Welcome to the essential security guide for any new Debian server. A fresh installation is a blank slate, and taking the right steps immediately after setup is crucial for protecting your server from threats. This guide provides a logical, step-by-step process to establish a strong security baseline.

We will cover user management, hardening SSH access, configuring a firewall, setting up automatic intrusion prevention, and enabling automatic security updates.

ℹ️ FOLLOW THE ORDER

These steps are designed to be followed sequentially. For example, we will set up SSH key authentication before disabling password logins to ensure you don’t lock yourself out.

Changelog

Date        Change
2025-07-10  Initial version of the comprehensive Debian hardening guide.

Step 1: Initial Login and System Update

First, log into your new server as the root user. Your cloud provider will have supplied you with the initial IP address and password.

The very first action should always be to update the package list and upgrade all installed packages to their latest versions. This applies the fixes Debian has already published for known vulnerabilities in the installed packages.

# Log in as root
ssh root@your_server_ip

# Update package lists
apt update

# Upgrade all installed packages
apt upgrade

Step 2: Create a Dedicated Admin User

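Operating directly as the root user is risky. We will create a new user account with administrative privileges via the sudo command. Working through sudo limits what runs with root privileges and leaves a log entry for each administrative command, which gives you a better audit trail.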

Replace adminuser with a username of your choice.

# Create a new user
adduser adminuser

# You will be prompted to set a password and fill in user information.

# Add the new user to the 'sudo' group
usermod -aG sudo adminuser

# Log out from the root session
exit

From now on, you will log in as this new user and prefix any administrative commands with sudo.

Step 3: Harden SSH Access (Most Important Step)

Securing SSH is the single most effective thing you can do to protect your server from unauthorized access. We will implement three key measures: SSH key authentication, changing the default port, and disabling root/password logins.

3.1. Set Up SSH Key Authentication

SSH keys are far more secure than passwords. A key pair consists of a private key (which you keep on your local computer) and a public key (which you place on the server).

On your local computer (not the server): If you don’t have an SSH key pair yet, generate one. The ed25519 algorithm is modern and highly secure.

# This command is run on your local machine
ssh-keygen -t ed25519 -C "your_email@example.com"

Press Enter to accept the default file location and set an optional (but recommended) passphrase for your key.

Copy your public key to the server: The ssh-copy-id command is the easiest way to do this. It will automatically add your public key to the correct file on the server.

# Replace with your new username and server IP
ssh-copy-id adminuser@your_server_ip

After this, you should be able to log into your server as adminuser without being asked for a password (you might be asked for your key’s passphrase if you set one).

3.2. Configure and Secure the SSH Daemon

Now we will edit the main SSH configuration file to improve security.

⚠️ DO NOT CLOSE YOUR TERMINAL!

Keep your current SSH session open while performing these steps. If you make a mistake, you can revert the changes. Only close the terminal after you have successfully tested the new login method in a separate terminal window.

Open the configuration file with a text editor:

sudo vim /etc/ssh/sshd_config

Make the following changes:

  1. Change the Port: Running SSH on a non-standard port reduces exposure to automated bots. Pick a random port number between 1024 and 65535. We’ll use 8496 as an example.
    Port 8496
    
  2. Disable Root Login: The root user should never be allowed to log in directly via SSH.
    PermitRootLogin no
    
  3. Disable Password Authentication: Since we have set up SSH keys, we can now disable password-based logins entirely. This is a major security enhancement.
    PasswordAuthentication no
    PubkeyAuthentication yes
    

Save the file and exit the editor.

3.3. Restart SSH and Test the New Connection

Apply the new configuration by restarting the SSH service.

sudo systemctl restart sshd.service

Now, open a new terminal window and try to connect using the new port and your key.

# Use your username, IP, and the new port number
ssh adminuser@your_server_ip -p 8496

If the login is successful, your SSH hardening is complete. You can now safely close the old terminal window.
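
An added check for this step (not part of the original guide): sshd uses the first value it reads for each keyword, so a file pulled in by an Include directive above your edits can keep password logins enabled without any error. The function below compares the output of `sshd -T`, which prints the effective configuration, with the values from step 3.2; the function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# check_sshd_effective PORT: read `sshd -T` output (lowercase "keyword value"
# lines) on stdin and compare it with the values from step 3.2.
# Returns 0 only if every setting matches. Hypothetical helper name.
check_sshd_effective() {
    awk -v port="$1" '
        BEGIN {
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
        }
        # sshd -T prints one "port N" line per listening port.
        $1 == "port" { ports[$2] = 1; nports++; next }
        ($1 in want) { seen[$1] = $2 }
        END {
            bad = 0
            if ((port in ports) && nports == 1) {
                printf "ok   port %s\n", port
            } else {
                printf "FAIL port: expected only %s\n", port; bad = 1
            }
            for (k in want) {
                got = (k in seen) ? seen[k] : "(missing)"
                if (got == want[k]) {
                    printf "ok   %s %s\n", k, got
                } else {
                    printf "FAIL %s: expected %s, got %s\n", k, want[k], got
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: effective settings after step 3.2 was applied cleanly.
SAMPLE_HARDENED='port 8496
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Constructed sample: an included file set PasswordAuthentication yes first.
SAMPLE_OVERRIDDEN='port 8496
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# On the server: sudo sshd -T | check_sshd_effective 8496
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective 8496 ||
    echo "-> effective sshd settings differ from step 3.2"
```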

Step 4: Configure a Firewall with UFW

A firewall is essential for controlling network traffic. We will use UFW (Uncomplicated Firewall) because it is user-friendly and effective.

# Install UFW
sudo apt install ufw

Next, we will set up some basic rules. By default, we will deny all incoming traffic and allow all outgoing traffic. Then we will explicitly allow traffic for the services we need.

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow standard web traffic
sudo ufw allow http  # Port 80
sudo ufw allow https # Port 443

# IMPORTANT: Allow your new SSH port
# We use 'limit' to help protect against brute-force attacks
sudo ufw limit 8496/tcp # Use the port you chose

Now, enable the firewall. It will ask for confirmation to proceed.

sudo ufw enable

# Check the status of the firewall at any time
sudo ufw status verbose

Step 5: Prevent Intrusion with Fail2Ban

Fail2Ban is a tool that scans log files for malicious activity, such as repeated failed login attempts, and temporarily bans the offending IP addresses.

# Install Fail2Ban
sudo apt install fail2ban

Fail2Ban’s configuration should be done in a local file, which overrides the default settings without being changed during package updates.

# Create a local configuration file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, edit the new local file to configure it for our custom SSH port.

sudo vim /etc/fail2ban/jail.local

Find the [sshd] section. Most settings can be left as default, but you must update the port to match your custom SSH port and ensure it’s enabled.

[sshd]
enabled = true
port    = 8496

Save the file and restart Fail2Ban to apply the changes.

sudo systemctl restart fail2ban

# Check the status of the SSH jail
sudo fail2ban-client status sshd

💡 VERSATILE PROTECTION

Fail2Ban is incredibly powerful. You can configure it to protect many other services, such as web servers (Nginx, Apache) or mail servers, by creating custom jails.
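
An added cross-check, not part of the original guide: the custom SSH port now appears in three places (sshd_config, the UFW rule and the [sshd] jail), and the jail port must match the SSH port as described above. The functions below parse `ufw status verbose` output and a jail file and report a mismatch, such as a jail left at `port = ssh`; the function names and sample texts are constructed for illustration.

```shell
# ufw_action PORT: read `ufw status verbose` text on stdin and print the action
# (ALLOW, LIMIT, DENY, ...) of the IPv4 rule for PORT/tcp, or nothing.
ufw_action() {
    awk -v rule="$1/tcp" '$1 == rule && $0 !~ /\(v6\)/ { print $2; exit }'
}

# jail_port JAIL: read a Fail2Ban jail file on stdin and print the "port" value
# assigned inside the [JAIL] section (the last one if repeated), or nothing.
jail_port() {
    awk -v jail="[$1]" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); in_jail = ($0 == jail); next }
        in_jail && /^[ \t]*port[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { if (val != "") print val }'
}

# ports_consistent PORT UFW_TEXT JAIL_TEXT: return 0 only if UFW admits
# PORT/tcp and the [sshd] jail is configured for that same port.
ports_consistent() {
    action=$(printf '%s\n' "$2" | ufw_action "$1")
    jport=$(printf '%s\n' "$3" | jail_port sshd)
    rc=0
    case "$action" in
        LIMIT|ALLOW) echo "ok   ufw $action $1/tcp" ;;
        *) echo "FAIL ufw has no allow/limit rule for $1/tcp"; rc=1 ;;
    esac
    if [ "$jport" = "$1" ]; then echo "ok   fail2ban [sshd] port $1"
    else echo "FAIL fail2ban [sshd] port is '${jport:-unset}', expected $1"; rc=1
    fi
    return $rc
}

# Constructed samples in the format of `ufw status verbose` and jail.local.
UFW_SAMPLE='Default: deny (incoming), allow (outgoing), disabled (routed)
To                         Action      From
80/tcp                     ALLOW IN    Anywhere
8496/tcp                   LIMIT IN    Anywhere
8496/tcp (v6)              LIMIT IN    Anywhere (v6)'
JAIL_OK='[sshd]
enabled = true
port    = 8496'
JAIL_STALE='[sshd]
enabled = true
port    = ssh'
# On the server, pass "$(sudo ufw status verbose)" and the jail.local contents.
ports_consistent 8496 "$UFW_SAMPLE" "$JAIL_STALE" || echo "-> port mismatch"
```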

Step 6: Automate Security Updates

Even with a hardened server, new vulnerabilities are discovered all the time. It is vital to install security updates promptly. The unattended-upgrades package can do this for you automatically.

# Install the package
sudo apt install unattended-upgrades apt-listchanges

Now, run the configuration wizard to enable it.

# This will open a simple text-based interface
sudo dpkg-reconfigure -plow unattended-upgrades

Select “Yes” to enable automatic updates. This will create a configuration file that tells the system to automatically install packages from Debian’s security repository.

Step 7: Final System Housekeeping

A few final touches will make your server easier to manage.

1. Set the Timezone: Correct log timestamps are crucial for troubleshooting.

# Set your timezone, e.g., for Berlin
sudo timedatectl set-timezone Europe/Berlin

2. Set the Hostname: Give your server a descriptive name.

sudo hostnamectl set-hostname my-awesome-server

You should also edit /etc/hosts to associate the new hostname with 127.0.1.1.

3. Install Useful Tools: These small utilities are incredibly helpful for administration.

sudo apt install htop ncdu curl git
  • htop: An interactive process viewer.
  • ncdu: A disk usage analyzer to easily find large files.
  • curl: A tool for transferring data with URLs.
  • git: Version control system, often needed to download software.

Conclusion

Congratulations! You have successfully performed the essential first steps to harden your new Debian server. By creating a sudo user, securing SSH with key authentication, and setting up a firewall and intrusion prevention system, you have built a solid foundation for any application you wish to deploy.

Your server is now significantly more resistant to common automated attacks.


ℹ️ WHAT'S NEXT?

With this secure base, you are now ready to install your applications, such as a web server (Nginx/Apache), a database, or a Docker environment.

📚 OFFICIAL DEBIAN SECURITY MANUAL
🛡️ DEBIAN WIKI: FAIL2BAN