Update README.md

This commit is contained in:
Florian Hoss 2021-12-07 08:59:06 +01:00 committed by GitHub
parent fed6f3573f
commit e8840d57dc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

README.md

@ -4,32 +4,33 @@ This is a small guide on how to secure a fresh debian install. Some of the comma
# Prepare the system # Prepare the system
```bash ```apt-get update && apt-get upgrade -y```
apt-get update && apt-get upgrade -y
# only if you are using awesome vim editor only if you are using awesome vim editor
apt-get install vim -y
``` ```apt-get install vim -y```
OPTIONAL for backups with restic & rclone: OPTIONAL for backups with restic & rclone:
```bash ```apt-get install restic -y```
apt-get install restic -y
restic self-update ```restic self-update```
curl https://rclone.org/install.sh | sudo bash
``` ```curl https://rclone.org/install.sh | sudo bash```
# Create Admin user # Create Admin user
```bash ```useradd -m -U -s /bin/bash -G sudo sysadmin```
useradd -m -U -s /bin/bash -G sudo sysadmin
passwd sysadmin ```passwd sysadmin```
```
# Configure SSH # Configure SSH
```bash edit the sshd_config file
vim /etc/ssh/sshd_config
``` ```vim /etc/ssh/sshd_config```
with following content:
```bash ```bash
Include /etc/ssh/sshd_config.d/*.conf Include /etc/ssh/sshd_config.d/*.conf
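Review bot: the rclone step in this hunk, `curl https://rclone.org/install.sh | sudo bash`, pipes a remote script straight into a root shell with no chance to inspect it; suggest splitting it into a download, a read-through and then the run, e.g. `curl -fsSLO https://rclone.org/install.sh`, `less install.sh`, `sudo bash install.sh`, so a changed or tampered script is seen before it executes as root. Separately, the new layout turns every command into a one-line triple-backtick span such as ```apt-get update && apt-get upgrade -y```; CommonMark treats that as an inline code span, not a fenced block, so the `-y` flags and `&&` still render as code but syntax highlighting and the grouping of related commands are lost, and the former comments ("only if you are using awesome vim editor", "OPTIONAL for backups with restic & rclone:") now sit as bare prose lines without punctuation. A short ```bash fence per step would keep the commands readable and copyable as a unit.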
@ -68,25 +69,35 @@ AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
``` ```
```bash check config for errors
# check config for errors
sshd -t ```sshd -t```
# restart ssh service to apply settings
systemctl restart sshd restart ssh service to apply settings
# check if service has been started successfully
systemctl status sshd ```systemctl restart sshd```
```
check if service has been started successfully
```systemctl status sshd```
# Configure Fail2Ban # Configure Fail2Ban
```bash install fail2ban
apt-get install fail2ban
systemctl enable fail2ban ```apt-get install fail2ban```
# create a backup of the old config just in case
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local enable fail2ban
# edit the config file
vim /etc/fail2ban/jail.local ```systemctl enable fail2ban```
```
create a backup of the old config just in case
```cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local```
edit the config file
```vim /etc/fail2ban/jail.local```
```bash ```bash
[INCLUDES] [INCLUDES]
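Review bot: the line `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`, captioned "create a backup of the old config just in case", is not a backup: fail2ban reads jail.local as an override layered on top of the package-managed jail.conf, so copying the whole file duplicates every upstream default and shadows any change shipped in a later jail.conf. Suggest leaving jail.conf untouched and writing a jail.local that holds only the settings this guide actually changes (the `[DEFAULT]` values and the `[sshd]` section with its `port`, `logpath` and `backend` lines shown in the following hunk); if a copy is really wanted, copy to `jail.conf.bak` instead, and reword the caption accordingly. The `sshd -t` before `systemctl restart sshd` in the first half of the hunk is the right order; it would be worth adding one sentence that `systemctl status sshd` should be followed by a test login from a second terminal before the session is closed, because the rest of the guide expects sshd on a non-default port.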
@ -127,24 +138,31 @@ port = 29
logpath = %(sshd_log)s logpath = %(sshd_log)s
backend = %(sshd_backend)s backend = %(sshd_backend)s
``` ```
restart fail2ban
```bash ```systemctl restart fail2ban```
systemctl restart fail2ban
systemctl status fail2ban check the status of fail2ban
fail2ban-client status sshd
``` ```systemctl status fail2ban```
check the status of the client
```fail2ban-client status sshd```
**-- Logout from Server --** **-- Logout from Server --**
# Configure SSH key auth (Unix Systems) # Configure SSH key auth (Unix Systems)
```bash ## following steps are executed on the local system - NOT on the server
# create a ssh key with Edwards-curve Digital Signature Algorithm
# and name it server in the .ssh folder of the current user create a ssh key with Edwards-curve Digital Signature Algorithm and name it server in the .ssh folder of the current user
ssh-keygen -t ed25519 -f ~/.ssh/server
# edit a ssh config file ```ssh-keygen -t ed25519 -f ~/.ssh/server```
vim ~/.ssh/config
``` edit a ssh config file
```vim ~/.ssh/config```
```bash ```bash
Host server Host server
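Review bot: the caption "check the status of the client" above ```fail2ban-client status sshd``` is misleading; that command reports the state of the `sshd` jail (currently failed and banned addresses for the jail configured with `port = 29` in this hunk's context), not the client, so suggest "check the status of the sshd jail". Since the jail name is passed explicitly, it is also worth telling the reader to run plain `fail2ban-client status` first and confirm `sshd` appears in its `Jail list`; if the jail is not enabled the sshd-specific command only returns an error. Finally, the bold `-- Logout from Server --` marker now follows the fail2ban check directly; a reminder to keep one session open until the new SSH port has been verified from a second terminal would prevent a lockout at this point.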
@ -154,17 +172,21 @@ Host server
Port 29 Port 29
``` ```
```bash copy the created public key to the server
# copy the created public key to the server
ssh-copy-id -i ~/.ssh/server.pub server ```ssh-copy-id -i ~/.ssh/server.pub server```
# login to the server with the users password
ssh server login to the server with the users password
# edit the ssh config
sudo vim /etc/ssh/sshd_config ```ssh server```
```
edit the sshd_config file
```sudo vim /etc/ssh/sshd_config```
with following content:
```bash ```bash
# sshd_config
Include /etc/ssh/sshd_config.d/*.conf Include /etc/ssh/sshd_config.d/*.conf
Port 29 Port 29
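Review bot: the second sshd_config edit (`sudo vim /etc/ssh/sshd_config`, then "with following content:") pastes the whole file a second time, but nothing in the hunk tells the reader which directives differ from the version in the "Configure SSH" section; suggest replacing the full listing with only the lines that change here (a short "change X to Y" note), so the purpose of this edit for key authentication is explicit and the two copies cannot drift apart. Because this edit happens over the session that `ssh-copy-id -i ~/.ssh/server.pub server` and `ssh server` just established, the text should also say to keep that session open and confirm a fresh `ssh server` login from a second terminal after the restart, before closing anything. Minor: "the users password" should read "the user's password", and the removed comment `# sshd_config` was the only label identifying which file the block shows.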
@ -201,23 +223,30 @@ AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
``` ```
```bash check config for errors
# check config for errors
sudo sshd -t ```sudo sshd -t```
# restart ssh service to apply settings
sudo systemctl restart sshd restart ssh service to apply settings
# check if service has been started successfully
sudo systemctl status sshd ```sudo systemctl restart sshd```
```
check if service has been started successfully
```sudo systemctl status sshd```
# OPTIONAL Install UFW Firewall # OPTIONAL Install UFW Firewall
```bash ```sudo apt-get install ufw```
sudo apt-get install ufw
# allow SSH if you are using a remote connection allow SSH if you are using a remote connection
sudo ufw allow ssh
# check the status of the firewall (should be off) ```sudo ufw allow ssh```
sudo ufw status verbose
# turn the firewall on check the status of the firewall (should be off)
sudo ufw enable
``` ```sudo ufw status verbose```
turn the firewall on
```sudo ufw enable```
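Review bot: `sudo ufw allow ssh` opens port 22/tcp (ufw resolves the `ssh` service name via /etc/services), but the guide moves sshd to port 29 (`Port 29` in the sshd_config above and `port = 29` in the fail2ban jail), so running `sudo ufw enable` with only this rule will cut off the administrator's own SSH session on the next reconnect and leave the server reachable only via console. Suggest changing the rule to the port actually configured, `sudo ufw allow 29/tcp` (a parameter a reader may have chosen differently, so name it as "the port set in sshd_config"), and keeping the existing `sudo ufw status verbose` check so the reader can see the intended port listed before `ufw enable`. The caption "check the status of the firewall (should be off)" reads well; adding "and the allowed port is listed" would make the check meaningful.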