack) is a powerful and flexible configuration management and remote execution tool.
This tutorial will guide you through the process of securing a Debian server using Salt.
By the end of this tutorial, you will have set up a Salt master and minion, applied essential security configurations, and learned basic Salt commands.
Prerequisites:
- A Debian-based server with root access
- Basic knowledge of Linux and command-line usage
Step 1: Install Salt Master and Minion
1.1. Update the package list and install required dependencies:
sudo apt-get update
sudo apt-get install curl gnupg
1.2. Add the SaltStack repository and install the Salt master and minion (the repository path and codename below are for Debian 10 "buster"; adjust them to match your release):
curl -fsSL https://repo.saltproject.io/py3/debian/10/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo gpg --dearmor -o /usr/share/keyrings/salt-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://repo.saltproject.io/py3/debian/10/amd64/latest buster main" | sudo tee /etc/apt/sources.list.d/salt.list
sudo apt-get update
sudo apt-get install salt-master salt-minion
Step 2: Configure Salt Master and Minion
2.1. Open the Salt master configuration file (/etc/salt/master) and set it to listen on all available network interfaces (minions connect to the master on TCP ports 4505 and 4506, so restrict those ports to your minion networks at the firewall):
interface: 0.0.0.0
2.2. Restart the Salt master service:
sudo systemctl restart salt-master
2.3. Open the Salt minion configuration file (/etc/salt/minion) and specify the Salt master's IP address or hostname:
master: <your_salt_master_ip_or_hostname>
2.4. Restart the Salt minion service:
sudo systemctl restart salt-minion
Step 3: Accept the Minion Key on the Master
3.1. List pending minion keys on the master:
sudo salt-key -L
3.2. Before accepting, confirm the key really belongs to your minion: compare the fingerprint printed by sudo salt-key -f <your_minion_id> on the master with the one printed by sudo salt-call --local key.finger on the minion. Then accept the key using its ID:
sudo salt-key -a <your_minion_id>
Step 4: Basic Security Configurations
Create a state file (/srv/salt/secure_debian.sls) with the following security configurations:
# Update package list and upgrade all packages
update_and_upgrade:
  pkg.uptodate: []

# Install and enable Uncomplicated Firewall (UFW)
ufw:
  pkg.installed: []
  service.running:
    - name: ufw
    - enable: True

# Set UFW default policies
ufw_default_policy:
  cmd.run:
    - name: |
        ufw default deny incoming
        ufw default allow outgoing

# Allow essential services through UFW, then activate the firewall.
# The allow rules come before "ufw enable" so the SSH session is not cut off.
ufw_allow_services:
  cmd.run:
    - name: |
        ufw allow ssh
        ufw allow http
        ufw allow https
        ufw --force enable

# Enable automatic security updates
unattended_upgrades:
  pkg.installed:
    - pkgs:
      - unattended-upgrades
      - update-notifier-common
  file.managed:
    - name: /etc/apt/apt.conf.d/20auto-upgrades
    - source: salt://secure_debian/files/20auto-upgrades

# Configure fail2ban
fail2ban:
  pkg.installed: []
  service.running:
    - name: fail2ban
    - enable: True
Step 5: Apply the Security Configurations
5.1. Create a directory for Salt file resources:
sudo mkdir -p /srv/salt/secure_debian/files
5.2. Auto Upgrades
Create a file named 20auto-upgrades in the /srv/salt/secure_debian/files directory with the following contents to enable automatic updates:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
5.3. Apply the security configurations to the minion:
sudo salt <your_minion_id> state.apply secure_debian
Step 6: Verify the Security Configurations
6.1. Check the status of the UFW:
sudo salt <your_minion_id> cmd.run 'ufw status verbose'
6.2. Verify that fail2ban is running:
sudo salt <your_minion_id> cmd.run 'systemctl status fail2ban'
6.3. Confirm that automatic updates are enabled:
sudo salt <your_minion_id> cmd.run 'cat /etc/apt/apt.conf.d/20auto-upgrades'
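The three commands above print output meant for a human to read. As an added example (not part of the original tutorial), the following Python script checks captured copies of that output against the policy the secure_debian state is meant to enforce: ufw active with default deny incoming and only ssh, http and https allowed in, fail2ban running and enabled at boot, and both APT::Periodic settings from Step 5.2 set to "1". The SAMPLE_* strings are constructed stand-ins for the command output; in practice you would paste in what the salt cmd.run calls return.

```python
"""Check Step 6 verification output against the secure_debian policy (added example)."""
import re

# Inbound rules the secure_debian state opens; ufw lists "allow ssh",
# "allow http" and "allow https" as these port/protocol pairs.
EXPECTED_ALLOWED = {"22/tcp", "80/tcp", "443/tcp"}


def parse_ufw_status(text):
    """Parse 'ufw status verbose' into (active, default policies, IPv4 allow-in rules)."""
    active = False
    defaults = {}
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Status:"):
            active = line.split(":", 1)[1].strip() == "active"
        elif line.startswith("Default:"):
            # e.g. "Default: deny (incoming), allow (outgoing), disabled (routed)"
            for policy, direction in re.findall(r"(\w+) \((\w+)\)", line):
                defaults[direction] = policy
        else:
            rule = re.match(r"^(\S+)( \(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT) IN\s", line)
            if rule and not rule.group(2) and rule.group(3) == "ALLOW":
                allowed.add(rule.group(1))
    return active, defaults, allowed


def ufw_findings(text):
    """Return the list of policy deviations found in 'ufw status verbose' output."""
    active, defaults, allowed = parse_ufw_status(text)
    findings = []
    if not active:
        findings.append("ufw is not active")
    if defaults.get("incoming") != "deny":
        findings.append("default incoming policy is not deny")
    unexpected = allowed - EXPECTED_ALLOWED
    if unexpected:
        findings.append("unexpected inbound allow rules: " + ", ".join(sorted(unexpected)))
    missing = EXPECTED_ALLOWED - allowed
    if missing:
        findings.append("missing allow rules: " + ", ".join(sorted(missing)))
    return findings


def auto_upgrades_findings(text):
    """Check that both APT::Periodic settings from Step 5.2 are set to "1"."""
    values = dict(re.findall(r'^\s*(APT::Periodic::\S+)\s+"(\d+)";', text, re.M))
    return [f"{key} is not set to 1"
            for key in ("APT::Periodic::Update-Package-Lists", "APT::Periodic::Unattended-Upgrade")
            if values.get(key) != "1"]


def service_findings(text, unit="fail2ban"):
    """Check 'systemctl status <unit>' output for a running, boot-enabled unit."""
    findings = []
    active = re.search(r"^\s*Active:\s+(\S+)", text, re.M)
    if not active or active.group(1) != "active":
        findings.append(f"{unit} is not active")
    loaded = re.search(r"^\s*Loaded:.*;\s*(enabled|disabled)\s*;", text, re.M)
    if not loaded or loaded.group(1) != "enabled":
        findings.append(f"{unit} is not enabled at boot")
    return findings


# Constructed sample: a minion where the state applied cleanly.
SAMPLE_UFW_OK = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
"""

# Constructed sample: default policy never applied and an extra port open.
SAMPLE_UFW_BAD = """\
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
"""

SAMPLE_AUTO_UPGRADES_OK = 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n'

# Constructed sample of 'systemctl status fail2ban' on a healthy minion.
SAMPLE_FAIL2BAN_OK = """\
* fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-01-01 00:00:00 UTC; 1min ago
"""

if __name__ == "__main__":
    for label, findings in (("ufw", ufw_findings(SAMPLE_UFW_OK)),
                            ("fail2ban", service_findings(SAMPLE_FAIL2BAN_OK)),
                            ("auto-upgrades", auto_upgrades_findings(SAMPLE_AUTO_UPGRADES_OK))):
        print(label, "OK" if not findings else "; ".join(findings))
```

The checks compare against what the state file is supposed to produce rather than just confirming that the commands ran, so a second run after someone opens an extra port or flips the default policy back to allow is reported as a finding.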
Conclusion:
In this tutorial, you learned how to secure a Debian server using Salt.
You installed and configured Salt master and minion, applied basic security configurations, and verified their implementation.
This setup provides a strong foundation for server security, but you can further enhance it by implementing additional security measures such as intrusion detection systems, log analyzers, and periodic security audits.