Securing a Debian Server with Salt


Salt (also known as SaltStack) is a powerful and flexible configuration management and remote execution tool.

This tutorial will guide you through the process of securing a Debian server using Salt.

By the end of this tutorial, you will have set up a Salt master and minion, applied essential security configurations, and learned basic Salt commands.


  • A Debian-based server with root access
  • Basic knowledge of Linux and command-line usage

Step 1: Install Salt Master and Minion

1.1. Update the package list and install required dependencies:

sudo apt-get update
sudo apt-get install curl gnupg

1.2. Add the SaltStack repository and install Salt master and minion:

curl -fsSL | sudo gpg --dearmor -o /usr/share/keyrings/salt-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] buster main" | sudo tee /etc/apt/sources.list.d/salt.list
sudo apt-get update
sudo apt-get install salt-master salt-minion

Step 2: Configure Salt Master and Minion

2.1. Open the Salt master configuration file (/etc/salt/master) and modify it to listen on all available network interfaces:


2.2. Restart the Salt master service:

sudo systemctl restart salt-master

2.3. Open the Salt minion configuration file (/etc/salt/minion) and specify the Salt master's IP address or hostname:

master: <your_salt_master_ip_or_hostname>

2.4. Restart the Salt minion service:

sudo systemctl restart salt-minion

Step 3: Accept the Minion Key on the Master

3.1. List pending minion keys on the master:

sudo salt-key -L

3.2. Accept the minion key using its ID:

sudo salt-key -a <your_minion_id>

Step 4: Basic Security Configurations

Create a state file (/srv/salt/secure_debian.sls) with the following security configurations:

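# State IDs below (update_packages, ufw, ...) are arbitrary labels; rename them as you like.

# Update package list and upgrade all packages
update_packages:
  pkg.uptodate:
    - refresh: True

# Install and enable Uncomplicated Firewall (UFW)
ufw:
  pkg.installed:
    - name: ufw
  service.running:
    - name: ufw
    - enable: True

# Set UFW default policies
ufw_default_policies:
  cmd.run:
    - name: |
        ufw default deny incoming
        ufw default allow outgoing

# Allow essential services through UFW
ufw_allow_services:
  cmd.run:
    - name: |
        ufw allow ssh
        ufw allow http
        ufw allow https

# Activate the rule set only after the SSH rule exists, so the session is not cut off
ufw_enable:
  cmd.run:
    - name: ufw --force enable
    - unless: "ufw status | grep -q 'Status: active'"

# Enable automatic security updates
auto_upgrades:
  pkg.installed:
    - pkgs:
      - unattended-upgrades
      - update-notifier-common
  file.managed:
    - name: /etc/apt/apt.conf.d/20auto-upgrades
    - source: salt://secure_debian/files/20auto-upgrades

# Configure fail2ban
fail2ban:
  pkg.installed:
    - name: fail2ban
  service.running:
    - name: fail2ban
    - enable: True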

Step 5: Apply the Security Configurations

5.1. Create a directory for Salt file resources:

sudo mkdir -p /srv/salt/secure_debian/files

5.2. Auto Upgrades

Create a file named 20auto-upgrades in the /srv/salt/secure_debian/files directory with the following contents to enable automatic updates:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

5.3. Apply the security configurations to the minion:

sudo salt <your_minion_id> state.apply secure_debian

Step 6: Verify the Security Configurations

6.1. Check the status of UFW:

sudo salt <your_minion_id> cmd.run 'ufw status verbose'

6.2. Verify that fail2ban is running:

sudo salt <your_minion_id> cmd.run 'systemctl status fail2ban'

6.3. Confirm that automatic updates are enabled:

sudo salt <your_minion_id> cmd.run 'cat /etc/apt/apt.conf.d/20auto-upgrades'
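
An added example, not part of the original tutorial: a Python check that parses the output of the commands in 6.1 and 6.3 and reports where a minion deviates from what secure_debian.sls is meant to enforce. The sample outputs are constructed, and the mapping of ssh, http and https to ports 22, 80 and 443 is an assumption.

```python
import re

# Ports opened by the state file's "ufw allow ssh/http/https" (assumed 22, 80, 443).
EXPECTED_PORTS = {"22", "80", "443"}
RULE_RE = re.compile(r"^(\S+?)(?:/(?:tcp|udp))?(?: \(v6\))?\s+(?:ALLOW|LIMIT)(?: IN)?\s+\S")
APT_RE = re.compile(r'^APT::Periodic::([\w-]+)\s+"(\d+)";', re.M)

# Constructed sample of `ufw status verbose` output containing two deviations.
SAMPLE_UFW = """\
Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""
# Constructed sample of 20auto-upgrades with unattended upgrades switched off.
SAMPLE_APT = 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n'


def audit_ufw(status_text):
    """Return a list of deviations found in `ufw status verbose` output."""
    findings = []
    if not re.search(r"^Status: active$", status_text, re.M):
        findings.append("firewall is not active")
    default = re.search(r"^Default: (\w+) \(incoming\)", status_text, re.M)
    if not default or default.group(1) != "deny":
        findings.append("default incoming policy is not deny")
    opened = {m.group(1) for m in map(RULE_RE.match, status_text.splitlines()) if m}
    findings += [f"unexpected inbound rule: {p}" for p in sorted(opened - EXPECTED_PORTS)]
    findings += [f"expected port not open: {p}" for p in sorted(EXPECTED_PORTS - opened)]
    return findings


def audit_auto_upgrades(conf_text):
    """Return the APT::Periodic settings that are missing or set to 0."""
    settings = dict(APT_RE.findall(conf_text))
    return [f"{key} is not enabled"
            for key in ("Update-Package-Lists", "Unattended-Upgrade")
            if settings.get(key, "0") == "0"]


if __name__ == "__main__":
    for finding in audit_ufw(SAMPLE_UFW) + audit_auto_upgrades(SAMPLE_APT):
        print("FAIL:", finding)
```

Feed it the text returned by the two cmd.run calls for each minion; an empty list from both functions means the firewall and update settings match the state file.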


In this tutorial, you learned how to secure a Debian server using Salt.

You installed and configured Salt master and minion, applied basic security configurations, and verified their implementation.

This setup provides a strong foundation for server security, but you can further enhance it by implementing additional security measures such as intrusion detection systems, log analyzers, and periodic security audits.