My Linux Server Setup

About

This guide is meant for people who have bought/installed a Linux Server.
It is not a perfect guide. It is my personal guide on what I do after installation.
It will not go over the Installation of the OS itself.
We will use Debian 12 as the OS here.
If you use a RedHat-based distribution, install epel-release and use dnf install to install packages instead.

Update & Install

The first command is usually sudo apt-get update, followed by sudo apt-get upgrade. (On RedHat the "upgrade" command is not needed.)
After that the system is up to date.
Then install some commonly used tools, mine are:

sudo apt-get install nano vim screen htop zip unzip wget curl tmux

User Management

It's not good to log in as root over SSH. Many spambots try to log in as root, so your server is constantly under attack.
Create a new user and give him permission to use sudo. With sudo a user can get temporary admin rights if needed.
On some systems sudo isn't preinstalled. For a user to be able to use sudo you just have to add him to the sudo group. (On RedHat-based systems the group name is wheel instead.)
Run adduser chris and then usermod -aG sudo chris.

I also recommend creating a separate user for other services you install manually. If you install git/jenkins/teamspeak, create a new user for those services or start them as a systemd service with a "nologin" user.

Securing SSH

You don't want people to be able to log in on your server as root.
To edit the sshd configuration of your server simply edit /etc/ssh/sshd_config. (SSHD is the server, SSH is the client)
At the bottom of the file you can add PermitRootLogin no, which prevents the user root from logging in over SSH.
You can also write AllowUsers chris to allow only the user chris to log in via SSH.
I recommend using both of these lines: deny root login and allow only specific users to log in.
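
Added example (not part of the original guide): sshd uses the first value it reads for each keyword, so a line added at the bottom of sshd_config only takes effect if nothing earlier in the file sets the same keyword. The script below shows this on two constructed config files; effective_value and check_hardening are hypothetical helper names, and Include files and Match blocks are not followed.

```shell
#!/bin/sh
# Added example, not from the original guide. sshd keeps the FIRST value it
# reads for a keyword, so an appended line can be silently ignored.
# Simplification: Include files are not followed; parsing stops at the first Match.

# effective_value FILE KEYWORD -> first value set for KEYWORD (case-insensitive)
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1"
}

# check_hardening FILE -> 0 only if root login is off and AllowUsers is set
check_hardening() {
    if [ "$(effective_value "$1" PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin is not effectively 'no'"; return 1
    fi
    if [ -z "$(effective_value "$1" AllowUsers)" ]; then
        echo "AllowUsers is not set"; return 1
    fi
    echo "ok"
}

tmp=$(mktemp -d)
# Constructed sample 1: an earlier line already sets PermitRootLogin
cat > "$tmp/appended.conf" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# lines added at the bottom, as in the guide
PermitRootLogin no
AllowUsers chris
EOF
# Constructed sample 2: the earlier line was edited instead
cat > "$tmp/fixed.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
AllowUsers chris
EOF

for f in "$tmp/appended.conf" "$tmp/fixed.conf"; do
    printf '%s: %s\n' "${f##*/}" "$(check_hardening "$f")"
done
```

On a real server, sudo sshd -t checks the file for syntax errors and sudo sshd -T | grep -i permitrootlogin prints the value sshd will actually use.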

In this file you can also change the default port if you add the line Port 97 at the bottom.
Automated attacks on servers always use port 22 for SSH, so if you change it, most bots on the internet won't be able to attack you automatically that easily anymore.
I don't change it from Port 22, because it's standardized on that port via IANA.

You can also use SSH keys instead of password authentication to log in.
It's more secure because nobody can brute-force the key easily.
But you don't have to use this to be secure, because we will install fail2ban later.
(Hint: Someone would have to guess the username and the password to log in. Together with fail2ban it's highly unlikely that someone can get access even if you do not use keys.)

Monitoring

I recommend installing Grafana and Prometheus (and node_exporter) for monitoring your server.
For a quick installer you can use my script at https://shira.at/stash/grafana/_installer.sh.txt or just search on the internet for a guide.
Grafana and Prometheus let you easily monitor anything and everything. They also let you receive notifications via email/msteams/discord when a configured alert is triggered.

Firewall

If you use a RedHat-based OS and want to keep it minimal for now, use firewalld with the following commands to open http/https:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload

iptables is my favorite firewall. It blocks/allows protocols, states and IP addresses.
You can also look into firewalld or uncomplicated firewall (ufw). These are just applications that build on top of iptables.

First install iptables and iptables-persistent via sudo apt-get install iptables iptables-persistent. (It doesn't matter whether you save your current config when asked.)
Now every time you reboot, the system will take the rules from /etc/iptables/rules.v4 and apply them.
Open the file with sudo nano /etc/iptables/rules.v4 and copy in this basic ruleset:

# sample configuration for iptables service
# from shira.at
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT

Now you can live-reload these rules into your system with sudo iptables-restore < /etc/iptables/rules.v4.
To save your current rules you can use sudo sh -c 'iptables-save > /etc/iptables/rules.v4'. (The redirect is done by your shell, so it has to run as root too.)
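
Added example (not part of the original guide): with a default DROP policy on INPUT, moving sshd to another port (such as the Port 97 mentioned in the SSH section) locks you out unless the ruleset accepts that port first. The script below checks a constructed copy of the ruleset above for that; input_policy, accepted_tcp_ports and port_reachable are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original guide: check that a TCP port stays
# reachable under an iptables-save style ruleset before loading it.
# Simplification: port ranges (a:b) and source restrictions are ignored.

# input_policy FILE -> default policy of the INPUT chain, e.g. DROP
input_policy() {
    awk '$1 == ":INPUT" { print $2; exit }' "$1"
}

# accepted_tcp_ports FILE -> accepted TCP destination ports, one per line
accepted_tcp_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 3; i < NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), ports, ",")
                    for (j = 1; j <= n; j++) print ports[j]
                }
        }
    ' "$1"
}

# port_reachable FILE PORT -> 0 if new TCP connections to PORT are accepted
port_reachable() {
    [ "$(input_policy "$1")" = "ACCEPT" ] && return 0
    accepted_tcp_ports "$1" | grep -qx -- "$2"
}

rules=$(mktemp)   # constructed copy of the ruleset from the guide
cat > "$rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
EOF

for port in 22 97; do
    if port_reachable "$rules" "$port"; then echo "tcp/$port: accepted"
    else echo "tcp/$port: dropped, add a rule before moving sshd to this port"; fi
done
```

On the server itself, sudo iptables-restore --test < /etc/iptables/rules.v4 parses the file without committing it. The ruleset only covers IPv4; iptables-persistent loads IPv6 rules from /etc/iptables/rules.v6.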

Fail2ban

Fail2ban does what it says: It bans people after too many failed attempts.

Simply install it via sudo apt-get install fail2ban.
The default configuration is located at /etc/fail2ban/jail.conf. Do not edit this configuration directly, instead create a new file there called jail.local.
My default jail.local file for SSH:


[DEFAULT]
bantime = 900
maxretry = 3
[sshd]
enabled   = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

This bans an address for 15 minutes after 3 failed SSH login attempts.
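
Added example (not part of the original guide, and not fail2ban's own code): a simplified model of the ban decision for the jail above, run over constructed log lines. Failures are counted per address inside a time window; the window length (findtime = 600 seconds) is an assumption because the jail.local shown does not set it, and simulate_bans is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original guide: simplified model of the ban
# decision for the jail above (maxretry = 3, bantime = 900).
# Assumption: findtime = 600 seconds; it is not set in the jail.local shown.

# simulate_bans LOGFILE -> one line per ban: "IP ban_start ban_end" (epoch seconds)
simulate_bans() {
    awk -v maxretry=3 -v findtime=600 -v bantime=900 '
        /Failed password/ {
            t = int($1); ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || t < banned_until[ip]) next   # no address, or already banned
            n[ip]++; seen[ip, n[ip]] = t
            # count failures from this address inside the last findtime seconds
            c = 0
            for (k = n[ip]; k >= 1 && seen[ip, k] > t - findtime; k--) c++
            if (c >= maxretry) {
                printf "%s %d %d\n", ip, t, t + bantime
                banned_until[ip] = t + bantime
                n[ip] = 0                                # counter restarts after a ban
            }
        }
    ' "$1"
}

# Constructed sample in "journalctl -o short-unix" style (epoch timestamps)
log=$(mktemp)
cat > "$log" <<'EOF'
1700000000.000000 srv sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
1700000020.000000 srv sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
1700000030.000000 srv sshd[813]: Accepted password for chris from 198.51.100.4 port 51000 ssh2
1700000040.000000 srv sshd[814]: Failed password for root from 203.0.113.7 port 40041 ssh2
1700000050.000000 srv sshd[815]: Failed password for chris from 198.51.100.9 port 52000 ssh2
1700000700.000000 srv sshd[816]: Failed password for chris from 198.51.100.9 port 52001 ssh2
1700001400.000000 srv sshd[817]: Failed password for chris from 198.51.100.9 port 52002 ssh2
EOF

simulate_bans "$log"
```

Only 203.0.113.7 is banned in this sample: the three failures from 198.51.100.9 are further apart than the assumed window, so they never add up to maxretry.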

Other Services

I also install other services on initial setup.
A big and important one is a webserver. There are 2 main webservers: apache2 and nginx.
I personally use and recommend nginx.
My guide for nginx can be found here: nginx.html
Don't forget to add new firewall rules if your new services require different ports than 80/443.