Here are the steps I use to set up and configure a fresh install of Debian on a server.
- Log in as root: `ssh root@<ip or domain.tld>`
- Change the root password: `passwd`
- Update the system: `apt update && apt upgrade`
- Configure timezone: `dpkg-reconfigure tzdata`
- Configure locales: `dpkg-reconfigure locales`
- Install your favourite text editor (here nano) and make it the default: `apt install nano`, then `update-alternatives --config editor`
Now, create the user you will be working as day to day, and give this user the right to run commands that require root privileges:
- Create new user: `adduser <username>`
- If sudo is not installed: `apt install sudo`
- Add your user to the sudo group: `usermod -aG sudo <username>`
- Now, try to log in from a second terminal using that user.
- Optional (but strongly recommended): add your public key so you can log in without a password: `ssh-copy-id <username>@<server IP/domain>`
Now that you have your own user, let’s harden the SSH daemon by changing the port and restricting root access from the outside.
- Edit the SSHD config: `nano /etc/ssh/sshd_config`
- Change `Port` to something other than the default `22`
- Change `PermitRootLogin` to `no`
- If you want to disable logins by password and only allow key-based authentication, change `PasswordAuthentication` to `no`
- Restart SSHD: `sudo systemctl restart ssh`
- Important: before you close your current session, try to log in from another terminal to ensure it is working as intended (use `ssh -p <newPort>` if you changed the port)
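The three `sshd_config` changes above, as an added example that is not part of the original post: a small POSIX shell helper that rewrites the directives in place. It handles the commented-out form Debian ships (`#Port 22`), which a naive search for `Port 22` would miss, and appends a directive that is missing altogether. The function names are my own.

```shell
#!/bin/sh
# Added example: apply the post's three sshd_config changes to a given file.
# Debian ships the directives commented out ("#Port 22"), so the helper matches
# both commented and active lines and appends the directive if none exists.
set -eu

# set_sshd_option FILE KEY VALUE
# Replace every active or commented "KEY ..." line with "KEY VALUE";
# append "KEY VALUE" if the file has no such line at all.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE PORT
# The three changes from the post: new port, no root login, keys only.
harden_sshd_config() {
    file=$1; port=$2
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
}

# effective_sshd_option FILE KEY
# Print the value of the first active KEY line (sshd keeps the first value it
# sees for a directive), or nothing if the directive is not set.
effective_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}
```

Run `sshd -t` after editing and before the restart so that a syntax error does not leave you locked out; on recent Debian releases the file also begins with `Include /etc/ssh/sshd_config.d/*.conf`, and because sshd keeps the first value it sees, a directive in one of those included files wins over the one you set here.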
Now, install a firewall (here ufw) to only open the ports that you really need:
- Install ufw: `apt install ufw`
- Create a rule to allow the SSH port: `ufw allow <sshPort>/tcp` (if you use the default port you can also use `ufw allow OpenSSH`)
- You can also rate limit a port (an address that attempts 6 or more connections within 30 seconds is denied): `ufw limit <port>/tcp`
- Ensure that your rule is correct, otherwise you will lock yourself out in the next step
- Enable ufw: `ufw enable`
- Try to log in from another terminal to verify it is still working.
That’s pretty much it. You might also want to set up msmtp so that you receive email from your system, cron etc. There are also the following packages I find useful and install:
- htop: Lets you interactively monitor system resources and processes.
- icdiff: A nice tool providing side-by-side comparison with color highlighting.
- dnsutils: Essential for diagnosing and testing networking problems. For example, it provides dig.
- ntp: Time synchronization.
- curl
- ncdu: Nice tool to find big files.
- tree: A nice tool to show directories in a tree-like format.