Update README.md

This commit is contained in:
Florian Hoss 2021-12-07 08:41:05 +01:00 committed by GitHub
parent 9a48f5123f
commit a5c74948be
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

225
README.md

@ -1,2 +1,223 @@
# secureDebianServer # Secure a debian system
Guide, scripts and helper to secure a debian server
This is a small guide on how to secure a fresh debian install. Some of the commands will have to be executed as root and depending on the base system the commands can be different to the guide. The stept should be a good start though.
# Prepare the system
```bash
apt-get update && apt-get upgrade -y
# only if you are using awesome vim editor
apt-get install vim -y
```
OPTIONAL for backups with restic & rclone:
```bash
apt-get install restic -y
restic self-update
curl https://rclone.org/install.sh | sudo bash
```
# Create Admin user
```bash
useradd -m -U -s /bin/bash -G sudo sysadmin
passwd sysadmin
```
# Configure SSH
```bash
vim /etc/ssh/sshd_config
```
```bash
Include /etc/ssh/sshd_config.d/*.conf
Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4
AllowUsers sysadmin # change to the created user
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```
```bash
# check config for errors
sshd -t
# restart ssh service to apply settings
systemctl restart sshd
# check if service has been started successfully
systemctl status sshd
```
# Configure Fail2Ban
```bash
apt-get install fail2ban
systemctl enable fail2ban
# create a backup of the old config just in case
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# edit the config file
vim /etc/fail2ban/jail.local
```
```bash
[INCLUDES]
before = paths-debian.conf
[DEFAULT]
bantime.increment = true
bantime.multipliers = 1 2 4 8 16 32 64
ignorecommand =
bantime = 240m
findtime = 10m
maxretry = 5
maxmatches = %(maxretry)s
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s
[sshd]
enabled = true
mode = extra
port = 29
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```
```bash
systemctl restart fail2ban
systemctl status fail2ban
fail2ban-client status sshd
```
**-- Logout from Server --**
# Configure SSH key auth (Unix Systems)
```bash
# create a ssh key with Edwards-curve Digital Signature Algorithm
# and name it server in the .ssh folder of the current user
ssh-keygen -t ed25519 -f ~/.ssh/server
# edit a ssh config file
vim ~/.ssh/config
```
```bash
Host server
HostName 0.0.0.0
User sysadmin
IdentityFile ~/.ssh/server
Port 29
```
```bash
# copy the created public key to the server
ssh-copy-id -i ~/.ssh/server.pub server
# login to the server with the users password
ssh server
# edit the ssh config
sudo vim /etc/ssh/sshd_config
```
```bash
# sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4
AllowUsers sysadmin
PubkeyAuthentication yes # different to previous config
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no # different to previous config
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```
```bash
# check config for errors
sudo sshd -t
# restart ssh service to apply settings
sudo systemctl restart sshd
# check if service has been started successfully
sudo systemctl status sshd
```
# OPTIONAL Install UFW Firewall
```bash
sudo apt-get install ufw
# allow SSH if you are using a remote connection
sudo ufw allow ssh
# check the status of the firewall (should be off)
sudo ufw status verbose
# turn the firewall on
sudo ufw enable
```