When you start configuring a server, there is a lot to do. It is hard to remember everything and painful to go through every time. In this article, I summarize step by step what I usually do when I get a new dedicated server (virtual or not).
Before applying any of these commands, I encourage you to understand them and adapt them to your configuration rather than copy/pasting without paying attention to what you are doing.
First of all, I work with only one Linux distribution: Debian, for its stability and security. In this article I use version 9 "Stretch".
Step 1: Access your server
- Install Debian 9 from the host dashboard
You need to get:
- the IP of your server
- the root password
- SSH tools (see this article: Install SSH tool)
With all the requirements above, you can connect to your server over SSH. You just have to use the
It will ask you for the root password; paste it and here we go. We can now configure the machine.
Step 2: Minimal configuration
To change a password, use the following command:
We will change the default root password, to secure the server a bit, by running this command:
You will be asked to type the new password twice. Don't forget it!
I also add a regular user with the command
You will be asked to type the user's password twice (don't forget it either), then some other fields that are not really useful.
Vim is a text editor that runs in the shell; I use it to edit all my configuration files.
To install Vim, run this command as root (su, then type the root password):
apt-get install vim
In Debian 9, Vim does not natively allow pasting with the right mouse button, which is painful for me, so I fix this by editing the Vim config file:
and comment out the following lines by adding " at the start of each one:
if has('mouse')
  set mouse=r
endif
To see more tips and shortcuts about Vim, go to this article: todo
To configure some SSH features and secure your server a bit, edit this file:
I usually add or modify these lines. Note that sshd does not accept a comment at the end of a directive (a trailing "#..." is read as garbage, or as extra user names on the AllowUsers line), so comments must be on their own line. Whatever port you choose here must also be the one opened in the firewall script of Step 3.
# pick another port, don't keep 22 as the default
Port 1337
# don't allow logging in directly as root
PermitRootLogin no
# only this user may log in
AllowUsers <YOUR-USERNAME>
To apply your changes, run this command:
But do not close your current SSH session: first verify from another shell that you can still log in with the new configuration, otherwise you may end up having to reinstall.
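Before restarting sshd (and before closing your working session), it helps to check that the file actually says what you think it says. The following is an added example, not code from the original article: a small POSIX shell audit of the hardening settings above. It takes the first uncommented occurrence of each keyword, because that is what sshd does (a PermitRootLogin no appended below an existing PermitRootLogin yes is silently ignored), and stops at the first Match block. The file path and user names in the comments are assumptions; sshd -t -f FILE is OpenSSH's own syntax check and has to run as root because it reads the host keys.

```sh
#!/bin/sh
# Added example: audit a sshd_config for the hardening settings from Step 2.
# sshd honours the FIRST uncommented value of a keyword, so the functions
# below do the same. Match blocks are ignored (assumption: your global
# settings come before any "Match" line, as in Debian's default file).

# effective_value FILE KEYWORD -> first uncommented value (rest of the line),
# or nothing if the keyword is unset. Keywords are case-insensitive.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE -> exit 0 if the file is hardened as in Step 2,
# exit 1 otherwise, printing one finding per line.
audit_sshd_config() {
    f="$1"; rc=0
    port=$(effective_value "$f" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port is unset or still 22"; rc=1
    fi
    if [ "$(effective_value "$f" PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin is not 'no'"; rc=1
    fi
    if [ -z "$(effective_value "$f" AllowUsers)" ]; then
        echo "AllowUsers is not set: every account can log in"; rc=1
    fi
    return $rc
}

# check_before_restart FILE: OpenSSH's own syntax test (root only, it reads
# the host keys), then the policy audit. Only restart sshd if this passes.
check_before_restart() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" || return 1
    fi
    audit_sshd_config "$1"
}

# Example run (the path is Debian's default; the user name is yours):
#   check_before_restart /etc/ssh/sshd_config && echo "ok, safe to restart"
```

Run it against the edited file from your still-open root session; if it reports a finding, look for an earlier uncommented line with the same keyword and change that one instead of appending a new line.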
Step 3: Some security
You can add some iptables rules (iptables is installed natively on Debian). Create the script in this file (the path used by the commands below is /etc/init.d/firewall):
Here you can copy and paste this text:
#!/bin/sh
# Clear all rules
iptables -t filter -F
# Clear all user-defined chains
iptables -t filter -X
# Drop everything by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# ---
# SSH in: this MUST be the same port as "Port" in sshd_config (1337 in Step 2),
# otherwise you lock yourself out
iptables -t filter -A INPUT -p tcp --dport 1337 -j ACCEPT
# SSH out (to other servers listening on the same port)
iptables -t filter -A OUTPUT -p tcp --dport 1337 -j ACCEPT
# DNS out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
# DNS in: only needed if this machine runs a DNS server, remove otherwise
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# HTTP + HTTPS out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS in (8443 is an extra port opened on this particular server)
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
# iSCSI out (specific to this setup, remove it if you don't use iSCSI)
iptables -A OUTPUT -p tcp --dport 3260 -m state --state NEW,ESTABLISHED -j ACCEPT
These rules only cover IPv4: if your server also has an IPv6 address, write the equivalent rules with ip6tables, otherwise every port stays open over IPv6. To see more about iptables configuration, go to this article: todo.
To allow the script to run, you need to make it executable:
chmod +x /etc/init.d/firewall
To run it at boot, use this (you will get a warning about missing LSB tags because the script has no LSB header block):
update-rc.d firewall defaults
To start it manually, run this:
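The script above applies its rules one command at a time, only covers IPv4, and gives you no way back if a typo cuts your own session. The following is an added example, not the article's script: the same policy (minus the author-specific 8443 and 3260 ports, which you would add the same way) in iptables-restore format, so the whole ruleset is committed atomically, generated for both IPv4 and IPv6 from one function, and applied with a timed automatic rollback so that a mistake cannot lock you out. SSH_PORT defaults to 1337 and must match the Port line in sshd_config; the 120-second timeout and the temporary backup files are assumptions.

```sh
#!/bin/sh
# Added example, not the article's script. Same policy as the init script in
# Step 3, but: one atomic iptables-restore commit instead of a rule at a time,
# generated for IPv4 and IPv6 (iptables rules never apply to IPv6 traffic),
# and applied with a timed rollback. Assumptions: SSH_PORT matches "Port" in
# sshd_config; the 8443/3260 ports of the original script are left out.

SSH_PORT="${SSH_PORT:-1337}"

# gen_ruleset FAMILY(4|6) SSH_PORT -> ruleset in iptables-restore format.
# ICMPv6 must not be blocked: neighbour discovery runs over it.
gen_ruleset() {
    if [ "$1" = 6 ]; then icmp=ipv6-icmp; else icmp=icmp; fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p $icmp -j ACCEPT
-A OUTPUT -p $icmp -j ACCEPT
-A INPUT -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# schedule_rollback SECONDS COMMAND: run COMMAND after SECONDS in the
# background and print the timer's PID. Stdio is detached so a caller can
# capture the PID with $(...) without waiting for the timer to fire.
schedule_rollback() {
    ( sleep "$1" && eval "$2" ) </dev/null >/dev/null 2>&1 &
    echo $!
}

# cancel_rollback PID: keep the new rules (call it once a fresh login works).
cancel_rollback() { kill "$1" 2>/dev/null; }

# apply_firewall SECONDS: save the current rules, load the new ones for both
# address families, and print the PID of a timer that restores the saved
# rules after SECONDS unless cancelled. Needs root and the iptables tools.
apply_firewall() {
    v4=$(mktemp) && v6=$(mktemp) || return 1
    iptables-save > "$v4" && ip6tables-save > "$v6" || return 1
    gen_ruleset 4 "$SSH_PORT" | iptables-restore  || return 1
    gen_ruleset 6 "$SSH_PORT" | ip6tables-restore || return 1
    schedule_rollback "$1" "iptables-restore < $v4; ip6tables-restore < $v6"
}

# Typical session (as root):
#   timer=$(apply_firewall 120)   # then open a NEW ssh session elsewhere
#   cancel_rollback "$timer"      # only if that new login worked
```

Run apply_firewall from your existing session, then open a new SSH session from another terminal. If it works, cancel the timer; if it does not, wait out the timeout and the previous rules come back on their own. To keep the rules across reboots, save the output of gen_ruleset to a file and load it at boot with iptables-restore and ip6tables-restore, for instance from the init script above.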
Fail2ban watches the logs and bans (with iptables rules) the source IP after repeated failed logins. Install it and copy the default configuration to jail.local, which is where local overrides belong (jail.conf is replaced on upgrades):
apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
The default sshd jail bans on the "ssh" port, i.e. 22. Since sshd now listens on the port chosen in Step 2, set that port in the sshd jail of jail.local, otherwise the bans will not cover the port actually in use.
Finally, rkhunter (Rootkit Hunter) scans the system for known rootkits and suspicious files. Install it and take its file-property baseline (the propupd option) right after installation, while the machine is still clean:
apt-get install rkhunter