The threat of running unnecessary services on a system bloated with extra software is a less commonly discussed security concern. Yet enabled and listening services weaken the server’s defences by creating potential entry points for the attacker, as well as by providing resources for the attacker to use against other machines. The server hardening maxim we’re interested in today goes as follows: “Install only necessary software; delete or disable everything else.” With this topic in mind, our task is to examine how this technique applies to a Xen Project hypervisor DomU virtual machine running a paravirtualized Debian 9 operating system.
The purpose of this tutorial is to describe how to install and configure a Xen Project hypervisor with control and guest domains using Debian as the base operating system. Note that this tutorial uses Xen version 4.8.5-pre as included in the current stable release of Debian 9.5 (stretch).