Skip to main content

Disable serial console in Debian

Especially for not physically owned servers, like virtual servers, it makes sense to not only set the focus on SSH security. For virtual servers it’s quite common to have a virtual serial console which is accessible over your server control panel.

If someone grands access to this server control panel, the user has direct access to the system logon. Login control, like limit access to public key authentication, is part of SSH and is not active here. Because you shouldn’t trust the sever provider in terms of perfectly implemented security, it’s a good practice to also take this channel into account.

One solution is to completely disable the serial console after system boot. This makes a booted system inaccessible over the serial console. The following configuration is working on Debian with systemd.

Modify /etc/systemd/logind.conf and set ReserveVT and NAutoVTs to 0. This controls how many virtual terminals are reserved or allocated by the system.

Disable tty1.

The status of the disabled service should be like this.

After rebooting the system, you can still see the system boot including GRUB (boot loader) and also interrupt the system boot procedure. But after a complete system boot, the running system is inaccessible from the serial console.

Leave a Reply

Your email address will not be published.