# Secure a Debian server

## Deny ping response

In the file /etc/ufw/before.rules, add this line after the "ok icmp codes for INPUT" comment:

> -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

## Restricting SSH default behaviour

In the file /etc/ssh/sshd_config or /etc/sshd_config, set the following, replacing $SSH_PORT with your custom SSH port:

> Port $SSH_PORT
> AddressFamily inet
> ChallengeResponseAuthentication no
> PasswordAuthentication no
> UsePAM no
> PermitRootLogin no

```bash
# Apply changes
systemctl restart sshd
```

## Enabling security features

In the file /etc/sysctl.conf, uncomment or add the lines:

> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv6.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv6.conf.all.accept_source_route = 0
> net.ipv4.conf.all.log_martians = 1
> net.ipv4.conf.all.arp_notify = 1

```bash
# Apply changes
sysctl -p
```

## Prevent IP Spoof

In the file /etc/host.conf, add or change the lines:

> order bind,hosts
> multi on
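
## Checking the settings

An added example, not part of the original page: a POSIX shell audit that compares a sshd_config and a sysctl.conf against the values listed in the SSH and sysctl sections above. The function names (`sshd_value`, `sysctl_value`, `audit`) are hypothetical, and the script assumes whitespace-separated sshd keywords and reads only the named files (no Include files, global section before any Match block).

```shell
#!/bin/sh
# Added example: audit files against the values listed on this page.

# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.
# The lookup stops at the first Match block (global section only).
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }' "$1"
}

# sysctl applies lines in order, so the LAST assignment of a key wins.
sysctl_value() {  # $1 = sysctl.conf path, $2 = key
    awk -F= -v k="$2" '/^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/[ \t]/, "", v) }
        END { if (v != "") print v }' "$1"
}

# Print one line per setting that deviates from the page; silent when compliant.
audit() {  # $1 = sshd_config path, $2 = sysctl.conf path
    for pair in AddressFamily:inet ChallengeResponseAuthentication:no \
                PasswordAuthentication:no UsePAM:no PermitRootLogin:no; do
        got=$(sshd_value "$1" "${pair%%:*}")
        [ "$got" = "${pair#*:}" ] ||
            echo "sshd_config: ${pair%%:*} is '${got:-unset}', expected ${pair#*:}"
    done
    for pair in net.ipv4.conf.default.rp_filter:1 net.ipv4.conf.all.rp_filter:1 \
                net.ipv4.conf.all.accept_redirects:0 net.ipv6.conf.all.accept_redirects:0 \
                net.ipv4.conf.all.send_redirects:0 net.ipv4.conf.all.accept_source_route:0 \
                net.ipv6.conf.all.accept_source_route:0 net.ipv4.conf.all.log_martians:1 \
                net.ipv4.conf.all.arp_notify:1; do
        got=$(sysctl_value "$2" "${pair%%:*}")
        [ "$got" = "${pair#*:}" ] ||
            echo "sysctl.conf: ${pair%%:*} is '${got:-unset}', expected ${pair#*:}"
    done
}

# Audit the live files when run directly on a server (skipped if they are absent).
if [ -r /etc/ssh/sshd_config ] && [ -r /etc/sysctl.conf ]; then
    audit /etc/ssh/sshd_config /etc/sysctl.conf
fi
```

A setting reported as unset was not found in the file at all, which means the daemon or kernel default applies. For sshd, `sshd -T` run as root prints the effective configuration and is the authoritative cross-check.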