Debian basic hardening (2nd.)

STATUS: Frozen (2019-11-17)

No more updates for this guide.

Please refer to the TOC page.

We have now "Read-Only filesystem small Debian".

In this stage, we will harden before we connect it to the Internet, to apt update && apt upgrade.


Add notes for wheel.

Remount as rw

Now we are in read-only root filesystem world.

root# mount -o remount,rw /

We DO NEED to do this every time we modify /etc. Please don't forget.

Classical network hardening

This is from harden-doc Debian package.

root# nano /etc/sysctl.conf # Uncomment net.ipv{4,6} related.
... rpfilter = 1
... tcp_syncookies = 1
... accept_redirects = 0
... send_redirects = 0
... accept_source_route =0
... log_martians = 1
root# sysctl -p # and enable them, confirm them.
net.ipv4.conf.default.rp_filter = 1

Restrict securetty


You need a physical root console access under this setting.


First, re-login from your "securetty". Let us assume it is tty5.

root# exit # change to tty5 (Hit Ctrl-Alt-F5) and re-login as root
root# w # make sure which tty you are using now.
(time) up (uptime), 1 user,  load average: (loads)
USER     TTY      FROM      LOGIN@   ...
root     tty5     -         (time)   ...

Then, tweak the securetty.

root# mv /etc/securetty /etc/securetty.orig
root# nano /etc/securetty
#tty1 # on desktop, used by gdm3, etc.
#tty2 # on desktop, tends to be used by users' xsessions tty2-4
tty6 # and more and/or other ttys such as ttyS0, if you want.

Typically, Debian provides tty1~6.

Restrict su by PAM

You can restrict users' su commands not to become them the super user.

root# nano /etc/pam.d/su
auth required pam_wheel.so # uncomment this


Combined with the securetty above, you only can have root privilege from physical securetty.

System Group "wheel"

As described in the comment of /etc/pam.d/su, you can add group option for it.

Typically adding wheel group and set group=wheel option, and add trusted user into wheel group.

We don't recommend to enable it.


NEVER include ordinal daily users into the wheel group.

On security threats, that user can be abused to intrude, since it penetrates securetty with standard Debian PAM settings.

Confirm security settings

Reboot the box.

root# reboot -n

Check everything okay

Assuming we only have tty5 in securetty and PAM su restrictions,

Debian GNU/Linux 9 hostname ttyN (where N != 5)

hostname login: root

Login incorrect

securetty works. No password prompt, simple failure.

Change the console to tty5 by hitting Ctrl+Alt+F5.

Debian GNU/Linux 9 hostname tty5

hostname login: root
password: (enter it)
(motd shown)

securetty confirmed.

root# systemctl # does not show any "fail"
root# journalctl # does not show any Error.

You can ignore "kvm disabled" error if you disabled virtualization on BIOS, and also ignore Intel DmC related firmware loading failure logs.

Next, PAM su restriction.

We need a normal user.

root# mount -o remount,rw / # DON'T FORGET!
root# adduser user
Enter new UNIX password: (enter it)
Retype new UNIX password: (enter it)
passwd: password updated successfully
... (those optional into are up to you.)
     Full Name []:


Debian GNU/Linux 9 hostname ttyX

hostname login: user
password: (enter it)
user@hostname:~$ su -
Password: (enter root password)
su: Permission denied

PAM works fine. The password is correct but rejected by permission.

You can confirm them in the syslog.

root# journalctl
date hostname login[PID]: pam_securetty(login:auth) access denied: tty `...` is not secure !
date hostname login[PID]: FAILED LOGIN (1) on '/dev/ttyX' FOR 'root', Authentication failure
date hostname su[PID]: pam_authenticate: Permission denied
date hostname su[PID]: FAILED su for root by USER
date hostname su[PID]: - /dev/ttyX USER:root

If you enabled "wheel" group PAM su module option, you should try this.

root# adduser user wheel
(then, from non-securetty)
user$ su -
Password: (type the root password)
root# journalctl # let see what happened
date hostname su[PID]: Successful su for root by user

Use "wheel" with extreme care.


If you install sudo and add some user into sudo group, they can do anything. Never do it.

Edit sudoer if you install sudo, at least.

Separating sudores from ordinal users is recommended; say, bob (normal user) and bob-apt (sudoer who can use apt, with sufficient /etc/sudoers).

Let's proceed network connection setting.

published: MODIFIED: