server-setup/SecureSystem
2022-10-01 08:46:59 +00:00

Secure a Debian system

This is a small guide on how to secure a fresh Debian install. Some of the commands have to be executed as root, and depending on the base system the exact commands may differ from the ones shown here. The steps should still be a good starting point.

Prepare the system

apt-get update && apt-get upgrade -y

only needed if you want to use the vim editor, which the edit steps below assume

apt-get install vim -y

OPTIONAL for backups with restic & rclone:

apt-get install restic -y

restic self-update

curl https://rclone.org/install.sh | bash

Create Admin user

useradd -m -U -s /bin/bash -G sudo sysadmin

passwd sysadmin

Configure SSH

edit the sshd_config file

vim /etc/ssh/sshd_config

with the following content:

Include /etc/ssh/sshd_config.d/*.conf

Port 29

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4

# change to the user created above
AllowUsers sysadmin

PubkeyAuthentication no

AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication yes
PermitEmptyPasswords no

ChallengeResponseAuthentication no

UsePAM yes

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1

AcceptEnv LANG LC_*

Subsystem	sftp	/usr/lib/openssh/sftp-server

check the config for errors

sshd -t

restart the SSH service to apply the settings

systemctl restart sshd

check whether the service started successfully

systemctl status sshd

Configure SSH key auth (Unix Systems)

-- Logout from Server --

The following steps are executed on the local system, NOT on the server.

create an SSH key using the Edwards-curve Digital Signature Algorithm (Ed25519) and name it server in the .ssh folder of the current user

ssh-keygen -t ed25519 -f ~/.ssh/server

if you want, you can change the comment of the key to something more descriptive

ssh-keygen -c -C "server.example.com" -f ~/.ssh/server

create or edit the SSH client config file

vim ~/.ssh/config

Host server
    HostName 0.0.0.0
    User sysadmin
    IdentityFile ~/.ssh/server
    Port 29

copy the created public key to the server

ssh-copy-id -i ~/.ssh/server.pub server

log in to the server with the user's password

ssh server

edit the sshd_config file

sudo vim /etc/ssh/sshd_config

with the following content:

Include /etc/ssh/sshd_config.d/*.conf

Port 29

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4

AllowUsers sysadmin

# different to the previous config
PubkeyAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys

# different to the previous config
PasswordAuthentication no
PermitEmptyPasswords no

ChallengeResponseAuthentication no

UsePAM yes

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1

AcceptEnv LANG LC_*

Subsystem	sftp	/usr/lib/openssh/sftp-server

check the config for errors

sudo sshd -t

restart the SSH service to apply the settings

sudo systemctl restart sshd

check whether the service started successfully

sudo systemctl status sshd
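An added check, not part of the original guide: a small shell script that verifies an sshd_config contains the hardening directives set above, reading only the effective (uncommented) lines. The two sample configs it runs against are constructed inline for an offline dry run; on the real server, point check_sshd_config at /etc/ssh/sshd_config or at the output of "sshd -T" saved to a file.

```shell
# Added example, not from the guide: check an sshd_config for the hardening
# directives set above, reading only effective (uncommented) lines.

# Print the effective value of directive $2 in file $1 (last match wins),
# ignoring comments; sshd keywords are case-insensitive.
sshd_value() {
    sed -e 's/#.*$//' "$1" \
    | awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }'
}

# Compare file $1 against the guide's key-auth settings; print each mismatch
# (an absent directive counts, since the guide sets them explicitly) and
# return 1 if any were found, 0 otherwise.
check_sshd_config() {
    _rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no \
                X11Forwarding=no AllowTcpForwarding=no \
                AllowAgentForwarding=no MaxAuthTries=3; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_value "$1" "$key")"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-<unset>}', expected '$want'"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample configs (not the real files) for an offline dry run.
HARDENED="$(mktemp)"; WEAK="$(mktemp)"
trap 'rm -f "$HARDENED" "$WEAK"' EXIT
cat > "$HARDENED" <<'EOF'
permitrootlogin no          # lowercase keyword, inline comment: still parsed
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
EOF
# the weak sample keeps password logins on and drops X11Forwarding entirely
sed -e 's/^PasswordAuthentication no/PasswordAuthentication yes/' \
    -e '/^X11Forwarding/d' "$HARDENED" > "$WEAK"

check_sshd_config "$HARDENED" && echo "hardened sample: OK"
check_sshd_config "$WEAK" || echo "weak sample: mismatches found, as expected"
```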

OPTIONAL Configure Fail2Ban

install fail2ban

apt-get install fail2ban

enable fail2ban

systemctl enable fail2ban

copy the default config to jail.local; fail2ban reads jail.local as an override of jail.conf, so the original stays untouched just in case

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

edit the config file

vim /etc/fail2ban/jail.local

...
bantime.increment = true
...
bantime.multipliers = 1 2 4 8 16 32 64
...
bantime  = 300m
...
findtime  = 10m
...
maxretry = 3

[sshd]
...
enabled = true
port    = 29
logpath = %(sshd_log)s
backend = %(sshd_backend)s
...

restart fail2ban

systemctl restart fail2ban

check the status of fail2ban

systemctl status fail2ban

check the status of the sshd jail with the fail2ban client

fail2ban-client status sshd

OPTIONAL Install UFW Firewall

sudo su

apt-get install ufw

allow SSH before enabling the firewall if you are connected remotely; note that "ufw allow ssh" opens port 22 (the ssh entry in /etc/services), so with the custom port 29 from the sshd config earlier you need the second form

ufw allow ssh

or

ufw allow 29/tcp

check the status of the firewall (should be inactive)

ufw status verbose

turn the firewall on

ufw enable

check the status of the firewall (should be active)

ufw status verbose