From 7cf6e016039dff6fb4a34d3c9f29e8df6ded7511 Mon Sep 17 00:00:00 2001 From: Florian Hoss Date: Wed, 8 Dec 2021 07:15:14 +0100 Subject: [PATCH] move things around after renaming the repo --- MessageOfTheDay/README.md | 54 ++++ README.md | 235 +----------------- SecureSystem/README.md | 233 +++++++++++++++++ config => SecureSystem/config | 0 {etc => SecureSystem/etc}/fail2ban/jail.local | 0 {etc => SecureSystem/etc}/ssh/sshd_config | 0 6 files changed, 292 insertions(+), 230 deletions(-) create mode 100644 MessageOfTheDay/README.md create mode 100644 SecureSystem/README.md rename config => SecureSystem/config (100%) rename {etc => SecureSystem/etc}/fail2ban/jail.local (100%) rename {etc => SecureSystem/etc}/ssh/sshd_config (100%) diff --git a/MessageOfTheDay/README.md b/MessageOfTheDay/README.md new file mode 100644 index 0000000..756e8bf --- /dev/null +++ b/MessageOfTheDay/README.md @@ -0,0 +1,54 @@ +# Create an informative Message of the Day + +Remove static motd: + +```sudo rm /etc/motd``` + +Create or go to the dynamic motd folder: + +```sudo mkdir /etc/update-motd.d``` +```cd /etc/update-motd.d``` + +Remove existing dynamic motd: + +```sudo rm /etc/update-motd.d/*``` + +Create your own Message of the Day: + +```sudo vim 10-custom``` + +with following content + +```bash +#!/bin/sh +upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)" +secs=$((${upSeconds}%60)) +mins=$((${upSeconds}/60%60)) +hours=$((${upSeconds}/3600%24)) +days=$((${upSeconds}/86400)) +UPTIME=`printf "%d days, %02dh%02dm%02ds" "$days" "$hours" "$mins" "$secs"` + +# get the load averages +read one five fifteen rest < /proc/loadavg + +echo "$(tput setaf 2) +`date +"%A, %e %B %Y, %r"` +`uname -snr`$(tput setaf 1) + +IP Addresses.......: `ip a | grep glo | awk '{print $2}' | head -1 | cut -f1 -d/` and `wget -q -O - http://icanhazip.com/ | tail` +CPU................: `lscpu | grep -i "Model name:" | cut -d':' -f2 | sed -e 's/^[ \t]*//'` +Load Averages......: ${one}, ${five}, ${fifteen} (1, 5, 15 min) +Running Processes..: `ps ax | wc -l | tr -d " "` +Uptime.............: ${UPTIME} +Memory.............: `cat /proc/meminfo | grep MemFree | awk {'print $2'}`kB (Free) / `cat /proc/meminfo | grep MemTotal | awk {'print $2'}`kB (Total) +Last Login.........: `last -i | grep -v 'still logged' | head -1 | cut -f 1,4- -d ' ' | tr -s ' '` +$(tput sgr0)" +``` + +Test it: + +```run-parts /etc/update-motd.d/``` + +Result: + +![Message of the Day](https://github.com/flohoss/setupDebianServer/blob/main/MessageOfTheDay/10-custom.png?raw=true) \ No newline at end of file diff --git a/README.md b/README.md index 01cb1fa..43f66c1 100644 --- a/README.md +++ b/README.md @@ -1,233 +1,8 @@ -# Secure a debian system +# Setting up a Debian Server -This is a small guide on how to secure a fresh debian install. Some of the commands will have to be executed as root and depending on the base system the commands can be different to the guide. The stept should be a good start though. +This repository should give you a good start on how to setup a debian server to be secure and nice to work with. I am trying to keep it up to date as much as i can. Hopefully this will be easy as this will also be a reference every time i will setup a new server. -# Prepare the system +[Secure the System](SecureSystem/Readme.md) +This is a small guide on how to secure a fresh debian install. Some of the commands will have to be executed as root and depending on the base system the commands can be different to the guide. The steps should be a good start though. -```apt-get update && apt-get upgrade -y``` - -only if you are using awesome vim editor - -```apt-get install vim -y``` - -OPTIONAL for backups with restic & rclone: - -```apt-get install restic -y``` - -```restic self-update``` - -```curl https://rclone.org/install.sh | sudo bash``` - -# Create Admin user - -```useradd -m -U -s /bin/bash -G sudo sysadmin``` - -```passwd sysadmin``` - -# Configure SSH - -edit the sshd_config file - -```vim /etc/ssh/sshd_config``` - -with following content: - -```bash -Include /etc/ssh/sshd_config.d/*.conf - -Port 29 - -LoginGraceTime 2m -PermitRootLogin no -StrictModes yes -MaxAuthTries 3 -MaxSessions 4 - -AllowUsers sysadmin # change to the created user - -PubkeyAuthentication no - -AuthorizedKeysFile .ssh/authorized_keys - -PasswordAuthentication yes -PermitEmptyPasswords no - -ChallengeResponseAuthentication no - -UsePAM yes - -AllowAgentForwarding no -AllowTcpForwarding no -X11Forwarding no -PrintMotd no -PrintLastLog no -ClientAliveInterval 300 -ClientAliveCountMax 1 - -AcceptEnv LANG LC_* - -Subsystem sftp /usr/lib/openssh/sftp-server -``` - -check config for errors - -```sshd -t``` - -restart ssh service to apply settings - -```systemctl restart sshd``` - -check if service has been started successfully - -```systemctl status sshd``` - -# Configure Fail2Ban - -install fail2ban - -```apt-get install fail2ban``` - -enable fail2ban - -```systemctl enable fail2ban``` - -create a backup of the old config just in case - -```cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local``` - -edit the config file - -```vim /etc/fail2ban/jail.local``` - -```bash -... -bantime.increment = true -... -bantime.multipliers = 1 2 4 8 16 32 64 -... -bantime = 300m -... -findtime = 10m -... -maxretry = 3 - -[sshd] -... -enabled = true -port = 29 -logpath = %(sshd_log)s -backend = %(sshd_backend)s -... -``` -restart fail2ban - -```systemctl restart fail2ban``` - -check the status of fail2ban - -```systemctl status fail2ban``` - -check the status of the client - -```fail2ban-client status sshd``` - -**-- Logout from Server --** - -# Configure SSH key auth (Unix Systems) - -## following steps are executed on the local system - NOT on the server - -create a ssh key with Edwards-curve Digital Signature Algorithm and name it server in the .ssh folder of the current user - -```ssh-keygen -t ed25519 -f ~/.ssh/server``` - -edit a ssh config file - -```vim ~/.ssh/config``` - -```bash -Host server - HostName 0.0.0.0 - User sysadmin - IdentityFile ~/.ssh/server - Port 29 -``` - -copy the created public key to the server - -```ssh-copy-id -i ~/.ssh/server.pub server``` - -login to the server with the users password - -```ssh server``` - -edit the sshd_config file - -```sudo vim /etc/ssh/sshd_config``` - -with following content: - -```bash -Include /etc/ssh/sshd_config.d/*.conf - -Port 29 - -LoginGraceTime 2m -PermitRootLogin no -StrictModes yes -MaxAuthTries 3 -MaxSessions 4 - -AllowUsers sysadmin - -PubkeyAuthentication yes # different to previous config - -AuthorizedKeysFile .ssh/authorized_keys - -PasswordAuthentication no # different to previous config -PermitEmptyPasswords no - -ChallengeResponseAuthentication no - -UsePAM yes - -AllowAgentForwarding no -AllowTcpForwarding no -X11Forwarding no -PrintMotd no -PrintLastLog no -ClientAliveInterval 300 -ClientAliveCountMax 1 - -AcceptEnv LANG LC_* - -Subsystem sftp /usr/lib/openssh/sftp-server -``` - -check config for errors - -```sudo sshd -t``` - -restart ssh service to apply settings - -```sudo systemctl restart sshd``` - -check if service has been started successfully - -```sudo systemctl status sshd``` - -# OPTIONAL Install UFW Firewall - -```sudo apt-get install ufw``` - -allow SSH if you are using a remote connection - -```sudo ufw allow ssh``` - -check the status of the firewall (should be off) - -```sudo ufw status verbose``` - -turn the firewall on - -```sudo ufw enable``` +[Create an informative Message of the Day](MessageOfTheDay/Readme.md) \ No newline at end of file diff --git a/SecureSystem/README.md b/SecureSystem/README.md new file mode 100644 index 0000000..259c854 --- /dev/null +++ b/SecureSystem/README.md @@ -0,0 +1,233 @@ +# Secure a debian system + +This is a small guide on how to secure a fresh debian install. Some of the commands will have to be executed as root and depending on the base system the commands can be different to the guide. The steps should be a good start though. + +## Prepare the system + +```apt-get update && apt-get upgrade -y``` + +only if you are using awesome vim editor + +```apt-get install vim -y``` + +OPTIONAL for backups with restic & rclone: + +```apt-get install restic -y``` + +```restic self-update``` + +```curl https://rclone.org/install.sh | sudo bash``` + +## Create Admin user + +```useradd -m -U -s /bin/bash -G sudo sysadmin``` + +```passwd sysadmin``` + +## Configure SSH + +edit the sshd_config file + +```vim /etc/ssh/sshd_config``` + +with following content: + +```bash +Include /etc/ssh/sshd_config.d/*.conf + +Port 29 + +LoginGraceTime 2m +PermitRootLogin no +StrictModes yes +MaxAuthTries 3 +MaxSessions 4 + +AllowUsers sysadmin # change to the created user + +PubkeyAuthentication no + +AuthorizedKeysFile .ssh/authorized_keys + +PasswordAuthentication yes +PermitEmptyPasswords no + +ChallengeResponseAuthentication no + +UsePAM yes + +AllowAgentForwarding no +AllowTcpForwarding no +X11Forwarding no +PrintMotd no +PrintLastLog no +ClientAliveInterval 300 +ClientAliveCountMax 1 + +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server +``` + +check config for errors + +```sshd -t``` + +restart ssh service to apply settings + +```systemctl restart sshd``` + +check if service has been started successfully + +```systemctl status sshd``` + +## Configure Fail2Ban + +install fail2ban + +```apt-get install fail2ban``` + +enable fail2ban + +```systemctl enable fail2ban``` + +create a backup of the old config just in case + +```cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local``` + +edit the config file + +```vim /etc/fail2ban/jail.local``` + +```bash +... +bantime.increment = true +... +bantime.multipliers = 1 2 4 8 16 32 64 +... +bantime = 300m +... +findtime = 10m +... +maxretry = 3 + +[sshd] +... +enabled = true +port = 29 +logpath = %(sshd_log)s +backend = %(sshd_backend)s +... +``` +restart fail2ban + +```systemctl restart fail2ban``` + +check the status of fail2ban + +```systemctl status fail2ban``` + +check the status of the client + +```fail2ban-client status sshd``` + +**-- Logout from Server --** + +## Configure SSH key auth (Unix Systems) + +**following steps are executed on the local system - NOT on the server** + +create a ssh key with Edwards-curve Digital Signature Algorithm and name it server in the .ssh folder of the current user + +```ssh-keygen -t ed25519 -f ~/.ssh/server``` + +edit a ssh config file + +```vim ~/.ssh/config``` + +```bash +Host server + HostName 0.0.0.0 + User sysadmin + IdentityFile ~/.ssh/server + Port 29 +``` + +copy the created public key to the server + +```ssh-copy-id -i ~/.ssh/server.pub server``` + +login to the server with the users password + +```ssh server``` + +edit the sshd_config file + +```sudo vim /etc/ssh/sshd_config``` + +with following content: + +```bash +Include /etc/ssh/sshd_config.d/*.conf + +Port 29 + +LoginGraceTime 2m +PermitRootLogin no +StrictModes yes +MaxAuthTries 3 +MaxSessions 4 + +AllowUsers sysadmin + +PubkeyAuthentication yes # different to previous config + +AuthorizedKeysFile .ssh/authorized_keys + +PasswordAuthentication no # different to previous config +PermitEmptyPasswords no + +ChallengeResponseAuthentication no + +UsePAM yes + +AllowAgentForwarding no +AllowTcpForwarding no +X11Forwarding no +PrintMotd no +PrintLastLog no +ClientAliveInterval 300 +ClientAliveCountMax 1 + +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server +``` + +check config for errors + +```sudo sshd -t``` + +restart ssh service to apply settings + +```sudo systemctl restart sshd``` + +check if service has been started successfully + +```sudo systemctl status sshd``` + +## OPTIONAL Install UFW Firewall + +```sudo apt-get install ufw``` + +allow SSH if you are using a remote connection + +```sudo ufw allow ssh``` + +check the status of the firewall (should be off) + +```sudo ufw status verbose``` + +turn the firewall on + +```sudo ufw enable``` \ No newline at end of file diff --git a/config b/SecureSystem/config similarity index 100% rename from config rename to SecureSystem/config diff --git a/etc/fail2ban/jail.local b/SecureSystem/etc/fail2ban/jail.local similarity index 100% rename from etc/fail2ban/jail.local rename to SecureSystem/etc/fail2ban/jail.local diff --git a/etc/ssh/sshd_config b/SecureSystem/etc/ssh/sshd_config similarity index 100% rename from etc/ssh/sshd_config rename to SecureSystem/etc/ssh/sshd_config