This article is going to go over the first things I’ll do when logging into a Debian server for the first time. For me, this will be a VPS that has been deployed by a web host, almost always with the latest Debian release. The first things I want to do are update and secure it. Much of this should apply to other Linux distributions.
The system is assumed to have a public facing IP and be accessible to the internet, being a VPS I have provisioned. This informs the use of SSH keys and firewalls.
Depending on your use case the steps that follow after this will differ. Being a VPS I usually end up installing NGINX as a web server and going from there, but there may be cases where this isn’t necessary. I’ve intentionally left that and other common activities such as perhaps a MySQL or Docker install out given they vary case by case.
Update Root Login
Change the root account password.
passwd root
I’ll always reset this first, usually to something very long that my password manager can remember for me. Later on we’ll set up SSH keys for password-less login, although generally we don’t want to SSH to the server as root.
Run Update
Update the repository and perform any upgrades needed upfront.
apt update
apt upgrade
If there is a major OS update, I may choose to just do this now before I go any further. Ideally the server is built with the latest OS, but sometimes what’s available is a version behind. If an OS update is needed I’ll accept the defaults while generally opting to retain the current SSH config file (which we’ll modify later).
Add Non-Root User
Install sudo to allow non-root users to elevate access.
apt install sudo
First add a new non-root user, replacing my name with one of your choice. When prompted, set the password. Any other value such as name and location can be left blank.
adduser richard
Add this user to the sudo group to allow the account to perform elevated commands.
usermod -aG sudo richard
Setup SSH and Disable Password Login
To improve security we will enable SSH key login on the server and disable remote access via password. At this point I’ll assume you have generated a private/public key pair on your PC. If not, here are some guides to get you started on Windows and Mac. You will need the id_rsa.pub file containing your public key.
If you have multiple PCs you’d like to enable SSH login for, take the id_rsa.pub file from each one and add all of them to the authorized_keys file, putting each public key on its own line.
The following steps should be completed for any account that will be used for authenticating a remote session. This should only be the new user created above, but you may opt to do this for the root user.
If you are going to configure SSH for the root user, and assuming this account is still logged in, create a new authorized_keys file. The .ssh folder should exist for this account already.
nano ~/.ssh/authorized_keys
Paste into the editor the entirety of your local PC’s id_rsa.pub file then save (ctrl+x then ‘y’). Now update the permissions of this file.
chmod 600 ~/.ssh/authorized_keys
Now do the same for the non-root user. First log into the account, either by launching a new SSH session or typing:
su richard
Now create a .ssh folder and authorized_keys file, and add the same id_rsa.pub key as before.
mkdir ~/.ssh && chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
After adding the ssh keys, again use chmod to update permissions.
chmod 600 ~/.ssh/authorized_keys
Test that you can log in. When connecting via SSH, do not supply a password. You should be logged in automatically due to the server trusting your public key.
Now disable password login to the server. Open the ssh config file using the following command. Sudo is being used on the assumption we are no longer logged in as root and because this file requires additional privileges to edit.
sudo nano /etc/ssh/sshd_config
At minimum set the following values. Uncomment the lines if needed. All values should be present already.
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
It is also recommended to disable root login over SSH.
PermitRootLogin no
Note that at the top of the file there may be an Include line that looks like the following. If so, take note of the path it points to.
Include /etc/ssh/sshd_config.d/*.conf
Save the SSH config file. If you saw an Include path in the file then check that folder for any further SSH config files. If present update them to match the above or delete conflicting config. Generally, no files will be present, but I have seen at least one VPS provider where newly deployed Debian images had a config file that would enable password authentication by overriding the sshd_config file.
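The override described above is easy to miss, so here is an added example (my own script, not from the original post) that models how sshd resolves a keyword: the first match wins, and an Include is expanded at the point where it appears, which is why a drop-in under sshd_config.d/ listed at the top of the file beats a PasswordAuthentication no further down. It builds a constructed config tree under a temp directory and audits it against the values set in this post; the drop-in file name 99-provider.conf is made up for the demo.

```shell
# Added example, not from the original post: model sshd's keyword lookup
# (first match wins, Include expanded where it appears) so a drop-in under
# sshd_config.d/ that re-enables passwords is caught. Assumes bash and mktemp;
# "Keyword value" form only. On a live server, `sudo sshd -T` is authoritative.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
# effective_sshd_value FILE KEYWORD: print the value sshd would use, or fail.
effective_sshd_value() {
    local file="$1" key="$2" line k v inc
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"        # trim leading space
        case "$line" in ''|'#'*) continue ;; esac     # skip blanks, comments
        k="${line%%[[:space:]]*}"
        v="${line#"$k"}"; v="${v#"${v%%[![:space:]]*}"}"
        v="${v%"${v##*[![:space:]]}"}"                 # trim trailing space
        if [ "$(lc "$k")" = include ]; then
            for inc in $v; do                          # unquoted: expand glob
                [ -f "$inc" ] && effective_sshd_value "$inc" "$key" && return 0
            done
        elif [ "$(lc "$k")" = "$(lc "$key")" ]; then
            printf '%s\n' "$v"; return 0
        fi
    done < "$file"
    return 1
}

# audit_sshd_config FILE: report keywords whose effective value differs from
# the hardened values in this post; returns 1 if any do.
audit_sshd_config() {
    local file="$1" rc=0 pair k want got
    for pair in PasswordAuthentication=no KbdInteractiveAuthentication=no \
                UsePAM=no PermitRootLogin=no; do
        k="${pair%=*}"; want="${pair#*=}"
        got="$(effective_sshd_value "$file" "$k" || echo '<unset>')"
        [ "$(lc "$got")" = "$want" ] || { echo "$k is '$got' (want $want)"; rc=1; }
    done
    return "$rc"
}

# make_demo_config: constructed config tree standing in for a provider image.
make_demo_config() {
    local d; d="$(mktemp -d)"; mkdir -p "$d/sshd_config.d"
    { echo "Include $d/sshd_config.d/*.conf"; echo "PermitRootLogin no"
      echo "PasswordAuthentication no"; echo "KbdInteractiveAuthentication no"
      echo "UsePAM no"; } > "$d/sshd_config"
    echo "PasswordAuthentication yes" > "$d/sshd_config.d/99-provider.conf"
    echo "$d/sshd_config"
}
cfg="$(make_demo_config)"
audit_sshd_config "$cfg" || echo "Override found: fix sshd_config.d/ too"
```

Point it at /etc/ssh/sshd_config (with sudo) to audit a real host, then confirm with sudo sshd -T | grep -i passwordauthentication.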
Reboot the VPS and make sure everything is OK. If not and you can’t log in, you may be able to use a console from your VPS provider’s web page. Ideally, test and confirm that password logins are no longer possible by attempting to access the server from another PC, or via some other option that will not use your SSH key.
Note that while you disabled the root SSH login above (you did, didn’t you?), you can always access the account by logging in as another user and then typing
su root
Supply the root user’s password when prompted.
Firewall
We’ll enable a basic firewall next. There are probably other ways to go about this, but for the purpose of getting set up this will suffice. Do not skip the steps to whitelist SSH access otherwise you’ll have trouble getting back onto the server.
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
Verify that the firewall has SSH ports open (OpenSSH and OpenSSH (v6) are ‘allow’).
Local TimeZone
Not essential, but I generally want to set a local timezone for the system to make reading monitoring times etc. simpler. For a list of timezones see this Wikipedia article.
sudo timedatectl set-timezone Australia/Canberra
Summary
We’ve now patched the OS, added a non-root user, updated authentication to SSH (and disabled remote password access!), added a firewall and got the server displaying local times. Pretty good start.
From here I’ll normally go off to install NGINX, PHP, SQL or Docker, but that’s all very much project specific. The above steps are a pretty good starting point before progressing onto those funner activities.