This thread has gotten less attention than I anticipated. I have hence written a very detailed blog post about everything you need to know to thoroughly secure your new Debian Linux server. It describes every step you need to follow to keep your new Debian instance secure right from the start.
If you are still interested in helping to complete this thread, please feel free to keep reading.
PLEASE READ THE SECOND POST IN THIS THREAD BEFORE POSTING
Welcome new Linux Server admins! Take these steps to configure a reasonably secure server and to avoid falling victim to automated bot attacks!
[Security is a process not a task that can be completed, hence this thread will always be WIP]
1) Installing automatic security upgrades
Reason
This will automatically install security upgrades for all installed apt packages once a day.
Action
Code:
apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades
Select "Yes" when it asks if you want to automatically install unattended upgrades.
Configuration
No further configuration is required. Answering "Yes" writes the two APT::Periodic settings (package list update and unattended upgrade, both set to "1") into /etc/apt/apt.conf.d/20auto-upgrades; if you answered "No" by mistake, just run dpkg-reconfigure again.
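To confirm that step 1 actually took effect, the following added helper (example code, not part of the original post) reads the effective APT configuration as printed by `apt-config dump` (one `Key "value";` line per setting) and fails unless both periodic jobs are enabled. The sample input in the usage below is constructed; on a real server you pipe the real `apt-config dump` output into it.

```shell
#!/bin/sh
# Added example, not from the original post. check_apt_periodic reads the
# output of `apt-config dump` on stdin. Each line has the form
#   APT::Periodic::Unattended-Upgrade "1";
# and the two keys below are what dpkg-reconfigure unattended-upgrades writes
# into /etc/apt/apt.conf.d/20auto-upgrades when you answer "Yes".
#
# Usage on the server:   apt-config dump | check_apt_periodic
check_apt_periodic() {
    lists=""
    upgrade=""
    while read -r key value; do
        # strip the surrounding quotes and the trailing semicolon from the value
        value=${value#\"}
        value=${value%\";}
        case $key in
            APT::Periodic::Update-Package-Lists) lists=$value ;;
            APT::Periodic::Unattended-Upgrade)   upgrade=$value ;;
        esac
    done

    # "0" or an absent key means the daily job is off; "1" (daily) is what the
    # package's own postinst writes, other positive values mean "every N days".
    if [ -n "$lists" ] && [ "$lists" != "0" ] && [ -n "$upgrade" ] && [ "$upgrade" != "0" ]; then
        return 0
    fi
    echo "unattended upgrades NOT enabled (Update-Package-Lists='$lists', Unattended-Upgrade='$upgrade')" >&2
    return 1
}
```

A passing check only tells you the timer-driven job is switched on. To see what it would actually install (and whether the security origin is matched), run `unattended-upgrades --dry-run --debug` once by hand after the first `apt update`.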
2) Configure the SSH server public key authentication
Reason
By default (sadly), openssh-server on Debian and Ubuntu allows authentication by password. This is widely discouraged, as passwords can be guessed, and the automated bots mentioned above try to guess them around the clock.
Action
First generate a secure SSH keypair (private and public key) on your workstation, not on the server; the private key never leaves your machine:
Code:
ssh-keygen -t ed25519 -a 100 -o
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): <== ENTER
Enter passphrase (empty for no passphrase): <== Enter a secure password or press ENTER to skip
Enter same passphrase again: <== same here
Your identification has been saved in /home/user/.ssh/id_ed25519
Your public key has been saved in /home/user/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:VdIgmgM/xJgvgeg1+Mz+VeAB9mFOKrWG+ira4mvHeXM user@host
The key's randomart image is:
+--[ED25519 256]--+
| ....Bo+. oo. |
|...oB+O=.. o. |
|. =o.*Boo . |
| ..++ .+ o |
| .. . S |
| .. . |
| ..o . |
|oo.+ + E |
|*=+ . o |
+----[SHA256]-----+
If you cannot rule out that somebody steals your laptop while it is running (or while it is turned off, if its disk is not encrypted), then you should set a passphrase on the SSH key. You will need to enter it every time you use the key; Debian and Ubuntu come with ssh-agent pre-installed in most variants (not minimal), which caches the unlocked key for your session (or for a lifetime you set with ssh-add -t). If you trust that your laptop will not be stolen (while it is turned on, if it has disk encryption), you can skip this step.
Show the PUBLIC key and copy it:
Code:
cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSsgAYltS87EDN5rXy3rTezuBszeEfpUKcKArOYgk27 user@workstation
Now SSH into your server and add the key to root's authorized_keys (the echo is a single line; paste your own public key, not the example one):
Code:
ssh root@server
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSsgAYltS87EDN5rXy3rTezuBszeEfpUKcKArOYgk27 user@workstation" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Now log out by typing
Code:
exit
or pressing CTRL + D, and log in to the server again. It should not ask for a password anymore. If it still asks for a password, debug this first (ssh -v shows which keys are offered and why the server rejects them; wrong permissions on ~/.ssh or authorized_keys are the usual cause) and then continue with the following steps.
Now disable password authentication on the server. Keep the SSH session you are in open until you have confirmed from a second terminal that key login still works; a typo here cannot lock you out of a session that already exists. Debian's sshd_config includes /etc/ssh/sshd_config.d/*.conf, so the setting goes into a drop-in file. (This is enough on Debian because its default sshd_config already sets KbdInteractiveAuthentication no; on other distributions check that too, otherwise PAM can still prompt for the account password.)
Code:
ssh root@server
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config.d/99-custom.conf
systemctl restart sshd.service
systemctl status sshd.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-03-22 20:49:43 CET; 2s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 553075 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 553076 (sshd)
Tasks: 7 (limit: 2244)
Memory: 85.9M
CPU: 75ms
CGroup: /system.slice/ssh.service
├─553017 "sshd: [accepted]"
├─553019 "sshd: [net]"
├─553059 "sshd: root [priv]"
├─553072 "sshd: root [net]"
├─553076 "sshd: /usr/sbin/sshd -D [listener] 1 of 10-100 startups"
├─553077 "sshd: root [priv]"
└─553078 "sshd: root [net]"
The unit runs sshd -t (a config syntax check) before starting, which is the ExecStartPre line above. If the status shows "failed" instead of "active (running)", the drop-in file has a mistake: fix it in your still-open session and restart again.
Log out and back in again. If this works, you can additionally lock the password of the root account. This has no effect on SSH anymore (password login is already off), but it does mean root can no longer log in with a password on the local or provider console either, so make sure you keep another way in (your hoster's rescue mode, or a second user with sudo) in case you ever lose the key:
Code:
ssh root@server
passwd --lock root
From man passwd:
Code:
-l, --lock
Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).
Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this sets the account's expire date to Jan 2, 1970).
Users with a locked password are not allowed to change their password.
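The steps of section 2 as two reusable shell helpers. This is an added example, not code from the original post: install_pubkey does what the mkdir/chmod/echo sequence above does, but refuses anything that is not an ssh-ed25519 public key line and will not append the same key twice (the plain `>>` in the post adds a duplicate every time it is re-run); audit_sshd_config reads the effective server configuration as printed by `sshd -T` and fails while any password path is still open. File paths and the sample key used in the usage are assumptions; the sample `sshd -T` lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers for the SSH steps:
#   install_pubkey KEYLINE AUTHORIZED_KEYS_FILE
#   sshd -T | audit_sshd_config

# Append an ssh-ed25519 public key to an authorized_keys file, creating the
# directory (700) and file (600) if needed. Only the key blob is compared, so a
# key with a different comment is still recognised as already present.
install_pubkey() {
    keyline=$1
    file=$2
    dir=$(dirname "$file")

    # An ed25519 public key blob is exactly 68 base64 characters and always
    # begins with the encoded "ssh-ed25519" type string; a comment is optional.
    if ! printf '%s\n' "$keyline" | grep -Eq '^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI[A-Za-z0-9+/]{43}( |$)'; then
        echo "install_pubkey: not a valid ssh-ed25519 public key line" >&2
        return 1
    fi
    blob=$(printf '%s\n' "$keyline" | cut -d' ' -f2)

    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$file" ] || : > "$file"      # create an empty file if missing
    chmod 600 "$file" || return 1

    if grep -qF -- "$blob" "$file"; then
        echo "install_pubkey: key already present in $file" >&2
        return 0
    fi
    printf '%s\n' "$keyline" >> "$file"
}

# Read `sshd -T` output (lowercase "keyword value" lines, one per setting,
# with Include files and Match blocks already resolved) from stdin and return
# 1 if passwords could still be accepted. KbdInteractiveAuthentication is
# checked as well, because with UsePAM it prompts for the account password
# even when PasswordAuthentication is off. Debian's default config sets it to
# "no"; other distributions may not.
audit_sshd_config() {
    fail=0
    seen=""
    while read -r key value; do
        case $key in
            passwordauthentication|kbdinteractiveauthentication|permitemptypasswords)
                seen="$seen $key"
                if [ "$value" != "no" ]; then
                    echo "FAIL: $key $value" >&2
                    fail=1
                fi ;;
            pubkeyauthentication)
                seen="$seen $key"
                if [ "$value" != "yes" ]; then
                    echo "FAIL: $key $value" >&2
                    fail=1
                fi ;;
        esac
    done
    # sshd -T prints every keyword; if one is missing we were not given its output
    for k in passwordauthentication kbdinteractiveauthentication pubkeyauthentication; do
        case " $seen " in
            *" $k "*) ;;
            *) echo "FAIL: $k not found in input (pipe 'sshd -T' into this function)" >&2; fail=1 ;;
        esac
    done
    return $fail
}
```

Usage on the server, as root: `. ./ssh_helpers.sh`, then `install_pubkey "ssh-ed25519 AAAA... user@workstation" /root/.ssh/authorized_keys`, and after writing the drop-in file run `sshd -t && sshd -T | audit_sshd_config` in the session you kept open before you close it. `sshd -T` reports what the daemon will actually enforce after Include drop-ins and Match blocks are applied, which is more reliable than grepping one config file.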