Setting Up a Secure Debian VPS: SSH User and Security Configuration
In this guide, we'll walk you through the steps to set up a secure SSH environment on Debian 12. Secure Shell (SSH) is a vital tool for remote access and administration of servers, and configuring it properly is crucial for system security.
Prerequisites
Step 1: Update Your System
First, ensure your system is up-to-date:
sudo apt update -y
sudo apt upgrade -y
Step 2: Create a New User
Log in as the root user and create a new user. Replace your_new_user with your desired username:
adduser your_new_user
Follow the prompts to set the password and other details for the new user.
Step 3: Add the New User to the Sudo Group
Give the new user sudo privileges by adding them to the sudo group:
usermod -aG sudo your_new_user
Step 4: Verify the New User
Switch to the new user to verify it has been created successfully and has sudo privileges:
su - your_new_user
Test sudo access:
sudo ls /root
If prompted, enter the new user's password to ensure it can use sudo commands.
Installing and Configuring OpenSSH Server
Step 1: Install OpenSSH Server
Install the OpenSSH server if it's not already installed:
sudo apt install openssh-server
Step 2: Generate SSH Key Pair on Your Local Machine
For multiple configurations, create the following directories:
mkdir -p ~/.ssh/config.d/myserver
If you haven't already generated an SSH key pair, do so now. When asked where to save the new key, specify: config.d/myserver/yourusername_id_ed25519
ssh-keygen -t ed25519 -f ~/.ssh/config.d/myserver/yourusername_id_ed25519
Step 3: Copy Your Public Key to the New User on the Server
ssh-copy-id -i ~/.ssh/config.d/myserver/yourusername_id_ed25519.pub your_new_user@your_server_ip
Step 4: Manually Create .ssh Directory and Authorized Keys File (Optional)
If you encounter errors, you may need to manually create the .ssh directory and authorized_keys file:
- Create the .ssh directory and set appropriate permissions:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
- Create the authorized_keys file and set appropriate permissions:
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
- Copy your public key to the authorized_keys file. Open the authorized_keys file in a text editor and paste your public key:
vi ~/.ssh/authorized_keys
Step 5: Verify SSH Configuration
Log out from the server and test the new configuration by connecting as the new user:
ssh -p 22 your_new_user@your_server_ip
Step 6: Update Your Local SSH Configuration
Update your local ~/.ssh/config file to include the new user configuration:
Host myserver
    HostName your_server_ip
    Port 22
    User your_new_user
    IdentityFile ~/.ssh/config.d/myserver/yourusername_id_ed25519
    IdentitiesOnly yes
    # "no" accepts any new host key automatically and still connects (with a warning)
    # if the key changes; "accept-new" or the default "ask" keeps host key checking.
    StrictHostKeyChecking no
    LogLevel INFO
    Compression yes

Host myserver_root
    HostName your_server_ip
    Port 22
    User root
    IdentityFile ~/.ssh/config.d/myserver/root_id_ed25519
    IdentitiesOnly yes
    StrictHostKeyChecking no
    LogLevel INFO
    Compression yes
Usage
To connect as the new user, you can use the new host alias:
ssh myserver
For root user:
ssh myserver_root
Hardening Your SSH Configuration
Step 1: Configure SSH Server
Edit the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Make the following changes to enhance security. In Debian's default file most of these directives are present but commented out with a leading #; remove the # when you set them, because sshd uses the first uncommented value it finds:
- Disable Root Login: Find the line PermitRootLogin and set it to no.
PermitRootLogin no
- Disable Password Authentication: Find the line PasswordAuthentication and set it to no.
PasswordAuthentication no
- Allow Only Specific Users: Add a line to specify which users can log in via SSH.
AllowUsers your_new_user
- Use Public Key Authentication: Ensure the following lines are set:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
- Disable X11 Forwarding: Find the line X11Forwarding and set it to no.
X11Forwarding no
- Set SSH Protocol to 2: Ensure the following line is present. (The OpenSSH version shipped with Debian 12 only speaks protocol 2 and logs a "Deprecated option Protocol" warning for this line; it is harmless but no longer needed.)
Protocol 2
- Change SSH Port (Optional): Change the default SSH port from 22 to another port.
Port 2222
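The edits above applied by script rather than by hand, as an added example that is not part of the original guide. It rewrites each directive in place (including the commented-out defaults Debian ships), appends it if missing, and validates the result with sshd -t before you restart; the file path, user name and port are arguments, and Protocol 2 is omitted because current OpenSSH only warns about it.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the Step 1 directives to an
# sshd_config file with a script instead of hand-editing, then validate it.
# Run as root against /etc/ssh/sshd_config; the checks below use a temp copy.
set -e

# set_directive FILE KEY VALUE: replace the first "KEY ..." line, whether live
# or commented out (Debian ships e.g. "#PermitRootLogin prohibit-password"),
# or append it if absent. Keywords are matched case-insensitively like sshd does.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        !done && tolower($0) ~ ("^[# \t]*" tolower(key) "([ \t]|$)") {
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_directive FILE KEY: print the effective value (sshd takes the first
# uncommented match), or nothing if the keyword is unset in this file.
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd FILE USER PORT: the guide's Step 1 settings, idempotently.
harden_sshd() {
    file=$1 user=$2 port=$3
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" AuthorizedKeysFile .ssh/authorized_keys
    set_directive "$file" X11Forwarding no
    set_directive "$file" AllowUsers "$user"
    set_directive "$file" Port "$port"
}

# validate_sshd_config FILE: sshd -t parses the file and exits non-zero on a
# syntax error, so run this (as root) before restarting to avoid a lockout.
validate_sshd_config() {
    sshd -t -f "$1"
}
```

Debian 12's sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and a drop-in there (cloud images often add one) wins over the main file; sudo sshd -T shows the values sshd will actually use.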
Step 2: Restart SSH Service
Check the file for syntax errors first with sudo sshd -t, keep your current session open, and then restart the SSH service to apply the changes:
sudo systemctl restart ssh
Step 3: Verify SSH Configuration
Try logging into your server to verify that the settings are correct and that you can only log in using your public key:
ssh -p 2222 your_new_user@your_server_ip
Additional Security Measures (Optional)
Install and Configure UFW (Uncomplicated Firewall)
sudo apt install ufw
sudo ufw allow 2222/tcp
sudo ufw enable
Install and Configure Fail2Ban
sudo apt install fail2ban
Create a local configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local
to add SSH protection:
[sshd]
enabled = true
port = 2222
logpath = %(sshd_log)s
maxretry = 3
Restart Fail2Ban:
sudo systemctl restart fail2ban
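A consistency check for the port change, as an added example that is not part of the original guide: the Port in sshd_config and the port in the [sshd] jail must agree, otherwise fail2ban bans traffic to a port sshd no longer listens on. Both file paths are arguments, and "ssh" (the jail's stock value, meaning port 22) is handled.

```shell
#!/bin/sh
# Added example, not from the original guide: verify that the [sshd] jail in
# jail.local watches the same port that sshd_config sets.
set -e

# sshd_port FILE: effective Port from sshd_config (first uncommented match
# wins, as in sshd); 22 when no Port line is set.
sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    printf '%s\n' "${port:-22}"
}

# jail_port FILE: the "port =" value inside the [sshd] section of jail.local;
# "ssh" (fail2ban's stock value, i.e. 22) when the section sets none.
jail_port() {
    port=$(awk '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[sshd\][ \t]*$/); next }
        insect && /^[ \t]*port[ \t]*=/ {
            sub(/^[ \t]*port[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1")
    printf '%s\n' "${port:-ssh}"
}

# ports_match SSHD_CONF JAIL_LOCAL: exit 0 when the jail watches the port sshd
# uses, 1 otherwise.
ports_match() {
    s=$(sshd_port "$1"); j=$(jail_port "$2")
    [ "$j" = ssh ] && j=22
    [ "$s" = "$j" ]
}
```

Because jail.local is a copy of jail.conf, it already contains an [sshd] section with port = ssh; edit that section rather than adding a second one.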
Following these steps will significantly enhance the security of your SSH setup on Debian 12.
By following these steps, you'll be able to securely connect to your server as a non-root user, ensuring that root login is disabled to enhance security.