Initial System Setup

Last Edit: 2023.10.06

Debian / Ubuntu

Fedora / Rocky / RHEL

Overview

Post installation configuration for a freshly spun Linux server.

Assumptions

  • Logged in as root user.

Update

Before getting started, update package repositories. Consider upgrading them as well for the latest patches.

# Debian
apt update
apt upgrade
# Fedora
dnf check-update
dnf upgrade

Create Admin User

Create a non-root, administrative, sudo user for everyday use.

Verify Sudo

Sudo is included in many Linux distributions by default; verify it is installed.

# Debian
apt install sudo
# Fedora
dnf install sudo

Add User

Add a new user to the server; create a strong password when prompted. After creating the user password you will be asked for some optional user information (name, email, etc.).

adduser exampleuser

Add Sudo Group

Add the newly created user to the sudo group, granting them administrative privileges.

# Debian
usermod -aG sudo exampleuser
# Fedora
usermod -aG wheel exampleuser

After adding the user to the group, execute a given command with root privileges by prefacing it with sudo. Group membership is read at login, so the user must log in again (or start a new session with su) before the new group applies.

Limit SU Access

The substitute user command, su, allows users to gain the privileges of another system user. To prevent any abuse of this, limit which users can utilize this command. First switch to the new administrative user; the remaining commands in this guide are run through sudo.

su - exampleuser

Create a new system group and add your administrative user(s) to the group.

sudo groupadd suallow
sudo usermod -aG suallow exampleuser

Debian

Limit su command usage to the root user and suallow group using dpkg-statoverride. This sets the owner, group and mode of /bin/su (4750: setuid root, executable only by root and the suallow group) and records the override so that package upgrades preserve it.

sudo dpkg-statoverride --update --add root suallow 4750 /bin/su

Fedora

Using your editor of choice, create a new su-suallow-access file in the /etc/security directory.

sudo nano /etc/security/su-suallow-access

Add the exampleuser, and any other suallow group members, to the su-suallow-access file.

exampleuser

Open the su PAM configuration file.

sudo nano /etc/pam.d/su

Limit su command usage to the root user and suallow group by adding the following PAM rules. PAM evaluates rules in order, so place them above the existing auth substack system-auth line (the file already carries a commented-out pam_wheel.so example at that position).

auth required pam_wheel.so use_uid group=suallow
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-suallow-access

Secure OpenSSH

Secure the OpenSSH configuration. If setting up OpenSSH for the first time, verify the openssh-server package is on the system.

# Debian
sudo apt install openssh-server
# Fedora
sudo dnf install openssh-server

OpenSSH Config

Open the OpenSSH configuration file /etc/ssh/sshd_config.

sudo nano /etc/ssh/sshd_config

Below the port and listen address definitions, specify SSH protocol version 2. Current OpenSSH releases only implement protocol 2 and accept this directive for compatibility, so on a modern system it is a safeguard rather than a change.

Protocol 2

Disable SSH logins as the root user. If you administer the server remotely, verify that the administrative user can log in via SSH before applying this change, or you risk locking yourself out.

PermitRootLogin no

Limit the maximum number of login attempts for a single session.

MaxAuthTries 3

Enable client inactivity disconnection. sshd sends a keepalive probe every ClientAliveInterval seconds and drops the connection after ClientAliveCountMax consecutive unanswered probes. Note that this detects dead or unresponsive clients, not idle users: a client that is connected but idle still answers the probes and stays logged in.

# Probe every 120 seconds, drop after 3 unanswered probes (6 minutes)
ClientAliveInterval 120
ClientAliveCountMax 3

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd

Login Banner

The login banner presents a warning to any user who attempts to connect via SSH. This provides no tangible security benefit but may act as a deterrent. Set it however you like.

Open the /etc/issue.net file in your text editor of choice.

sudo nano /etc/issue.net

Populate the file with your desired login banner text. An example is provided below.

************************************************************
*                  AUTHORIZED ACCESS ONLY                  *
*                                                          *
*         All connections are logged and monitored         *
*       Disconnect if you are not an authorized user       *
*                                                          *
*                Thank you, have a nice day.               *
************************************************************

Enable the login banner in the OpenSSH config file.

sudo nano /etc/ssh/sshd_config

Search for the text #Banner none in the file, uncomment the line, and specify the banner file path.

Banner /etc/issue.net

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd
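Before restarting sshd it is worth checking what the daemon will actually enforce, since a typo in sshd_config can lock a remote administrator out. The script below is an added example, not part of this guide: it reads the effective configuration printed by sshd -T (keyword names lowercased, as sshd prints them) and flags any of the settings from the OpenSSH config and login banner sections that differ.

```sh
#!/bin/sh
# Added example (not part of the guide): compare the settings sshd actually
# loaded against the values set in the OpenSSH sections above. Run
# `sudo sshd -t` first: a syntax error would otherwise stop the service on restart.

# Expected values, keyed by the lowercase names that `sshd -T` prints.
EXPECTED="permitrootlogin=no;maxauthtries=3;clientaliveinterval=120;clientalivecountmax=3;banner=/etc/issue.net"

# check_sshd_settings FILE
#   FILE holds the output of `sshd -T` (the effective configuration).
#   Prints one line per deviation and returns 1 if any setting differs.
check_sshd_settings() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, ";")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        ($1 in want) { got[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in got)) {
                    printf "%s: not reported by sshd (want %s)\n", k, want[k]; bad = 1
                } else if (got[k] != want[k]) {
                    printf "%s: is %s (want %s)\n", k, got[k], want[k]; bad = 1
                }
            }
            exit bad
        }' "$1"
}

# Stand-alone use: audit the running daemon (sshd -T needs root to read host keys).
if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
    live=$(mktemp)
    if sshd -T > "$live" 2>/dev/null; then
        check_sshd_settings "$live" && echo "sshd matches the guide" || echo "sshd deviates from the guide"
    fi
    rm -f "$live"
fi
```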

Firewall Setup

A firewall is your first line of defense against malicious third parties. Only allow connections on the ports needed for the services your server provides. Reference common ports on Wikipedia’s port list.

Install Firewall Manager

Install a firewall policy manager for iptables/nftables configuration. On Debian-based systems use UFW (Uncomplicated Firewall), and on Fedora-based systems use Firewalld.

# Debian
sudo apt install ufw
# Fedora
sudo dnf install firewalld

Allow Remote SSH

If you are connecting to the server remotely, allow connections to the system SSH port (22 by default). Note that firewall-cmd talks to the firewalld daemon, so on Fedora it only works once firewalld is running; if the daemon has not been started yet, use firewall-offline-cmd with the same arguments instead.

# Debian
sudo ufw allow 22/tcp
# Fedora
sudo firewall-cmd --permanent --zone=public --add-port=22/tcp

Enable the Firewall

Enable the firewall to start enforcing the created rules. All incoming connections that aren’t explicitly allowed in the firewall will be denied. Check the firewall status to see what connections are currently being accepted.

# Debian
sudo ufw enable
sudo ufw status
# Fedora
sudo systemctl enable --now firewalld && sudo firewall-cmd --reload
sudo firewall-cmd --permanent --list-all
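Deciding which ports to allow starts with knowing what the server actually listens on. The script below is an added example, not part of this guide: it parses the output of ss -Hltn (listening TCP sockets, numeric, no header), ignores sockets bound to loopback, and lists the exposed ports that are not yet in your intended allow list so each one can be allowed, stopped, or bound to localhost before the firewall is enabled.

```sh
#!/bin/sh
# Added example (not part of the guide): list the TCP ports a server actually
# exposes, so the firewall allow list can be limited to those that are needed.
# Input is the output of `ss -Hltn` (listening TCP sockets, numeric, no header).

# exposed_tcp_ports FILE
#   Prints, one per line and sorted, every port bound to a non-loopback
#   address. Sockets on 127.0.0.0/8 or [::1] are skipped: they are not
#   reachable from the network and need no firewall rule.
exposed_tcp_ports() {
    awk '{
        addr = $4                        # Local Address:Port column
        i = match(addr, /:[0-9]+$/)      # last ":port"; header or odd lines have none
        if (i == 0) next
        port = substr(addr, i + 1)
        host = substr(addr, 1, i - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        if (!(port in seen)) { seen[port] = 1; print port }
    }' "$1" | sort -n
}

# unreviewed_tcp_ports FILE PORT...
#   Prints exposed ports that are not in the PORT list you intend to allow.
#   Each one is either a service to allow explicitly, or one to stop or bind
#   to localhost before enabling the firewall.
unreviewed_tcp_ports() {
    file=$1
    shift
    for p in $(exposed_tcp_ports "$file"); do
        allowed=0
        for a in "$@"; do
            if [ "$p" = "$a" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$p"
        fi
    done
    return 0
}

# Stand-alone use on the live system, with 22 as the only intended port:
if command -v ss >/dev/null 2>&1; then
    snapshot=$(mktemp)
    ss -Hltn > "$snapshot" 2>/dev/null
    echo "Listening TCP ports not yet reviewed:"
    unreviewed_tcp_ports "$snapshot" 22
    rm -f "$snapshot"
fi
```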