I am back with another published article.
Please be kind! I am a self-taught Linux user and by no means an expert. My goal with this guide is to help newcomers to Linux have an easier and more secure start.
To all the experts out there, please be kind and do share your tips and observations. I am happy to keep updating the article to make the self-hosting world more secure.
https://nerdyarticles.com/debian-server-essentials-setup-configure-and-hardening-your-system/
Mozilla has some guidelines for SSH which I use: https://infosec.mozilla.org/guidelines/openssh
Only thing I do differently is I use ed25519 instead of RSA.
ssh-keygen -t ed25519 -a 100Thanks!
I saw the ed25519 keys sometime ago, but haven’t had time to understand it.
Will look into it and the link!
Same protections as RSA but more efficient cause same strength of security but with shorter length making it fast.
There is Edsa too but since it was developed by NSA, people are skeptic it may have a back door…
Great guide. Agree with disable IPv6, extra unnecessary exposure and firewall effort. Consider Automatic updates, review ports/disable unwanted services.
Automated security updates (unattended updates), netstat -ap --numeric-ports (for process review)
Also consider that debian is the downstream distribution of ubuntu, its usually older but more stable. More stable => less bugs => more secure
Nice work!
Some small pieces of feedback:
- You can disable the root user during installation, by leaving the root password blank. The installer explains this in the text at the top of the page. If you do this, root will be disabled and
sudowill be installed automatically - If you really want to control which users can SSH in, it’s recommended to create a group and use
AllowGroups, rather than allowing individual users viaAllowUsers. Note that once you disablePasswordAuthentication, the only users that can SSH in are users that have keys inauthorized_keys, so you don’t really need to useAllowUsersorAllowGroups. - Disabling IPv6 is unnecessary. If you don’t want to use it, then just… don’t use it? You should ideally always have IPv6 enabled for connections to the internet though. It’s generally faster due to better routing (see Google’s latency impact data: https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption), and more future-proof.
- You may want to consider CrowdSec instead of fail2ban. It’s more efficient and they have a shared list of known bad IPs that you can use.
You may want to consider CrowdSec instead of fail2ban. It’s more efficient and they have a shared list of known bad IPs that you can use.
interesting, I’ll have to check out Crowdsec
Hi Daniel15. Is it recommended to disable the root user for a server during installation as you suggested? Are there never any tasks which must (or should) be executed as root for server setup or maintenance? I just built my first (Debian) server, so quite new to it all. Thanks.
You can do almost everything with sudo. Some thing are easier when done as the root user (such as setting cron jobs that need root permissions), but it should never be a necessity.
If you really do need root user, you can still enable root temporarily and disable it again.
Anything that you absolutely must do as root can be done using
sudo -iwhich will give you a root shell.
- You can disable the root user during installation, by leaving the root password blank. The installer explains this in the text at the top of the page. If you do this, root will be disabled and
Nice work!
Some small pieces of feedback:- use fedora
- or any other rhel derivate
Whith the way rhel is l taking. Home use in production is terrible idea
Not helpful… If that is your opinion, then at least put some reasoning behind it…
i’m sorry.
i personnally think, that debian is in a dying state.
your article is very good and helpful. but just things like installing sudo is not very comfortable. any other linux os has it installed from the start.
also your security tips are helpful for any linux os.
That’s not reasoning, that’s still just your opinion. Note, if you follow up with a straight up claim that “debian is in a dying state” I’m going to expect evidence to back it up. So keep that in mind should you choose to continue dying on this hill.
How is Debian in a dying state?
Fanboism. There are entire data centers (like linode) running Debian under the hood. It’s stable and consistent.
Debian just hit 30 years and is still one of the most used Linux distros. It’s not.
Thinks it’s in dying state and the guy recommends the distro that’s doing it’s best to kill itself. What’s next, “Why don’t you use SCO linux?”
u/KillerTic thanks for continuing to provide great write-ups.
PermitRootLogin I would set to yes.
sudo systemctl restart ssh will only restart your ssh client and not the ssh server you try to restart. Use sshd insted.
I personally find it easier to use no root during setup and import my ssh keys from github using ssh-import-id.
UFW doesn’t harm, but if the host is on your Proxmox Hypervisor, it is probably behind a deny all incoming firewall anyway. That is also why I would leave IPv6 on.
Like other have noted, Crowdsec is a little bit more complex to setup but also offers more features. As a side note, Fail2ban is unfortunatly not IPv6 ready.
Thanks for the advice!
Why would you leave PermitRootLogin to yes? Doesn’t really matter, if root ca nit login anyways?!
You are right on restarting sshd. That’s a typo…
An other user also mentioned to not fill out the root password and it will disable root + install sudo. Guess I didn’t read the instructions properly. Will definable be adopted.
I agree on importing from Github, but I am unsure how many people have their keys there…
UFW on a virtual machine might not be needed, but also not really harmful. I do like having in on every machine for piece of mind. Also this guide can be used for bare metal installs.
Crowdsec is on the todo list!
Thanks again. I will keep updating my article 😊
Why would you leave PermitRootLogin to yes? Doesn’t really matter, if root ca nit login anyways?!
Just like you don’t really need UFW, not really harmful and for piece of mind :)
But to be honest, I am no expert either. I look at your config and think, just leave everything at default besides these twos:
PubkeyAuthentication yes PasswordAuthentication no
Things like
MaxAuthTries 3
don’t matter for public key auth.
Yeah and I went through it with thinking, let’s make it as secure as possible without 100% knowing the effect…
You need password auth for copying your key, don’t you. Unless you import it during the install…
Another great article! I’m curious about the reasoning for using Debian on a Pi vs the Pi OS which is based off Debian?
For Raspberry Pi’s I prefer DietPi which is Debian based but not full of unnecessary stuff for servers like Pi OS is.
+1 for DietPi. It’s only system I have installed on my Raspberries and also on my Odroid H3.
Full disk encryption is my reason. Super easy to do when installing debian from scratch. Big pain in the ass to do with Pi OS (last I googled).
I only use Alpine on Pis so I’m interested to hear why any Debian at all?
Just because I know it and I wanted something with as little bloat as possible.
Tried alpine once, could not get it running.
You wrote a guide on how to install and use a Linux distro but you can’t install another distro. Isn’t that a little bit of a contradiction, same with the statement “with as little bloat as possible”, that’s exactly what Alpine is made for. Are you sure you should give other people advice?
I don’t see the contradiction. /u/KillerTic wrote about A linux distro, Debian, and wrote a how-to guide for said distro. Just because Alpine didn’t work out for them, doesn’t mean that they can’t write an article about Debian.
I encourage you to actually read the article IF you are interested in learning about installing Debian. Not to mention, the writer clearly states this right up front.
I want to make it clear that I’m not a Linux expert or administrator; everything I’ve learned has been self-taught. The same applies to security practices.
If you happen to identify any issues or have valuable tips and advice, I welcome your input. I’m continually seeking ways to improve, and I’ll maintain a change log at the bottom of this article to track any updates and enhancements.
OP said he could not install another distro, this clearly shows the skill level, and even if you disclaim it at the begining, should people with little to no experience writr guides for the general public? Just because you figured out addition should not mean you can write a book about how to learn math.
Hmm. I’m not sure what you are trying to debate, /u/ElevenNotes. OP wrote a damn good guide, and looking at their other work - they are doing a great job at contributing to this community. Their post was also featured in the weekly newsletter over at selfh.st. This is a hobby sub with a contributing community. I urge you to treat it like one.
Exactly this. I remember how hard it was for me to start and how often I screwed up, felt uncertain, …
This is fire, love it!
Hm good guide but some things like UFW are totally unnecessary for most users. See https://youtu.be/fKuqYQdqRIs?feature=shared&t=798
Personally I disagree. You might be running internal services you do not want to expose. It also is an active step to expose something. This way you are in control what is exposed and what isn’t.
Yeah until you realize that e.g. docker compose doesn’t care about ufw rules and expose defined ports anyway (yes, through the firewall) and now you can argue that an inexperienced user doesn’t know this and thinks that the ufw will protect him and give him a false sense of security. You should always make sure to bind internal services to 127.0.0.1 only period. Anyway that doesn’t mean ufw is useless, but that it should only be used for filtering more than the default port allow rules because like this you have no security advantage (e.g. I use ufw on my Proxmox servers to block outgoing connection to the lan by default and then explicitly allow connection to server x if needed )
Installing fail2ban and not configuring it is as good as not installing the program in the first place.
Include unattended-upgrades with configuration for security updates. This is essential to any actively accessible server.
i might format my raspberry pi with the new raspbian OS. will definetly try this one out thanks
Damn, I was legit spinning up a new Ubuntu server VM and thought I’m gonna look up a guide about proper initial config/hardening while it loads up … You convinced me to give debian a go.
Nice timing! Happy you found it exactly when you needed it
Go Alpine, hardened from the start (almost).
I tried it briefly, but had to many issues getting it up and running properly…
Many issues like?
Honestly, when I tried it was like two years ago. I think back then I wasn’t experienced enough and was annoyed at some stage not being able to get docker to run.
I should give it another go. Would you just do it on RPi and a LXC container or also on your VM?
All three. Alpine (read-only from RAM) is the perfect OS for any RPi. Alpine in a VM is a perfect OS with native support for all hypervisors and drivers available from the start, and as a container base layer its simply one of the best OS out there. I run all my bare metal nodes with Alpine from USB (read-only from RAM). You setup a USB stick, plug it in, boot from it, done. You can setup the OS with your keys and everything, take the USB stick, simply copy the contents (its FAT32) and put it on another stick and plug that into another server and boom, OS ready, no installation required.
Disclaimer: All my bare metal nodes are for containers, the OS has nothing installed, so read-only from RAM is IMHO the best option to do so, unless you want PXE.
All right, you got my attention 😂
Challenge accepted! (Some rainy day I got some time).
Thanks for that!
Isn’t alpine musl based? Last time I heard it can lead to some very obscure problems when interacting with applications compiled with gcc… so, hows it fare for you?
Yes, but muscl > glibc, anyway, as a container host it does not matter. You can install 99% of all bins only the ones that are not 100% POSIX not (like GlusterFS for example) but in containers everything works.
Asks for donations but scams out artists by using AI art. You are just absolute scum OP.
Wow… very narrow minded perspective you have. So you call me scum, but did you donate or did you consume my content for free? Lol (I know the answer as so far I did not receive donations)
I embrace new technology and as I wrote in my about section, I adopt GenAI for learning purposes. Because learning in real life use cases is how I learn best.
I am sharing knowledge for free, spend hours on writing these articles. If I would need to pay for the pictures out of my pocket, I would not make my content available.
I am happy to donate to people who spend time giving back to the community, I do not rely on donations, but if anyone is like me, I am happy to accept them!
GenAI is one of the biggest revolutions we habe seen so far. Get behind it or be left in the dust…
OP is open about using AI. His content is great and you can tell they are passionate about it. We need more of this and if people use AI to help them word their articles, who cares as long as they don’t ask it to write the article for them.
Thank you very much. Means a lot coming from the creator of noted.lol!
Which reminded me, I always wanted to donate and just did so!
You are the reason I choose Ghost by the way and got quite a few inspiration from your articles! Thanks for that.
did you donate or did you consume my content for free
I didn’t even read one word of it. That’s why I didn’t comment on the content. Opening the link showed a donation ask and an AI image. That already tells me everything about you that I need to know. Glad for you that you are fine with stealing other people’s work, all the images used to train these.