Debian setup
We will quickly recap the first security steps to install a Debian server quickly and cleanly. I will update these snippets over time; keep in mind they are just snippets :).
Set up a user
# Server root : create & add to sudo
sudo adduser user
sudo usermod -aG sudo user
# Server root : allow ssh login for the new user only
sudo nano /etc/ssh/sshd_config
>> AllowUsers user
# Local user : create sshkey
cd ~
ssh-keygen -t rsa -b 4096 -C "mail"
cat .ssh/id_rsa.pub
# Local user : copy sshkey
# Server user : add sshkey
su user
cd
mkdir .ssh
echo "ssh-rsa .... paste" >> .ssh/authorized_keys
chmod -R go= ~/.ssh
# exit and try to log in with the new user
ssh user@host
SSHD config
# Server user
sudo nano /etc/ssh/sshd_config
>> Port 22333
>> PermitRootLogin no
sudo /etc/init.d/ssh restart
# exit and check the connection on the new port
ssh host -p 22333 -l user
Chmod
# Server user
sudo chmod o-x /usr/bin/apt-get
sudo chmod o-x /usr/bin/aptitude
sudo chmod o-x /usr/bin/dpkg
ZSH & ohmyzsh
# Server user
sudo apt-get install zsh curl git
sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
Custom terminal
# Server user
nano .zshrc
>> alias ls='ls $LS_OPTIONS --color=auto'
>> alias ll='ls $LS_OPTIONS -al --color=auto'
>> alias vi='vim'
source .zshrc
Firewall
# Server user
sudo apt-get install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
# Open only the ports and services we need (adapt to your setup)
sudo firewall-cmd --permanent --add-port=22333/tcp
sudo firewall-cmd --add-service={http,https} --permanent --zone=public
# list the preconfigured services available
sudo firewall-cmd --get-services
# list the rules currently set
sudo firewall-cmd --list-all
- or, with iptables instead of firewalld:
# Server user
sudo nano /etc/init.d/firewall
# Paste the following content
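#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the host IPv4 iptables rule set
### END INIT INFO
#
# Installed as /etc/init.d/firewall and registered with
# "update-rc.d firewall defaults". The script ignores its argument, so
# start/stop/restart all (re)apply the same rules. Policy is default-deny in
# all three directions; everything not listed below is dropped.
#
# NOTE(review): only the IPv4 filter table is programmed. If the host has a
# global IPv6 address, ip6tables keeps its default ACCEPT policies and none of
# these restrictions apply to IPv6 traffic -- mirror the rules with ip6tables
# or disable IPv6 on the interface.

# Accept inbound connections to a local port: allow_in <tcp|udp> <port|range>
allow_in() {
  iptables -t filter -A INPUT -p "$1" --dport "$2" -j ACCEPT
}

# Accept outbound connections to a remote port: allow_out <tcp|udp> <port|range>
allow_out() {
  iptables -t filter -A OUTPUT -p "$1" --dport "$2" -j ACCEPT
}

# Flush the current filter rules and delete user-defined chains, so re-running
# the script does not duplicate filter rules. The nat table is deliberately not
# flushed (other tools may manage it); if you enable the MASQUERADE rules at
# the bottom, flush nat first or they are appended again on every run.
iptables -t filter -F
iptables -t filter -X

# Default deny for inbound, forwarded and outbound traffic.
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# ---
# Do not break established connections (and their related flows).
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback.
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (ping).
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# ---
# SSH in: sshd listens on 22333 (see sshd_config). Keep this in sync with the
# Port directive, otherwise the next rule load locks you out.
allow_in tcp 22333
# SSH out (only to remote hosts that also listen on 22333).
allow_out tcp 22333
# DNS out: the answers come back through the ESTABLISHED rule above.
allow_out tcp 53
allow_out udp 53
# DNS in: only needed if this host itself serves DNS. Left disabled because the
# ESTABLISHED rule already covers replies to our own lookups.
#allow_in tcp 53
#allow_in udp 53
# NTP out.
allow_out udp 123
############################# WEB
# HTTP + HTTPS out (apt-get, curl, git clone).
allow_out tcp 80
allow_out tcp 443
# HTTP + HTTPS in.
allow_in tcp 80
allow_in tcp 443
# 8443 in: no step in this guide configures a service on 8443; remove this
# rule unless something actually listens there.
allow_in tcp 8443
############################# FTP
# FTP out.
#allow_out tcp 20:21
# FTP in.
#modprobe ip_conntrack_ftp # optional line on OVH servers
#allow_in tcp 20:21
# The ESTABLISHED,RELATED INPUT rule is already present above; it does not
# need to be repeated here.
############################# MAIL
# Mail SMTP:25
#allow_in tcp 25
#allow_out tcp 25
# Mail POP3:110
#allow_in tcp 110
#allow_out tcp 110
# Mail IMAP:143
#allow_in tcp 143
#allow_out tcp 143
# Mail POP3S:995
#allow_in tcp 995
#allow_out tcp 995
############################# Docker, if the daemon does not manage iptables itself
#iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
#iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
# The next two accept ALL forwarding through eth0, not only docker0 traffic;
# prefer the docker0-specific pair above.
#iptables -t filter -A FORWARD -i eth0 -j ACCEPT
#iptables -t filter -A FORWARD -o eth0 -j ACCEPT
############################# OpenVPN
#allow_in udp 1194
#allow_out udp 1194
# Rules required to let tunnel traffic through (FORWARD policy is DROP):
#iptables -I FORWARD -i tun0 -j ACCEPT
#iptables -I FORWARD -o tun0 -j ACCEPT
#iptables -I OUTPUT -o tun0 -j ACCEPT
# Other rules: address translation (NAT). Pick ONE masquerade rule: the
# variant without -s masquerades everything leaving eth0, and 10.8.0.2/24
# designates the same network as 10.8.0.0/24 (host bits are ignored).
#iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.8.0.2/24 -o eth0 -j MASQUERADE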
# Server user
sudo chmod +x /etc/init.d/firewall
sudo update-rc.d firewall defaults
# to remove: sudo update-rc.d firewall remove
Fail2ban
# Server user
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
# in the [sshd] jail, set port = 22333 (the custom SSH port)
# change destemail = yourmail
sudo systemctl restart fail2ban
rkHunter
# Server user
sudo apt-get install rkhunter
sudo nano /etc/default/rkhunter
# change CRON_DAILY_RUN="yes"
# change CRON_DB_UPDATE="yes"
# change REPORT_EMAIL="yourmail"
sudo nano /etc/rkhunter.conf
# change UPDATE_MIRRORS=1
# change MIRRORS_MODE=0
# change WEB_CMD=""
sudo rkhunter --update
sudo rkhunter -c
Glances
# Server user
sudo apt install python3 python3-dev python3-jinja2 python3-psutil python3-setuptools hddtemp python3-pip lm-sensors -y
sudo pip3 install glances
glances --version
+ Format a disk
# Server root
apt-get install fdisk
fdisk -l
fdisk /dev/sdx
#p print the partition table
#d delete the existing partitions
#n create one new partition
#w write the changes and exit
mkfs.ext4 -b 4096 /dev/sdx1
mount /dev/sdx1 /mnt/ddx
nano /etc/fstab
>> /dev/sdx1 /mnt/ddx ext4 defaults,errors=remount-ro 0 1
+ OpenVpn easy script
# Server user
git clone https://github.com/Nyr/openvpn-install.git
cd openvpn-install
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh
# if using firewalld: open the openvpn service and enable masquerading
sudo firewall-cmd --add-service openvpn
sudo firewall-cmd --permanent --add-service openvpn
sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade
+ Docker
# Server user
sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/debian \
$(lsb_release -cs) \
stable"
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
sudo usermod -aG docker user
+ Sendmail via Gmail (rkHunter / Fail2ban alerts)
# requires a dedicated Gmail account with "Less secure app access" enabled
# Server root
apt-get install sendmail mailutils sendmail-bin
mkdir -m 700 /etc/mail/authinfo/
cd /etc/mail/authinfo/
nano gmail-auth
>> AuthInfo: "U:root" "I:USER@gmail.com" "P:GMAIL_USER_PASSWORD"
makemap hash gmail-auth < gmail-auth
nano /etc/mail/sendmail.mc
>> dnl #
>> dnl # Defining Gmail Smarthost for sendmail
>> define(`SMART_HOST',`[smtp.gmail.com]')dnl
>> define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
>> define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
>> define(`confAUTH_OPTIONS', `A p')dnl
>> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>> FEATURE(`authinfo',`hash -o /etc/mail/authinfo/gmail-auth.db')dnl
>> dnl #
>> dnl # Default Mailer setup
>> MAILER_DEFINITIONS
>> MAILER(`local')dnl
>> MAILER(`smtp')dnl
make -C /etc/mail
/etc/init.d/sendmail reload
echo "This is a test for sendmail gmail relay" | sendmail test-user@gmail.com