How to harden Debian Buster
How to harden Debian Buster
Update & upgrade
apt-get update -y && apt-get upgrade -y
Install necessary packages
apt-get install -y vim git ufw fail2ban sudo
User Setup
Add new user
This step can be skipped if you allready have a user with sudo rights that is not root.
useradd -m -s /bin/bash your_username
Generate SSH Key on your local machine
On your local machine generate a SSH Key pair. Then copy the content of your public key. (id_rsa.pub
)
``bash
ssh-keygen -t rsa -b 4096 -C "yourname@youremail"
SSH Keys
Paste public key to ~/.ssh/authorized_keys
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
chmod 755 ~/.ssh
chmod 644 ~/authorized_keys
Add user to sudo group
usermod -aG sudo your_username
SSH Configuration
Disable root and password login
Edit /etc/sshd/sshd_config
with your preferred text editor (e.g. vim or nano)
vim /etc/ssh/sshd_config
Search for and change following settings:
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Reload SSH service:
systemctl reload ssh
Configure UFW firewall
Enable and start UFW
systemctl enable ufw
systemctl start ufw
Set default UFW rules
This will deny all incoming and allow all outgoing connections:
ufw default deny incoming
ufw default allow incoming
Make sure you allow ssh connections to be able to login:
ufw allow ssh
Optionally allow https if your running web applications. You can also allow http although I prefer for better security using only https.
ufw allow https
# ufw allow http
Enable rules and check status
ufw enable
ufw status
You should get following status output:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Configuring fail2Ban
This is my basic fail2ban configuration. Create local jail configuration and paste the below configuration.
vim /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxtretry = 5
Restart fail2ban service:
systemctl restart fail2ban