I am back with another published article.
Please be kind! I am a self-taught Linux user and by no means an expert. My goal with this guide is to help newcomers to Linux have an easier and more secure start.
To all the experts out there, please be kind and do share your tips and observations. I am happy to keep updating the article to make the self-hosting world more secure.
https://nerdyarticles.com/debian-server-essentials-setup-configure-and-hardening-your-system/
Great guide. Agree with disable IPv6, extra unnecessary exposure and firewall effort. Consider Automatic updates, review ports/disable unwanted services.
Mozilla has some guidelines for SSH which I use: https://infosec.mozilla.org/guidelines/openssh
Only thing I do differently is I use ed25519 instead of RSA.
ssh-keygen -t ed25519 -a 100
Thanks!
I saw the ed25519 keys sometime ago, but haven’t had time to understand it.
Will look into it and the link!
Nice work!
Some small pieces of feedback:
- You can disable the root user during installation, by leaving the root password blank. The installer explains this in the text at the top of the page. If you do this, root will be disabled and
sudo
will be installed automatically - If you really want to control which users can SSH in, it’s recommended to create a group and use
AllowGroups
, rather than allowing individual users viaAllowUsers
. Note that once you disablePasswordAuthentication
, the only users that can SSH in are users that have keys inauthorized_keys
, so you don’t really need to useAllowUsers
orAllowGroups
. - Disabling IPv6 is unnecessary. If you don’t want to use it, then just… don’t use it? You should ideally always have IPv6 enabled for connections to the internet though. It’s generally faster due to better routing (see Google’s latency impact data: https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption), and more future-proof.
- You may want to consider CrowdSec instead of fail2ban. It’s more efficient and they have a shared list of known bad IPs that you can use.
Hi Daniel15. Is it recommended to disable the root user for a server during installation as you suggested? Are there never any tasks which must (or should) be executed as root for server setup or maintenance? I just built my first (Debian) server, so quite new to it all. Thanks.
You can do almost everything with sudo. Some thing are easier when done as the root user (such as setting cron jobs that need root permissions), but it should never be a necessity.
If you really do need root user, you can still enable root temporarily and disable it again.
This is fire, love it!
Another great article! I’m curious about the reasoning for using Debian on a Pi vs the Pi OS which is based off Debian?
For Raspberry Pi’s I prefer DietPi which is Debian based but not full of unnecessary stuff for servers like Pi OS is.
I only use Alpine on Pis so I’m interested to hear why any Debian at all?
Just because I know it and I wanted something with as little bloat as possible.
Tried alpine once, could not get it running.
You wrote a guide on how to install and use a Linux distro but you can’t install another distro. Isn’t that a little bit of a contradiction, same with the statement “with as little bloat as possible”, that’s exactly what Alpine is made for. Are you sure you should give other people advice?