I am back with another published article.

Ideogram.ai: penguin in a server room covered in ice and snow, whole picture made out of green matrix style lines of code, cinematic

Please be kind! I am a self-taught Linux user and by no means an expert. My goal with this guide is to help newcomers to Linux have an easier and more secure start.

To all the experts out there, please be kind and do share your tips and observations. I am happy to keep updating the article to make the self-hosting world more secure.

https://nerdyarticles.com/debian-server-essentials-setup-configure-and-hardening-your-system/

  • syswww@alien.top
    1 year ago

    Great guide. Agree with disabling IPv6: extra unnecessary exposure and firewall effort. Consider automatic updates, review ports/disable unwanted services.

    • nomad@infosec.pub
      1 year ago

      Automated security updates (unattended updates), netstat -ap --numeric-ports (for process review)

      Also consider that Debian is the downstream distribution of Ubuntu; it’s usually older but more stable. More stable => fewer bugs => more secure

    • KillerTic@alien.top (OP)
      1 year ago

      Thanks!

      I saw the ed25519 keys sometime ago, but haven’t had time to understand it.

      Will look into it and the link!

      • kindrudekid@alien.top
        1 year ago

        Same protections as RSA but more efficient, because it gives the same strength of security with a shorter key length, making it fast.

        There is Edsa too, but since it was developed by the NSA, people are skeptical it may have a back door…

    • KillerTic@alien.top (OP)
      1 year ago

      Personally I disagree. You might be running internal services you do not want to expose. It also is an active step to expose something. This way you are in control what is exposed and what isn’t.

      • maof97@alien.top
        1 year ago

        Yeah, until you realize that e.g. docker compose doesn’t care about ufw rules and exposes defined ports anyway (yes, through the firewall), and now you can argue that an inexperienced user doesn’t know this and thinks that ufw will protect him and give him a false sense of security. You should always make sure to bind internal services to 127.0.0.1 only, period. Anyway, that doesn’t mean ufw is useless, but it should only be used for filtering more than the default port allow rules, because like this you have no security advantage (e.g. I use ufw on my Proxmox servers to block outgoing connections to the LAN by default and then explicitly allow connections to server x if needed).
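The listening-socket review that nomad’s netstat tip and the bind-to-127.0.0.1 advice above both point at, as an added example that is not from the thread or the linked article: it parses `ss -tulnp` output (a constructed sample is embedded; `live_report` runs the real command) and flags every socket not bound to a loopback address, which is exactly how a Docker-published port shows up regardless of ufw rules.

```python
"""Flag listening sockets that are reachable beyond loopback.

Added example for the thread above, not code from the article. Parses
`ss -tulnp` output; SAMPLE is constructed, not from a real host. Docker
publishes ports through its own iptables chains, so a port that appears
here bound to 0.0.0.0 or * is reachable no matter what ufw says.
"""
import ipaddress
import subprocess

# Constructed sample of `ss -tulnp` output (column layout as ss prints it).
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*  users:(("chronyd",pid=512,fd=5))
udp   UNCONN 0      0      [::1]:323         [::]:*     users:(("chronyd",pid=512,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:5432    0.0.0.0:*  users:(("postgres",pid=900,fd=7))
tcp   LISTEN 0      4096   *:8080            *:*        users:(("docker-proxy",pid=1200,fd=4))
tcp   LISTEN 0      128    [::]:22           [::]:*     users:(("sshd",pid=701,fd=4))
"""


def split_addr(local):
    """Split ss's 'addr:port' field; handles [IPv6] brackets and '*'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else port


def is_exposed(host):
    """True unless the socket is bound to a loopback address only."""
    if host in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unknown address form: prefer a false alarm


def parse_ss(text):
    """Return (proto, host, port, process) tuples, one per socket line."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 5:
            continue
        host, port = split_addr(parts[4])
        proc = parts[6] if len(parts) > 6 else ""
        name = proc.split('"')[1] if '"' in proc else "?"
        rows.append((parts[0], host, port, name))
    return rows


def exposed_services(text):
    """Sorted (proto, port, process) tuples not bound to loopback."""
    hits = {(p, port, name) for p, host, port, name in parse_ss(text)
            if is_exposed(host)}
    return sorted(hits)


def live_report():
    """Run ss on this host and return its exposed services."""
    out = subprocess.run(["ss", "-tulnp"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_services(out)


if __name__ == "__main__":
    for proto, port, name in exposed_services(SAMPLE):
        print(f"{proto}/{port} ({name}) accepts connections from outside")
```

On the sample, postgres and chronyd are loopback-only and stay quiet, while sshd and the docker-proxy on 8080 are reported; run `live_report()` as root to see the real picture for a host.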

  • Daniel15@alien.top
    1 year ago

    Nice work!

    Some small pieces of feedback:

    • You can disable the root user during installation, by leaving the root password blank. The installer explains this in the text at the top of the page. If you do this, root will be disabled and sudo will be installed automatically
    • If you really want to control which users can SSH in, it’s recommended to create a group and use AllowGroups, rather than allowing individual users via AllowUsers. Note that once you disable PasswordAuthentication, the only users that can SSH in are users that have keys in authorized_keys, so you don’t really need to use AllowUsers or AllowGroups.
    • Disabling IPv6 is unnecessary. If you don’t want to use it, then just… don’t use it? You should ideally always have IPv6 enabled for connections to the internet though. It’s generally faster due to better routing (see Google’s latency impact data: https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption), and more future-proof.
    • You may want to consider CrowdSec instead of fail2ban. It’s more efficient and they have a shared list of known bad IPs that you can use.
    • shishlikcharif@alien.top
      1 year ago

      Hi Daniel15. Is it recommended to disable the root user for a server during installation as you suggested? Are there never any tasks which must (or should) be executed as root for server setup or maintenance? I just built my first (Debian) server, so quite new to it all. Thanks.

      • DrH0rrible@alien.top
        1 year ago

        You can do almost everything with sudo. Some things are easier when done as the root user (such as setting cron jobs that need root permissions), but it should never be a necessity.

        If you really do need root user, you can still enable root temporarily and disable it again.

        • Daniel15@alien.top
          1 year ago

          Anything that you absolutely must do as root can be done using sudo -i which will give you a root shell.

    • sexyshingle@alien.top
      1 year ago

      > You may want to consider CrowdSec instead of fail2ban. It’s more efficient and they have a shared list of known bad IPs that you can use.

      Interesting, I’ll have to check out CrowdSec

  • Mr_Wobot@alien.top
    1 year ago

    I might format my Raspberry Pi with the new Raspbian OS. Will definitely try this one out, thanks

    • KillerTic@alien.top (OP)
      1 year ago

      Not helpful… If that is your opinion, then at least put some reasoning behind it…

      • akamuraaa@alien.top
        1 year ago

        I’m sorry.

        I personally think that Debian is in a dying state.

        Your article is very good and helpful, but just things like installing sudo is not very comfortable. Any other Linux OS has it installed from the start.

        Also your security tips are helpful for any Linux OS.

        • NerdyNThick@alien.top
          1 year ago

          That’s not reasoning, that’s still just your opinion. Note, if you follow up with a straight up claim that “debian is in a dying state” I’m going to expect evidence to back it up. So keep that in mind should you choose to continue dying on this hill.

          • Nebakanezzer@alien.top
            1 year ago

            Fanboism. There are entire data centers (like linode) running Debian under the hood. It’s stable and consistent.

          • shepry_44@alien.top
            1 year ago

            Debian just hit 30 years and is still one of the most used Linux distros. It’s not.

          • Mr_ToDo@alien.top
            1 year ago

            Thinks it’s in a dying state and the guy recommends the distro that’s doing its best to kill itself. What’s next, “Why don’t you use SCO Linux?”

  • Charming-Molasses-22@alien.top
    1 year ago

    Installing fail2ban and not configuring it is as good as not installing the program in the first place.

    Include unattended-upgrades with configuration for security updates. This is essential to any actively accessible server.

  • sowhatidoit@alien.top
    1 year ago

    Another great article! I’m curious about the reasoning for using Debian on a Pi vs the Pi OS which is based off Debian?

      • KillerTic@alien.top (OP)
        1 year ago

        Just because I know it and I wanted something with as little bloat as possible.

        Tried Alpine once, could not get it running.

        • ElevenNotes@alien.top
          1 year ago

          You wrote a guide on how to install and use a Linux distro but you can’t install another distro. Isn’t that a little bit of a contradiction, same with the statement “with as little bloat as possible”, that’s exactly what Alpine is made for. Are you sure you should give other people advice?

          • sowhatidoit@alien.top
            1 year ago

            I don’t see the contradiction. /u/KillerTic wrote about A linux distro, Debian, and wrote a how-to guide for said distro. Just because Alpine didn’t work out for them, doesn’t mean that they can’t write an article about Debian.

            I encourage you to actually read the article IF you are interested in learning about installing Debian. Not to mention, the writer clearly states this right up front.

            > I want to make it clear that I’m not a Linux expert or administrator; everything I’ve learned has been self-taught. The same applies to security practices.

            > If you happen to identify any issues or have valuable tips and advice, I welcome your input. I’m continually seeking ways to improve, and I’ll maintain a change log at the bottom of this article to track any updates and enhancements.

            • KillerTic@alien.top (OP)
              1 year ago

              Exactly this. I remember how hard it was for me to start and how often I screwed up, felt uncertain, …

            • ElevenNotes@alien.top
              1 year ago

              OP said he could not install another distro; this clearly shows the skill level, and even if you disclaim it at the beginning, should people with little to no experience write guides for the general public? Just because you figured out addition should not mean you can write a book about how to learn math.

              • sowhatidoit@alien.top
                1 year ago

                Hmm. I’m not sure what you are trying to debate, /u/ElevenNotes. OP wrote a damn good guide, and looking at their other work - they are doing a great job at contributing to this community. Their post was also featured in the weekly newsletter over at selfh.st. This is a hobby sub with a contributing community. I urge you to treat it like one.

    • cylindrical_@alien.top
      1 year ago

      Full disk encryption is my reason. Super easy to do when installing Debian from scratch. Big pain in the ass to do with Pi OS (last I googled).

  • jammsession@alien.top
    1 year ago

    PermitRootLogin I would set to yes.

    sudo systemctl restart ssh will only restart your ssh client and not the ssh server you try to restart. Use sshd instead.

    I personally find it easier to use no root during setup and import my ssh keys from GitHub using ssh-import-id.

    UFW doesn’t harm, but if the host is on your Proxmox hypervisor, it is probably behind a deny-all incoming firewall anyway. That is also why I would leave IPv6 on.

    Like others have noted, CrowdSec is a little bit more complex to set up but also offers more features. As a side note, Fail2ban is unfortunately not IPv6 ready.

    • KillerTic@alien.top (OP)
      1 year ago

      Thanks for the advice!

      Why would you leave PermitRootLogin at yes? Doesn’t really matter if root cannot log in anyway?!

      You are right on restarting sshd. That’s a typo…

      Another user also mentioned to not fill out the root password and it will disable root + install sudo. Guess I didn’t read the instructions properly. Will definitely be adopted.

      I agree on importing from GitHub, but I am unsure how many people have their keys there…

      UFW on a virtual machine might not be needed, but also not really harmful. I do like having it on every machine for peace of mind. Also this guide can be used for bare metal installs.

      CrowdSec is on the todo list!

      Thanks again. I will keep updating my article 😊

      • jammsession@alien.top
        1 year ago

        > Why would you leave PermitRootLogin at yes? Doesn’t really matter if root cannot log in anyway?!

        Just like you don’t really need UFW: not really harmful and for peace of mind :)

        But to be honest, I am no expert either. I look at your config and think, just leave everything at default besides these two:

        PubkeyAuthentication yes
        PasswordAuthentication no

        Things like

        MaxAuthTries 3

        don’t matter for public key auth.
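A checker for the sshd_config points raised in this thread (password vs. public-key auth, PermitRootLogin, AllowUsers vs. AllowGroups, MaxAuthTries), as an added example that is not from the thread or the linked article. It mirrors sshd’s first-occurrence-wins rule but does not follow Include lines or evaluate Match blocks; the sample config is constructed.

```python
"""Review an sshd_config for the settings debated in this thread.

Added example, not from the article. sshd uses the first value it sees
for a keyword, so a later duplicate is ignored; this parser does the same
and stops at the first Match block. It does not follow Include lines: on
Debian 12 the Include at the top of sshd_config means drop-in files in
sshd_config.d take precedence, so check those too (or trust `sshd -T`).
"""

# Constructed sample config, not from a real host.
SAMPLE = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication no
# a later duplicate is ignored by sshd, so this line has no effect
PasswordAuthentication yes
MaxAuthTries 3
AllowUsers alice bob
Match User backup
    PasswordAuthentication yes
"""

# OpenSSH defaults for the keywords reviewed below.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Map lowercase keyword -> first value, up to the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key val' or 'Key=val'
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def effective(settings, key):
    """Configured value, or the OpenSSH default when the keyword is absent."""
    return settings.get(key, DEFAULTS.get(key, ""))


def review(text):
    """Return findings as strings; an empty list means the advice is met."""
    s = parse_sshd_config(text)
    findings = []
    if effective(s, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing still possible")
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: key-only login cannot work")
    if effective(s, "permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can log in over SSH if it has a key or password")
    if "allowusers" in s and "allowgroups" not in s:
        findings.append("AllowUsers in use: AllowGroups is easier to maintain")
    # MaxAuthTries is deliberately not flagged: it only caps attempts per
    # connection and is moot once PasswordAuthentication is off.
    return findings


if __name__ == "__main__":
    print("\n".join(review(SAMPLE)) or "no findings")
```

On the sample the duplicate PasswordAuthentication line is correctly ignored and only PermitRootLogin and AllowUsers are reported.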

        • KillerTic@alien.top (OP)
          1 year ago

          Yeah and I went through it with thinking, let’s make it as secure as possible without 100% knowing the effect…

          You need password auth for copying your key, don’t you? Unless you import it during the install…

  • master117jogi@alien.top
    1 year ago

    Asks for donations but scams out artists by using AI art. You are just absolute scum OP.

    • KillerTic@alien.top (OP)
      1 year ago

      Wow… very narrow-minded perspective you have. So you call me scum, but did you donate or did you consume my content for free? Lol (I know the answer, as so far I did not receive donations)

      I embrace new technology and as I wrote in my about section, I adopt GenAI for learning purposes. Because learning in real life use cases is how I learn best.

      I am sharing knowledge for free and spend hours on writing these articles. If I needed to pay for the pictures out of my pocket, I would not make my content available.

      I am happy to donate to people who spend time giving back to the community, I do not rely on donations, but if anyone is like me, I am happy to accept them!

      GenAI is one of the biggest revolutions we have seen so far. Get behind it or be left in the dust…

      • nashosted@alien.top
        1 year ago

        OP is open about using AI. His content is great and you can tell they are passionate about it. We need more of this and if people use AI to help them word their articles, who cares as long as they don’t ask it to write the article for them.

        • KillerTic@alien.top (OP)
          1 year ago

          Thank you very much. Means a lot coming from the creator of noted.lol!

          Which reminded me, I always wanted to donate and just did so!

          You are the reason I chose Ghost by the way, and got quite a bit of inspiration from your articles! Thanks for that.

      • master117jogi@alien.top
        1 year ago

        > did you donate or did you consume my content for free

        I didn’t even read one word of it. That’s why I didn’t comment on the content. Opening the link showed a donation ask and an AI image. That already tells me everything about you that I need to know. Glad for you that you are fine with stealing other people’s work, all the images used to train these.

  • New_d_pics@alien.top
    1 year ago

    Damn, I was legit spinning up a new Ubuntu server VM and thought I’m gonna look up a guide about proper initial config/hardening while it loads up … You convinced me to give Debian a go.

      • KillerTic@alien.top (OP)
        1 year ago

        I tried it briefly, but had too many issues getting it up and running properly…

          • KillerTic@alien.top (OP)
            1 year ago

            Honestly, when I tried it was like two years ago. I think back then I wasn’t experienced enough and was annoyed at some stage not being able to get docker to run.

            I should give it another go. Would you just do it on the RPi and an LXC container or also on your VM?

            • ElevenNotes@alien.top
              1 year ago

              All three. Alpine (read-only from RAM) is the perfect OS for any RPi. Alpine in a VM is a perfect OS with native support for all hypervisors and drivers available from the start, and as a container base layer it’s simply one of the best OSes out there. I run all my bare metal nodes with Alpine from USB (read-only from RAM). You set up a USB stick, plug it in, boot from it, done. You can set up the OS with your keys and everything, take the USB stick, simply copy the contents (it’s FAT32) and put it on another stick and plug that into another server and boom, OS ready, no installation required.

              Disclaimer: All my bare metal nodes are for containers; the OS has nothing installed, so read-only from RAM is IMHO the best option to do so, unless you want PXE.

              • KillerTic@alien.top (OP)
                1 year ago

                All right, you got my attention 😂

                Challenge accepted! (Some rainy day I got some time).

                Thanks for that!

      • krysztal@alien.top
        1 year ago

        Isn’t Alpine musl based? Last time I heard it can lead to some very obscure problems when interacting with applications compiled with gcc… so, how’s it faring for you?

        • ElevenNotes@alien.top
          1 year ago

          Yes, but musl > glibc; anyway, as a container host it does not matter. You can install 99% of all bins, only the ones that are not 100% POSIX do not work (like GlusterFS for example), but in containers everything works.