Initial Server Setup with Debian 10

Estimated reading time: 5 min

Introduction

In this tutorial, we will have a look at a few important tasks to perform in the server for setting up the server and basic server hardening. These steps will increase the security of your server as well as usability. We will perform a series of tasks such as creating a new sudo user, updating packages, setting timezone and securing SSH servers, etc.

Prerequisites

Step 1: Log in via SSH

When your server is created Snel sends you an email with the default username, password, and server IP address. For first time login, you need to use those credentials to log in to your server.

If you’re not familiar with how to connect please have a look at our “How to connect to your server with SSH” article.

Step 2: Change Logged in User Password

Upon the first login, it is very important to change the password of the current user. Use the following command for the same.

passwd

It will ask you to provide your existing password unless you are logged in as the root user.

Step 3: Create a New Sudo User

If you are logged in as root user, it is recommended to create a sudo user. If you are logged in as sudo user with username in format client_xxxxxx_x, which Snel already created for you, it is still a best practice to create a new sudo user.

A Sudo user is a user having superuser privileges. In simple terms, this user can perform administrative commands and tasks as the root user.

To create a new user, run the following command. You can replace the example username happysnel with anything you like.

sudo adduser happysnel

Note: You can omit using sudo command if you are logged in as root user. Provide the required information such as your name and password and a user will be created for you.

[email protected]:~$ sudo adduser happysnel
Adding user `happysnel' ...
Adding new group `happysnel' (1001) ...
Adding new user `happysnel' (1001) with group `happysnel' ...
Creating home directory `/home/happysnel' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for happysnel
Enter the new value, or press ENTER for the default
	Full Name []: Happy Snel
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y

Add your newly created user to the sudo group. Users in the sudo group are sudo user in Debian 10.

sudo usermod -aG sudo happysnel

Step 4: Logging in as the Newly Created User

Exit from the current terminal session by running the logout command and log in again using ssh as the new user.

ssh [email protected]

192.168.0.1 is an example IP address.

Step 5: Disable Root Login via SSH

Find the current setting for root login via SSH by running the following command.

sudo cat /etc/ssh/sshd_config | grep PermitRootLogin

You might see the following output.

[[email protected] ~]$ sudo cat /etc/ssh/sshd_config | grep PermitRootLogin
PermitRootLogin without-password
# the setting of "PermitRootLogin without-password".

As in the above output, it is set to without-password. It means that password authentication is disabled, however, public-key authentication is enabled. Which is fine in most cases. Make sure, it should not be commented out or should not be set to yes.

To completely disable root login, edit the file by running the following command.

sudo nano /etc/ssh/sshd_config

And change the line to the following.

PermitRootLogin no

Save the file and restart the SSH server by running the following command.

sudo systemctl restart sshd

Now, if you will try to login as the root user, it will not let you in.

Step 6: Update Your Server

It is important to install the latest security patches and updates to your server. Run the following command to update the local package lists.

sudo apt-get update

Now, update the packages.

sudo apt-get -y upgrade

Note: If you get any prompts saying an updated package or file is available, but the installed version is modified. Choose keep the local version currently installed option.

Step 7: Setting timezone

You may want your server in the same timezone as you. Run the following command to get a list of available timezones.

timedatectl list-timezones

The list of available timezones is also available here.

Once you have identified your timezone, set it using the following command.

sudo timedatectl set-timezone Europe/Amsterdam

You can confirm the timezone by running the following command.

timedatectl

Step 8: Set Hostname

Check your existing hostname by running the following command.

hostnamectl

You should see a similar output.

[email protected]:~$ hostnamectl
   Static hostname: vps.snelexample.site
         Icon name: computer-vm
           Chassis: vm
        Machine ID: cfc70e29ed8440108dfa33dd59160dc9
           Boot ID: 3ccca50362244cf7a001d1c45d41223f
    Virtualization: kvm
  Operating System: Debian GNU/Linux 10 (buster)
            Kernel: Linux 4.19.0-5-amd64
      Architecture: x86-64

To set a hostname, run the following command.

sudo hostnamectl set-hostname host.snelexample.site

Replace host.snelexample.site with your actual hostname. Preferably, it should be an FQDN(Fully Qualified Domain Name). But, if you are not sure if you want to add an FQDN, a label to identify the server also works.

To resolve the hostname in your local server, you will need to add it to /etc/hosts file. Edit the hosts file by running the following command.

sudo /etc/hosts

Append your hostname at the end of the line that starts with 127.0.0.1. For example.

127.0.0.1    localhost host.snelexample.site

Step 9: Configure a Firewall

Debian 10 does not come with a default firewall installed. You can install UFW(Uncomplicated Firewall) by running the following command.

sudo apt-get -y install ufw

First, deny access to all incoming traffic by running the command.

sudo ufw default deny incoming

Also, allow access to all outgoing traffic by running the command.

sudo ufw default allow outgoing

Now, that our default policy is created, let’s allow default SSH port 22 through the firewall. Run the command.

sudo ufw allow 22

You can also run :

sudo ufw allow ssh

As UFW knows that the default port for SSH is 22.

Now, that all our rules are in place, start the UFW firewall by running.

sudo ufw enable

It will ask you for the confirmation, as enabling UFW may disrupt the existing SSH connection. You can go ahead and press y as we already opened port 22 through the firewall. You will get a similar output.

[email protected]:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

You can view the status of the firewall by running the command.

sudo ufw status

You should see a similar output.

[email protected]:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             

Step 10: SSH Port Change (Optional)

Malicious bots on the internet continuously target the default SSH port 22. You can change it to any other port so that your server is not a victim of continues attacks of bots on port 22. To change the SSH port, open the SSH configuration file again by running the following command.

sudo nano /etc/ssh/sshd_config

Find the line which says

#Port 22

Uncomment it and change it to any port you like between 1024 to 65535.

Eg.

Port 2200

Save the file and exit from the editor.

Open port 2200 from the firewall by running the command.

sudo ufw allow 2200

Since, we no longer need port 22 open, block it using the command.

sudo ufw delete allow 22
sudo ufw delete allow ssh

Now, restart the SSH server by running the following command.

sudo systemctl restart sshd

Also, reload the UFW firewall rules by running the command.

sudo ufw reload

Now, if you will try to login from another terminal without specifying a port, it will not let you in. Modify the SSH command to log in to include the port number.

ssh -p 2200 [email protected]

192.168.0.1 is an example IP address.

Step 11: Reboot

Now that we have gone through updating the packages and configuring the server. Give the server a reboot so that if there are any pending changes, it will be applied.

sudo reboot

Conclusion

In this tutorial, we have learned how to set up a sudo user on newly created Debian 10 instances. We configured hostname, time zone and updated the packages. We also secured our SSH server from basic break-ins.

Was this article helpful?
Dislike 0
Views: 14

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

snel-knowledgebase