1 yr. ago • 100%

Debian Server Essentials: Setup, Configure, and Hardening Your System

I am back with another published article.

Ideogram.ai: penguin in a server room covered in ice and snow, whole picture made out of green matrix style lines of code, cinematic

Please be kind! I am a self-taught Linux user and by no means an expert. My goal with this guide is to help newcomers to Linux have an easier and more secure start.

To all the experts out there, please be kind and do share your tips and observations. I am happy to keep updating the article to make the self-hosting world more secure.

https://nerdyarticles.com/debian-server-essentials-setup-configure-and-hardening-your-system/

56 comments

Mozilla has some guidelines for SSH which I use: https://infosec.mozilla.org/guidelines/openssh

Only thing I do differently is I use ed25519 instead of RSA.

ssh-keygen -t ed25519 -a 100
2
- Thanks!
  
  I saw the ed25519 keys sometime ago, but haven’t had time to understand it.
  
  Will look into it and the link!
  
  1
  
  Same protections as RSA but more efficient cause same strength of security but with shorter length making it fast.
  
  There is Edsa too but since it was developed by NSA, people are skeptic it may have a back door…
  
  1
Great guide. Agree with disable IPv6, extra unnecessary exposure and firewall effort. Consider Automatic updates, review ports/disable unwanted services.

2
- Automated security updates (unattended updates), netstat -ap --numeric-ports (for process review)
  
  Also consider that debian is the downstream distribution of ubuntu, its usually older but more stable. More stable => less bugs => more secure
  
  1
Nice work!

Some small pieces of feedback:

You can disable the root user during installation, by leaving the root password blank. The installer explains this in the text at the top of the page. If you do this, root will be disabled and sudo will be installed automatically

If you really want to control which users can SSH in, it's recommended to create a group and use AllowGroups, rather than allowing individual users via AllowUsers. Note that once you disable PasswordAuthentication, the only users that can SSH in are users that have keys in authorized_keys, so you don't really need to use AllowUsers or AllowGroups.

Disabling IPv6 is unnecessary. If you don't want to use it, then just... don't use it? You should ideally always have IPv6 enabled for connections to the internet though. It's generally faster due to better routing (see Google's latency impact data: https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption), and more future-proof.

You may want to consider CrowdSec instead of fail2ban. It's more efficient and they have a shared list of known bad IPs that you can use.
1
- Hi Daniel15. Is it recommended to disable the root user for a server during installation as you suggested? Are there never any tasks which must (or should) be executed as root for server setup or maintenance? I just built my first (Debian) server, so quite new to it all. Thanks.
  
  1
  
  You can do almost everything with sudo. Some thing are easier when done as the root user (such as setting cron jobs that need root permissions), but it should never be a necessity.
  
  If you really do need root user, you can still enable root temporarily and disable it again.
  
  1
- You may want to consider CrowdSec instead of fail2ban. It's more efficient and they have a shared list of known bad IPs that you can use.
  
  interesting, I'll have to check out Crowdsec
  
  1
Installing fail2ban and not configuring it is as good as not installing the program in the first place.

Include unattended-upgrades with configuration for security updates. This is essential to any actively accessible server.

1
Nice work!
Some small pieces of feedback:

use fedora

or any other rhel derivate
1
- Whith the way rhel is l taking. Home use in production is terrible idea
  
  1
- Not helpful... If that is your opinion, then at least put some reasoning behind it...
  
  1
  
  i'm sorry.
  
  i personnally think, that debian is in a dying state.
  
  your article is very good and helpful. but just things like installing sudo is not very comfortable. any other linux os has it installed from the start.
  
  also your security tips are helpful for any linux os.
  
  1
i might format my raspberry pi with the new raspbian OS. will definetly try this one out thanks

1
PermitRootLogin I would set to yes.

sudo systemctl restart ssh will only restart your ssh client and not the ssh server you try to restart. Use sshd insted.

I personally find it easier to use no root during setup and import my ssh keys from github using ssh-import-id.

UFW doesn't harm, but if the host is on your Proxmox Hypervisor, it is probably behind a deny all incoming firewall anyway. That is also why I would leave IPv6 on.

Like other have noted, Crowdsec is a little bit more complex to setup but also offers more features. As a side note, Fail2ban is unfortunatly not IPv6 ready.

1
- Thanks for the advice!
  
  Why would you leave PermitRootLogin to yes? Doesn’t really matter, if root ca nit login anyways?!
  
  You are right on restarting sshd. That’s a typo…
  
  An other user also mentioned to not fill out the root password and it will disable root + install sudo. Guess I didn’t read the instructions properly. Will definable be adopted.
  
  I agree on importing from Github, but I am unsure how many people have their keys there…
  
  UFW on a virtual machine might not be needed, but also not really harmful. I do like having in on every machine for piece of mind. Also this guide can be used for bare metal installs.
  
  Crowdsec is on the todo list!
  
  Thanks again. I will keep updating my article 😊
  
  1
  
  Why would you leave PermitRootLogin to yes? Doesn’t really matter, if root ca nit login anyways?!
  
  Just like you don't really need UFW, not really harmful and for piece of mind :)
  
  But to be honest, I am no expert either. I look at your config and think, just leave everything at default besides these twos:
  
  PubkeyAuthentication yes PasswordAuthentication no
  
  Things like
  
  MaxAuthTries 3
  
  don't matter for public key auth.
  
  1
Hm good guide but some things like UFW are totally unnecessary for most users. See https://youtu.be/fKuqYQdqRIs?feature=shared&t=798

1
- Personally I disagree. You might be running internal services you do not want to expose. It also is an active step to expose something. This way you are in control what is exposed and what isn’t.
  
  1
  
  Yeah until you realize that e.g. docker compose doesn’t care about ufw rules and expose defined ports anyway (yes, through the firewall) and now you can argue that an inexperienced user doesn’t know this and thinks that the ufw will protect him and give him a false sense of security. You should always make sure to bind internal services to 127.0.0.1 only period. Anyway that doesn’t mean ufw is useless, but that it should only be used for filtering more than the default port allow rules because like this you have no security advantage (e.g. I use ufw on my Proxmox servers to block outgoing connection to the lan by default and then explicitly allow connection to server x if needed )
  
  1
u/KillerTic thanks for continuing to provide great write-ups.

1
This is fire, love it!

1
Asks for donations but scams out artists by using AI art. You are just absolute scum OP.

0
- Wow… very narrow minded perspective you have. So you call me scum, but did you donate or did you consume my content for free? Lol (I know the answer as so far I did not receive donations)
  
  I embrace new technology and as I wrote in my about section, I adopt GenAI for learning purposes. Because learning in real life use cases is how I learn best.
  
  I am sharing knowledge for free, spend hours on writing these articles. If I would need to pay for the pictures out of my pocket, I would not make my content available.
  
  I am happy to donate to people who spend time giving back to the community, I do not rely on donations, but if anyone is like me, I am happy to accept them!
  
  GenAI is one of the biggest revolutions we habe seen so far. Get behind it or be left in the dust…
  
  1
  
  OP is open about using AI. His content is great and you can tell they are passionate about it. We need more of this and if people use AI to help them word their articles, who cares as long as they don't ask it to write the article for them.
  
  1
  
  did you donate or did you consume my content for free
  
  I didn't even read one word of it. That's why I didn't comment on the content. Opening the link showed a donation ask and an AI image. That already tells me everything about you that I need to know. Glad for you that you are fine with stealing other people's work, all the images used to train these.
  
  0
Another great article! I'm curious about the reasoning for using Debian on a Pi vs the Pi OS which is based off Debian?

0
- For Raspberry Pi's I prefer DietPi which is Debian based but not full of unnecessary stuff for servers like Pi OS is.
  
  1
  
  DietPi
  
  +1 for DietPi. It's only system I have installed on my Raspberries and also on my Odroid H3.
  
  1
- Full disk encryption is my reason. Super easy to do when installing debian from scratch. Big pain in the ass to do with Pi OS (last I googled).
  
  1
- I only use Alpine on Pis so I'm interested to hear why any Debian at all?
  
  1
  
  Just because I know it and I wanted something with as little bloat as possible.
  
  Tried alpine once, could not get it running.
  
  1
Damn, I was legit spinning up a new Ubuntu server VM and thought I'm gonna look up a guide about proper initial config/hardening while it loads up ... You convinced me to give debian a go.

0
- Nice timing! Happy you found it exactly when you needed it
  
  1
- Go Alpine, hardened from the start (almost).
  
  0
  
  I tried it briefly, but had to many issues getting it up and running properly…
  
  1
  
  Isn't alpine musl based? Last time I heard it can lead to some very obscure problems when interacting with applications compiled with gcc... so, hows it fare for you?
  
  1

You've viewed 56 comments.