debian-server, using public key authentication.
debian-server.domain.test — replace this value with your domain name in all code snippets that follow.
m — replace it with yours.
Add the following section to your ~/.ssh/config.
# Bootstrap entry: root is used only until the unprivileged user set up below exists.
Host debian-server
Hostname debian-server.domain.test
User root
# Runs on the workstation: first login as root through the config entry above.
ssh debian-server
# Everything from here on runs on the server. Bring it fully up to date first.
apt -y update && apt -y upgrade
# Interactive timezone selection.
dpkg-reconfigure tzdata
# Short hostname; the FQDN is mapped to it in /etc/hosts next.
hostnamectl set-hostname debian-server
NOTE: Make sure to replace the IP addresses and names below with your own!
# Append the server's own addresses so both the FQDN and the short name
# resolve locally. 192.0.2.0/24 and 2001:db8::/32 are documentation-only
# ranges (RFC 5737 / RFC 3849): substitute the real addresses.
cat << 'EOF' >> /etc/hosts
192.0.2.42 debian-server.domain.test debian-server
2001:db8::1234 debian-server.domain.test debian-server
EOF
sudo privileges
NOTE: Make sure to replace the m username below with your own!
# Create the day-to-day account (interactive: password and GECOS prompts).
adduser m
# Membership in the sudo group grants full root via sudo under Debian's
# stock sudoers; direct root logins over SSH are disabled further below.
adduser m sudo
NOTE: Make sure to replace the m username and PUBLIC_SSH_KEY below with your own!
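# Install the admin user's SSH key. Create authorized_keys with its final
# owner and mode first so the key never sits in a world-readable file, even
# briefly (echo > file would create it with the umask and only then chmod it).
# sshd's StrictModes, on by default, rejects keys in directories or files with
# looser permissions than these.
install -d -m 0700 -o m -g m /home/m/.ssh
install -m 0600 -o m -g m /dev/null /home/m/.ssh/authorized_keys
# printf rather than echo: no -e/-n option surprises or backslash handling.
printf '%s\n' "PUBLIC_SSH_KEY" > /home/m/.ssh/authorized_keys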
Update your local ~/.ssh/config entry to use the regular username.
# Replaces the bootstrap entry above: log in as the regular user from now on.
Host debian-server
Hostname debian-server.domain.test
User m
Continue configuration from an interactive sudo -i shell from here on out.
# Drop-in for sshd: Debian's stock sshd_config includes sshd_config.d/*.conf
# at the top, and sshd takes the first value given for a keyword, so these
# lines override the defaults. Before applying them, confirm from a second
# terminal that key-based login as m (set up above) already works: once they
# take effect there is no password fallback and no root login.
cat << 'EOF' > /etc/ssh/sshd_config.d/local.conf
PermitRootLogin no
PasswordAuthentication no
EOF
Restart the SSH service
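# Validate the merged configuration before restarting: a typo in the drop-in
# would otherwise leave sshd down and the box unreachable. Keep this session
# open and verify a fresh `ssh debian-server` login before closing it.
sshd -t && systemctl restart sshd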
Default Fail2ban configuration on Debian includes sensible defaults for ssh
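apt -y install fail2ban
# Jail options such as ignoreip belong in jail.d/, not fail2ban.d/:
# fail2ban.d/ only overrides the daemon settings from fail2ban.conf (log
# level, socket, db), so a [DEFAULT] ignoreip placed there never reaches
# the jails. Add the address or network you administer from to ignoreip as
# well, so a few mistyped passphrases cannot lock you out.
# NOTE(review): on Debian 12 without rsyslog there is no /var/log/auth.log;
# if the sshd jail fails to start, set `backend = systemd` here -- confirm
# against the fail2ban version on your release.
cat << 'EOF' > /etc/fail2ban/jail.d/local.conf
[DEFAULT]
# Whitelist known hosts
ignoreip = 127.0.0.1/8 ::1
EOF
systemctl enable --now fail2ban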
msmtp for sending notification emails
apt -y install msmtp-mta bsd-mailx
NOTE: Make sure to configure this with your own MTA relay settings.
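# Create /etc/msmtprc with its final owner/group/mode *before* the relay
# password is written into it, so it is never world-readable even briefly
# (cat > file would otherwise create it with the umask, typically 0644).
# The msmtp group exists on Debian (the original chown relied on it),
# presumably so the msmtp binary can read the file while root keeps
# ownership -- confirm with `ls -l $(command -v msmtp)`.
# The password is stored in clear text; msmtp's passwordeval directive can
# obtain it from an external command instead if that suits your setup.
install -m 0640 -o root -g msmtp /dev/null /etc/msmtprc
cat << 'EOF' > /etc/msmtprc
# Set default values for all following accounts.
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
syslog LOG_MAIL
account your-mta
host mail.domain.test
port 587
tls_starttls on
from no-reply@domain.test
user no-reply@domain.test
password YOURPASSWORD
# Set a default account
account default: your-mta
aliases /etc/aliases
EOF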
/etc/aliases file
NOTE: Make sure to configure a proper email address.
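# Catch-all alias: mail for any local user (root included) is delivered to
# this address via the aliases file referenced in /etc/msmtprc.
# Note that this overwrites any existing /etc/aliases.
cat << 'EOF' > /etc/aliases
default: hostmaster@domain.test
EOF
# Enable and start in one step, the same form used for fail2ban above.
systemctl enable --now msmtpd.service
# Smoke test: the message should arrive at the hostmaster address above.
printf 'Subject: msmtp test\n\nHello there!' | msmtp -a default root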
# Automatic security updates; dpkg-reconfigure prompts to enable the periodic run.
apt -y install unattended-upgrades
dpkg-reconfigure unattended-upgrades
# Reports package changelogs on upgrade (can mail them through the MTA set up above).
apt -y install apt-listchanges
# Service/file/disk monitoring, configured below.
apt -y install monit
# Global monit settings: poll every 120 s after a 60 s start delay, send
# alerts to hostmaster through the SMTP listener on localhost (msmtpd,
# enabled above), and expose the monit HTTP interface -- which the monit
# command line client also uses -- on loopback only, to localhost clients.
cat << 'EOF' > /etc/monit/conf.d/local
set daemon 120
with start delay 60
set mail-format { from: monit@debian-server.domain.test }
set alert hostmaster@domain.test
set mailserver localhost
set httpd port 2812 and
use address localhost and
allow localhost
EOF
# Monit checks for sshd and the files it depends on. The process check
# restarts sshd (Debian's unit is ssh.service) when port 22 on localhost
# stops answering the SSH protocol, and times out after 5 restarts within
# 5 cycles. The file checks include Debian's monit templates
# (/etc/monit/templates/*), which carry the ownership/permission rules --
# review their contents on your release. Note that sshd_ecdsa_key and
# sshd_ed25519_key are checked but, unlike sshd_rsa_key, are not listed
# under "depend on" for the process check.
cat << 'EOF' > /etc/monit/conf.d/ssh
check process sshd matching /usr/sbin/sshd
group system
group sshd
start program = "/usr/bin/systemctl start ssh"
stop program = "/usr/bin/systemctl stop ssh"
if failed host localhost port 22 with proto ssh then restart
if 5 restarts with 5 cycles then timeout
depend on sshd_bin
depend on sftp_bin
depend on sshd_rc
depend on sshd_rsa_key
check file sshd_bin with path /usr/sbin/sshd
group sshd
include /etc/monit/templates/rootbin
check file sftp_bin with path /usr/lib/openssh/sftp-server
group sshd
include /etc/monit/templates/rootbin
check file sshd_rsa_key with path /etc/ssh/ssh_host_rsa_key
group sshd
include /etc/monit/templates/rootstrict
check file sshd_ecdsa_key with path /etc/ssh/ssh_host_ecdsa_key
group sshd
include /etc/monit/templates/rootstrict
check file sshd_ed25519_key with path /etc/ssh/ssh_host_ed25519_key
group sshd
include /etc/monit/templates/rootstrict
check file sshd_rc with path /etc/ssh/sshd_config
group sshd
include /etc/monit/templates/rootrc
EOF
# Alert when the root filesystem passes 80% space usage.
cat << 'EOF' > /etc/monit/conf.d/disk
check device root with path /
if SPACE usage > 80% then alert
EOF
# Re-read the configuration so the new conf.d checks take effect.
monit reload
# Conveniences: btop (resource monitor), molly-guard (asks for the hostname
# before a shutdown/reboot issued over SSH), etckeeper (keeps /etc under
# version control; installing it before the edits above would have recorded them).
apt -y install btop molly-guard etckeeper