Initial Server Setup

Updated: 2022.11.23

Overview

This guide covers Debian / Ubuntu and Fedora / Rocky / RHEL; where the commands differ, both variants are given.

After installing Linux on your server, there are some initial configuration tasks that should be completed to create a solid framework for your given application.

Assumptions

  • Linux OS installation completed.
  • Logged in as root user.
  • User exampleuser is used as example.

Update

Before getting started, update package repositories.

# Debian
apt update
# Fedora
dnf check-update

Create Admin User

Create a non-root, administrative, sudo user for everyday use.

Verify Sudo

Sudo is included in many Linux distributions by default; verify it is installed.

# Debian
apt install sudo
# Fedora
dnf install sudo

Add User

Add a new user to the server; create a strong password when prompted. After creating the user password you will be asked for some optional user information (name, email, etc).

adduser exampleuser

Add Sudo Group

Add the newly created user to the sudo group, granting them administrative privileges.

# Debian
usermod -aG sudo exampleuser
# Fedora
usermod -aG wheel exampleuser

After adding the user to the group, you will be able to execute a given command with root privileges by prefacing it with sudo.

Limit SU Access

The substitute user command is used to switch to a different system user. Switch over to the non-root user for continued system configuration.

su - exampleuser

Usage of the su command allows users to gain the privileges of another system user. To prevent any abuse of this, limit which users can utilize this command. Refer to the

Create a new system group and add your administrative user to the group.

sudo groupadd suallow && sudo usermod -aG suallow exampleuser

Debian

Limit su command usage to the root user and the suallow group using dpkg-statoverride, which sets the owner, group and mode of /bin/su persistently across package upgrades.

sudo dpkg-statoverride --update --add root suallow 4750 /bin/su

Fedora

Using your editor of choice, create a new su-suallow-access file in the /etc/security directory.

sudo nano /etc/security/su-suallow-access

Add the exampleuser, and any other suallow group members, to the su-suallow-access file.

exampleuser

Open the su PAM configuration file.

sudo nano /etc/pam.d/su

Limit su command usage to the root user and suallow group by adding the following PAM rules.

auth required pam_wheel.so use_uid group=suallow
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-suallow-access
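The two restrictions above (the Debian file-mode override and the Fedora PAM rules) are easy to get subtly wrong, for example by leaving the PAM lines commented out. Below is an added example, not part of the original page, of two small audit functions a practitioner can run after applying either step. It assumes a POSIX shell with grep and mktemp; the two PAM files it writes are constructed samples used only to exercise the checks without touching /etc.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers for the su
# restrictions above. Constructed sample PAM files are written to a temp
# directory so the checks can be exercised without touching /etc.

# audit_su_binary MODE GROUP
# Debian check. MODE and GROUP are the two fields printed by
#   stat -c '%a %G' /bin/su
# Passes only for the dpkg-statoverride result: setuid root, group suallow,
# and no execute bit for "other" (mode 4750).
audit_su_binary() {
  [ "$1" = "4750" ] && [ "$2" = "suallow" ]
}

# audit_su_pam FILE
# Fedora check. Passes only when FILE contains both rules from the step
# above as uncommented "auth required" lines (leading whitespace allowed).
audit_su_pam() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]].*group=suallow' "$1" &&
  grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_listfile\.so[[:space:]].*sense=allow.*onerr=fail.*file=/etc/security/su-suallow-access' "$1"
}

# Constructed samples for demonstration.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PAM_GOOD="$SAMPLE_DIR/su.good"
SAMPLE_PAM_BAD="$SAMPLE_DIR/su.bad"

cat > "$SAMPLE_PAM_GOOD" <<'EOF'
#%PAM-1.0
auth    required    pam_wheel.so use_uid group=suallow
auth    required    pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-suallow-access
auth    substack    system-auth
EOF

# Same rules, but commented out: an easy mistake that leaves su unrestricted.
cat > "$SAMPLE_PAM_BAD" <<'EOF'
#%PAM-1.0
#auth   required    pam_wheel.so use_uid group=suallow
auth    sufficient  pam_rootok.so
auth    substack    system-auth
EOF

# Live checks (Debian: first line; Fedora: second line):
#   audit_su_binary $(stat -c '%a %G' /bin/su) && echo "su binary restricted"
#   audit_su_pam /etc/pam.d/su && echo "su PAM rules present"
```

The binary check takes its two arguments from stat rather than calling stat itself, so the same function can be pointed at a saved inventory of file modes collected from many hosts. The PAM check deliberately requires the control flag to be "required": a rule written as "sufficient" or "optional" would not block su for users outside suallow.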

Firewall Setup

A firewall is your first line of defense against a malicious third-party. You should only allow connections on the ports you need for the services your server is serving. Common ports include: 22 (SSH), 80 (HTTP), 443 (HTTPS).

Install Firewall Manager

Install a firewall policy manager for iptables/nftables configuration. On Debian-based systems use UFW (Uncomplicated Firewall) and on Fedora-based systems use Firewalld.

# Debian
sudo apt install ufw
# Fedora
sudo dnf install firewalld

Allow Remote SSH

If you are connecting to the server remotely, allow connections to the system SSH port - 22 by default.

# Debian
sudo ufw allow 22/tcp
# Fedora
sudo firewall-cmd --permanent --zone=public --add-port=22/tcp

Enable the Firewall

Enable the firewall to start enforcing the created rules. All incoming connections that aren’t explicitly allowed in the firewall will be denied. Check the firewall status to see what connections are currently being accepted.

Debian

sudo ufw enable
sudo ufw status

Fedora

# enable at boot and start now, then load the permanent rules
sudo systemctl enable --now firewalld && sudo firewall-cmd --reload
sudo firewall-cmd --permanent --list-all

Secure OpenSSH

Verify the openssh-server package is on the system.

# Debian
sudo apt install openssh-server
# Fedora
sudo dnf install openssh-server

OpenSSH Config

Open the OpenSSH configuration file /etc/ssh/sshd_config.

sudo nano /etc/ssh/sshd_config

Remove the leading # from any option you modify, and make sure any option you add is not commented out; sshd ignores commented lines.

Below the port and listen address definitions, specify SSH protocol version 2.

Protocol 2

Disable SSH logins as the root user. If you are connected remotely, verify that you are logged in as the non-root user before applying this, or you may lock yourself out.

PermitRootLogin no

Limit the maximum number of login attempts for a single session.

MaxAuthTries 3

Enable client inactivity disconnection. This will automatically disconnect any SSH connections that have been inactive for a specified amount of time (in seconds).

# 10 Minutes
ClientAliveInterval 200
ClientAliveCountMax 3

At the end of the configuration file, specify which users are allowed to login via SSH.

# Allowed Users
AllowUsers exampleuser

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd

Login Banner

The login banner presents a warning to any user who attempts to connect via SSH. This provides no tangible security benefit but may act as a deterrent. Set it however you like.

Open the /etc/issue.net file in your text editor of choice.

sudo nano /etc/issue.net

Populate the file with your desired login banner text. An example is provided below.

************************************************************
*                  AUTHORIZED ACCESS ONLY                  *
*                                                          *
*         All connections are logged and monitored         *
*       Disconnect if you are not an authorized user       *
*                                                          *
*                Thank you, have a nice day.               *
************************************************************

Enable the login banner in the OpenSSH config file.

sudo nano /etc/ssh/sshd_config

Search for the text #Banner none in the file, uncomment the line, and specify the banner file path.

Banner /etc/issue.net

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd
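A common failure with the sshd_config edits in the two sections above (hardening options and the banner) is that sshd uses the first value it finds for a keyword, so a line added at the end of the file loses to an earlier one, including lines pulled in by an Include directive such as the /etc/ssh/sshd_config.d/*.conf include that recent Debian and Ubuntu releases place at the top of the file. The script below is an added example, not part of the original page, of a checker that reproduces that first-match rule for a single file. It assumes a POSIX shell with awk and mktemp; the two configuration files it writes are constructed samples. It does not follow Include directives, so the authoritative view of the running server's settings remains sudo sshd -T.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config against the
# settings applied above. sshd takes the FIRST value it sees for a keyword, so
# a hardened line near the bottom loses to an earlier one; this checker
# reproduces that rule. Include directives are not followed; confirm the
# effective configuration with:  sudo sshd -T

# sshd_value KEYWORD FILE
# Prints the first uncommented value for KEYWORD (case-insensitive, as sshd
# matches keywords) and returns 1 if the keyword is absent.
sshd_value() {
  awk -v key="$1" '
    $1 !~ /^#/ && tolower($1) == tolower(key) { sub(/^[^ \t]+[ \t]+/, ""); print; found = 1; exit }
    END { exit !found }
  ' "$2"
}

# audit_sshd FILE
# Returns 0 only when every setting from the steps above is in effect.
# Prints one line per failing check so the output is usable in a script.
audit_sshd() {
  f=$1; rc=0
  [ "$(sshd_value PermitRootLogin "$f")" = "no" ] || { echo "PermitRootLogin is not 'no'"; rc=1; }
  tries=$(sshd_value MaxAuthTries "$f") || tries=6          # sshd default when unset
  [ "$tries" -le 3 ] || { echo "MaxAuthTries is $tries (want <= 3)"; rc=1; }
  interval=$(sshd_value ClientAliveInterval "$f") || interval=0   # sshd default when unset
  [ "$interval" -gt 0 ] || { echo "ClientAliveInterval not set"; rc=1; }
  sshd_value AllowUsers "$f" >/dev/null || { echo "AllowUsers not set"; rc=1; }
  sshd_value Banner "$f" >/dev/null || { echo "Banner not set"; rc=1; }
  return $rc
}

# Constructed samples for demonstration.
SAMPLE_DIR=$(mktemp -d)
SSHD_GOOD="$SAMPLE_DIR/sshd_config.good"
SSHD_BAD="$SAMPLE_DIR/sshd_config.bad"

cat > "$SSHD_GOOD" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
MaxAuthTries 3
# 10 Minutes
ClientAliveInterval 200
ClientAliveCountMax 3
Banner /etc/issue.net
# Allowed Users
AllowUsers exampleuser
EOF

# A default that precedes the edit: the later "PermitRootLogin no" is ignored
# by sshd, and the Banner line was never added.
cat > "$SSHD_BAD" <<'EOF'
Port 22
PermitRootLogin yes
MaxAuthTries 3
ClientAliveInterval 200
ClientAliveCountMax 3
PermitRootLogin no
AllowUsers exampleuser
EOF

# Live check on a server (run before restarting sshd):
#   audit_sshd /etc/ssh/sshd_config && echo "sshd_config hardened"
```

Run the audit before restarting sshd and keep your existing session open until a second login succeeds; the AllowUsers and PermitRootLogin checks are exactly the ones that lock an administrator out when they are applied with a typo.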