| README.md | README.md aktualisiert | |
TL;TR:
VPS / SSH initial setup (simple and fundamental harding; debian-based OS)
SET NEW USER
login → change root password
ssh root@123.123.123.123
passwd
create a non-root user
sudo adduser <username>
add admin privileges
adduser <username> sudo
change to (new) user
sudo su - <username>
⚠️ keep terminal (ssh connection) open and login to a new terminal:
→ verify that you can login with your new
→ keep it also open as backup connection
FUNDAMENTAL SSH HARDING
sudo nano /etc/ssh/sshd_config
- change ssh port (
#Port 22) i.e. to 54321:
→ Port 54321
- do not allow, root and password login, only ssh key(s)
→ PubkeyAuthentication yes
→ PasswordAuthentication no
→ PermitRootLogin no
save, close and restart ssh service
add (your) public ssh key(s) to the server
cd /home/<username>
mkdir .ssh && cd .ssh
nano authorized_keys
copy & paste your PUBLIC ssh key(s)
sudo service sshd restart
check and verify all allowed and forbidden logins
UPDATE AND PURGE OS
sudo apt update && sudo apt upgrade --yes && sudo apt autoremove --yes && sudo apt autoclean
INSTALL RKHUNTER & SCAN OS
sudo apt install rkhunter --yes
a configuration will pop up; for the Postfix select "No configuration".
sudo rkhunter --check
INSTALL FAIL2BAN
sudo apt install fail2ban --yes
AUTOMATICALLY INSTALL APT SECURITY PACKAGES (unattended-upgrades)
sudo apt install unattended-upgrades --yes
unattended-upgrades: configuration files
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
# i.e. add auto clean 7 days interval
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
start and enable service
sudo systemctl start unattended-upgrades
sudo systemctl enable unattended-upgrades
check service (ctrl+c to exit)
sudo systemctl status unattended-upgrades
check configuration
sudo unattended-upgrades --dry-run --debug