Make all <pre> tags contain no unwanted whitespace

master
Nathan Steel 4 years ago
parent 1fba0381a2
commit b7d1394d08

@ -40,16 +40,12 @@
<h2>Add the A record</h2> <h2>Add the A record</h2>
<p>There will likely be many option for adding records, but all we need is to add a singular A record</p> <p>There will likely be many option for adding records, but all we need is to add a singular A record</p>
<p>Find the box that allows you to "Add a new record" and input the below, changing <IP> and <DOMAIN> with your IP address, and domain name</p> <p>Find the box that allows you to "Add a new record" and input the below, changing <IP> and <DOMAIN> with your IP address, and domain name</p>
<pre>
<code> <pre><code></code></pre>
</code>
</pre>
<p>If there are not multiple boxes, but instead a single box to input your record into, this will be what you add instead</p> <p>If there are not multiple boxes, but instead a single box to input your record into, this will be what you add instead</p>
<pre>
<code> <pre><code></code></pre>
</code>
</pre>
<h2>Wait for propagation</h2> <h2>Wait for propagation</h2>
<p>Now there's a bit of a waiting game, as you need to wait for the new DNS record to propagate (get updated) for all nameservers. This can be anywhere from instantly to 72 hours, but typically takes an hour or two.</p> <p>Now there's a bit of a waiting game, as you need to wait for the new DNS record to propagate (get updated) for all nameservers. This can be anywhere from instantly to 72 hours, but typically takes an hour or two.</p>
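Review bot: Both new <pre><code></code></pre> blocks in this hunk (under "input the below" and under "this will be what you add instead") are empty as shown, so the two paragraphs point the reader at record values that are not there. Collapsing the whitespace is fine, but the A record fields need to be inside the blocks; if they are written with literal <IP> and <DOMAIN> placeholders, those have to be entity-escaped as &lt;IP&gt; and &lt;DOMAIN&gt; so the browser does not swallow them as unknown tags.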

@ -39,34 +39,23 @@
<h2>Update the OS</h2> <h2>Update the OS</h2>
<p>Even with a fresh install of Debian from the latest ISO, there may be some updates you're missing, and it's a good idea to have these, especially in case they're security updates.</p> <p>Even with a fresh install of Debian from the latest ISO, there may be some updates you're missing, and it's a good idea to have these, especially in case they're security updates.</p>
<pre>
<code> <pre><code>apt update && apt upgrade</code></pre>
root$ apt update && apt upgrade
</code>
</pre>
<h2>Install essential packages</h2> <h2>Install essential packages</h2>
<p>These are packages that are needed for accessing, and controlling the server</p> <p>These are packages that are needed for accessing, and controlling the server</p>
<pre>
<code> <pre><code>apt install sudo ssh</code></pre>
root$ apt install sudo ssh
</code>
</pre>
<h3>Some useful packages too</h3> <h3>Some useful packages too</h3>
<pre> <pre><code>apt install vim htop wget curl tmux</code></pre>
<code>
root$ apt install vim htop wget curl tmux
</code>
</pre>
<h2>Add a user, and give super user privilleges</h2> <h2>Add a user, and give super user privilleges</h2>
<p>You want to avoid using root as much as possible in regular use, so a new user for yourself is a must</p> <p>You want to avoid using root as much as possible in regular use, so a new user for yourself is a must</p>
<pre>
<code> <pre><code>adduser <USERNAME>
root$ adduser <USERNAME> usermod -aG sudo <USERNAME></code></pre>
root$ usermod -aG sudo <USERNAME>
</code>
</pre>
<p>*replace <USERNAME> with the user you want to create, e.g. nathan</p> <p>*replace <USERNAME> with the user you want to create, e.g. nathan</p>
<h2>(Local server) Set static IP</h2> <h2>(Local server) Set static IP</h2>
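Review bot: Removing the root$ prompt from the apt, adduser and usermod blocks also removes the only marker that these commands run as root, and none of the surrounding paragraphs in this hunk says so. Suggest stating it once in prose near "Update the OS" so a reader logged in as a normal user knows why the commands fail. Minor, same hunk: "privilleges" in the "Add a user" heading should be "privileges".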
@ -74,53 +63,38 @@
<h2>Secure ssh</h2> <h2>Secure ssh</h2>
<p>Although this is optional, I recommend it, as SSH (secure shell) will be the primary means of access to the server.</p> <p>Although this is optional, I recommend it, as SSH (secure shell) will be the primary means of access to the server.</p>
<pre>
<code> <pre><code>vim /etc/ssh/sshd_config</code></pre>
root$ vim /etc/ssh/sshd_config
</code>
</pre>
<p>Within the editor you will need to search for <strong>PermitRootLogin</strong> and set it to <strong>no</strong>, this prevents ssh as root</p> <p>Within the editor you will need to search for <strong>PermitRootLogin</strong> and set it to <strong>no</strong>, this prevents ssh as root</p>
<p>Search for <strong>Port</strong> and set it to a different port to 22, a port over 1024 prevents basic nmap scans, and therefor a lot of bruteforcing, so let's go with 2020 so it's easy to remember</p> <p>Search for <strong>Port</strong> and set it to a different port to 22, a port over 1024 prevents basic nmap scans, and therefor a lot of bruteforcing, so let's go with 2020 so it's easy to remember</p>
<p>Below the <strong>Port</strong> line, add a new line with <strong>Protocol 2</strong> this enables ssh2, which is more secure</p> <p>Below the <strong>Port</strong> line, add a new line with <strong>Protocol 2</strong> this enables ssh2, which is more secure</p>
<p>(Optional) Comment/Add a <strong>#<strong> to the beginning of the <strong>passwordlogin</strong> line. This will prevent sshing to the server from any PC that doesn't have it's SSH key on the server already. I recommend only doing this if your sshkeys are on the server, or you're comfortable adding them.</p> <p>(Optional) Comment/Add a <strong>#</strong> to the beginning of the <strong>passwordlogin</strong> line. This will prevent sshing to the server from any PC that doesn't have it's SSH key on the server already. I recommend only doing this if your sshkeys are on the server, or you're comfortable adding them.</p>
<pre>
<code> <pre><code>systemctl reload sshd</code></pre>
root$ systemctl reload sshd
</code>
</pre>
<p>This reloads the ssh daemon, and enables all the changes we've made</p> <p>This reloads the ssh daemon, and enables all the changes we've made</p>
<h2>Setup UFW</h2> <h2>Setup UFW</h2>
<p>UFW (Uncomplicated Firewall) is a simple to use firewall, that can be used to easily open/close ports on your server.</p> <p>UFW (Uncomplicated Firewall) is a simple to use firewall, that can be used to easily open/close ports on your server.</p>
<p>We'll install ufw, deny access inwards to all ports, but allow our server to access any ports outwards. We will then manually allow inwards traffic to the SSH port we set, in this case 2020</p> <p>We'll install ufw, deny access inwards to all ports, but allow our server to access any ports outwards. We will then manually allow inwards traffic to the SSH port we set, in this case 2020</p>
<pre>
<code> <pre><code>apt install ufw
root$ apt install ufw ufw deny incoming
root$ ufw deny incoming ufw allow outgoing
root$ ufw allow outgoing ufw allow 2020
root$ ufw allow 2020 ufw enable</code></pre>
root$ ufw enable
</code>
</pre>
<p>If there are any other ports that need to be opened in the future this can be done with:</p> <p>If there are any other ports that need to be opened in the future this can be done with:</p>
<pre> <pre><code>ufw allow <PORT></code></pre>
<code> <p>or</p>
root$ ufw allow <PORT> <pre><code>sudo ufw allow <PORT></code></pre>
</code>
or
<code>
root$ sudo ufw allow <PORT>
</code>
</pre>
<h2>Set hostname</h2> <h2>Set hostname</h2>
<p>Setting the name for a server is an important step, but the name doesn't need to be serious</p> <p>Setting the name for a server is an important step, but the name doesn't need to be serious</p>
<pre>
<code> <pre><code>vim /etc/hosts
root$ vim /etc/hosts vim /etc/hostname</code></pre>
root$ vim /etc/hostname
</code>
</pre>
<p>Within both of these files the hostname should be changed to the same thing</p> <p>Within both of these files the hostname should be changed to the same thing</p>
</section> </section>
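Review bot: The paragraph touched here to close the <strong>#</strong> tag still names a passwordlogin line, which is not an sshd_config keyword; the setting is PasswordAuthentication, and commenting it out leaves sshd on its default of yes, so password logins stay enabled. Suggest changing the instruction to set PasswordAuthentication no, keeping the existing advice to do so only once the SSH keys are on the server. In the UFW block, "ufw deny incoming" and "ufw allow outgoing" do not set the default policies the paragraph above them describes; the commands for that are "ufw default deny incoming" and "ufw default allow outgoing".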
@ -129,25 +103,17 @@
<p>This next section can be done via a terminal, or an SSH client e.g. PuTTY for Windowss. For the sake of the guide, this assume you're using a Unix terminal</p> <p>This next section can be done via a terminal, or an SSH client e.g. PuTTY for Windowss. For the sake of the guide, this assume you're using a Unix terminal</p>
<h2>Create an SSH key</h2> <h2>Create an SSH key</h2>
<p>We'll create an ed25519 ssh-key, as it's more secure, and performant than the defaultrsa</p> <p>We'll create an ed25519 ssh-key, as it's more secure, and performant than the defaultrsa</p>
<pre> <pre><code>ssh-keygen -t ed25519</code></pre>
<code>
$ ssh-keygen -t ed25519
</code>
</pre>
<h2>SSH into the server</h2> <h2>SSH into the server</h2>
<p>This is a two part section, and I recommend using this every time you SSH into a server from a new PC</p> <p>This is a two part section, and I recommend using this every time you SSH into a server from a new PC</p>
<pre> <pre><code>ssh <USER>@<HOST> -p 2020</code></pre>
<code>
$ ssh <USER>@<HOST> -p 2020
</code>
</pre>
<p>This will likely display a message asking to verify the key for the server. This is to prevent man-in-the-middle attacks, so I reccommend verifying this whenever asked.</p> <p>This will likely display a message asking to verify the key for the server. This is to prevent man-in-the-middle attacks, so I reccommend verifying this whenever asked.</p>
<p>To check the key for the server, you need to run this command on the server.</p> <p>To check the key for the server, you need to run this command on the server.</p>
<pre>
<code> <pre><code>ssh-keygen -l -f /etc/ssh/ssh_host_<KEY>_key.pub</code></pre>
$ ssh-keygen -l -f /etc/ssh/ssh_host_<KEY>_key.pub
</code>
</pre>
<p>Replace <KEY> with the key the message is asking about. Then if key the server shows matches that on your PC you are SSHing from, type <strong>yes</strong> and hit enter</p> <p>Replace <KEY> with the key the message is asking about. Then if key the server shows matches that on your PC you are SSHing from, type <strong>yes</strong> and hit enter</p>
<h2>TODO:(Optional) Fail2Ban</h2> <h2>TODO:(Optional) Fail2Ban</h2>
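Review bot: The host key check in this hunk tells the reader to run ssh-keygen -l -f /etc/ssh/ssh_host_<KEY>_key.pub "on the server" without saying how to get there; it has to be run from the console or another already trusted session, because running it over the SSH connection being verified proves nothing. Suggest adding that to the paragraph. With the $ prompt removed from these blocks, the text should also say that ssh-keygen -t ed25519 and the ssh command run on the client. Typos in the context lines: "Windowss", "defaultrsa", "reccommend".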
