Secure a Debian-based server
In this guide, I'm gonna show you how to secure your server with:
- Secure passwords
- Key-based ssh login
- A restrictive firewall
- Ban people trying to access to your server
- HTTPS certificates
- Nginx configuration
Step 0 : Requirements
This guide assumes you already have a working server with SSH installed both on your computer and on the server.
- A Debian(-based) server (you can use a raspberry pi or an old server to get one for free)
- A domain name (you can use No-Ip to get one for free)
- An SSH access to the server
Step 1 : Change the default passwords
The best option for that would be to use a random password generator and a password manager.
passwd
sudo passwd
Step 2 : Add your ssh key
This will prevent other people than you to access the server (with the next step as well), even if they know the password. So run the following commands on your computer to generate a key:
ssh-keygen -t ed25519 -C "<your email address>"
ssh-copy-id <user on the server>@<ip address of the server>
Step 3 : Disable password authentication
This will disable basic password authentication, so only people with verified keys and correct password will get access to the server. After changing the configuration, we're going to restart ssh.
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
sudo sed -i 's/ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config
sudo systemctl restart sshd
Step 4 : Install fail2ban
Fail2ban will block people that try to get into your server. You just have to install it, we're going to use the default configuration file.
sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Step 5 : Install ufw (firewall)
We're going to install ufw, which is a firewall rule parser.
sudo apt install ufw
Step 6 : Configure new rules with ufw
We're going to disallow any connection, except from three parts.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow www
sudo ufw allow 443/tcp
sudo ufw enable
Step 7 : Install "let's encrypt"
This will install the tool to get the HTTPS certificates for our domain name:
sudo apt install letsencrypt
Step 8 : Certify the domain name
Now we can use "let's encrypt" to create our certificate, but we first need to stop nginx and/or apache2.
sudo systemctl stop nginx apache2
certbot certonly --standalone -d <your domain name>
sudo systemctl start nginx apache2
Step 9 : Move the configuration file
We're going to overwrite the default nginx configuration file, so let's backup the existing one.
sudo mv /etc/nginx/sites-available/default /etc/nginx/sites-available/old
sudo nano /etc/nginx/sites-available/default
Step 10 : Creating the default configuration
You just have to paste the following configuration and change the relevant information:
server {
listen 80;
server_name <domain> www.<domain>;
return 301 https://<domain>$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
Step 11 : Restart nginx to apply the configuration
Congratulation, you now finished this tutorial, you'll just have to restart nginx for your last changes to take effect:
sudo systemctl restart nginx
Conclusion
Congrats! You now secured your server, to summarize, you now have:
- A secure root and user password
- A one-user only access to ssh (using keys)
- A restricive firewall (ufw)
- A way to ban people trying to get access to your server without authorization (fail2ban)
- A secure connection for users (letsencrypt), with an auto-redirection of http to https (nginx)