This page covers what to install and configure on a Debian server to harden it and get it ready for general use. All commands are assumed to be run as root; otherwise, prefix each command below with sudo.
Update to Latest Patches
Keep your system up to date.
apt update
apt dist-upgrade -y
apt clean
apt autoremove
reboot
SSH - Reconfigure SSH Server
Regenerate the SSH host keys to ensure uniqueness.
Change directory to ssh config:
cd /etc/ssh/
Remove old host keys:
rm ssh_host_*
Reconfigure the server to generate new keys:
dpkg-reconfigure openssh-server
SSH Public Key Pair
Generate a new SSH key pair.
ssh-keygen -t rsa -b 4096
Copy the public key to the remote server.
ssh-copy-id user@ip-address
Add Users
Add New User
adduser <USERNAME>
Add User to Sudo User Group
usermod -aG sudo <USERNAME>
Verify New User Belongs to Sudo Group
groups <USERNAME>
Create User with No Home Dir and No Login
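Useful for service accounts. Creating the account as a system account gives it a UID from the system range, so it cannot collide with the UID of a regular user created earlier.
useradd --system -M -s /usr/sbin/nologin admin
or
adduser --no-create-home --disabled-login admin
usermod -s /usr/sbin/nologin admin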
Enable Automatic Security Updates
Ensure your server stays patched automatically.
sudo apt-get install unattended-upgrades
Edit the Configuration
sudoedit /etc/apt/apt.conf.d/50unattended-upgrades
If your OS is Raspbian, search for this line:
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
And add these 2 lines below it:
"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
Save and exit.
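The manual edit above can be scripted so it is repeatable and safe to rerun. This is an added example, not part of the original page: the function name add_raspbian_origins is hypothetical, and the three pattern strings are the ones quoted in the steps above.

```sh
#!/bin/sh
# Added example, not from the original page. Function name is hypothetical.
# The three pattern strings are copied verbatim from the steps above.
ANCHOR='"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";'
RASPBIAN='"origin=Raspbian,codename=${distro_codename},label=Raspbian";'
RPI_FOUNDATION='"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";'

# Insert the two Raspbian origins after the active Debian-Security line.
# Returns 0 on success or if already applied, 1 if the anchor line is
# absent or commented out, 2 if the file cannot be read or written.
add_raspbian_origins() {
    conf=${1:-/etc/apt/apt.conf.d/50unattended-upgrades}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Idempotent: only add the entries that are not already in the file.
    l1=$RASPBIAN; l2=$RPI_FOUNDATION
    grep -qF -- "$l1" "$conf" && l1=
    grep -qF -- "$l2" "$conf" && l2=
    [ -n "$l1$l2" ] || return 0

    tmp=$(mktemp) || return 2
    if ! awk -v anchor="$ANCHOR" -v l1="$l1" -v l2="$l2" '
        { print }
        # Literal match with index(); skip lines commented out with //
        !done && index($0, anchor) && $0 !~ /^[ \t]*\/\// {
            indent = $0; sub(/[^ \t].*$/, "", indent)   # reuse the anchor indentation
            if (l1 != "") print indent l1
            if (l2 != "") print indent l2
            done = 1
        }
        END { exit !done }
    ' "$conf" > "$tmp"; then
        rm -f "$tmp"
        echo "active Debian-Security line not found in $conf" >&2
        return 1
    fi

    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
}
```

After running add_raspbian_origins as root, `unattended-upgrade --dry-run --debug` shows which origins are accepted without installing anything.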
Docker Container
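Run the commands below to install Docker. The install script is fetched over HTTPS and saved to a file first, so it can be reviewed before it runs as root.
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh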
Additional Security Measures
Setup UFW (Uncomplicated Firewall)
It is highly recommended to set up a firewall to deny incoming traffic by default and only allow necessary ports (like SSH).
Install UFW:
apt install ufw
Allow SSH (port 22). CRITICAL: do this before enabling the firewall:
ufw allow ssh
Allow HTTP/HTTPS if needed:
ufw allow http
ufw allow https
Enable the firewall:
ufw enable
Install Fail2Ban
Protect your SSH from brute-force attacks.
apt install fail2ban
systemctl enable fail2ban
systemctl start fail2ban