# Debian

- [Debian](#debian)
  - [Setup SSH](#setup-ssh)
  - [Fail2Ban](#fail2ban)
  - [Automatic Updates](#automatic-updates)
  - [Extras](#extras)

Note these instructions differentiate between an `operator` and a `server`. The operator can be any machine that configures the server. A pipeline, laptop, dedicated server, etc. are all options. The server can be its own operator, though that's not recommended since servers should be ephemeral and the operator will store information about each server.

## Setup SSH

On the operator:

```bash
export SSH_HOST=kube
ssh-keygen -t rsa -b 4096 -C ducoterra@${SSH_HOST}.reeselink.com -f ~/.ssh/id_${SSH_HOST}_rsa

# Note: If you get "too many authentication failures" it's likely because you have too many private
# keys in your ~/.ssh directory. Use `-o PubkeyAuthentication=no` to fix it.
ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_${SSH_HOST}_rsa.pub ducoterra@${SSH_HOST}.reeselink.com

ssh -i ~/.ssh/id_${SSH_HOST}_rsa -o 'PubkeyAuthentication=yes' ducoterra@${SSH_HOST}.reeselink.com
```

On the server:

```bash
# Copy authorized_keys to root (create /root/.ssh first if it does not exist)
sudo install -d -m 700 /root/.ssh
sudo cp ~/.ssh/authorized_keys /root/.ssh/authorized_keys

# Change your password
passwd

sudo su -

# Disable password logins over SSH
echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf

# Allow members of the sudo group to run sudo without a password
echo '%sudo ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-sudo

systemctl restart ssh
```

On the operator:

```bash
cat <<EOF >> ~/.ssh/config

Host $SSH_HOST
    Hostname ${SSH_HOST}.reeselink.com
    User root
    ProxyCommand none
    ForwardAgent no
    ForwardX11 no
    Port 22
    KeepAlive yes
    IdentityFile ~/.ssh/id_${SSH_HOST}_rsa
EOF

# Test if you can SSH with a password (expected to fail now that PasswordAuthentication is disabled)
ssh -o PubkeyAuthentication=no ducoterra@${SSH_HOST}.reeselink.com

# Test that you can log into the server with ssh config
ssh $SSH_HOST
```

## Fail2Ban

On the server:

```bash
apt update
apt install -y fail2ban
```

Edit `/etc/fail2ban/jail.d/defaults-debian.conf` and add `backend = systemd`

```conf
[sshd]
enabled = true
# Add backend
backend = systemd
```

Enable the service

```bash
systemctl enable fail2ban --now
```

## Automatic Updates

On the server:

```bash
apt install -y unattended-upgrades

systemctl enable --now unattended-upgrades.service
```

## Extras

On the server:

```bash
# Install glances for system monitoring
apt install -y glances net-tools vim

# Install zsh with autocomplete and suggestions
apt install -y zsh zsh-autosuggestions zsh-syntax-highlighting

cat <<EOF > ~/.zshrc
# Basic settings
autoload bashcompinit && bashcompinit
autoload -U compinit; compinit
zstyle ':completion:*' menu select

# Prompt settings
autoload -Uz promptinit
promptinit
prompt redhat
PROMPT_EOL_MARK=

# Syntax Highlighting
source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh

### Custom Commands and Aliases ###
EOF

chsh -s $(which zsh) && chsh -s $(which zsh) ducoterra

# Cockpit
apt install -y cockpit
systemctl enable --now cockpit
```
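
An added example, not part of the original instructions: a check for the Setup SSH hardening that reads `sshd -T` output (the effective server configuration) and fails unless password logins are off and key logins are on. It also checks keyboard-interactive authentication, which can still prompt for a password through PAM if left enabled. The function names, the `--live` flag and the sample inputs are constructed for illustration, and the key names are assumed to match what the server's `sshd -T` prints.

```shell
#!/bin/sh
# Added example (not from the original page): audit `sshd -T` output on stdin.

# Prints one OK/FAIL/MISSING line per setting; returns 0 only if all pass.
audit_sshd() {
    awk '
        BEGIN {
            # Values required for key-only logins.
            want["passwordauthentication"]       = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["pubkeyauthentication"]         = "yes"
        }
        # sshd -T prints lowercase "key value" lines; keep the first value seen.
        ($1 in want) && !($1 in seen) { seen[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen))            { print "MISSING " k; bad = 1 }
                else if (seen[k] != want[k]) { print "FAIL " k "=" seen[k] " (want " want[k] ")"; bad = 1 }
                else                         { print "OK " k "=" seen[k] }
            }
            exit bad
        }
    '
}

# Constructed sample: excerpt of `sshd -T` after the drop-in took effect.
sample_hardened() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no' 'usepam yes'
}

# Constructed sample: drop-in not applied, keyboard-interactive also enabled.
sample_weak() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication yes' 'usepam yes'
}

# On the server, as root: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    sshd -T | audit_sshd
fi
```

A `MISSING` line means the setting was not in the output at all, which is reported as a failure rather than assumed safe.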