Here’s how to set up a Debian web server using as few extra software repositories and as little custom-compiled software as possible. I share my server with a few friends, and it is hosted at SharedLayer.
- Get Debian Linux installed: a minimal install, without anything else.
- Run “apt-get upgrade” as the root user; if a new kernel was installed, reboot into the new kernel.
- Install the few extra packages the rest of this guide relies on (sudo for the unprivileged account, oidentd for the ident service on port 113 that the firewall opens below): run “apt-get install sudo screen irssi oidentd”.
- Run “adduser <username>” to create an unprivileged user account.
- Add sudo access for that user by running “visudo”: find the line “root ALL=(ALL) ALL” and add a line directly below it that is identical except that “root” is replaced with the username you just created.
- Disable root SSH login and tighten a few settings by editing /etc/ssh/sshd_config:
  - LoginGraceTime 15
  - PermitRootLogin no
  - PrintMotd yes
- Restart the SSH server with “/etc/init.d/ssh restart” and verify that you are no longer able to log in as “root” over SSH.
- Enter the following firewall table into /etc/firewall.conf. It is in iptables-save format, so it needs the “*filter” header and the closing “COMMIT” line, and every option name is spelled with two ASCII hyphens (“--dport”, not an en dash):

```
*filter
:INPUT DROP [121262:35669320]
:FORWARD ACCEPT [5171418:2511260895]
:OUTPUT ACCEPT [13692255:5696622228]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 80 -j ACCEPT
COMMIT
```
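A small sanity check to run over /etc/firewall.conf before handing it to iptables-restore, as an added example that is not part of the original post. It assumes the file is in iptables-save format (a “*filter” header and a “COMMIT” line) and catches the most common copy-and-paste damage, a web page's en dashes or curly quotes in place of ASCII “--”, as well as a default INPUT policy that is not DROP; write_sample_conf writes a constructed copy of the ruleset above so the checks can be tried without touching the live file.

```sh
#!/bin/sh
# Sanity checks for an iptables-save style ruleset such as /etc/firewall.conf.

# Return 0 if $1 looks loadable and keeps the INPUT default policy at DROP.
check_firewall_conf() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    # Text copied from a web page often carries U+2013 instead of "--";
    # any byte outside 7-bit ASCII means an option name will not parse.
    if [ -n "$(LC_ALL=C tr -d '\000-\177' < "$f")" ]; then
        echo "$f: non-ASCII bytes found (en dashes or curly quotes?)" >&2
        return 1
    fi
    # iptables-restore needs a table header and a terminating COMMIT.
    grep -q '^\*filter' "$f" || { echo "$f: missing *filter" >&2; return 1; }
    grep -q '^COMMIT' "$f"   || { echo "$f: missing COMMIT" >&2; return 1; }
    # The point of this ruleset is that unlisted ports are dropped by default.
    grep -q '^:INPUT DROP' "$f" || { echo "$f: INPUT policy is not DROP" >&2; return 1; }
    return 0
}

# Print the TCP ports that ACCEPT rules open, sorted and space separated.
open_ports() {
    grep -E -- '-j ACCEPT' "$1" | grep -oE -- '--dports? [0-9,]+' \
        | cut -d' ' -f2 | tr ',' '\n' | sort -n | uniq | paste -sd' ' -
}

# Write a constructed sample (the post's ruleset with ASCII dashes) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 80 -j ACCEPT
COMMIT
EOF
}
```

Run check_firewall_conf /etc/firewall.conf after every edit and only load the file when it exits 0; open_ports gives a quick second look at what the DROP policy still lets through.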
You may also want to review http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/USAIDTechSafeBSP/USAIDTechSafeBSPI1.html and http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/USAIDTechSafeBSP/USAIDTechSafeBSPI6.html.