
Debian 12 Post-Installation Steps

A collection of instructions to help a user make their Debian installation a bit more secure and user friendly. This is _NOT_ about installing Debian: it is for after Debian has been installed. The information here is collected from the following sources:

Debian 12 Server Setup: Essential Post-Installation Steps

Reconfigure Software Repositories

Delete the file '/etc/apt/sources.list' and then recreate the file with the following in its body:

#deb cdrom:[Debian GNU/Linux 12.8.0 _Bookworm_ - Official amd64 NETINST with firmware 20241109-11:04]/ bookworm contrib main non-free-fir>

deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware

deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.

This makes sure that 'apt' pulls from the current bookworm repositories, including the security updates. For the change to take effect, we will also need to run the following:

apt update

Update/Upgrade Existing Packages

We just want to make sure we have everything up-to-date at this point.

apt upgrade -y
apt full-upgrade -y

Install Sudo

Debian 12, at least the way I installed it, does not have this installed. We want this so we're not always needing to be root when we do things on our server.

apt install sudo -y

Create new User

This might have occurred while installing Debian. If so, we can just ignore the first of these commands.

adduser <username>
usermod -aG sudo <username>

At this point, if you are following these steps as you go, you should log in (or log in again, if applicable) as this new user.

Setting Up SSH Keys

This is our first major foray into hardening this server. We will need these keys for SSHing into the server. The assumption is that this will be run as your normal user, _NOT AS ROOT_.

ssh-keygen

These generated keys will be located in '~/.ssh/'.

Strengthening SSH

Now we want to strengthen SSH's security a little more, so we will update the SSH daemon's configuration file (/etc/ssh/sshd_config). Find the following configuration items and replace their values with the ones provided. If an item is not present, add it to the configuration file. Remember that any line with a # prefix is treated as a comment, so the # must be removed for the setting to take effect.

PermitRootLogin no
PasswordAuthentication no
AllowUsers <username>
Port <port_number>  # Change to any port that isn't the normal (22)

Finally, we need to restart the SSH daemon.

sudo systemctl restart ssh
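
One way to check that the four settings above are the ones sshd will actually use. This is an added example, not part of the original instructions; the function names, the user "alice" and port 1042 are placeholders chosen for illustration.

```sh
# Added example (not from the original page). sshd keeps the FIRST value it reads
# for a keyword, so a line appended below a still-active stock line has no effect.
# Limits: one file only, no Include or Match handling.
# effective FILE KEYWORD -> first uncommented global value, empty if unset
effective() {
  awk -v key="$2" '
    /^[ \t]*(#|$)/          { next }   # comment or blank line
    tolower($1) == "match"  { exit }   # conditional block: out of scope
    tolower($1) == tolower(key) {
      sub(/[ \t]*(#.*)?$/, "")         # trailing blanks and comment
      sub(/^[ \t]*[^ \t]+[ \t]+/, "")  # the keyword itself
      print; exit
    }' "$1"
}

# audit FILE USER -> one line per problem; exit status = number of problems
audit() {
  file=$1 user=$2 bad=0
  for want in "PermitRootLogin no" "PasswordAuthentication no"; do
    key=${want% *} val=${want#* }
    got=$(effective "$file" "$key")
    [ "$got" = "$val" ] ||
      { echo "FAIL $key: effective '${got:-unset}', want '$val'"; bad=$((bad + 1)); }
  done
  case " $(effective "$file" AllowUsers) " in
    *" $user "*) ;;
    *) echo "FAIL AllowUsers: '$user' is not listed"; bad=$((bad + 1)) ;;
  esac
  port=$(effective "$file" Port)
  { [ -n "$port" ] && [ "$port" != 22 ]; } ||
    { echo "FAIL Port: unset or still 22"; bad=$((bad + 1)); }
  return "$bad"
}

# Constructed sample: a stock "PasswordAuthentication yes" is still active
# above the appended lines. "alice" and 1042 are placeholder values.
demo() {
  tmp=$(mktemp) rc=0
  cat > "$tmp" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice
Port 1042  # Change to any port that isn't the normal (22)
EOF
  audit "$tmp" alice || rc=$?
  rm -f "$tmp"; return "$rc"
}

demo || echo "demo: $? problem(s) found"
```

On the server itself, `sudo sshd -t` validates the file's syntax and `sudo sshd -T` prints the configuration sshd resolved, including any Include files, so both are worth running before the restart.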

Install Essential Packages

These are a few essentials that are helpful while using Linux in general. So let's go ahead and grab them now.

sudo apt install -y vim htop net-tools curl wget git

Configure Time Synchronization

In my experience, the Debian installation will set this up for us. That said, in case it did not, this will do the trick.

sudo apt install systemd-timesyncd
sudo timedatectl set-ntp true
timedatectl

Setting up a Firewall

We're going to be using UFW for our firewall. The following will install the UFW firewall and set some good defaults for us.

sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing

Next, the following command will allow us to open up ports as needed. Take stock of what port number was used for SSH strengthening: this is the time to open that port up.

sudo ufw allow <port_number>/<protocol> # for example, 1042/tcp

Finally, we need to enable UFW.

sudo ufw enable

Useful Information

If you want to check the status of the UFW firewall, the following can be used:

sudo ufw status

If you ever allow or deny more ports, then the following will need to be run in order to put the new policy into place.

sudo ufw enable

Set Up Automatic Security Updates

Obviously, we want our server to keep up-to-date with security updates. This will set up the server to install security updates without our intervention.

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Reboot

At this point, we reboot the system. Just good practice after doing so many modifications to the system.

sudo reboot

🦊 gemini://eltheria.org/grimoire/debian/2024_11_22_Debian_Post_Installation.gmi