Debian 8 initial server setup (SSH, users & firewall)

When you create a new Debian 8 server, there are a few steps required as part of the basic setup.

1) Install SSH (if not already configured)

You can use the package manager for Debian / Ubuntu via the dpkg command. To find out if SSH is installed run dpkg -s openssh-server . Alternatively, try ssh localhost . If you see command not found, it’s not installed. To install the service run apt-get install openssh-server

2) Create a new user account and add to the sudo group

It is often recommended that no one use root as their normal user account. Simple errors in entering commands can cause major damage to the system. Instead set up a super user. This will allow a normal user to run admin commands by putting the word sudo  before each command.

Debian 8 doesn’t normally come with sudo installed. You can check using dpkg -s sudo .

Update the apt package index first using apt-get update , then use apt-get install sudo to install sudo.

Next create a new user, for example “george” but use any name you like, using the adduser command. Enter a strong password and enter any other information (optional), just press enter to skip.

Linux Debian adduser command
Linux Debian adduser command

To grant sudo privileges to the new user, you need to add the user to the “sudo” group. By the way sudo is an abbreviation of “super user do”. Run this command as root to add the user “george” to the sudo group usermod -a -G sudo george

Disabling remote root login is recommend. To block remote SSH access to the root account, open the SSH daemon configuration file nano /etc/ssh/sshd_config and find the line PermitRootLogin yes . Change the “yes” to “no”, save the file (CTRL + o) and restart SSH using systemctl restart ssh or service ssh restart or /etc/init.d/ssh restart .

3) Firewall. Configuring iptables on Debian 8

Debian servers do not implement any restrictions by default. Check the current iptable rules using the following command iptables -L

Debian 8 iptables default
Debian 8 iptables default

There are three default chains: INPUT, OUTPUT and FORWARD. You don’t see any rules because Debian 8 doesn’t ship with a default rule set. The chain names indicate which traffic the rules in each list will be applied to: INPUT is for any connections coming in to the server, OUTPUT is for traffic leaving the server and FORWARD is for any pass through. Each chain also has a policy setting which determines how the traffic is handled, if it doesn’t match any specific rules, by default it is set to accept.

Note, iptables controls five different tables: filter, nat, mangle, raw and security. If you don’t specifiy a table, the filter table is used as the default. For example, the view the nat table use iptables -t nat -L

The recommended firewall approach is to define rules for allowed traffic and block everything else.

You can view the output in a format that reflects the commands necessary to enable each rule / policy by using the -S flag iptables -S

iptables S flag
iptables S flag

If you have rules configured and wish to start again, you can flush all current rules using iptables -F . Make sure the default policy on the INPUT and OUTPUT changes are set to ACCEPT before flushing the rules.

iptables -P INPUT ACCEPT
iptables -F

To begin using iptables you should first add rules for allowed inbound traffic. iptables can track the state of the connection, use this command to allow established connections (i.e. our SSH connection):

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -J ACCEPT

You can check that the rule was added using the iptables -L command.

Next allow traffic to a specified port to enable SSH connections with the following

iptables -A INPUT -p tcp --dport ssh -j ACCEPT

The ssh in the command translates to port 22. To enable traffic for FTP use

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

It’s important to add a rule for the loopback interface

iptables -I INPUT 1 -i lo -j ACCEPT

After adding all the allowed rules, change the input policy to drop

iptables -P INPUT DROP
  • -A  flag appends a rule to the end of the chain
  • -I  flag inserts a rule, in our example -I INPUT 1 inserts the rule in the 1st position of the input chain.
  • -m conntrack  and –ctstate conntrack stores the connection state of known connections
  • –dport  is the destination port flag (requires -p tcp )

Now if you were to restart the server all of these iptable configurations would be wiped. To prevent this, save the rules to a file iptables-save > /etc/iptables/rules.v4 .

You can restore the saved rules after a reboot by reading the saved file with iptables-restore < /etc/iptables/rules.v4 .

You  can automate the restore process at reboot by installing an additional package for iptables via apt-get install iptables-persistent . After the installation the setup will ask to save IPv4 and IPv6 rules.

If you make changes to rules, remember to save them using the above command. The iptables-persistent  command looks for the files rules.v4  and rules.v6  under /etc/iptables/ .

Alternatively, you can save your filewall rules with this command invoke-rc.d iptables-persistent save


You May Also Like