Initial Server Setup



This section assumes you have a fresh Debian 11 install on a server (either physical or VPS)

It will cover installing the essentials for access, and basic security so you don't need to worry in the future. This section may seem a little daunting for a first-time Linux user, but most of it is copy/paste, hopefully with enough description to understand what is being done. Just remember not to copy the $/root$; they're there to show what user/directory we're in.

This first section will be done on the physical PC, or on the VPS via their website, or SSH'd as root if that's the option given.

Update the OS

Even with a fresh install of Debian from the latest ISO, there may be some updates you're missing, and it's a good idea to have these, especially in case they're security updates.

apt update && apt upgrade

Install essential packages

These are packages that are needed for accessing, and controlling the server

apt install sudo ssh

Some useful packages too

apt install vim htop wget curl tmux

Add a user, and give super user privileges

You want to avoid using root as much as possible in regular use, so a new user for yourself is a must

adduser $USERNAME$
usermod -aG sudo $USERNAME$

*replace $USERNAME$ with the user you want to create, e.g. nathan

(Local server) Set static IP

If the server is a physical PC in your home you will need to set a static IP, otherwise your router could assign a different IP on reboot, and this would mess with port forwarding, and internal DNS.

Set static IP for local server

Port forwarding for local server

If you've set the static IP for your local server, you'll also have an additional step when making public (internet served) services, as unlike a VPS your ISP will likely have all outbound ports disabled by default

Port forward your local server

Secure ssh

Although this is optional, I recommend it, as SSH (secure shell) will be the primary means of access to the server.

vim /etc/ssh/sshd_config

Within the editor you will need to search for PermitRootLogin and set it to no; this prevents SSH logins as root.

Search for Port and set it to a port other than 22. A port over 1024 prevents basic nmap scans, and therefore a lot of bruteforcing, so let's go with 2020 so it's easy to remember.

Below the Port line, add a new line with Protocol 2; this enables ssh2, which is more secure.

(Optional) Comment out (add a # to the beginning of) the passwordlogin line. This will prevent SSHing to the server from any PC that doesn't have its SSH key on the server already. I recommend only doing this if your SSH keys are on the server, or you're comfortable adding them.

systemctl reload sshd

This reloads the ssh daemon, and enables all the changes we've made
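
A check for the edits above, as an added example that is not part of the original guide: it reads the effective settings that `sshd -T` prints and compares them with the choices made here (root login off, port 2020, and the optional password step). The function name `audit_sshd` and both sample inputs are constructed for illustration.

```shell
# Audit the effective sshd settings this guide changes (added example).
# On the server, as root:  sshd -T | audit_sshd 2020
# `sshd -T` prints the effective configuration as lower-case
# "keyword value" lines, defaults included for commented-out directives.

audit_sshd() {
    # $1 = SSH port chosen in this guide; `sshd -T` text arrives on stdin.
    awk -v want="$1" '
        { v[$1] = $2 }                          # last value seen per keyword
        $1 == "port" { ports = ports " " $2 }   # sshd may listen on several
        END {
            fails = 0
            if (v["permitrootlogin"] != "no") {
                print "FAIL root login over SSH allowed: " v["permitrootlogin"]
                fails++
            }
            if (ports != (" " want)) {
                print "FAIL listening on port(s)" ports ", expected " want
                fails++
            }
            if (v["passwordauthentication"] != "no") {
                # Optional step: a commented-out line leaves the default (yes).
                print "NOTE password logins still accepted"
            } else if (v["pubkeyauthentication"] != "yes") {
                print "FAIL passwords and keys both disabled: lockout"
                fails++
            }
            if (fails == 0) print "OK"
            exit fails                          # exit status = number of FAILs
        }'
}

# Constructed sample: settings before the edits (hypothetical values).
sample_before() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' \
        'passwordauthentication yes' 'pubkeyauthentication yes'
}

# Constructed sample: after the edits, password line only commented out.
sample_after() {
    printf '%s\n' 'port 2020' 'permitrootlogin no' \
        'passwordauthentication yes' 'pubkeyauthentication yes'
}

sample_before | audit_sshd 2020 || true
sample_after  | audit_sshd 2020
```

Run it after every change to sshd_config and before closing the session you already have open, so a bad setting is caught while you can still fix it.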

Setup UFW

UFW (Uncomplicated Firewall) is a simple to use firewall, that can be used to easily open/close ports on your server.

We'll install ufw, deny access inwards to all ports, but allow our server to access any ports outwards. We will then manually allow inwards traffic to the SSH port we set, in this case 2020

apt install ufw
ufw default deny incoming &&
ufw default allow outgoing &&
ufw allow 2020 &&
ufw enable

If there are any other ports that need to be opened in the future this can be done with:

ufw allow $PORT$

or

sudo ufw allow $PORT$

Set hostname

Setting the name for a server is an important step, but the name doesn't need to be serious

vim /etc/hosts

and

vim /etc/hostname

Within both of these files the hostname should be changed to the same thing

This next section can be done via a terminal, or an SSH client, e.g. PuTTY for Windows. For the sake of the guide, this assumes you're using a Unix terminal.

Create an SSH key

We'll create an ed25519 SSH key, as it's more secure and performant than the default rsa

ssh-keygen -t ed25519

SSH into the server

This is a two part section, and I recommend using this every time you SSH into a server from a new PC

ssh $USER$@$HOST$ -p 2020

This will likely display a message asking to verify the key for the server. This is to prevent man-in-the-middle attacks, so I recommend verifying this whenever asked.

To check the key for the server, you need to run this command on the server.

ssh-keygen -l -f /etc/ssh/ssh_host_$KEY$_key.pub

Replace $KEY$ with the key the message is asking about (e.g. ecdsa, rsa, ed25519). Then, if the key the server shows matches the one shown on the PC you are SSHing from, type yes and hit enter.

TODO:(Optional) Fail2Ban

TODO:(Optional) Unattended Upgrades

Updates to a server typically want to be done by a human in case things go wrong, but smaller updates can be set to be done automatically

(Optional) Setup User preferences

These are a few things I personally like to have on a basic server. If you have your own preferences, dotfiles, or intend to use oh-my-zsh, feel free to skip over this.

Vi mode bash

Warning: this is a preference you may not want to use if you're a beginner, and/or don't use VIM (text editor), as it sets the terminal to work more like VIM

Open your .bashrc file in your editor of choice

vim ~/.bashrc

Add the following to the bottom of the file

set -o vi

Aliases

Instead of typing out long commands you can alias them, and type a shorthand version. I've written an article about aliases that explains setting up, and aliases I use. Below are some essentials for those that don't want to jump to another article.

alias ll="ls -lhtr"
alias df="df -h"
alias ta="tmux attach || tmux new"
alias ipe="curl ifconfig.co"

Ctrl-L clear-screen

Sometimes a new system doesn't have this by default, and it's probably the thing I use most after ls.

Add, or create an .inputrc file

vim ~/.inputrc

Add the following line to the file

"\C-l": clear-screen

BashRC PS1

This will make your terminal look a little nicer, and display a directory path, user, and hostname. A ridiculously useful feature if you're managing multiple servers, or virtual machines

This is also in the .bashrc file, so open that up

vim ~/.bashrc

Then add the following to the bottom of the file

export PS1="\[\e[01;33m\]\u\[\e[0m\]\[\e[00;37m\]@\[\e[0m\]\[\e[01;36m\]\h\[\e[0m\]\[\e[00;37m\] \t \[\e[0m\]\[\e[01;35m\]\w\[\e[0m\]\[\e[01;37m\] \[\e[0m\]\n$ "

If you want to customise your terminal, you can do so with .bashrc PS1 generator.

Server maintenance notes

Keep the server up to date as much as possible

Only install things that you need. If this is a server for learning, half ignore this, but for production servers only install services, and make changes that are required.