Basic Linux Server Setup & Hardening
Here are initial steps I perform on any fresh Linux install. My preferred distro is Debian, so anything below is within that context.
Perform updates, set hostname, add non-root users
Perform updates
apt update && apt upgrade -y
hostnamectl set-hostname debian
#
# vim /etc/hosts and add following line
# <ip-address> debian
#
adduser my-username
adduser my-username sudo
Configure SSH
To secure SSH, I temporarily enable password auth to copy a non-root public key over. Once copied, I disable password auth, and disable root from authenticating via SSH.
- Temporarily enable password auth
# /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
Restart sshd with:
systemctl restart sshd
- From the client machine, copy the public key for the non-root account with ssh-copy-id
ssh-copy-id my-username@<ip-address>
- Reconfigure ssh to disable password auth, and disable remote root authentication
# /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
Restart sshd with:
systemctl restart sshd
- Lastly, enable passwordless sudo
# update default visudo editor to vim
update-alternatives --config editor
# use visudo to edit /etc/sudoers file
visudo
# in the sudoers file, set the %sudo line to:
%sudo ALL=(ALL) NOPASSWD:ALL
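An added check for the SSH steps above (not part of the original post): the `Include /etc/ssh/sshd_config.d/*.conf` line comes first and sshd keeps the first value it obtains for each keyword, so a drop-in file can override the `PasswordAuthentication no` set in the main file. The function below reads `sshd -T` output and confirms the effective values; the function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the *effective* sshd settings, not just the file edit.
# Input is `sshd -T` output (lowercase "keyword value" lines) on stdin.

# Values expected after the final hardening step (keyword=value).
EXPECTED="permitrootlogin=no passwordauthentication=no"

# Prints one OK/FAIL line per expected keyword; returns 1 if any check fails.
check_sshd_effective() {
    input=$(cat)
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Take the first occurrence of the keyword, compared case-insensitively.
        got=$(printf '%s\n' "$input" |
            awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: effective config where a drop-in under
# /etc/ssh/sshd_config.d/ re-enabled passwords ahead of the main file.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample: the state the final SSH step aims for.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective || echo "-> not hardened"
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective && echo "-> hardened"
# On the server itself: sudo sshd -T | check_sshd_effective
```

Run the check after the final `systemctl restart sshd`, and keep the existing SSH session open until a second key-based login succeeds.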
Secure server with host firewall UFW
Permit outbound traffic, deny all inbound traffic except SSH:
sudo apt install ufw
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw enable
sudo ufw status