Some commands must be run as root or with sudo.
Adjust paths or commands slightly depending on your Debian version.
## Prepare the System
Start by updating the system to ensure all packages are current:

```bash
sudo apt-get update && sudo apt-get upgrade -y
```

If you prefer using Vim for editing configuration files:

```bash
sudo apt-get install vim -y
```

## Set the Correct Timezone
Having the correct time is essential for logs, cron jobs, and certificate validation.

```bash
sudo timedatectl set-timezone Europe/Berlin
sudo timedatectl
```

Replace Europe/Berlin with your timezone. You can list all available timezones using:

```bash
timedatectl list-timezones
```

## Create a Secure Admin User
Instead of using the root account, create a dedicated user with sudo privileges:

```bash
sudo useradd -m -U -s /bin/bash -G sudo sysadmin
sudo passwd sysadmin
```

Now you can log in as sysadmin instead of root.
## Securing SSH

SSH is your main remote access method — let’s make it more secure.

Open the SSH configuration file:

```bash
sudo vim /etc/ssh/sshd_config
```

Replace its contents with:

```
Include /etc/ssh/sshd_config.d/*.conf
Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4
AllowUsers sysadmin
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```

Then test and restart SSH:

```bash
sudo sshd -t
sudo systemctl restart sshd
sudo systemctl status sshd
```

Using a non-standard port like 29 cuts down the automated login attempts that target the default port 22.
## Configure SSH Key Authentication (Recommended)

### On Your Local Machine

Generate an Ed25519 SSH key:

```bash
ssh-keygen -t ed25519 -f ~/.ssh/server
```

Optionally, update its comment:

```bash
ssh-keygen -c -C "server.example.com" -f ~/.ssh/server
```

Edit your local SSH config:

```bash
vim ~/.ssh/config
```

Add:

```
Host server
    HostName 0.0.0.0
    User sysadmin
    IdentityFile ~/.ssh/server
    Port 29
```

Replace 0.0.0.0 with your server’s IP or domain name.

Copy the key to your server:

```bash
ssh-copy-id -i ~/.ssh/server.pub server
```

### Back on the Server
```bash
sudo vim /etc/ssh/sshd_config
```

Replace with this (note the key differences):

```
Include /etc/ssh/sshd_config.d/*.conf
Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4
AllowUsers sysadmin
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```

Then run:

```bash
sudo sshd -t
sudo systemctl restart sshd
sudo systemctl status sshd
```

Password login is now disabled — only SSH keys are accepted. Because the Include line comes first and sshd keeps the first value it reads for each keyword, make sure no file in /etc/ssh/sshd_config.d/ still sets PasswordAuthentication yes (some cloud images ship one); sudo sshd -T prints the values actually in effect.
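As an added check that is not part of the original guide, the following script compares the effective sshd configuration, which sshd -T prints after merging every Include file, against the values set above and flags any that did not take effect. Both sshd -T samples embedded in it are constructed, and the filename check_sshd.sh is assumed.

```shell
#!/bin/sh
# Compare the effective sshd configuration (what `sshd -T` prints after all Include
# files are merged) with the hardened values set above. On the server:
#   sudo sshd -T > /tmp/effective.txt && sh check_sshd.sh /tmp/effective.txt
# Run without an argument it checks the two constructed samples below instead.

# Values this guide expects to be in effect (sshd -T prints keywords in lowercase).
EXPECTED='port 29
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
maxauthtries 3
allowusers sysadmin'

# check_effective FILE: FILE holds `sshd -T` output. Prints one MISMATCH line per
# deviation and returns 0 only if every expected value is in effect.
check_effective() {
    rc=0
    while read -r key want; do
        # sshd -T prints each keyword once; the rest of that line is its value.
        got=$(awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: effective "%s", expected "%s"\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample 1: the configuration above applied cleanly (same lines as EXPECTED).
SAMPLE_HARDENED=$EXPECTED
# Constructed sample 2: a drop-in in /etc/ssh/sshd_config.d/ re-enabled passwords. It is
# read first through the Include line, and sshd keeps the first value it sees per keyword.
SAMPLE_DROPIN=$(printf '%s\n' "$EXPECTED" | sed 's/^passwordauthentication no$/passwordauthentication yes/')

# run_sample NAME CONTENT: write CONTENT to a temp file, check it and report the verdict.
run_sample() {
    f=$(mktemp); printf '%s\n' "$2" > "$f"
    if check_effective "$f"; then echo "$1: OK"; else echo "$1: NOT hardened"; fi
    rm -f "$f"
}

if [ -n "${1:-}" ]; then check_effective "$1" && echo "OK: hardened settings are effective"
else run_sample hardened "$SAMPLE_HARDENED"; run_sample dropin "$SAMPLE_DROPIN"; fi
```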
## (Optional) Protect with Fail2Ban

Fail2Ban blocks IPs after repeated failed login attempts.

```bash
sudo apt-get install fail2ban -y
sudo systemctl enable fail2ban
```

Back up and edit the configuration:

```bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vim /etc/fail2ban/jail.local
```

Update the following lines:

```
bantime.increment = true
bantime.multipliers = 1 2 4 8 16 32 64
bantime = 300m
findtime = 10m
maxretry = 3

[sshd]
enabled = true
port = 29
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```

Restart and check status:

```bash
sudo systemctl restart fail2ban
sudo systemctl status fail2ban
sudo fail2ban-client status sshd
```

## (Optional) Set Up a Firewall with UFW
UFW (Uncomplicated Firewall) is an easy and effective firewall for Debian.

Install it, then allow SSH (or your custom port) before enabling the firewall so you don't lock yourself out:

```bash
sudo ufw allow 29/tcp
```

Check and enable:

```bash
sudo ufw status verbose
sudo ufw enable
sudo ufw status verbose
```

Now only whitelisted ports are reachable from the outside world.
## Enable Automatic Security Updates

Keeping security patches up to date is crucial for long-term safety.

```bash
sudo apt-get install unattended-upgrades apt-listchanges -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
```