I am back with another published article.


Please be kind! I am a self-taught Linux user and by no means an expert. My goal with this guide is to help newcomers to Linux have an easier and more secure start.

To all the experts out there, please be kind and do share your tips and observations. I am happy to keep updating the article to make the self-hosting world more secure.

https://nerdyarticles.com/debian-server-essentials-setup-configure-and-hardening-your-system/

  • jammsessionB
    11 months ago

    PermitRootLogin I would set to yes.

    sudo systemctl restart ssh will only restart your ssh client and not the ssh server you try to restart. Use sshd instead.

    I personally find it easier to use no root during setup and import my ssh keys from github using ssh-import-id.

    UFW doesn’t harm, but if the host is on your Proxmox Hypervisor, it is probably behind a deny all incoming firewall anyway. That is also why I would leave IPv6 on.

    Like others have noted, Crowdsec is a little bit more complex to set up but also offers more features. As a side note, Fail2ban is unfortunately not IPv6 ready.

    • KillerTicOPB
      11 months ago

      Thanks for the advice!

      Why would you leave PermitRootLogin to yes? Doesn’t really matter, if root cannot login anyways?!

      You are right on restarting sshd. That’s a typo…

      Another user also mentioned to not fill out the root password and it will disable root + install sudo. Guess I didn’t read the instructions properly. Will definitely be adopted.

      I agree on importing from Github, but I am unsure how many people have their keys there…

      UFW on a virtual machine might not be needed, but also not really harmful. I do like having it on every machine for peace of mind. Also this guide can be used for bare metal installs.

      Crowdsec is on the todo list!

      Thanks again. I will keep updating my article 😊

      • jammsessionB
        11 months ago

        Why would you leave PermitRootLogin to yes? Doesn’t really matter, if root cannot login anyways?!

        Just like you don’t really need UFW, not really harmful and for peace of mind :)

        But to be honest, I am no expert either. I look at your config and think, just leave everything at default besides these two:

        PubkeyAuthentication yes
        PasswordAuthentication no

        Things like

        MaxAuthTries 3

        don’t matter for public key auth.
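Added example, not part of any comment in this thread: a small shell audit of the two settings named above, run against the effective configuration that `sshd -T` prints. The function names and both sample outputs are constructed for illustration; the `kbdinteractiveauthentication` check goes beyond what the thread lists, and `permitrootlogin` is only reported because the commenters disagree on it.

```shell
#!/bin/sh
# Audit sshd's *effective* settings as printed by `sshd -T`
# (one lowercase "keyword value" pair per line).

# Print the value of keyword $2 found in `sshd -T`-style text $1.
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }'
}

# Return 0 if only public-key logins are possible, 1 otherwise.
audit_sshd() {
    cfg=$1
    rc=0
    for want in pubkeyauthentication=yes passwordauthentication=no \
                kbdinteractiveauthentication=no; do
        key=${want%%=*}; expected=${want#*=}
        actual=$(sshd_value "$cfg" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok    $key $actual"
        else
            echo "FAIL  $key ${actual:-<unset>} (want $expected)"
            rc=1
        fi
    done
    # Informational only: the thread does not agree on a value here.
    echo "info  permitrootlogin $(sshd_value "$cfg" permitrootlogin)"
    return $rc
}

# Constructed sample outputs (not taken from a real host).
SAMPLE_KEYS_ONLY='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
maxauthtries 3'

SAMPLE_PASSWORD_ON='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
maxauthtries 6'

# On a real host, as root: audit_sshd "$(sshd -T)"
audit_sshd "$SAMPLE_KEYS_ONLY"
audit_sshd "$SAMPLE_PASSWORD_ON" || echo "password logins still possible"
```

Checking `sshd -T` rather than the config file catches values overridden by drop-in files or left at compiled-in defaults.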

        • KillerTicOPB
          11 months ago

          Yeah and I went through it with thinking, let’s make it as secure as possible without 100% knowing the effect…

          You need password auth for copying your key, don’t you? Unless you import it during the install…

  • New_d_picsB
    11 months ago

    Damn, I was legit spinning up a new Ubuntu server VM and thought I’m gonna look up a guide about proper initial config/hardening while it loads up … You convinced me to give debian a go.

      • KillerTicOPB
        11 months ago

        I tried it briefly, but had too many issues getting it up and running properly…

          • KillerTicOPB
            11 months ago

            Honestly, when I tried it was like two years ago. I think back then I wasn’t experienced enough and was annoyed at some stage not being able to get docker to run.

            I should give it another go. Would you just do it on RPi and a LXC container or also on your VM?

            • ElevenNotesB
              11 months ago

              All three. Alpine (read-only from RAM) is the perfect OS for any RPi. Alpine in a VM is a perfect OS with native support for all hypervisors and drivers available from the start, and as a container base layer it’s simply one of the best OS out there. I run all my bare metal nodes with Alpine from USB (read-only from RAM). You set up a USB stick, plug it in, boot from it, done. You can set up the OS with your keys and everything, take the USB stick, simply copy the contents (it’s FAT32) and put it on another stick and plug that into another server and boom, OS ready, no installation required.

              Disclaimer: All my bare metal nodes are for containers, the OS has nothing installed, so read-only from RAM is IMHO the best option to do so, unless you want PXE.

              • KillerTicOPB
                11 months ago

                All right, you got my attention 😂

                Challenge accepted! (Some rainy day I got some time).

                Thanks for that!

    • KillerTicOPB
      11 months ago

      Nice timing! Happy you found it exactly when you needed it

  • syswwwB
    11 months ago

    Great guide. Agree with disabling IPv6, extra unnecessary exposure and firewall effort. Consider automatic updates, review ports/disable unwanted services.

    • nomad@infosec.pub
      11 months ago

      Automated security updates (unattended updates), netstat -ap --numeric-ports (for process review)

      Also consider that Debian is the downstream distribution of Ubuntu, it’s usually older but more stable. More stable => fewer bugs => more secure