====== Hardening Debian Server ======

[[https://www.youtube.com/watch?v=t8LS3F5Iu8Y]]

===== Creating and importing an SSH key =====

<code>
ssh-keygen -t ed25519 -f /your-key-location/your-key-filename -C "your-key-comment"
cat /your-key-location/your-key-filename.pub | ssh user@host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
</code>

//or simply use the ssh-copy-id command//

<code>
ssh-copy-id -i /your-key-location/your-key-filename user@host
</code>

===== Edit ssh config =====

<code>
# nano /etc/ssh/sshd_config
</code>

<code>
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
</code>

<code>
# systemctl restart ssh
# systemctl restart sshd
</code>

===== Creating basic iptables firewall =====

<code>
# touch /etc/firewall
# chmod +x /etc/firewall
# nano /etc/firewall
</code>

<code>
#!/bin/sh
# Shebang and executable bit are required: systemd executes this file directly.

# IPv4: flush the filter, nat and mangle tables
/usr/sbin/iptables -F
/usr/sbin/iptables -F -t nat
/usr/sbin/iptables -F -t mangle

# IPv6: flush rules, delete user chains, drop everything except loopback
/usr/sbin/ip6tables -F
/usr/sbin/ip6tables -X
/usr/sbin/ip6tables -F -t mangle
/usr/sbin/ip6tables -X -t mangle
/usr/sbin/ip6tables -P INPUT DROP
/usr/sbin/ip6tables -P OUTPUT DROP
/usr/sbin/ip6tables -P FORWARD DROP
/usr/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT

# IPv4: allow SSH only from the listed source addresses, reject everyone else
for ip in insert_your_ips_here; do
    /usr/sbin/iptables -A INPUT -p tcp -s "$ip" --dport 22 -j ACCEPT
done
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j REJECT
</code>

===== Adding firewall script to autostart =====

<code>
# nano /etc/systemd/system/firewall.service
</code>

<code>
[Unit]
Description=firewall
After=network.target

[Service]
RemainAfterExit=yes
ExecStart=/etc/firewall start
ExecStop=/etc/firewall stop

[Install]
WantedBy=multi-user.target
</code>

<code>
# systemctl enable firewall
# systemctl start firewall
</code>
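
Added example, not part of the original page: a check for the "Edit ssh config" step. sshd keeps the first value it reads for each keyword, so a file pulled in by an Include line above your settings can override them; this script audits the effective values as printed by ''sshd -T''. The function name ''audit_sshd'' and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Audit effective sshd settings against the three directives this page sets.
# Input on stdin: output of `sshd -T` (lowercase "keyword value" lines).

# Expected values, written the way `sshd -T` prints them.
EXPECTED='permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Constructed samples (not captured from a real host).
SAMPLE_GOOD='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'
# Here an earlier-read file has re-enabled password logins.
SAMPLE_BAD='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# audit_sshd (hypothetical helper): prints one line per mismatched or missing
# directive and returns 0 only when every expected value is in effect.
audit_sshd() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        # First occurrence of the keyword, compared case-insensitively.
        got=$(printf '%s\n' "$dump" |
              awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key is $got (expected $want)"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Demo on the constructed samples. On a real host, as root: sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_GOOD" | audit_sshd && echo "good sample: OK"
printf '%s\n' "$SAMPLE_BAD" | audit_sshd || echo "bad sample: keep your current session open and fix the config"
```

Run the check before closing the session you used to edit the config, and confirm a key-based login from a second terminal.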