Debian Web Server

Here’s how to setup a Debian web server using as little extra software repositories and custom-compiled software as possible. I share my server with a few friends, and it is hosted at SharedLayer.

apt-get install sudo screen irssi oidentd

  1. Get Debian Linux installed – minimal install, without anything else
  2. Run “apt-get upgrade” as root user; if a new kernel was installed, reboot into the new kernel
  3. Run “adduser <username>” to create an unprivileged user account.
  4. Add sudo access for that user by running “visudo” – find the line labeled “root    ALL=(ALL) ALL”, and add a line under with the username of your unprivileged user above.
  5. Disable root SSH login and enable a few security settings by editing /etc/ssh/sshd_config:
    • LoginGraceTime 15
    • PermitRootLogin no
    • PrintMotd yes
  6. Restart the SSH server and verify that you are unable to login as “root” over SSH
    • /etc/init.d/sshd restart
  7. Enter the following firewall table to /etc/firewall.conf

*filter
:INPUT DROP [121262:35669320]
:FORWARD ACCEPT [5171418:2511260895]
:OUTPUT ACCEPT [13692255:5696622228]
-A INPUT -i eth0 -p tcp -m tcp –dport 22 -m state –state NEW -m recent –update –seconds 120 –hitcount 4 –name DEFAULT –rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp –dport 22 -m state –state NEW -m recent –set –name DEFAULT –rsource
-A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state –state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m state –state NEW -m multiport –dports 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state –state NEW -m multiport –dports 113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state –state NEW -m multiport –dports 80 -j ACCEPT
COMMIT

*filter

:INPUT DROP [121262:35669320]

:FORWARD ACCEPT [5171418:2511260895]

:OUTPUT ACCEPT [13692255:5696622228]

-A INPUT -i eth0 -p tcp -m tcp –dport 22 -m state –state NEW -m recent –update –seconds 120 –hitcount 4 –name DEFAULT –rsource -j DROP

-A INPUT -i eth0 -p tcp -m tcp –dport 22 -m state –state NEW -m recent –set –name DEFAULT –rsource

-A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i lo -m state –state NEW -j ACCEPT

-A INPUT -i eth0 -p tcp -m state –state NEW -m multiport –dports 22 -j ACCEPT

-A INPUT -i eth0 -p tcp -m state –state NEW -m multiport –dports 113 -j ACCEPT

-A INPUT -i eth0 -p tcp -m state –state NEW -m multiport –dports 80 -j ACCEPT

COMMIT

3 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *