Complete Initial Security Configuration Guide for Linux Servers (Debian/Ubuntu)

Complete Initial Security Configuration Guide for Linux Servers (Debian/Ubuntu)

This guide outlines the essential initial security configuration steps for Debian/Ubuntu Linux servers. While commands may differ slightly for other distributions (e.g., CentOS/RHEL), the core principles remain the same.

Step 1: Log in as Root and Change Password

Connect to your server via SSH as the root user (replace the example IP with your server's actual IP address).

ssh root@your_server_ip

Accept the host key warning upon first connection by typing yes. Once logged in, immediately change the root password:

passwd

Step 2: Create a Standard User with Sudo Privileges

For security, avoid using the root account for daily tasks. Create a new standard user and grant administrative privileges.

1. Create a new user group (e.g., admin):

groupadd admin

2. Create a new user (e.g., bill), specifying home directory and default shell:

useradd -d /home/bill -s /bin/bash -m bill

Parameter explanation: -d sets home directory, -s sets login shell, -m creates the home directory.

3. Set a password for the new user:

passwd bill

4. Add the user to the admin group:

usermod -a -G admin bill

5. Configure sudo privileges. Use the visudo command to safely edit the /etc/sudoers file:

visudo

Find a line similar to root ALL=(ALL:ALL) ALL and add a line below it to grant privileges. Two common configurations:

• sudo without password (convenient but less secure):

  bill    ALL=(ALL) NOPASSWD: ALL

• sudo with password (recommended, more secure):

  bill    ALL=(ALL:ALL) ALL

6. After configuration, exit the root session and log in with the new user to test permissions:

exit
ssh bill@your_server_ip

Step 3: Harden SSH Security Configuration

1. Configure SSH Key Authentication: Ensure your local machine has an SSH key pair (~/.ssh/id_rsa.pub and ~/.ssh/id_rsa). If not, generate one locally with ssh-keygen.

Upload your public key to the server. Use ssh-copy-id if available:

ssh-copy-id -p 22 bill@your_server_ip

Alternatively, manually append the public key to the server's ~/.ssh/authorized_keys file.

2. Modify SSH Configuration: Log in as the new user (bill), backup and edit the SSH daemon configuration file:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
sudo nano /etc/ssh/sshd_config

Apply these key changes (ensure lines are uncommented, i.e., no # at the start):

# Change default port (e.g., to 25000)
Port 25000

# Use only SSH protocol version 2
Protocol 2

# Disable direct root login via SSH
PermitRootLogin no

# Disable password authentication, enforce key-based login
PasswordAuthentication no

# Enable public key authentication
PubkeyAuthentication yes

# Specify authorized keys file location
AuthorizedKeysFile .ssh/authorized_keys

# Optional: Disable DNS reverse lookup for faster connections
UseDNS no

# Optional: Allow only specific users (e.g., bill)
AllowUsers bill

Important: Before setting PasswordAuthentication to no, ensure your SSH key login is fully configured and tested, otherwise you may be locked out.

3. Set Correct File Permissions:

sudo chmod 700 ~/.ssh
sudo chmod 600 ~/.ssh/authorized_keys

4. Restart SSH Service:

sudo systemctl restart ssh  # For systemd systems
# Or
sudo service ssh restart     # For SysV init systems

5. (Optional) Configure Local SSH Client: Add the following to your local machine's ~/.ssh/config file to simplify connections:

Host your_server_alias
    HostName your_server_ip
    User bill
    Port 25000

After configuration, connect using ssh your_server_alias.

Step 4: Basic System Configuration

1. Set System Locale: Ensure the system locale uses UTF-8 encoding to prevent software character issues.

sudo locale-gen en_US.UTF-8  # Generate required locale
sudo update-locale LANG=en_US.UTF-8  # Set default locale (English example)

2. Update System Packages:

sudo apt update
sudo apt upgrade -y

Additional Security Recommendations

After completing the basic configuration, consider these steps to further enhance server security:

• Configure a Firewall: Use ufw (Uncomplicated Firewall) or iptables to open only necessary ports (e.g., new SSH port, HTTP/HTTPS).
• Install Fail2Ban: Automatically block IP addresses with repeated failed login attempts.
• Regular Updates and Monitoring: Set up automatic security updates and monitor system logs.

Note: The configurations provided are general recommendations. In a production environment, adjust them according to your specific security policies and requirements. Before making any critical configuration changes (especially to SSH), keep an active SSH session open to allow recovery if the new settings prevent connection.