Debian Server Essentials: Setup, Configure, and Hardening Your System
Nice work!
Some small pieces of feedback:
You can disable the root user during installation by leaving the root password blank. The installer explains this in the text at the top of the page. If you do this, root will be disabled and sudo will be installed automatically.
If you really want to control which users can SSH in, it's recommended to create a group and use AllowGroups, rather than allowing individual users via AllowUsers. Note that once you disable PasswordAuthentication, the only users that can SSH in are users that have keys in authorized_keys, so you don't really need to use AllowUsers or AllowGroups.
Disabling IPv6 is unnecessary. If you don't want to use it, then just... don't use it? You should ideally always have IPv6 enabled for connections to the internet though. It's generally faster due to better routing (see Google's latency impact data: https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption), and more future-proof.
You may want to consider CrowdSec instead of fail2ban. It's more efficient and they have a shared list of known bad IPs that you can use.
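The group-based sshd setup described in the comment above, as an added example (not code from the post, the guide or the commenter). It assumes Debian 12, where /etc/ssh/sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf" so a drop-in file takes precedence, a group name of "sshusers" and a drop-in path of /etc/ssh/sshd_config.d/50-hardening.conf (both assumed), and that the apply step runs as root. It also adds the check a practitioner wants before turning off PasswordAuthentication: refuse unless the admin user already has an authorized_keys file, so the change cannot lock you out.

```shell
#!/bin/sh
# Added example (not from the post or the comment above). Assumes Debian 12,
# whose /etc/ssh/sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf",
# a group named "sshusers" (assumed name), and that apply_sshd_hardening runs as root.
set -eu

SSH_GROUP="${SSH_GROUP:-sshusers}"
DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/50-hardening.conf}"   # assumed path

# Emit the drop-in. Group-based access (AllowGroups) instead of per-user AllowUsers,
# and no password or keyboard-interactive logins, so only authorized_keys holders get in.
render_sshd_dropin() {
  cat <<EOF
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowGroups $1
EOF
}

# Return 0 only if the config text carries every directive this setup relies on
# and does not fall back to a per-user AllowUsers list.
verify_sshd_dropin() {
  conf="$1"
  printf '%s\n' "$conf" | grep -q '^PasswordAuthentication no$' || return 1
  printf '%s\n' "$conf" | grep -q '^PermitRootLogin no$' || return 1
  printf '%s\n' "$conf" | grep -q '^AllowGroups [A-Za-z0-9_-]' || return 1
  if printf '%s\n' "$conf" | grep -q '^AllowUsers'; then
    return 1
  fi
  return 0
}

# Lock-out guard: only disable passwords if the user already has a key installed.
user_has_key() {
  home="$(getent passwd "$1" | cut -d: -f6)"
  [ -n "$home" ] && [ -s "$home/.ssh/authorized_keys" ]
}

# Create the group, enrol the admin user, write the drop-in, syntax-check, then reload.
apply_sshd_hardening() {
  user="$1"
  if ! user_has_key "$user"; then
    echo "refusing: $user has no authorized_keys, disabling passwords would lock you out" >&2
    return 1
  fi
  getent group "$SSH_GROUP" >/dev/null || groupadd "$SSH_GROUP"
  usermod -aG "$SSH_GROUP" "$user"
  render_sshd_dropin "$SSH_GROUP" > "$DROPIN"
  conf="$(cat "$DROPIN")"
  verify_sshd_dropin "$conf"
  sshd -t                     # never reload on a config sshd rejects
  systemctl reload ssh        # Debian's unit is ssh.service
}

# Usage: sudo sh harden-ssh.sh <adminuser>
# (running or sourcing it without an argument only defines the functions)
if [ "${1:-}" != "" ]; then
  apply_sshd_hardening "$1"
fi
```

Keep an existing session open while you reload, and test a fresh login from a second terminal before closing it; sshd -t catches syntax errors but not a misspelled group name or a key that was never copied over.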
Thanks for the feedback, man! I saved your comment and will go through it in a couple of days.
I know that setting AllowUsers and only allowing keys in combination is not really needed, but I thought "what's the harm"... But for the guide I might adjust that part.
On IPv6... My "research" was done quite a while ago... So I'm not 100% sure anymore about the reasoning, but what annoyed me most was the two rules in the firewall I had to delete when playing around. But I'll do some reading and update the guide accordingly.
CrowdSec is on my todo list! I very much want to integrate it in quite a few areas, just haven't found the time to wrap my head around it yet.
Damn, I was legit spinning up a new Ubuntu server VM and thought I'm gonna look up a guide about proper initial config/hardening while it loads up ... You convinced me to give debian a go.
Nice timing! Happy you found it exactly when you needed it.
Thanks!
I saw the ed25519 keys sometime ago, but haven’t had time to understand it.
Will look into it and the link!
Another great article! I'm curious about the reasoning for using Debian on a Pi vs Pi OS, which is based on Debian?
For Raspberry Pis I prefer DietPi, which is Debian based but not full of unnecessary stuff for servers like Pi OS is.