When setting up a new Debian server, it’s essential to harden it before deploying any services. This guide walks you through foundational steps to secure your system — from system updates and user setup to SSH hardening, firewall configuration, and optional protection tools.
Note: Some commands must be run as root or with sudo. Adjust paths or commands slightly depending on your Debian version.
1. Prepare the System
Start by updating the system to ensure all packages are current:
sudo apt-get update && sudo apt-get upgrade -y
If you prefer using Vim for editing configuration files:
sudo apt-get install vim -y
(Optional) Install Backup Tools: Restic & Rclone
These tools help automate encrypted backups to local or cloud storage.
sudo apt-get install restic -y
sudo restic self-update
curl -fsSL https://rclone.org/install.sh | sudo bash
2. Set the Correct Timezone
Having the correct time is essential for logs, cron jobs, and certificate validation.
sudo timedatectl set-timezone Europe/Berlin
sudo timedatectl
Replace Europe/Berlin with your timezone. You can list all available timezones using:
timedatectl list-timezones
3. Create a Secure Admin User
Instead of using the root account, create a dedicated user with sudo privileges:
sudo useradd -m -U -s /bin/bash -G sudo sysadmin
sudo passwd sysadmin
Now you can log in as sysadmin instead of root.
4. Harden SSH Access
SSH is your main remote access method — let’s make it more secure.
Open the SSH configuration file:
sudo vim /etc/ssh/sshd_config
Replace its contents with:
Include /etc/ssh/sshd_config.d/*.conf
Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4
AllowUsers sysadmin
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
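Then test the configuration and restart SSH. Keep your current session open until you have confirmed, from a second terminal, that you can still log in: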
sudo sshd -t
sudo systemctl restart sshd
sudo systemctl status sshd
Tip: Using a non-standard port like 29 reduces automated attacks on port 22.
5. Configure SSH Key Authentication (Recommended)
Password login works, but key-based authentication is far more secure.
On Your Local Machine
Generate an Ed25519 SSH key:
ssh-keygen -t ed25519 -f ~/.ssh/server
Optionally, update its comment:
ssh-keygen -c -C "server.example.com" -f ~/.ssh/server
Edit your local SSH config:
vim ~/.ssh/config
Add:
Host server
    HostName 0.0.0.0
    User sysadmin
    IdentityFile ~/.ssh/server
    Port 29
Replace 0.0.0.0 with your server’s IP or domain name.
Copy the key to your server:
ssh-copy-id -i ~/.ssh/server.pub server
Back on the Server
Re-edit the SSH config:
sudo vim /etc/ssh/sshd_config
Replace with this (note the key differences):
Include /etc/ssh/sshd_config.d/*.conf
Port 29
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 4
AllowUsers sysadmin
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 1
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Then run:
sudo sshd -t
sudo systemctl restart sshd
sudo systemctl status sshd
Password login is now disabled — only SSH keys are accepted.
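Because the file starts with `Include /etc/ssh/sshd_config.d/*.conf` and sshd uses the first value it obtains for each keyword, a drop-in file can override the settings above, and `sshd -t` only checks validity. The following added example (not part of the original guide) compares the effective configuration printed by `sshd -T` with the values from step 5; the function name `audit_sshd` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the *effective* sshd settings against step 5.
# Input: the output of `sshd -T` (one lowercase "keyword value" per line).

# Expected values, copied from the sshd_config shown in step 5.
EXPECTED='port 29
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
maxauthtries 3
allowusers sysadmin
allowtcpforwarding no
allowagentforwarding no
x11forwarding no'

# audit_sshd: reads `sshd -T` output on stdin, prints one line per deviation,
# returns 0 when every expected keyword matches and 1 otherwise.
audit_sshd() {
    effective=$(cat)
    rc=0
    while read -r key want; do
        # Take the value of the first line whose keyword matches.
        got=$(printf '%s\n' "$effective" |
              awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: expected "%s", effective "%s"\n' \
                   "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample: the expected settings, except that a drop-in file
# (hypothetical) has switched password logins back on.
SAMPLE_OVERRIDDEN=$(printf '%s\n' "$EXPECTED" |
    sed 's/^passwordauthentication no$/passwordauthentication yes/')

# Demo on the constructed sample; on a real server use:
#   sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd ||
    echo "effective sshd configuration deviates from step 5"
```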
6. (Optional) Protect with Fail2Ban
Fail2Ban blocks IPs after repeated failed login attempts.
Install and enable it:
sudo apt-get install fail2ban -y
sudo systemctl enable fail2ban
Copy the default configuration to jail.local and edit the copy:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vim /etc/fail2ban/jail.local
Update the following lines:
bantime.increment = true
bantime.multipliers = 1 2 4 8 16 32 64
bantime  = 300m
findtime  = 10m
maxretry = 3
[sshd]
enabled = true
port    = 29
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Restart and check status:
sudo systemctl restart fail2ban
sudo systemctl status fail2ban
sudo fail2ban-client status sshd
7. (Optional) Set Up a Firewall with UFW
UFW (Uncomplicated Firewall) is an easy and effective firewall for Debian.
Install it:
sudo apt-get install ufw -y
Allow SSH (or your custom port):
sudo ufw allow 29/tcp
Check and enable:
sudo ufw status verbose
sudo ufw enable
sudo ufw status verbose
Now only whitelisted ports are reachable from the outside world.
8. Enable Automatic Security Updates
Keeping security patches up to date is crucial for long-term safety.
sudo apt-get install unattended-upgrades apt-listchanges -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
This enables daily automatic security updates.
9. (Optional) Check System Integrity
Install a basic integrity monitoring tool:
sudo apt-get install debsums -y
sudo debsums -s
This checks for modified or corrupted system files.
Summary
Your Debian system is now significantly more secure:
- Updated system packages
- Non-root sudo user
- Hardened SSH configuration
- SSH key authentication
- Fail2Ban protection
- UFW firewall
- Automatic security updates
These basic hardening steps form a strong foundation for any Debian-based server. For even higher security, consider adding tools like Lynis, rkhunter, or system auditing with auditd.


