Pim de Greef

Debian webserver I: basic configuration

This tutorial, part of a series that will guide you in making a Debian webserver, will show you how to prepare your fresh Debian server installation. The tutorials work on Debian 10 (Buster) but will probably work on older versions and newer versions to come. Let’s start with some basic configuration: SSH, setting up an admin account, a firewall and fail2ban.

1. SSH
SSH into your server and update. Then, if needed (with a VPS you’ll get a root password from your provider), change the root password.
# apt update && apt upgrade
# passwd

Create a user with root privileges (sudo).
# adduser admin
# usermod -aG sudo admin

Switch to the new user (admin); ‘sudo whoami’ should return ‘root’, which confirms that this user has administrator privileges. Check that it works by opening a new session with the new user in a new tab or screen (ssh admin@serveripordomain). Do not close the old connection until you have verified that the new user works!
# su - admin
$ sudo whoami

Logged in as the user, change the default SSH port by removing the comment marker (#) in front of ‘Port’ and changing the port number (for example to 10000). Then change ‘PermitRootLogin’ to ‘no’.
$ sudo vim /etc/ssh/sshd_config

Restart the service and then test that it works by making a new connection in a new screen or tab with ‘ssh admin@serveripordomain -p 10000’. Close the old connection if it works.
$ sudo systemctl restart ssh

2. SSH keygen (optional but strongly recommended!)
Create an SSH key on the client computer and choose a password.
$ ssh-keygen -b 4096

Copy the key to the server, using the SSH port you chose in section 1.
$ ssh-copy-id -p 10000 admin@server

Log in with the new key. If this works, change the SSH config again to disallow password login. Set ‘PasswordAuthentication’ to ‘no’.
$ sudo vim /etc/ssh/sshd_config

Now restart the service. You should test this again.
$ sudo systemctl restart ssh

3. ufw (firewall)
Install ufw (Uncomplicated Firewall), a simple firewall solution.
$ sudo apt install ufw

Add the SSH port you chose in section 1.
$ sudo ufw allow 10000/tcp

Enable IPv6 if your provider supports it.
$ sudo sed -i 's/IPV6=no/IPV6=yes/g' /etc/default/ufw

Set default rules.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Set logging to low.
$ sudo ufw logging low

Enable the firewall and check the status. You should again check if this works by making a new SSH connection.
$ sudo ufw enable
$ sudo ufw status

4. fail2ban (intrusion prevention)
Install fail2ban, enable it at boot and start it. This is fairly simple but effective intrusion prevention software.
$ sudo apt install fail2ban
$ sudo systemctl enable fail2ban
$ sudo systemctl start fail2ban

I recommend making a portscan ‘definition’. This will help mitigate brute force attacks and (automated) scans. I also recommend learning more about fail2ban.

First let’s create an ‘action rule’. This is what actually blocks perpetrators. If this file already exists, leave it as it is.
$ sudo vim /etc/fail2ban/action.d/ufw.conf

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw deny in from <ip>
actionunban = ufw delete deny in from <ip>

Then we’ll have to make a ‘filter’. This will scan the firewall logs for blocked connections.
$ sudo vim /etc/fail2ban/filter.d/portscan.conf

[Definition]
failregex = UFW BLOCK.* SRC=<HOST>
ignoreregex =

Create your own additional configuration file. Together with the basic configuration in ‘/etc/fail2ban/jail.conf’ it makes up the full configuration, and it will persist throughout fail2ban updates. Enable the portscan jail and whitelist the local IP addresses (and your own?).
$ sudo vim /etc/fail2ban/jail.local

[portscan]
enabled = true
filter = portscan
logpath = /var/log/ufw.log
action = ufw
maxretry = 5

# local IPs
ignoreip =
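
To see what the portscan filter and maxretry = 5 do before relying on them, here is an added example (not part of the original tutorial and not fail2ban's own code) that applies the same failregex to constructed ufw.log lines. The IPv4-only stand-in for <HOST>, the 10-minute findtime, the 127.0.0.1 whitelist entry, the year and the helper names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real tag also
# matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"UFW BLOCK.* SRC=<HOST>".replace("<HOST>", HOST))

MAXRETRY = 5                       # from the portscan jail on this page
FINDTIME = timedelta(minutes=10)   # assumption: fail2ban's stock default
IGNOREIP = {"127.0.0.1"}           # assumption: example whitelist entry


def ufw_line(ts, src, dpt):
    """Build a constructed /var/log/ufw.log line (kernel log format)."""
    return (f"{ts} web kernel: [UFW BLOCK] IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.10 PROTO=TCP SPT=40000 DPT={dpt} SYN")


def banned_hosts(lines, year=2020):
    """Return IPs in the order the jail would ban them (year is assumed,
    because syslog timestamps do not carry one)."""
    hits = defaultdict(deque)
    banned = []
    for line in lines:
        m = FAILREGEX.search(line)
        if not m or m["host"] in IGNOREIP or m["host"] in banned:
            continue
        when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        window = hits[m["host"]]
        window.append(when)
        while when - window[0] > FINDTIME:   # drop hits older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:          # ban on the maxretry-th hit
            banned.append(m["host"])
    return banned


# Constructed sample: a fast scan, a slow scan, a whitelisted host, an ALLOW.
SAMPLE = (
    [ufw_line(f"Feb  3 10:15:0{i}", "203.0.113.7", 20 + i) for i in range(5)]
    + [ufw_line(f"Feb  3 1{i}:00:00", "203.0.113.99", 80) for i in range(5)]
    + [ufw_line(f"Feb  3 10:16:0{i}", "127.0.0.1", 22) for i in range(6)]
    + ["Feb  3 10:17:00 web kernel: [UFW ALLOW] IN=eth0 SRC=203.0.113.50 DPT=10000"]
)

if __name__ == "__main__":
    print(banned_hosts(SAMPLE))
```

The slow scan (one blocked packet per hour) never reaches five hits inside the window, so it is not banned. On the server itself, ‘fail2ban-regex /var/log/ufw.log /etc/fail2ban/filter.d/portscan.conf’ runs the real filter against the real log.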

I suggest that you add the following basic jails to the ‘/etc/fail2ban/jail.conf’ too, above the changes you made just now. We’ll talk about more fail2ban jails (for software we will install later) in another tutorial.

enabled = true
# or whichever port you chose in section 1
port = 10000

enabled = true
maxretry = 3

Now reload the configuration.
$ sudo systemctl reload fail2ban

Check the status of the fail2ban service and the status of the jails.
$ sudo systemctl status fail2ban.service
$ sudo fail2ban-client status
$ sudo fail2ban-client status sshd

That’s it for now.
