2021-12-08 07:15:14 +01:00
# Secure a Debian system
This is a small guide on how to secure a fresh Debian install. Some of the commands have to be executed as root, and depending on the base system the exact commands can differ from the guide. The steps should be a good starting point though.
## Prepare the system
```apt-get update && apt-get upgrade -y```
only if you want to use the vim editor (the rest of this guide uses it for editing files)
```apt-get install vim -y```
OPTIONAL for backups with restic & rclone:
```apt-get install restic -y```
```restic self-update```
install rclone with the upstream install script (download and read the script first if you do not want to pipe an unreviewed script from the internet straight into bash)
```curl https://rclone.org/install.sh | bash```
## Create an admin user
create a user with a home directory, a bash login shell and membership of the sudo group (the sudo package has to be installed for the group to have any effect)
```useradd -m -U -s /bin/bash -G sudo sysadmin```
```passwd sysadmin```
## Configure SSH
edit the sshd_config file
```vim /etc/ssh/sshd_config```
with the following content. Password login stays enabled and public-key login is switched off for now; the key-auth section below flips both once a key has been copied to the server. `Port 29` moves SSH away from the default port 22, so every later client, fail2ban and firewall setting has to use the same port:
```bash
Include /etc/ssh/sshd_config.d/*.conf
Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4
# change to the created user
AllowUsers sysadmin
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```
check the config for syntax errors before restarting, otherwise a typo can leave you without a working SSH daemon
```sshd -t```
restart ssh service to apply settings
```systemctl restart sshd```
check if service has been started successfully
```systemctl status sshd```
## Configure SSH key auth (Unix Systems)
**-- Logout from Server --**
**following steps are executed on the local system - NOT on the server**
create an SSH key with the Edwards-curve Digital Signature Algorithm (Ed25519) and store it as `server` in the `.ssh` folder of the current user
```ssh-keygen -t ed25519 -f ~/.ssh/server```
if you want, you can change the comment of the key to something better
```ssh-keygen -c -C "server.example.com" -f ~/.ssh/server```
create or edit the SSH client config file; replace `0.0.0.0` with the IP address or hostname of the server
```vim ~/.ssh/config```
```bash
Host server
HostName 0.0.0.0
User sysadmin
IdentityFile ~/.ssh/server
Port 29
```
copy the created public key to the server
```ssh-copy-id -i ~/.ssh/server.pub server```
log in to the server with the user's password (the server still only accepts password login at this point)
```ssh server```
edit the sshd_config file again, now that the key is in place
```sudo vim /etc/ssh/sshd_config```
with the following content (only `PubkeyAuthentication` and `PasswordAuthentication` change compared to the first version; keep the current session open until the new key login has been verified from a second terminal):
```bash
Include /etc/ssh/sshd_config.d/*.conf
Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4
AllowUsers sysadmin
# different to previous config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# different to previous config
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```
check the config for syntax errors
```sudo sshd -t```
restart ssh service to apply settings
```sudo systemctl restart sshd```
check if service has been started successfully
```sudo systemctl status sshd```
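Both sshd_config versions above are long and nearly identical, so it is easy to miss one line. The following script is an added example, not part of the original guide: it compares the effective sshd settings (as printed by `sshd -T`, which resolves all `Include` files and prints lowercase `keyword value` lines) against the values this guide sets, once for the first "password" phase and once for the final "key" phase. The function names, the assumed usage in the comments and the abridged sample dump are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the guide: compare the effective sshd settings
# with the values this guide sets. "sshd -T" prints the effective configuration
# as lowercase "keyword value" lines after all Include files are parsed, so it
# shows what is actually enforced. Assumed usage on the server as root:
#   sshd -T > /tmp/sshd-effective.txt
#   check_sshd_hardening /tmp/sshd-effective.txt key   # or: password

# expected_settings <phase>: the keyword/value pairs the guide sets.
# phase "password": first sshd_config (no key on the server yet)
# phase "key":      second sshd_config (after ssh-copy-id succeeded)
expected_settings() {
    case "$1" in
        password) pubkey=no;  password=yes ;;
        key)      pubkey=yes; password=no ;;
        *) echo "unknown phase: $1" >&2; return 2 ;;
    esac
    cat <<EOF
port 29
permitrootlogin no
maxauthtries 3
maxsessions 4
allowusers sysadmin
pubkeyauthentication $pubkey
passwordauthentication $password
permitemptypasswords no
allowagentforwarding no
allowtcpforwarding no
x11forwarding no
EOF
}

# check_sshd_hardening <dump-file> <phase>
# Prints a MISMATCH line for every expected setting that differs from the dump.
# Returns 0 when everything matches, 1 otherwise.
check_sshd_hardening() {
    mismatches=$(expected_settings "$2" | while read -r key want; do
        # first field of the dump line is the keyword, second the value
        have=$(awk -v k="$key" '$1 == k { print $2; exit }' "$1")
        [ "$have" = "$want" ] ||
            printf 'MISMATCH %s: expected "%s", effective "%s"\n' \
                "$key" "$want" "${have:-<unset>}"
    done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Constructed sample of "sshd -T" output (abridged) for the demo; a real dump
# contains many more lines, which the check ignores. It reflects the first
# sshd_config of the guide: password login on, key login still off.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
port 29
addressfamily any
permitrootlogin no
maxauthtries 3
maxsessions 4
allowusers sysadmin
pubkeyauthentication no
passwordauthentication yes
permitemptypasswords no
allowagentforwarding no
allowtcpforwarding no
x11forwarding no
EOF

echo "== password phase =="
check_sshd_hardening "$SAMPLE_DUMP" password && echo "all settings match"
echo "== key phase =="
check_sshd_hardening "$SAMPLE_DUMP" key || echo "not ready for key-only login"
```

Running the "key" phase against a dump taken before the second edit reports two mismatches (`pubkeyauthentication` and `passwordauthentication`), which is the signal to finish the key setup before closing the password session.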
## OPTIONAL Configure Fail2Ban
install fail2ban
```apt-get install fail2ban```
enable fail2ban
```systemctl enable fail2ban```
copy the default config to jail.local; fail2ban reads jail.local as an override of jail.conf, and package upgrades overwrite jail.conf but leave jail.local untouched
```cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local```
edit the config file
```vim /etc/fail2ban/jail.local```
```bash
...
bantime.increment = true
...
bantime.multipliers = 1 2 4 8 16 32 64
...
bantime = 300m
...
findtime = 10m
...
maxretry = 3
[sshd]
...
enabled = true
port = 29
logpath = %(sshd_log)s
backend = %(sshd_backend)s
...
```
restart fail2ban
```systemctl restart fail2ban```
check the status of fail2ban
```systemctl status fail2ban```
check the status of the sshd jail (number of failed attempts and currently banned addresses)
```fail2ban-client status sshd```
## OPTIONAL Install UFW Firewall
```sudo su```
```apt-get install ufw```
allow SSH before turning the firewall on if you are working over a remote connection. `ufw allow ssh` opens the default port 22; with the custom port from the sshd_config above you have to allow port 29 instead, otherwise enabling ufw cuts off your session
```ufw allow ssh```
or
```ufw allow 29/tcp```
check the status of the firewall (should report inactive at this point)
```ufw status verbose```
turn the firewall on
```ufw enable```
check the status of the firewall (should be on)
```ufw status verbose```
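The fail2ban jail and the ufw rule both have to use the same port as sshd: a wrong port in jail.local means brute-force attempts are never banned, and a missing ufw rule for the real port locks you out when `ufw enable` runs. The following script is an added example, not part of the original guide, that checks all three before the firewall is enabled. It assumes the rules are read from a file containing `ufw show added` output (lines of the form `ufw allow 29/tcp`); the function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the guide: check that the SSH port agrees between
# sshd_config, the fail2ban [sshd] jail and the ufw rules before "ufw enable".
# Assumed usage on the server as root:
#   ufw show added > /tmp/ufw-added.txt
#   check_ssh_port_consistency /etc/ssh/sshd_config /etc/fail2ban/jail.local /tmp/ufw-added.txt

# sshd_port <sshd_config>: first active "Port" directive, default 22.
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# jail_port <jail.local>: "port" inside the [sshd] section, default "ssh".
# Commented lines (#port = ...) are skipped because the regex anchors at the
# start of the line.
jail_port() {
    p=$(awk '
        /^\[/ { in_sshd = ($0 == "[sshd]"); next }
        in_sshd && /^[ \t]*port[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1")
    echo "${p:-ssh}"
}

# ufw_allows_port <rules-file> <port>: true if a rule opens <port>; the "ssh"
# service name only counts when the port really is 22.
ufw_allows_port() {
    grep -Eq "allow[[:space:]]+$2(/tcp)?([[:space:]]|\$)" "$1" && return 0
    [ "$2" = "22" ] && grep -Eq "allow[[:space:]]+ssh([[:space:]]|\$)" "$1"
}

# check_ssh_port_consistency <sshd_config> <jail.local> <ufw-rules>
# Prints one line per finding; returns 0 only if all three agree.
check_ssh_port_consistency() {
    port=$(sshd_port "$1")
    jail=$(jail_port "$2"); [ "$jail" = "ssh" ] && jail=22
    rc=0
    if [ "$jail" != "$port" ]; then
        echo "fail2ban [sshd] jail watches port $jail but sshd listens on $port"
        rc=1
    fi
    if ! ufw_allows_port "$3" "$port"; then
        echo "no ufw allow rule for port $port: enabling ufw would cut off SSH"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: sshd, fail2ban and ufw all use port $port"
    return "$rc"
}

# Constructed sample files for the demo, using the guide's values. The ufw
# file shows the common mistake of running "ufw allow ssh" with a custom port.
DEMO=$(mktemp -d)
cat > "$DEMO/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 29
PermitRootLogin no
EOF
cat > "$DEMO/jail.local" <<'EOF'
[DEFAULT]
bantime = 300m
maxretry = 3
[sshd]
enabled = true
port = 29
logpath = %(sshd_log)s
EOF
cat > "$DEMO/ufw-added.txt" <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow ssh
EOF

if ! check_ssh_port_consistency "$DEMO/sshd_config" "$DEMO/jail.local" "$DEMO/ufw-added.txt"; then
    echo "fix the rules before running 'ufw enable'"
fi
```

With the sample files the check fails because `ufw allow ssh` only opens port 22; after `ufw allow 29/tcp` has been added it passes.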