Update README.md

Florian Hoss 2021-12-07 08:59:06 +01:00 committed by GitHub
parent fed6f3573f
commit e8840d57dc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

README.md (171 changes)

@ -4,32 +4,33 @@ This is a small guide on how to secure a fresh debian install. Some of the comma
# Prepare the system
```bash
apt-get update && apt-get upgrade -y
# only if you are using awesome vim editor
apt-get install vim -y
```
```apt-get update && apt-get upgrade -y```
only if you are using awesome vim editor
```apt-get install vim -y```
OPTIONAL for backups with restic & rclone:
```bash
apt-get install restic -y
restic self-update
curl https://rclone.org/install.sh | sudo bash
```
```apt-get install restic -y```
```restic self-update```
```curl https://rclone.org/install.sh | sudo bash```
# Create Admin user
```bash
useradd -m -U -s /bin/bash -G sudo sysadmin
passwd sysadmin
```
```useradd -m -U -s /bin/bash -G sudo sysadmin```
```passwd sysadmin```
# Configure SSH
```bash
vim /etc/ssh/sshd_config
```
edit the sshd_config file
```vim /etc/ssh/sshd_config```
with following content:
```bash
Include /etc/ssh/sshd_config.d/*.conf
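Review bot: `curl https://rclone.org/install.sh | sudo bash` in the backup step (unchanged apart from the inline formatting) pipes an unverified remote script straight into a root shell; suggest either `apt-get install rclone` from the Debian repository, or downloading the script to a file, reading it, and only then running it. The `sudo` in that one line is also inconsistent with the rest of this section, which runs as root without sudo (`apt-get`, `useradd`, `passwd`). Related: the new `sysadmin` user is put in the `sudo` group and every later section relies on `sudo`, but a fresh Debian install that set a root password during setup does not ship the `sudo` package, so the prepare step should include `apt-get install sudo -y` next to the vim line.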
@ -68,25 +69,35 @@ AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```
```bash
# check config for errors
sshd -t
# restart ssh service to apply settings
systemctl restart sshd
# check if service has been started successfully
systemctl status sshd
```
check config for errors
```sshd -t```
restart ssh service to apply settings
```systemctl restart sshd```
check if service has been started successfully
```systemctl status sshd```
# Configure Fail2Ban
```bash
apt-get install fail2ban
systemctl enable fail2ban
# create a backup of the old config just in case
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# edit the config file
vim /etc/fail2ban/jail.local
```
install fail2ban
```apt-get install fail2ban```
enable fail2ban
```systemctl enable fail2ban```
create a backup of the old config just in case
```cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local```
edit the config file
```vim /etc/fail2ban/jail.local```
```bash
[INCLUDES]
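Review bot: `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local` is not a backup, it turns jail.local into a full copy of jail.conf, which then overrides every default and silently masks any changes a later fail2ban package update makes to jail.conf; the comments at the top of jail.conf say to put only customisations in jail.local. Suggest creating jail.local with just the overridden sections (the `[sshd]` block with `port = 29`, `logpath` and `backend` shown in the next hunk) and rewording "create a backup of the old config" accordingly. Minor: `apt-get install fail2ban` is the only install command in the guide without `-y`, and for the `systemctl restart sshd` step it is worth saying to keep the current session open and connect to the new port from a second terminal before logging out, since `sshd -t` only checks syntax, not that you can still get in.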
@ -127,24 +138,31 @@ port = 29
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```
restart fail2ban
```bash
systemctl restart fail2ban
systemctl status fail2ban
fail2ban-client status sshd
```
```systemctl restart fail2ban```
check the status of fail2ban
```systemctl status fail2ban```
check the status of the client
```fail2ban-client status sshd```
**-- Logout from Server --**
# Configure SSH key auth (Unix Systems)
```bash
# create a ssh key with Edwards-curve Digital Signature Algorithm
# and name it server in the .ssh folder of the current user
ssh-keygen -t ed25519 -f ~/.ssh/server
# edit a ssh config file
vim ~/.ssh/config
```
## following steps are executed on the local system - NOT on the server
create a ssh key with Edwards-curve Digital Signature Algorithm and name it server in the .ssh folder of the current user
```ssh-keygen -t ed25519 -f ~/.ssh/server```
edit a ssh config file
```vim ~/.ssh/config```
```bash
Host server
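Review bot: `ssh-keygen -t ed25519 -f ~/.ssh/server` will prompt for a passphrase and the new description line says nothing about it; this key is what the following `ssh-copy-id` and `ssh server` steps depend on, so the text should tell the reader to set a passphrase rather than hit Enter, and a `-C` comment naming the key would help when it is later reviewed in `authorized_keys`. Style: `## following steps are executed on the local system - NOT on the server` is a sentence used as a second-level heading, while the same kind of callout two lines earlier is bold text (`**-- Logout from Server --**`); using bold for both keeps the headings to section titles.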
@ -154,17 +172,21 @@ Host server
Port 29
```
```bash
# copy the created public key to the server
ssh-copy-id -i ~/.ssh/server.pub server
# login to the server with the users password
ssh server
# edit the ssh config
sudo vim /etc/ssh/sshd_config
```
copy the created public key to the server
```ssh-copy-id -i ~/.ssh/server.pub server```
login to the server with the users password
```ssh server```
edit the sshd_config file
```sudo vim /etc/ssh/sshd_config```
with following content:
```bash
# sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 29
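Review bot: after `ssh-copy-id -i ~/.ssh/server.pub server` the text says to log in "with the users password" and then immediately edit sshd_config again, so nothing confirms that key authentication actually works before the server-side config is changed. Suggest a check such as `ssh -o PreferredAuthentications=publickey -o PasswordAuthentication=no server`, which fails instead of quietly falling back to the password if the key was not installed, and a sentence telling the reader to keep the existing session open until the new config has been verified. Also "the users password" should read "the user's password".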
@ -201,23 +223,30 @@ AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```
```bash
# check config for errors
sudo sshd -t
# restart ssh service to apply settings
sudo systemctl restart sshd
# check if service has been started successfully
sudo systemctl status sshd
```
check config for errors
```sudo sshd -t```
restart ssh service to apply settings
```sudo systemctl restart sshd```
check if service has been started successfully
```sudo systemctl status sshd```
# OPTIONAL Install UFW Firewall
```bash
sudo apt-get install ufw
# allow SSH if you are using a remote connection
sudo ufw allow ssh
# check the status of the firewall (should be off)
sudo ufw status verbose
# turn the firewall on
sudo ufw enable
```
```sudo apt-get install ufw```
allow SSH if you are using a remote connection
```sudo ufw allow ssh```
check the status of the firewall (should be off)
```sudo ufw status verbose```
turn the firewall on
```sudo ufw enable```
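Review bot: `sudo ufw allow ssh` opens port 22 (ufw resolves the service name through /etc/services), but this guide moves sshd to `Port 29`; ufw's default policy denies incoming traffic, so `sudo ufw enable` over a remote connection with only that rule locks the administrator out. The rule should be `sudo ufw allow 29/tcp` (or whatever port was chosen in sshd_config), and it is worth running `sudo ufw status verbose` again after `ufw enable` to confirm the rule is active. The "(should be off)" remark on the earlier status check only describes the state before enabling; phrasing it as "expected to report inactive at this point" makes that clearer.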