# Secure a Debian system

This is a small guide on how to secure a fresh Debian install. Some of the commands have to be executed as root, and depending on the base system the exact commands may differ from this guide. The steps should be a good start though.

# Prepare the system

```bash
apt-get update && apt-get upgrade -y

# only if you are using the awesome vim editor
apt-get install vim -y
```

OPTIONAL for backups with restic & rclone:

```bash
apt-get install restic -y
restic self-update
curl https://rclone.org/install.sh | sudo bash
```

# Create Admin user

```bash
useradd -m -U -s /bin/bash -G sudo sysadmin
passwd sysadmin
```

# Configure SSH

```bash
vim /etc/ssh/sshd_config
```

```bash
Include /etc/ssh/sshd_config.d/*.conf

Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4

# change to the created user
AllowUsers sysadmin

PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1

AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```

```bash
# check config for errors
sshd -t

# restart ssh service to apply settings
systemctl restart sshd

# check if service has been started successfully
systemctl status sshd
```

# Configure Fail2Ban

```bash
apt-get install fail2ban
systemctl enable fail2ban

# create a backup of the old config just in case
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# edit the config file
vim /etc/fail2ban/jail.local
```

```bash
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
bantime.increment = true
bantime.multipliers = 1 2 4 8 16 32 64
ignorecommand =
bantime = 240m
findtime = 10m
maxretry = 5
maxmatches = %(maxretry)s
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
protocol = tcp
chain =
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s

[sshd]
enabled = true
mode = extra
port = 29
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```

```bash
systemctl restart fail2ban
systemctl status fail2ban
fail2ban-client status sshd
```

**-- Logout from Server --**

# Configure SSH key auth (Unix Systems)

```bash
# create a ssh key with Edwards-curve Digital Signature Algorithm
# and name it server in the .ssh folder of the current user
ssh-keygen -t ed25519 -f ~/.ssh/server

# edit a ssh config file
vim ~/.ssh/config
```

```bash
Host server
    # replace with the IP address or host name of the server
    HostName 0.0.0.0
    User sysadmin
    IdentityFile ~/.ssh/server
    Port 29
```

```bash
# copy the created public key to the server
ssh-copy-id -i ~/.ssh/server.pub server

# login to the server with the users password
ssh server

# edit the ssh config
sudo vim /etc/ssh/sshd_config
```

```bash
# sshd_config
Include /etc/ssh/sshd_config.d/*.conf

Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4

AllowUsers sysadmin

# different to previous config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# different to previous config
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1

AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```

Because the `Include` line comes first and sshd keeps the first value it sees for each keyword, any file in `/etc/ssh/sshd_config.d/` takes precedence over the settings below it; check that directory (and the effective configuration printed by `sudo sshd -T`) if a setting does not seem to apply.

```bash
# check config for errors
sudo sshd -t

# restart ssh service to apply settings
sudo systemctl restart sshd

# check if service has been started successfully
sudo systemctl status sshd
```

# OPTIONAL Install UFW Firewall

```bash
sudo apt-get install ufw

# allow SSH if you are using a remote connection
# (sshd listens on port 29 in this guide; "ufw allow ssh" would only open port 22)
sudo ufw allow 29/tcp

# check the status of the firewall (should be off)
sudo ufw status verbose

# turn the firewall on
sudo ufw enable
```
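Before each `systemctl restart sshd` above it is worth confirming that the configuration really contains the hardening values and still lists the admin user, since `sshd -t` only checks syntax. The following audit script is an added example, not part of the original guide; it compares a file of `Keyword value` lines (the raw `sshd_config`, or preferably `sudo sshd -T` output) against the values used in this guide, and the embedded sample config is constructed here for demonstration.

```bash
#!/bin/sh
# Audit an sshd configuration against the hardening values used in this guide.
# Input: a file of "Keyword value" lines, either /etc/ssh/sshd_config itself or,
# better, the effective configuration from `sudo sshd -T > /tmp/sshd-effective.conf`
# (which resolves Include files and Match blocks; this plain line parser does not).

EXPECTED='permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes
permitemptypasswords=no allowagentforwarding=no allowtcpforwarding=no
x11forwarding=no maxauthtries=3'

audit_sshd_config() {   # usage: audit_sshd_config FILE ADMIN_USER; exit status = number of deviations
    sed 's/#.*//' "$1" | awk -v user="$2" -v expected="$EXPECTED" '
    BEGIN { fails = 0; allowed = 0; n = split(expected, e); for (i = 1; i <= n; i++) { split(e[i], kv, "="); want[kv[1]] = kv[2] } }
    NF {
        k = tolower($1)                    # sshd keywords are case-insensitive
        if (!(k in got)) got[k] = $2       # first occurrence wins, as in sshd
        if (k == "allowusers") for (i = 2; i <= NF; i++) if ($i == user) allowed = 1
    }
    END {
        for (k in want) {
            v = (k in got) ? got[k] : "<unset>"
            if (v != want[k]) { printf "FAIL %-24s expected %s, got %s\n", k, want[k], v; fails++ }
        }
        if (!allowed) { printf "FAIL allowusers does not list %s: you would lock yourself out\n", user; fails++ }
        exit fails
    }'
}

# Constructed sample: the first sshd_config of this guide, with password
# authentication still enabled and pubkey authentication still disabled.
SAMPLE='Port 29
PermitRootLogin no
AllowUsers sysadmin
PubkeyAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
MaxAuthTries 3'

# Audit the sample: reports 2 deviations (the password and pubkey settings).
run_demo() {
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE" > "$tmp"
    audit_sshd_config "$tmp" sysadmin; rc=$?; rm -f "$tmp"; return "$rc"
}

run_demo || echo "$? setting(s) differ from the guide"
```

Run it against the live host with `sudo sshd -T > /tmp/sshd-effective.conf && sh audit.sh` after replacing the demo call with `audit_sshd_config /tmp/sshd-effective.conf sysadmin`; a non-zero exit status means something still differs.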