This section assumes you have a fresh Debian install on a server (either physical or VPS)
It will cover installing the essentials for access, and basic security so you don't need to worry in the future. This section may seem a little daunting for a first-time linux user, but most of it is copy/paste, hopefully with enough description to understand what is being done.
This first section will be done on the physical PC, or on the VPS via their website, or SSH'd as root if that's the option given.
Perhaps silly, but login as your user with root priveleges or the root user if a user isn't currently setup.
For the first few steps it's written as if you're logged in as root, if you followed my install guide, this won't have a password, so we'll change user with the following command
sudo su -
Now just follow along with the remainder of the guide. If you wish not to change users you could also just add sudo in-front of the commands to run them as root that way.
Update the OS
Even with a fresh install of Debian from the latest ISO, there may be some updates you're missing, and it's a good idea to have these, especially in case they're security updates.
apt update && apt upgrade
Install essential packages
These are packages that are needed for accessing, and controlling the server
apt install sudo ssh -y
Some useful packages too
apt install vim htop wget curl tmux -y
Add a user, and give super user privilleges
This can be ignored if my guide was followed, or you already have a user setup. Some VPS just have root however, so I believe this should be included.
The reason for a new account instead of using root, basically comes down to security. If you want multiple people on the server too, it's best to have a unique account for each.
adduser $USERNAME$ usermod -aG sudo $USERNAME$
*replace $USERNAME$ with the user you want to create, e.g. nathan
(Local server) Set static IP
If the server is a physical PC in your home you will need to set a static IP, otherwise your router could assign a different IP on reboot, and this would mess with port forwarding, and internal DNS.
If you're using a VPS, this step can be ignored.
Set static IP for local server
Although this is optional, I recommend it, as SSH (secure shell) will likely be the primary means of access to the server. You don't want to be next to it whenever you've got a change to make.
Open the following file with your editor of choice, I use vim.
Within the editor you will need to search for PermitRootLogin and set it to no, this prevents ssh as root
Search for Port and set it to a different port than 22, a port over 1024 prevents basic nmap scans, and therefor a lot of bruteforcing, so let's go with 2020 as it's easy to remember
Below the Port line, add a new line and write Protocol 2 this enables ssh2, which is more secure than the standard ssh protocol.
(Optional) Comment/Add a # to the beginning of the passwordlogin line. This will prevent sshing to the server from any PC that doesn't have it's SSH key on the server already. I recommend only doing this if your sshkeys are on the server, or you're comfortable adding them.
systemctl reload sshd
This reloads the ssh daemon, and enables all the changes we've made
UFW (Uncomplicated Firewall) is a simple to use firewall, that can be used to easily open/close ports on your server.
We'll install ufw, deny access inwards to all ports, but allow our server to access any ports outwards. We will then manually allow traffic to the SSH port we set, in this case 2020.
apt install ufw
ufw default deny incoming && ufw default allow outgoing && ufw allow 2020 && ufw enable
If there are any other ports that need to be opened in the future this can be done with:
ufw allow $PORT
Setting the name for a server is not an important step, but it's nice to have each server easily identifable.
Simply change the hostname within the two files below. Ensure they share the same name between files.
This next section is to be done via a terminal, or an SSH client e.g. PuTTY for Windows. This part of the guide is written for a Unix terminal.
SSH into the server
This is a two part section, and I recommend using this every time you SSH into a server from a new PC.
ssh $USER$@$HOST$ -p 2020
This will likely display a message asking to verify the key for the server. This is to prevent man-in-the-middle attacks, so I recommend verifying this whenever asked.
To verify, you'll need to run the following command on the server.
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
Then if the key the server shows matches that on your PC's SSH prompt, type yes and hit enter from your PC.
SSH without a password
To be more secure, and to SSH faster we can setup an SSH key, and use that for user authentication.
Create an SSH key
We'll create an ed25519 ssh-key, as it's more secure, and performant than the default rsa.
ssh-keygen -t ed25519
Copy the SSH key onto the server
From the terminal there's a nifty command to copy ssh keys to a server.
ssh-copy-id -p 2020 -i ~/.ssh/id_ed25519 USER@HOST
Alternatively you can add the key to the server manually. This is recommended, especially when adding other users.
First on your PC you need to run the following, and take note of the output.
Then on the server, open the following file, and add the output to a new line.
Now simply run the same ssh command as before, and you shouldn't get a password prompt.
ssh $USER$@$HOST$ -p 2020
Fail2ban is used to periodically check server logs, and bans IPs that appear to be trying to brute-force into your server. It's only "required" for servers exposed to the internet.
apt install fail2ban -y
systemctl enable fail2ban
There's a lot of options for fail2ban, this just installs it. For a little more detail checkout Crownclouds fail2ban guide.
TODO:(Optional) Unattended Upgrades
Updates to a server typically want to be done by a human in case things go wrong, but smaller updates can be set to be done automatically.
apt install unattended-upgrades
The above downlads, and starts unattended-upgrades with some good defaults, but if you want a some more details check cyberciti'sunattended upgrades guide.
(Optional) Setup User preferences
These are a few things I personally like to have on a basic server. If you have your own preferences, dotfiles, or intend to use oh-my-zsh fell free to skip over this.
Vi mode bash
Warning this is a preference you may not want to use if you're a beginner, and/or don't use VIM (text editor), as it sets the terminal to work more like VIM
Open your .bashrc file in your editor of choice
Add the following to the bottom of the file
set -o vi
Instead of typing out long commands you can alias them, and type a shorthand version. I've written an article about aliases that explains setting up, and aliases I use. Below are some essentials for those that don't want to jump to another article.
alias ll="ls -lhtr" alias df="df -h" alias ta="tmux attach || tmux new" alias ipe="curl ifconfig.co"
Reads shouldn't write!
Another personal opinion, and change is to enable noatime, and nodiratime. Be careful with this change! And ignore if you followed my Debian install guide, as they're already enabled.
Basically without these, when a file is opened (read) on your filesystem, a write is invoked to update the time it was opened, which causes unwanted writes, and CPU cycles.
Open your fstab file
sudo vim /etc/fstab
And edit your mounted drive(s) to include these flags
UUID=<YOUR-UUID> / ext4 noatime,nodiratime 0 1
The above uses an example, make your EXISTING lines look kinda like the above. Essentially just adding noatime, nodiratime
Server maintance notes
Keep the server up-to date as much as possible
Only install things that you need. If this is a server for learning, half ignore this, but for production servers only install services, and make changes that are required.