Configuration of dedicated server

When you start configuring a server there are many things to do. It is hard to remember everything and painful to deal with. In this article I summarize, step by step, what I usually do when I get a new dedicated server (virtual or not).

I encourage you to understand each command and adapt it to your configuration before applying it, instead of copy/pasting without paying attention to what you do.

First of all, I work with only one Linux distribution: Debian, for its stability and security. In this article I use version 9 "Stretch".


Step 1: Access to your server

Requirements

  • Install Debian 9 from the host's dashboard
  • You need to get:

    • the IP address of your server
    • the root password
  • SSH tools (see this article: Install SSH tool)

SSH connection

With all the requirements above, you can connect to your server over the SSH protocol. You just have to use the ssh command:

ssh root@<YOUR-IP>

It will ask for the root password; paste it and you are in. We can now configure the machine.

Step 2: Minimal configuration

Users

To change a password, use the passwd command.

We will change the default root password (the one the host generated for you) to secure our server a bit, by running this command:

 passwd root

You will be asked to type your new password twice; don't forget it!

I also add a regular user with the adduser command:

adduser <YOUR-USERNAME>

You will be asked to type its password twice (don't forget it either), followed by a few other fields that are not really useful; you can leave them empty.

Install VIM

Vim is a text editor that runs in the shell; I use it to edit all my configuration files.

To install Vim, run this command as root (if you are logged in as your regular user, run su - first and type the root password):

 apt-get install vim

In Debian 9, Vim doesn't allow pasting with the right mouse button out of the box, which is really painful for me, so I fix it by editing Vim's defaults file:

vim /usr/share/vim/vim80/defaults.vim

and comment out the following block by adding a " at the start of each line:

if has('mouse')
  set mouse=r
endif

Note that this file belongs to the vim package and will be overwritten by the next upgrade. A cleaner alternative is to create a ~/.vimrc containing set mouse= : when a user vimrc exists, Vim does not load defaults.vim at all, so the change survives upgrades.

To see more tips and shortcuts for Vim, go to this article: todo

SSH configuration

To configure some SSH features and secure your server a bit, edit this file:

vim /etc/ssh/sshd_config

I usually add or modify these lines:

# Select a port; don't leave 22 as the default port
Port 1337
# Don't allow direct login as the superuser
PermitRootLogin no
# Only your own username may log in
AllowUsers <YOUR-USERNAME>

Keep the comments on their own lines: sshd does not support a comment after a directive on the same line, so the extra words are read as arguments (for AllowUsers they would become additional allowed user patterns) and sshd rejects the file.

First check the file with sshd -t (it prints nothing when the configuration is valid), then apply the change with: /etc/init.d/ssh restart

But don't close your current SSH connection: open a second shell and verify that you can log in on the new port as your user before disconnecting, or you may have to reinstall the server.
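The same three changes, as a script that edits a copy of sshd_config, keeps each new directive ahead of any Match block (sshd uses the first occurrence of a keyword), comments out conflicting active lines and only installs the copy once sshd -t accepts it. This is an added example, not code from the original article; set_sshd_option, harden_sshd and sshd_effective are names chosen here.

```shell
#!/bin/sh
# Added example: idempotent sshd_config hardening with a validation step.
# Not from the original article; set_sshd_option, harden_sshd and
# sshd_effective are names chosen for this example.

# set_sshd_option FILE KEY VALUE
# Comments out every active KEY line in the global section (everything before
# the first "Match" block) and prepends "KEY VALUE", so the new line is the
# first occurrence, which is the one sshd uses. Lines that were already
# comments ("#Port 22") are left untouched, so the file stays readable.
set_sshd_option() {
    ssh_file=$1 ssh_key=$2 ssh_value=$3
    awk -v key="$(printf '%s' "$ssh_key" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == key { print "#" $0; next }
        { print }
    ' "$ssh_file" > "$ssh_file.tmp"
    { printf '%s %s\n' "$ssh_key" "$ssh_value"; cat "$ssh_file.tmp"; } > "$ssh_file"
    rm -f "$ssh_file.tmp"
}

# harden_sshd FILE PORT USER : the three changes described in the article.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers "$3"
}

# sshd_effective FILE KEY : value of the first active KEY line in the global
# section (what sshd will use), or nothing when the key is not set.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; exit }
    ' "$1"
}

# Usage (as root): sh harden-sshd.sh /etc/ssh/sshd_config 1337 <YOUR-USERNAME>
# The live file is replaced only if sshd accepts the edited copy, so a typo
# cannot leave you with an sshd that refuses to start.
if [ "$#" -eq 3 ]; then
    live=$1
    copy=$(mktemp)
    cp "$live" "$copy"
    harden_sshd "$copy" "$2" "$3"
    if sshd -t -f "$copy"; then
        cp "$copy" "$live"
        echo "updated $live: Port=$(sshd_effective "$live" Port)" \
             "PermitRootLogin=$(sshd_effective "$live" PermitRootLogin)" \
             "AllowUsers=$(sshd_effective "$live" AllowUsers)"
        echo "restart sshd and test a new login from a second shell before closing this one"
    else
        echo "refusing to install: sshd rejected $copy" >&2
    fi
    rm -f "$copy"
fi
```

Running it twice is harmless: the second run comments out the directives the first run added and prepends fresh ones, so there is always exactly one active line per keyword.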

Step 3: Some security

Iptables

You can add some iptables rules (iptables is installed by default on Debian). Create the script:

vim /etc/init.d/firewall

and paste this text into it:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the iptables rules
### END INIT INFO

# Port sshd listens on: must match "Port" in /etc/ssh/sshd_config,
# otherwise the first reboot locks you out.
SSH_PORT=1337

# These rules are IPv4 only. If the server has an IPv6 address, ip6tables
# keeps its default ACCEPT policy and every service stays reachable over
# IPv6 until you write matching ip6tables rules.

# Clear all rules
iptables -t filter -F

# Clear all user-defined chains
iptables -t filter -X

# Drop everything by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# Don't break established connections
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# ---

# SSH in
iptables -t filter -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

# SSH out: only needed if this server itself opens SSH connections to other
# hosts on that port; replies to incoming sessions are already covered by
# the RELATED,ESTABLISHED rule above.
iptables -t filter -A OUTPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

# DNS out (name resolution from this server)
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

# DNS in: only needed if this server runs a DNS server; remove otherwise
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# NTP out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# HTTP + HTTPS out (apt, etc.)
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# HTTP + HTTPS in (8443 is an alternate HTTPS port; remove it if nothing listens there)
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT

# iSCSI out (remove if you don't use an iSCSI storage target)
iptables -t filter -A OUTPUT -p tcp --dport 3260 -m state --state NEW,ESTABLISHED -j ACCEPT

To see more about iptables configuration, go to this article: todo.

To allow the script to run you need to make it executable:

chmod +x /etc/init.d/firewall

To start it manually:

/etc/init.d/firewall start

Do this while keeping a second SSH session open, and check from that session that you can still log in on your chosen SSH port (iptables -L -n -v lists the loaded rules with their packet counters). Only then enable it at boot:

update-rc.d firewall defaults
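Before enabling the firewall at boot, it is worth checking that the port the firewall script accepts is the one sshd is actually configured to listen on: if sshd_config says Port 1337 but the script only has an INPUT rule for, say, 1990, the next start of the script cuts off SSH. The check below is an added example and not part of the original article; the function names are mine, and the sample files in its usage are whatever sshd_config and firewall script you point it at.

```shell
#!/bin/sh
# Added example: pre-flight check that the firewall script accepts the port
# sshd is configured to listen on. Not from the original article; the
# function names are chosen for this example.

# sshd_listen_port FILE : first active "Port" in the global section of an
# sshd_config (the value sshd uses), defaulting to 22 when none is set.
sshd_listen_port() {
    p=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "port"  { print $2; exit }' "$1")
    printf '%s\n' "${p:-22}"
}

# firewall_accepts_tcp SCRIPT PORT : succeeds when SCRIPT contains an active
# "iptables ... -A INPUT ... -p tcp ... --dport PORT ... -j ACCEPT" rule.
# Commented-out rules, other chains (OUTPUT) and other protocols don't count,
# and the port must match as a whole word (13 does not match 1337).
firewall_accepts_tcp() {
    grep -E "^[[:space:]]*iptables[[:space:]].*-A[[:space:]]+INPUT[[:space:]].*-p[[:space:]]+tcp[[:space:]].*--dport[[:space:]]+$2([[:space:]]|\$).*-j[[:space:]]+ACCEPT" "$1" >/dev/null
}

# check_ssh_reachable SSHD_CONFIG FIREWALL_SCRIPT : returns 0 when the two
# agree, 1 when applying the firewall would lock you out of SSH.
check_ssh_reachable() {
    port=$(sshd_listen_port "$1")
    if firewall_accepts_tcp "$2" "$port"; then
        echo "ok: sshd listens on tcp/$port and $2 accepts it"
        return 0
    fi
    echo "LOCKOUT RISK: sshd listens on tcp/$port but $2 has no INPUT ACCEPT rule for it" >&2
    return 1
}

# Usage: sh check-ssh-firewall.sh /etc/ssh/sshd_config /etc/init.d/firewall
if [ "$#" -eq 2 ]; then
    check_ssh_reachable "$1" "$2"
fi
```

The check reads the files only, so it is safe to run before touching any rule; it does not replace the test login from a second shell, which is the only proof that the live rules (including anything the host adds) let you in.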

Other tools

Fail2Ban

apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
/etc/init.d/fail2ban restart

Since sshd no longer listens on 22, set port = 1337 (your chosen port) in the [sshd] section of jail.local; otherwise the bans fail2ban inserts only block port 22 and the brute-force attempts on the real port go on.

Rootkit hunter

apt-get install rkhunter
vim /etc/default/rkhunter

and set:

CRON_DAILY_RUN="yes"

Once the server is configured, run rkhunter --propupd so the daily run compares file properties against a known-good baseline.


Published by

Edouard


Java Software Engineer