My Linux Server Setup

About

This guide is meant for people who have bought/installed a Linux Server.
It is not a perfect guide. It is my personal guide on what I do after installation.
It will not go over the Installation of the OS itself.
We will use Debian 10 as the OS here.
If you have any CentOS Distro then please install epel-release.
If you have a CentOS 8 Server then please use dnf install to install packages instead.
If you have a CentOS 7 Server please use yum install instead.

Update & Install

When I first booted a new server I usually run sudo apt-get update and then sudo apt-get upgrade.
This makes everything my system fully up-to-date. Then I install some basic applications I use often.
My commonly used applications (except the ones later in this article) are:

sudo apt-get install nano vim screen htop zip unzip wget curl

User Management

It's not good to log in as root over SSH. Many spambots try to log in as root over SSH, your server is constantly under attack.
Create a new user and give him permission to use sudo. With sudo a user can get temporary admin-rights if needed.
On some systems sudo isn't preinstalled. For a user to be able to use sudo you just have to add him to the sudo group. (On CentOS the groupname is wheel instead)
adduser chris and then usermod -aG sudo chris.

I also recommend to create a user for every service you manually install. If you install git/jenkins/teamspeak then create a new user for those services.

Securing SSH

You don't want people to be able to log in on your server as root.
To edit the SSHd configuration of your server simply edit /etc/ssh/sshd_config. (SSHD is the server, SSH is the client)
Here at the bottom of the file you can add PermitRootLogin no , this makes the user root not able to login with SSH.
You can also write AllowUsers chris to only allow the user chris access to login via SSH.
I recommend to use both of these lines: Deny root login and only allow specific users login.

In this file you can also change the default port if you add the line Port 97 at the bottom.
Automated attacks on servers always use the Port 22 for SSH, so if you change it most bots on the internet won't be able to automatically attack you that easily anymore.
I don't change it from Port 22, because it's standardized on that port via IANA.

You can also use SSH Keys instead of a password authentication to log in.
It's more secure because nobody can brute-force the key easily.
But you don't have to use this to be secure, because we will install fail2ban later.
(Just a thought: Someone would have to guess the username and then the password, together with fail2ban it's highly unlikely that someone can get access.)

Monitoring with sysstat

It automatically logs CPU, network and disk usage.
The command for this is sar. If you use it without any flags it will show you the CPU usage in percent.

First install the sysstat package with sudo apt-get install sysstat.
To enable the logging edit /etc/default/sysstat and change the "false" to "true".
Now restart it with sudo systemctl restart sysstat.
You can now use the sar command to get your resource log. At first it needs a while (5min) to get the first log entry.
You can also generate a picture from these logs via sadf -g -- -A > today.svg.
(German) More at https://www.thomas-krenn.com/de/wiki/Linux_Performance_Aufzeichnung_und_Auswertung_mit_sar

Firewall

For me iptables is enough of a firewall. It blocks/allows protocols,states and IP addresses.
You can also look into firewalld or uncomplicated firewall (ufw). These are just applications that build ontop of iptables.

First install iptables and iptables-persistant via sudo apt-get install iptables iptables-persistant. (It doesn't matter if you save your current config or not if asked)
Now everytime you reboot it will take the rules from /etc/iptables/rules.v4 and apply them.
sudo nano /etc/iptables/rules.v4 and copy in this basic ruleset:

# sample configuration for iptables service
# from shira.at
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Now you can live-reload these rules into your system with sudo iptables-restore < /etc/iptables/rules.v4.
To save your current rules you can use sudo iptables-save > /etc/iptables/rules.v4.

Fail2ban

Fail2ban does what it says: It bans people after too many failed attempts.

Simply install it via sudo apt-get install fail2ban.
The default configuration is located at /etc/fail2ban/jail.conf. Do not edit this configuration directly, instead create a new file there called jail.local.
My default jail.local file for SSH:

[DEFAULT]
bantime = 900
maxretry = 3
[sshd]
enabled = true
It bans for 15 minutes upon 3 failed attempts at SSH Login.

Other Services

I also install other services on initial setup.
A big and important one is a webserver. There are 2 main webservers: apache2 and nginx.
The easier one for beginners is apache2, but if you want performance and aren't too scared of new stuff then nginx is your way to go.
sudo apt-get install nginx and for php sudo apt-get install php-fpm.

Don't forget to add new firewall rules if your new services require different ports than 80/443.