Sets up and hardens a Debian Linux server.
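#!/usr/bin/env bash
# Sets up and hardens a Debian Linux server: root password, hostname, mirror
# list, system upgrade, a key-only admin user, sshd hardening, ufw,
# unattended-upgrades and timezone/NTP.
# Arch Linux Setup: https://gist.github.com/kevinkub/46ce7229ee4f17be710ddd7c5a80a3c3
#
# Must be run as root. All prompts are read from stdin; diagnostics go to
# stderr. The new sshd_config is validated and installed but sshd is NOT
# restarted, so the current session survives and the admin can verify key
# login first.
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config

# Values collected from the operator; shared between the steps below.
username=
publickey=
sshport=

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a section heading to stdout.
# Arguments: heading words
#######################################
step() {
  printf '# %s\n' "$*"
}

#######################################
# Prompt for a value and store it in a named variable.
# Arguments: $1 - prompt text
#            $2 - name of the variable to assign
# Returns:   exits via die on EOF or an empty answer
#######################################
ask() {
  local prompt=$1 var=$2 answer
  printf '%s\n' "$prompt"
  # -r keeps backslashes (public keys may contain them), IFS= keeps spaces.
  IFS= read -r answer || die "no input for: $prompt"
  [[ -n "$answer" ]] || die "empty input for: $prompt"
  printf -v "$var" '%s' "$answer"
}

#######################################
# Interactively change the root password.
#######################################
change_root_password() {
  step "Change password of root user"
  passwd
}

#######################################
# Show the current hostname and set a new one persistently.
#######################################
change_hostname() {
  local new_hostname
  step "Change hostname"
  printf 'Current hostname: %s\n' "$(hostname)"
  ask "Please enter new hostname:" new_hostname
  # hostnamectl also writes /etc/hostname; plain `hostname` is lost on reboot.
  hostnamectl set-hostname "$new_hostname"
}

#######################################
# Install netselect and pick the fastest German mirrors.
#######################################
setup_mirrors() {
  step "Finding fastest mirrors"
  aptitude -y install netselect netselect-apt
  netselect-apt -c germany -t 15 -a amd64
}

#######################################
# Refresh package lists and apply a safe upgrade.
#######################################
upgrade_system() {
  step "Update system"
  aptitude -y update
  aptitude -y safe-upgrade
}

#######################################
# Create the admin user with a bash shell and install its public key.
# Globals:   username, publickey (written)
#######################################
create_user() {
  local home
  step "Create new user"
  ask "Please enter username:" username
  # Restrict to portable user-name characters: the value is later spliced
  # into sshd_config (AllowUsers) and used as a path component.
  [[ "$username" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid username: $username"
  useradd -m -s /bin/bash "$username"
  passwd "$username"
  ask "Please enter public key:" publickey
  # Loose sanity check on the key type prefix so a blank or mis-pasted line
  # does not silently produce an unusable authorized_keys.
  if [[ "$publickey" != ssh-* && "$publickey" != ecdsa-* && "$publickey" != sk-* ]]; then
    die "public key does not look like an OpenSSH public key"
  fi
  home=/home/$username
  # sshd ignores authorized_keys unless ~/.ssh is 700 and the file is 600
  # and owned by the user (StrictModes, the default).
  install -d -m 700 -o "$username" -g "$username" -- "$home/.ssh"
  printf '%s\n' "$publickey" > "$home/.ssh/authorized_keys"
  chmod 600 -- "$home/.ssh/authorized_keys"
  chown "$username:$username" -- "$home/.ssh/authorized_keys"
}

#######################################
# Write a hardened sshd_config for the new port and user.
# The generated file is syntax-checked with `sshd -t` and the old config is
# backed up before it is replaced. sshd is not restarted here.
# Globals:   sshport (written), username (read), SSHD_CONFIG (read)
#######################################
configure_sshd() {
  local tmp
  step "Configure sshd"
  ask "Please enter a ssh port:" sshport
  if [[ ! "$sshport" =~ ^[0-9]+$ ]] || (( sshport < 1 || sshport > 65535 )); then
    die "invalid port: $sshport"
  fi
  tmp=$(mktemp) || die "mktemp failed"
  cat > "$tmp" <<EOF
# Custom sshd configurations
# Set the ssh port
Port $sshport
# Forbid root login
PermitRootLogin no
# End login-attempts after 30s
LoginGraceTime 30s
# Give only one try to auth
# NOTE: a client that offers several keys uses up this single try; connect
# with IdentitiesOnly=yes and the intended key.
MaxAuthTries 1
# Use public key authentication only
PubkeyAuthentication yes
# Find the file in .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
# Use the pam authentication module
UsePAM yes
# Disable password auth
PasswordAuthentication no
# Limit the maximum number of not-logged-in connections to 2
MaxStartups 2
# Print no default message after login as this will be handled by pam
PrintMotd no
# Load sftp-subsystem (Debian path; Arch Linux ships /usr/lib/ssh/sftp-server)
Subsystem sftp /usr/lib/openssh/sftp-server
# Add permissions for specific users
AllowUsers $username
EOF
  # Never replace the live config with something sshd cannot parse: the next
  # restart would fail and lock everyone out.
  if ! sshd -t -f "$tmp"; then
    rm -f -- "$tmp"
    die "generated sshd_config is invalid"
  fi
  cp -p -- "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%s)"
  install -m 644 -- "$tmp" "$SSHD_CONFIG"
  rm -f -- "$tmp"
}

#######################################
# Install ufw, deny incoming by default and rate-limit the ssh port.
# Globals:   sshport (read)
#######################################
setup_firewall() {
  step "Setup firewall with ufw."
  aptitude -y install ufw
  ufw default allow outgoing
  ufw default deny incoming
  # `limit` both permits the port and rate-limits new connections. A separate
  # `allow` rule added first would match before the limit rule and defeat it,
  # so only the limit rule is installed.
  ufw limit "$sshport/tcp"
  # --force skips the interactive "may disrupt existing ssh connections"
  # confirmation that would otherwise stall the script.
  ufw --force enable
  systemctl start ufw
  systemctl enable ufw
}

#######################################
# Enable daily unattended security upgrades with change mails to root.
#######################################
setup_auto_update() {
  step "Setup auto-update (unattended-upgrades)"
  aptitude -y install unattended-upgrades apt-listchanges
  # run "apt-get update" and "upgrade" daily
  cat >> /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # add whitelist for "Security" updates. ${distro_codename} is expanded by
  # unattended-upgrades itself, so the heredoc delimiter is quoted to keep
  # the shell from touching it.
  cat >> /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
};
EOF
  # add mail service (send root info)
  cat >> /etc/apt/listchanges.conf <<'EOF'
[apt]
frontend=pager
confirm=false
email_address=root
save_seen=/var/lib/apt/listchanges.db
which=news
EOF
}

#######################################
# Set the timezone and enable NTP synchronisation.
#######################################
setup_time() {
  step "Setup timezone and ntp"
  timedatectl set-timezone Europe/Berlin
  timedatectl set-ntp true
}

#######################################
# Run all steps in order. The firewall is configured before the operator is
# told to restart sshd, so the new port is reachable when it comes up.
#######################################
main() {
  (( EUID == 0 )) || die "this script must be run as root"
  change_root_password
  change_hostname
  setup_mirrors
  upgrade_system
  create_user
  configure_sshd
  setup_firewall
  setup_auto_update
  setup_time
  printf '%s\n' \
    "sshd_config was replaced but sshd has not been restarted." \
    "Verify key login for $username on port $sshport from a second session, then run: systemctl restart ssh"
}

main "$@"

# Good to know:
# nginx: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10
# php: https://www.itzgeek.com/how-tos/linux/debian/how-to-install-php-7-3-7-2-7-1-on-debian-10-debian-9-debian-8.html
# certbot https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10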