<p>This section assumes you have a fresh Debian install on a server (either physical or VPS).</p>
<p>It will cover installing the essentials for access, and basic security so you don't need to worry in the future. This section may seem a little daunting for a first-time Linux user, but most of it is copy/paste, hopefully with enough description to understand what is being done.</p>
</section>
<section>
<p>This first section is done on the physical PC, on the VPS through the provider's website console, or over SSH as root if that's the option you were given.</p>
<h2>Login</h2>
<p>Perhaps silly, but log in as your user with root privileges, or as the root user if a user isn't set up yet.</p>
<p>The first few steps are written as if you're logged in as root. If you followed my <a href="/guides/server-install-debian.html" target="_blank" rel="noopener">install guide</a>, root won't have a password, so we'll switch to the root user with the following command:</p>
<pre><code>sudo su -</code></pre>
<p>Now just follow along with the remainder of the guide. If you'd rather not change users, you can also put sudo in front of the commands to run them as root that way.</p>
<h2>Update the OS</h2>
<p>Even with a fresh install of Debian from the latest ISO, there may be some updates you're missing, and it's a good idea to have these, especially in case they're security updates.</p>
<h2>Install essential packages</h2>
<p>These are the packages needed for accessing and controlling the server.</p>
<pre><code>apt install sudo ssh -y</code></pre>
<h3>Some useful packages too</h3>
<pre><code>apt install vim htop wget curl tmux -y</code></pre>
<h2>Add a user, and give super user privileges</h2>
<p>You want to avoid using root as much as possible in regular use, so a new user for yourself is a must.</p>
<p>This can be skipped if you followed my guide, or you already have a user set up. Some VPS providers only give you root, however, so I believe this should be included.</p>
<p>The reason for a new account instead of using root basically comes down to security. If you want multiple people on the server too, it's best to have a unique account for each.</p>
<p>*replace $USERNAME$ with the user you want to create, e.g. nathan</p>
<h2>(Local server) Set static IP</h2>
<p>If the server is a physical PC in your home you will need to set a static IP, otherwise your router could assign a different IP on reboot, and this would mess with port forwarding, and internal DNS.</p>
<p>If you're using a VPS, this step can be ignored.</p>
<p><a href="#" target="_blank" rel="noopener">Set static IP for local server</a></p>
<h3>Port forwarding for local server</h3>
<p>If you've set the static IP for your local server, you'll also have an additional step when making public (internet served) services, as unlike a VPS your ISP will likely have all outbound ports disabled by default.</p>
<p><a href="#">Port forward your local server</a></p>
<h2>Secure ssh</h2>
<p>Although this is optional, I recommend it, as SSH (secure shell) will likely be the primary means of access to the server. You don't want to have to be next to it whenever you've got a change to make.</p>
<p>Open the following file with your editor of choice, I use vim.</p>
<pre><code>vim /etc/ssh/sshd_config</code></pre>
<p>Within the editor you will need to search for <strong>PermitRootLogin</strong> and set it to <strong>no</strong>. This prevents logging in as root over SSH.</p>
<p>Search for <strong>Port</strong> and set it to a different port than 22. A port over 1024 prevents basic nmap scans, and therefore a lot of brute-forcing, so let's go with 2020 as it's easy to remember.</p>
<p>Below the <strong>Port</strong> line, add a new line and write <strong>Protocol 2</strong>. This enables SSH2, which is more secure than the standard SSH protocol.</p>
<p>(Optional) Comment out (add a <strong>#</strong> to the beginning of) the <strong>passwordlogin</strong> line. This will prevent SSHing to the server from any PC that doesn't already have its SSH key on the server. I recommend only doing this if your SSH keys are on the server, or you're comfortable adding them.</p>
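<p>As an added example (not part of the original guide), the following script reads an sshd_config and reports the values sshd will actually use for the settings edited above, so you can check your edits before restarting sshd. It assumes a plain config without Match blocks or Include directives. One caveat it makes visible: the directive that controls password logins is <strong>PasswordAuthentication</strong>, and a commented-out line is not a setting but the compiled-in default, which is <strong>yes</strong>; to actually disable password logins the line has to be uncommented and set to <strong>no</strong>.</p>

```shell
#!/bin/sh
# Added example, not from the original guide. Mimics three sshd rules:
#  - the FIRST occurrence of a keyword wins,
#  - keywords are case-insensitive,
#  - a commented line (#Keyword value) is NOT a setting, only a hint at
#    the default. So "#PasswordAuthentication no" still means "yes".
# Assumption: no Match blocks or Include directives in the file.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective value
sshd_effective() {
    _v=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                         # comment, skip
        tolower($1) == tolower(key) { print $2; exit }    # first match wins
    ' "$1")
    printf '%s\n' "${_v:-$3}"
}

# sshd_audit FILE -> prints the settings this guide changes and returns 0
# only if they all match the guide (root off, port moved, passwords off,
# public keys on). Defaults are those of current OpenSSH.
sshd_audit() {
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    port=$(sshd_effective "$1" Port 22)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    pubkey=$(sshd_effective "$1" PubkeyAuthentication yes)
    printf 'PermitRootLogin=%s Port=%s PasswordAuthentication=%s PubkeyAuthentication=%s\n' \
        "$root" "$port" "$pass" "$pubkey"
    [ "$root" = no ] && [ "$port" != 22 ] && [ "$pass" = no ] && [ "$pubkey" = yes ]
}

# Constructed sample config that follows the guide literally: the password
# line was only commented out, so password logins are still enabled.
sample_cfg=$(mktemp)
cat >"$sample_cfg" <<'EOF'
#Port 22
Port 2020
Protocol 2
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

sshd_audit "$sample_cfg" || echo "config does not yet match the guide"
```

Run it against <strong>/etc/ssh/sshd_config</strong> by calling <strong>sshd_audit /etc/ssh/sshd_config</strong>; <strong>sshd -t</strong> remains the authoritative syntax check before a restart.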
<p>UFW (Uncomplicated Firewall) is a simple-to-use firewall that can be used to easily open/close ports on your server.</p>
<p>We'll install ufw, deny all incoming connections, but allow our server to connect outwards on any port. We will then manually allow incoming traffic to the SSH port we set, in this case 2020.</p>
<pre><code>apt install ufw</code></pre>
<pre><code>ufw default deny incoming &amp;&amp;   # drop all inbound connections unless a rule allows them
ufw default allow outgoing &amp;&amp;  # the server itself may connect out freely
ufw allow 2020/tcp &amp;&amp;          # the SSH port set in sshd_config
ufw enable</code></pre>
<p>If there are any other ports that need to be opened in the future this can be done with:</p>
<p>Setting the name for a server is not an important step, but it's nice to have each server easily identifiable.</p>
<p>Simply change the hostname within the two files below. Ensure they share the same name between files.</p>
<pre><code>vim /etc/hosts</code></pre>
<p>and</p>
<pre><code>vim /etc/hostname</code></pre>
<p>Within both of these files the hostname should be changed to the same thing.</p>
</section>
<section>
<p>This next section is to be done via a terminal, or an SSH client e.g. PuTTY for Windows. This part of the guide is written for a Unix terminal.</p>
<h2>SSH into the server</h2>
<p>This is a two-part section, and I recommend using this every time you SSH into a server from a new PC.</p>
<pre><code>ssh $USER$@$HOST$ -p 2020</code></pre>
<p>This will likely display a message asking you to verify the key for the server. This is to prevent man-in-the-middle attacks, so I recommend verifying this whenever asked.</p>
<h3>Verify SSH</h3>
<p>To verify, you'll need to run the following command on the server.</p>
<p>Then, if the key the server shows matches the one in your PC's SSH prompt, type <strong>yes</strong> and hit enter on your PC.</p>
<h2>SSH without a password</h2>
<p>To be more secure, and to SSH faster, we can set up an SSH key and use that for user authentication.</p>
<h3>Create an SSH key</h3>
<p>We'll create an ed25519 ssh-key, as it's more secure, and performant than the default rsa.</p>
<pre><code>ssh-keygen -t ed25519</code></pre>
<h3>Copy the SSH key onto the server</h3>
<p>From the terminal there's a nifty command to copy SSH keys to a server.</p>
<p>Now simply run the same ssh command as before, and you shouldn't get a password prompt.</p>
<pre><code>ssh $USER$@$HOST$ -p 2020</code></pre>
<h2>(Optional) Fail2Ban</h2>
<p>Fail2ban periodically checks server logs and bans IPs that appear to be trying to brute-force their way into your server. It's only "required" for servers exposed to the internet.</p>
<pre><code>apt install fail2ban -y</code></pre>
<pre><code>systemctl enable fail2ban</code></pre>
<p>There are a lot of options for fail2ban; this just installs it. For a little more detail check out <a href="https://wiki.crowncloud.net/?How_To_Protect_SSH_With_Fail2Ban_on_Debian_12" target="_blank" rel="noopener">CrownCloud's fail2ban guide</a>.</p>
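<p>To show what fail2ban's sshd jail is actually doing, here is an added example (not from the original guide or the fail2ban project) that counts failed password attempts per source IP in an auth log and lists the addresses at or above a threshold (fail2ban's default maxretry is 5). It assumes the classic /var/log/auth.log syslog line format; the sample log is constructed and uses documentation IP addresses.</p>

```shell
#!/bin/sh
# Added example, not from the original guide. Plain-shell version of the
# counting fail2ban's sshd filter does, for reading logs by hand.
# Assumption: lines look like the constructed sample below (syslog format,
# "Failed password for ... from <ip> port <n> ssh2").

# brute_force_ips LOG THRESHOLD -> prints "COUNT IP", most failures first,
# for every source address with COUNT >= THRESHOLD
brute_force_ips() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++)            # the IP follows the word "from"
                if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails) if (fails[ip] >= max) print fails[ip], ip
        }
    ' "$1" | sort -rn
}

# Constructed sample log (RFC 5737 addresses): one host keeps guessing
# passwords for accounts that do not exist, one real user mistyped once
# and then logged in with a key. Only the first should be banned.
sample_log=$(mktemp)
cat >"$sample_log" <<'EOF'
Mar  3 10:01:12 srv sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 40412 ssh2
Mar  3 10:01:15 srv sshd[2313]: Failed password for invalid user oracle from 203.0.113.9 port 40418 ssh2
Mar  3 10:01:18 srv sshd[2315]: Failed password for root from 203.0.113.9 port 40421 ssh2
Mar  3 10:01:22 srv sshd[2318]: Failed password for invalid user test from 203.0.113.9 port 40429 ssh2
Mar  3 10:01:26 srv sshd[2320]: Failed password for invalid user guest from 203.0.113.9 port 40433 ssh2
Mar  3 10:02:40 srv sshd[2340]: Failed password for nathan from 198.51.100.7 port 52210 ssh2
Mar  3 10:02:46 srv sshd[2340]: Accepted publickey for nathan from 198.51.100.7 port 52210 ssh2
EOF

brute_force_ips "$sample_log" 5
```

On a real Debian 12 host the same lines live in the systemd journal (<strong>journalctl -u ssh</strong>) as well as /var/log/auth.log, and fail2ban adds the time window (findtime) and the actual ban that this script leaves out.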
<h2>TODO: (Optional) Unattended Upgrades</h2>
<p>Updates to a server typically want to be done by a human in case things go wrong, but smaller updates can be set to be done automatically.</p>
<p>The above downloads and starts unattended-upgrades with some good defaults, but if you want some more details check cyberciti's <a href="https://www.cyberciti.biz/faq/how-to-keep-debian-linux-patched-with-latest-security-updates-automatically/" target="_blank" rel="noopener">unattended upgrades guide</a>.</p>
<h2>(Optional) Setup User preferences</h2>
<p>These are a few things I personally like to have on a basic server. If you have your own preferences, dotfiles, or intend to use oh-my-zsh, feel free to skip over this.</p>
<pre><code>set -o vi</code></pre>
<h3>Aliases</h3>
<p>Instead of typing out long commands you can alias them, and type a shorthand version. I've written an <a href="#">article about aliases</a> that explains setting them up, and the aliases I use. Below are some essentials for those that don't want to jump to another article.</p>
<pre><code>alias ll="ls -lhtr"
alias df="df -h"
alias ta="tmux attach || tmux new"
alias ipe="curl ifconfig.co"</code></pre>
<h3>Ctrl-L clear-screen</h3>
<p>Sometimes a new system doesn't have this by default, and it's probably the thing I use most after ls.</p>
<p>Add to, or create, an .inputrc file:</p>
<pre><code>vim ~/.inputrc</code></pre>
<p>Add the following line to the file</p>
<pre><code>"C-l": clear-screen</code></pre>
<h3>BashRC PS1</h3>
<p>This will make your terminal look a little nicer, and display the directory path, user, and hostname. A ridiculously useful feature if you're managing multiple servers or virtual machines.</p>
<p>This also lives in the .bashrc file, so open that up:</p>
<pre><code>vim ~/.bashrc</code></pre>
<p>Then add the following to the bottom of the file.</p>
<p>If you want to customise your terminal, you can do so with a <a href="https://bashrcgenerator.com/" target="_blank" rel="noopener">.bashrc PS1 generator</a>.</p>
<h2>Reads shouldn't write!</h2>
<p>Another personal opinion, and change, is to enable noatime and nodiratime. Be careful with this change! Ignore it if you followed my Debian install guide, as they're already enabled.</p>
<p>Basically, without these, whenever a file is opened (read) on your filesystem a write is invoked to update the time it was accessed, which causes unwanted writes and CPU cycles.</p>