Debian server

Table of Contents

1. Description

Setting up the base of a new Debian server

2. Connecting to the remote

Before connecting to the remote we need to set up SSH on the local host

2.1. Generating a new SSH key pair

For example when creating a new key pair for the foobar server

ssh-keygen -t ed25519 -f ~/.ssh/foobar_id_ed25519 -C "alan@$hostname to alan@foobar"

2.2. SSH client configuration

The configuration to enable connecting with this command: ssh foobar

NOTE: Set User to root if needed

# ~/.ssh/config
Host foobar
  User alan
  Hostname 192.168.1.29
  Port 22
  IdentityFile /home/alan/.ssh/foobar_id_ed25519
  IdentitiesOnly yes

2.3. Copy the public key

The idea is to connect using public key authentication; for that we need to copy the public key to foobar

  • Writing foobar on the command line uses the Host foobar entry in ~/.ssh/config
  • Specifying -i copies only this specific public key to foobar

ssh-copy-id -i ~/.ssh/foobar_id_ed25519.pub foobar

2.4. Connect to the remote

ssh foobar

3. Server configuration

3.1. Configure the non-root user if needed

3.1.1. Install sudo package

apt update
apt install sudo

3.1.2. Create the user’s home directory, add additional groups and set the login shell to bash

useradd -m -G adm,sudo -s /bin/bash alan

3.1.3. Enter new password

passwd alan

3.2. Configure sshd

3.2.1. Edit /etc/ssh/sshd_config.d/00-HOSTNAME.conf

See sshd template from ansible-dotfiles repository

3.2.2. Restart sshd to apply the changes

NOTE: Before restarting the sshd.service it might be a good idea to have another window connected to the foobar server

systemctl restart ssh

3.2.3. Test the configuration changes

To make sure everything works, connect to the foobar server in another window while following the logs

journalctl -fu ssh

3.3. Configure the firewall with ufw

See ufw

3.3.1. Install ufw package

apt update
apt install ufw

3.3.2. Explicitly block incoming traffic by default

ufw default deny incoming

3.3.3. Allow incoming traffic to specific port

ufw allow proto tcp from any to any port 1234

3.3.4. Enable and start ufw

ufw enable
systemctl enable --now ufw
systemctl status ufw

3.3.5. Restart ufw to make sure everything works

Before restarting ufw it might be a good idea to have another window connected to the foobar server

ufw reload
systemctl restart ufw

3.4. Check for any unwanted open ports

ss -taup
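A check for this step, added here and not part of the original notes: compare the sockets ss(8) reports against the ports opened in ufw (22 for sshd plus 1234 from 3.3.3) and print anything else that is reachable from the network. The ss output embedded below is a constructed sample, and the function name is mine.

```sh
#!/bin/sh
# Added example: flag listening sockets whose port is not in the ufw allow list.
# Constructed sample of `ss -tulpnH` output (header suppressed); not captured
# from a real host.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=612,fd=4))
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=890,fd=7))
tcp   LISTEN 0      511          0.0.0.0:1234      0.0.0.0:*    users:(("myapp",pid=1201,fd=5))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=480,fd=6))'

# unexpected_listeners "ALLOWED_PORTS" [SS_OUTPUT]
# Prints "proto local-address process" for every socket bound to a non-loopback
# address whose port is not in the space-separated ALLOWED_PORTS list.
# Without a second argument it reads the live system with `ss -tulpnH`.
unexpected_listeners() {
    allowed="$1"
    input="${2:-$(ss -tulpnH)}"
    printf '%s\n' "$input" | awk -v allowed="$allowed" '
        BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
        NF >= 5 {
            proto = $1; laddr = $5; proc = $7
            # the port follows the last colon, which handles both 0.0.0.0:22 and [::]:22
            n = split(laddr, parts, ":"); port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            # loopback-only sockets are not reachable from the network; skip them
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (!(port in ok)) print proto, laddr, proc
        }'
}

# Ports the ufw rules in 3.3 are meant to expose: sshd plus the service on 1234.
unexpected_listeners "22 1234" "$SAMPLE_SS"
```

On the sample this reports only the DHCP client socket on udp 0.0.0.0:68; anything similar on a real host is worth a look before relying on the ufw rules alone.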

3.5. Configure unattended-upgrades

3.6. General configuration

3.6.1. System clock synchronization

sudo apt install systemd-timesyncd

The change can be checked with this command

timedatectl

3.6.2. Timezone

sudo timedatectl set-timezone Europe/Paris

3.6.3. Locales

Reconfigure the locales package with dpkg-reconfigure(8) to generate new locales

sudo dpkg-reconfigure locales

3.6.4. Hostname

sudo hostnamectl set-hostname foobar

You might also need to edit /etc/hostname and /etc/hosts

Example of /etc/hosts content

127.0.0.1 localhost
127.0.1.1 foobar.localhost foobar

3.6.5. Default editor

Select the default editor when using sudo

sudo update-alternatives --config editor

3.6.6. Install packages

sudo apt install htop man-db rsync

3.7. Install any pending updates and reboot

apt update
apt upgrade
reboot