

Hardening Debian Server

Creating and importing an SSH key

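# Generate the key pair on your workstation, never on the server, and choose a
# passphrase when prompted: an unencrypted private key on disk is a
# single-factor secret for every host that trusts it.
ssh-keygen -t ed25519 -f /your-key-location/your-key-filename -C "your-key-comment"

# Install the *public* half on the server. The path must match the -f value
# above: ssh-keygen writes the public key next to the private key with a .pub
# suffix (the original page copied an unrelated "a.pub"). 'chmod -R go=' strips
# group/other permissions from ~/.ssh and authorized_keys; sshd (StrictModes)
# refuses keys from a directory or file that others can write to.
ssh user@host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys" < /your-key-location/your-key-filename.pub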

Or, more simply, use ssh-copy-id (it appends .pub to the path itself if you pass the private key):

# One-step equivalent of the mkdir/chmod/cat pipeline above; ssh-copy-id also
# fixes the permissions of ~/.ssh and authorized_keys on the remote side.
ssh-copy-id -i /your-key-location/your-key-filename.pub user@host

Edit the sshd configuration

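# nano /etc/ssh/sshd_config
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# PasswordAuthentication alone does not stop a PAM password prompt delivered via
# keyboard-interactive; disable that too (older name: ChallengeResponseAuthentication).
KbdInteractiveAuthentication no

# Debian's stock sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf"
# and sshd keeps the FIRST value it sees for each keyword, so a drop-in there
# (cloud images often ship one that sets PasswordAuthentication yes) silently
# wins over the lines above. Read back the effective configuration instead of
# trusting the file:
# sshd -T | grep -Ei '^(permitrootlogin|pubkeyauthentication|passwordauthentication|kbdinteractiveauthentication) '

# Syntax-check before restarting; a broken config leaves you with a failed
# service and no way back in.
# sshd -t
# systemctl restart ssh     # on Debian 'sshd' is an alias of the same unit, one restart is enough

# Keep this session open and confirm that a key-based login works from a NEW
# session before logging out.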

Creating a basic iptables firewall

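# install -m 0700 /dev/null /etc/firewall    # root-only AND executable: systemd execs this file directly
# nano /etc/firewall
#!/bin/bash
# /etc/firewall -- minimal host firewall for a Debian server.
#
# Usage: /etc/firewall start|stop   (invoked by firewall.service)
#
# start: IPv4 inbound is default-deny; only loopback, replies to connections the
#        host itself opened, ICMP and SSH from the allow-list below get in.
#        IPv4 outbound stays open. IPv6 is dropped in every direction, which
#        assumes the host does not use IPv6 at all -- if it does, replace the
#        blanket DROP with ICMPv6/NDP and conntrack rules.
# stop:  flush everything and set every policy back to ACCEPT.
#
# Fixes versus the first version of this page: the IPv4 INPUT policy was left
# at ACCEPT (every port except 22 was reachable) while IPv6 was fully dropped,
# the script ignored the start/stop argument the unit passes, had no shebang
# and was not executable, and an unfilled allow-list would have REJECTed all
# SSH clients including you.
#
# Apply it from a console, or keep a second SSH session open: a wrong or empty
# allow-list locks you out.
set -eu

IPT=/usr/sbin/iptables
IP6T=/usr/sbin/ip6tables    # Debian defaults to nftables; 'apt install iptables' if these are missing

# IPv4 addresses or CIDR networks allowed to open SSH connections.
allowed_ssh_sources=(
  # 203.0.113.10
  # 198.51.100.0/24
)
ssh_port=22

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

# Remove all rules and user-defined chains in both families; policies are left
# untouched so callers decide what the empty rule set means.
flush_all() {
  local t
  for t in filter nat mangle; do
    "$IPT" -t "$t" -F
    "$IPT" -t "$t" -X
  done
  for t in filter mangle; do
    "$IP6T" -t "$t" -F
    "$IP6T" -t "$t" -X
  done
}

start() {
  # Refuse to build a rule set with no way in -- checked before anything is
  # touched, so a misconfiguration leaves the previous rules in place.
  (( ${#allowed_ssh_sources[@]} > 0 )) \
    || die "allowed_ssh_sources is empty; refusing to lock SSH out"

  flush_all

  # IPv6: block everything except loopback.
  "$IP6T" -P INPUT DROP
  "$IP6T" -P OUTPUT DROP
  "$IP6T" -P FORWARD DROP
  "$IP6T" -A INPUT -i lo -j ACCEPT
  "$IP6T" -A OUTPUT -o lo -j ACCEPT

  # IPv4: accept rules first, DROP policy last, so the SSH session running this
  # script is never cut in the window between the two.
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
  "$IPT" -A INPUT -p icmp -j ACCEPT          # ping and path-MTU discovery
  local src
  for src in "${allowed_ssh_sources[@]}"; do
    "$IPT" -A INPUT -p tcp -s "$src" --dport "$ssh_port" -j ACCEPT
  done
  # Explicit REJECT so non-allow-listed SSH clients fail fast instead of timing out.
  "$IPT" -A INPUT -p tcp --dport "$ssh_port" -j REJECT
  # Add ACCEPT rules for any other public service here (e.g. --dport 443);
  # the policy below closes everything not listed.
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
}

stop() {
  flush_all
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT
    "$IP6T" -P "$chain" ACCEPT
  done
}

case "${1:-}" in
  start) start ;;
  stop)  stop ;;
  *)     printf 'Usage: %s start|stop\n' "${0##*/}" >&2; exit 2 ;;
esac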

Adding the firewall script to autostart (systemd unit)

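# nano /etc/systemd/system/firewall.service
[Unit]
Description=Host firewall (iptables rules from /etc/firewall)
# After=network.target alone lets services that bind sockets start in parallel
# with us, so a daemon can be reachable for a moment before the rules exist.
# Pull in the passive network-pre.target and order ourselves before it, as
# Debian's own nftables/netfilter-persistent units do; DefaultDependencies=no
# is required, otherwise the implicit After=basic.target would put us after
# network setup again.
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target

[Service]
# The script runs to completion; oneshot + RemainAfterExit keeps the unit
# "active" so ExecStop runs on 'systemctl stop'. The script must accept a
# start/stop argument and be executable (mode 0700 owned by root).
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/firewall start
ExecStop=/etc/firewall stop

[Install]
WantedBy=multi-user.target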

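# The rules take effect the moment the unit starts: check that your own address
# is in allowed_ssh_sources first, and keep a second session open.
# systemctl daemon-reload
# systemctl enable --now firewall
# Verify the unit is active and the loaded rules are what you expect:
# systemctl status firewall
# iptables -S
# ip6tables -S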