# Secure a Debian server

## Deny ping response

In the file `/etc/ufw/before.rules`, add the following line directly after the "ok icmp codes for INPUT" comment, so that it is evaluated before the ACCEPT rules in that block:

> -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

## Restricting SSH default behaviour

In the file `/etc/ssh/sshd_config` or `/etc/sshd_config`, set the following, replacing `$SSH_PORT` with your custom port:

> Port $SSH_PORT # Custom SSH port
> AddressFamily inet
> ChallengeResponseAuthentication no
> PasswordAuthentication no
> UsePAM no
> PermitRootLogin no

```bash
# Apply changes
systemctl restart sshd
```
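
A check for a pitfall with the settings above, added here as an example and not part of the original page: sshd keeps the first value it reads for each keyword, so a hardened line appended below an existing one has no effect. The function names `first_value` and `audit_sshd_config` and the sample configuration are constructed for illustration.

```shell
# Added example: audit an sshd_config-style file against the settings above.
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.

# Expected "keyword value" pairs from this section (Port is site-specific).
EXPECTED='addressfamily inet
challengeresponseauthentication no
passwordauthentication no
usepam no
permitrootlogin no'

# first_value FILE KEYWORD: print the first global value of KEYWORD, lowercased.
# Assumes whitespace-separated "Keyword value" lines; Include files are not followed.
first_value() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/   { next }   # blank lines and comments
        tolower($1) == "match" { exit }   # Match blocks are conditional, stop here
        tolower($1) == want    { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per finding, return the finding count.
audit_sshd_config() {
    findings=0
    while read -r key want; do
        got=$(first_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', effective '${got:-unset}'"
            findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$findings"
}

# Constructed sample: the hardened PasswordAuthentication line comes too late.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
AddressFamily inet
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On a live host, `sshd -t` validates the file before the restart and `sshd -T` prints the effective configuration, including defaults and included files.
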

## Enabling security features

In the file `/etc/sysctl.conf`, uncomment or add the following lines:

> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv6.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv6.conf.all.accept_source_route = 0
> net.ipv4.conf.all.log_martians = 1
> net.ipv4.conf.all.arp_notify = 1

```bash
# Apply changes
sysctl -p
```

## Prevent IP spoofing

In the file `/etc/host.conf`, add or change the following lines:

> order bind,hosts
> multi on