TL;DR

To update air-gapped Debian 13 servers, follow these steps to ensure security and consistency:

  1. Prepare an Update Mirror: Use a connected Debian server to download updates.

    sudo apt update
    
    # Download packages to a local directory
    sudo apt-get -d -o Dir::Cache::archives="/path/to/mirror" upgrade
    

    Ensure /path/to/mirror is accessible and has enough space.

  2. Transfer Updates: Use a secure method to transfer the updates to the air-gapped server. A USB drive is common, but ensure it is clean and trusted.

  3. Verify Packages: On the air-gapped server, verify the integrity of the transferred packages.

    # Check package integrity
    dpkg-sig --verify /path/to/mirror/*.deb
    

    Caution: Only proceed if all packages are verified.

  4. Install Updates: Use dpkg to manually install the packages.

    # Install packages
    sudo dpkg -i /path/to/mirror/*.deb
    

    Safe Default: If dependencies are missing, use apt to resolve them from the local cache.

  5. Clean Up: After installation, clean up unnecessary files to maintain disk space.

    # Clean up package cache
    sudo apt clean
    
  6. Reboot: If kernel or critical system updates were applied, reboot the server.

    # Reboot the system
    sudo reboot
    

Caution: Always maintain a backup before applying updates. Test updates in a staging environment similar to the air-gapped server to prevent unexpected issues. Regularly review and update your security policies to adapt to new threats.

Understanding Air-Gapped Environments

Air-gapped environments are isolated networks that are physically separated from unsecured networks, such as the internet. This isolation is crucial for maintaining the security of critical systems, as it prevents unauthorized access and reduces the risk of malware infiltration. However, this also presents challenges for system updates, which are essential for maintaining security and functionality.

In an air-gapped setup, updates must be manually transferred from a secure, internet-connected system to the isolated network. This process requires careful planning to ensure that only verified and trusted updates are applied. The following steps outline a safe approach to managing updates in air-gapped environments on Debian 13.

First, on a secure, internet-connected system, update the package lists and download the necessary packages:

sudo apt update  # Update package lists
sudo apt-get install --download-only <package-name>  # Download packages without installing

Ensure that the downloaded packages are verified. Debian packages come with cryptographic signatures that can be checked using `dpkg-sig`:
dpkg-sig --verify <package-file.deb>  # Verify package signature

Transfer the verified packages to the air-gapped environment using a secure medium, such as a USB drive. Ensure the medium is free from malware by scanning it with a trusted antivirus tool before use.

On the air-gapped system, install the packages:

sudo dpkg -i <package-file.deb>  # Install the package

Be cautious of dependency issues. Use `apt` to resolve them:
sudo apt-get -f install  # Fix broken dependencies

Always maintain a log of installed packages and updates for auditing purposes. This practice helps in tracking changes and ensuring compliance with security policies. By following these steps, you can effectively manage updates in air-gapped environments while minimizing security risks.

Preparing the Update Repository

To prepare the update repository for an air-gapped Debian 13 server, you’ll need to set up a local repository on a machine with internet access and then transfer the necessary packages to the air-gapped server. Follow these steps carefully to ensure a secure and efficient update process.

First, identify the packages and their dependencies required for the update. Use a connected Debian 13 system to create a list of packages:

sudo apt-get update  # Refresh package lists
sudo apt-get --download-only --reinstall install <package-names>  # Download packages

Replace `<package-names>` with the specific packages you need. This command will download the packages to `/var/cache/apt/archives/`.

Next, copy the downloaded packages to a portable storage device:
cp /var/cache/apt/archives/*.deb /path/to/usb-drive/  # Copy to USB

Ensure the USB drive is formatted with a filesystem compatible with both the connected and air-gapped systems, such as ext4 or FAT32.

On the air-gapped server, mount the USB drive:

sudo mount /dev/sdX1 /mnt  # Replace sdX1 with your USB device identifier

Create a local repository directory and copy the packages:
sudo mkdir -p /usr/local/repo
sudo cp /mnt/*.deb /usr/local/repo/

Generate the package index files for the local repository:

cd /usr/local/repo
sudo dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz  # Create index

Finally, configure the air-gapped server to use the local repository by adding the following line to `/etc/apt/sources.list`:
deb [trusted=yes] file:/usr/local/repo ./

Remember to unmount the USB drive safely:

sudo umount /mnt

This setup allows the air-gapped server to access the necessary updates securely and efficiently. Always verify package integrity and authenticity before proceeding with installations.

## Transferring Updates to the Air-Gapped Server

To transfer updates to an air-gapped Debian 13 server, you need to first download the necessary packages on a connected machine and then physically transfer them. Follow these steps:

1. **Prepare the Connected Machine:**

   Update the package list and download the updates on a connected Debian 13 machine.

   ```bash
   sudo apt update  # Refresh package list
   sudo apt-get -d upgrade  # Download updates without installing
   ```text

   The downloaded packages will be stored in `/var/cache/apt/archives/`.

2. **Collect the Packages:**

   Create a directory to store the packages and copy them from the cache.

mkdir ~/debian-updates # Create a directory for updates cp /var/cache/apt/archives/*.deb ~/debian-updates/ # Copy packages


3. **Transfer the Packages:**

Use a secure method, such as a USB drive, to transfer the `~/debian-updates` directory to the air-gapped server. Ensure the USB drive is clean and free of malware.

4. **Install the Updates on the Air-Gapped Server:**

Mount the USB drive on the air-gapped server and copy the packages.

sudo mount /dev/sdX1 /mnt # Replace sdX1 with your USB drive identifier cp /mnt/debian-updates/*.deb ~/ # Copy packages to home directory


Install the packages using `dpkg`.

sudo dpkg -i ~/debian-updates/*.deb # Install all packages


5. **Verify Installation:**

After installation, verify that all packages are correctly installed and dependencies are resolved.

sudo apt-get install -f # Fix broken dependencies if any


**Caution:** Always verify the integrity of the packages before installation. Use checksums or GPG signatures to ensure authenticity. Avoid using untrusted media for transfers to maintain security.

## Applying Updates on the Air-Gapped Server

To apply updates on an air-gapped Debian 13 server, you must first prepare the updates on a connected machine and then transfer them to the air-gapped server. This process ensures the server remains isolated while still receiving necessary updates.

1. **Prepare Updates on a Connected Machine:**

On a network-connected Debian 13 machine, update the package lists and download the updates:

sudo apt-get update # Update package lists sudo apt-get -d upgrade # Download package updates without installing


The downloaded packages are stored in `/var/cache/apt/archives/`.

2. **Transfer Updates to the Air-Gapped Server:**

Use a secure method, such as a USB drive, to transfer the downloaded `.deb` files to the air-gapped server. Ensure the USB drive is clean and free from malware before use.

3. **Install Updates on the Air-Gapped Server:**

Copy the `.deb` files to a directory on the air-gapped server, such as `/tmp/updates/`. Then, install the updates using `dpkg`:

sudo dpkg -i /tmp/updates/*.deb # Install all .deb files


If there are dependency issues, resolve them by running:

sudo apt-get install -f # Fix broken dependencies


4. **Verify Installation:**

After installation, verify that the updates were applied successfully:

dpkg -l | grep '^ii' # List installed packages


**Caution:** Always verify the integrity of the transferred files using checksums (e.g., SHA256) to ensure they have not been tampered with during transfer. Additionally, maintain a backup of critical data before applying updates to mitigate any unforeseen issues.

## Automating the Update Process

To automate the update process for air-gapped Debian 13 servers, we can utilize a combination of cron jobs and scripts to regularly check for and apply updates from a local repository. This ensures that critical servers remain secure without direct internet access.

First, ensure that your local repository is up-to-date with the latest packages. This repository should be accessible to your air-gapped server via a secure medium, such as a USB drive or a dedicated, isolated network.

Create a script to update the server from the local repository. Save the following script as `/usr/local/bin/update-from-local-repo.sh`:
#!/bin/bash

sudo apt-get update -o Dir::Etc::sourcelist="sources.list.d/local.list" \
               -o Dir::Etc::sourceparts="-" \
               -o APT::Get::List-Cleanup="0"

## Upgrade packages
sudo apt-get upgrade -y

## Clean up
sudo apt-get autoremove -y
sudo apt-get clean

Ensure the script is executable:

sudo chmod +x /usr/local/bin/update-from-local-repo.sh

Next, schedule this script to run at a regular interval using cron. Edit the crontab for the root user:
crontab -e

Add the following line to schedule the script to run weekly:

## Run update script every Sunday at 2 AM
0 2 * * 0 /usr/local/bin/update-from-local-repo.sh

**Caution:** Always test the update script manually before automating it to ensure it works correctly in your environment. Additionally, consider logging the output of the script to a file for audit purposes:
0 2 * * 0 /usr/local/bin/update-from-local-repo.sh >> /var/log/local-update.log 2>&1

By following these steps, you can maintain the security of your air-gapped Debian 13 servers with minimal manual intervention.

Verification

Once you have completed the air-gapped update process on your critical Debian 13 server, it is crucial to verify that the updates have been applied correctly and that the system remains stable and secure. Follow these steps to ensure a successful update:

  1. Check Installed Package Versions:

    Verify that the packages have been updated to the expected versions. Use the following command to list the installed package versions:

    dpkg-query -W -f='${binary:Package} ${Version}\n' | grep 'package-name'
    

    Compare the output with the version numbers from the update media to ensure consistency.

  2. Review System Logs:

    Inspect the system logs for any errors or warnings that might have occurred during the update process. Pay particular attention to the apt logs:

    less /var/log/apt/history.log
    # Review the log for any anomalies or errors
    

    Use less or another pager to scroll through the logs and look for any issues that need addressing.

  3. Verify System Integrity:

    Use the debsums tool to check the integrity of installed packages. This tool verifies that the installed files match the package’s checksums:

    sudo apt install debsums  # Install debsums if not already installed
    sudo debsums -s
    # The '-s' flag suppresses output for files that match checksums
    ```text
    
    Address any discrepancies reported by `debsums` to ensure system integrity.
    
  4. Test Critical Services:

    After updates, ensure that all critical services are running as expected. Use systemctl to check the status of important services:

    sudo systemctl status service-name
    # Replace 'service-name' with the actual service name to check
    

    Restart any services that are not running correctly and investigate any failures.

By following these verification steps, you can confirm that your air-gapped update process has been successfully completed and that your Debian 13 server remains secure and operational.

Rollback Procedure

If you need to revert these changes:

1. Stop the Service

sudo systemctl stop service

**2. Restore Configuration**
## Restore from backup (create backups before making changes)
sudo cp /etc/[config_file].backup /etc/[config_file]

3. Restart Service

sudo systemctl restart service
sudo systemctl status service

## Troubleshooting

### Issue: Service Fails to Start

**Symptoms:**
- Service exits immediately or fails to start
- Error messages in system logs

**Cause:**
- Configuration syntax errors
- Missing dependencies
- Permission issues

**Solution:**
## Check service status and recent logs
sudo systemctl status service
sudo journalctl -u service -n 50

## Test configuration file syntax
sudo service -t  # or appropriate test command

## Verify file permissions
ls -la /etc/service/

Prevention:

  • Always backup configuration before changes
  • Use configuration validation before applying
  • Monitor service status regularly

Issue: Permission Denied Errors

Symptoms:

  • “Permission denied” in logs
  • Unable to write to files/directories

Cause:

  • Incorrect file ownership
  • SELinux/AppArmor policies blocking access
  • Insufficient privileges

Solution:

## Check file ownership and permissions
ls -la /var/log/service/

## Verify process user
ps aux | grep service

## Check SELinux context (if enabled)
ls -Z /var/log/service/

## Review AppArmor status
sudo aa-status

**Prevention:**
- Set proper ownership during installation
- Document required permissions
- Test with minimal privileges first

---

### Issue: Configuration Not Taking Effect

**Symptoms:**
- Changes to config file seem ignored
- Service behaves with old settings

**Cause:**
- Service not restarted after changes
- Wrong configuration file being edited
- Syntax errors preventing load

**Solution:**
## Restart service to apply changes
sudo systemctl restart service

## Verify which config file is being used
sudo systemctl show service | grep FragmentPath

## Check for syntax errors
sudo service -t  # or appropriate test command

## View effective configuration
sudo service -T  # or appropriate show command

Prevention:

  • Always restart service after config changes
  • Document configuration file locations
  • Use version control for configs

Learn to implement a secure, automated DevSecOps pipeline on Debian 13 with step-by-step guidance on tools, integration, and troubleshooting.

Learn to automate Debian 13 hardening with Ansible and CIS Benchmarks, ensuring robust security and compliance efficiently.

  • Debian Secure Bootstrapping with PXE and Preseed + GPG
    Learn to securely automate Debian 13 installations using PXE, Preseed, and GPG, ensuring integrity and efficiency in network booting setups.

  • Infrastructure as Code Security with Terraform and Debian Learn to secure Infrastructure as Code with Terraform on Debian 13, covering setup, RBAC, module security, automation, and rollback strategies.

  • Hardening Debian 13 for Internet-Facing Servers
    Essential Debian 13 server hardening: SSH keys, firewall rules, fail2ban,