After installing your operating system, you will want to clean up a bit some pre-installed applications
$ apt-get -q -y remove --purge portmap $ apt-get -q -y remove --purge apache2* $ apt-get -q -y remove --purge bind9 $ apt-get -q -y remove --purge samba* $ apt-get -q -y remove --purge nscd $ invoke-rc.d sendmail stop $ apt-get -q -y remove --purge sendmail*
$ adduser javaguyAnd fill up accordingly.
If your desktop user has no SSH key yet, do the following on your desktop:
$ ssh-keygen
And upload your keys to the server
$ ssh-copy-id javaguy@server-ip-address
After that, you can test to login to the server without supplying any password
$ ssh javaguy@server-ip-address
For security by obscurity, you will want to change the SSH port of your server to a very high value. E.g. 66155 or any very high number less than 65535. This is how you do it.
$ sed -i "/Port/cPort 66155" /etc/ssh/sshd_config
Then disable root login and password based login:
$ sed -i "/PermitRootLogin/cPermitRootLogin no" /etc/ssh/sshd_config $ sed -i "/PasswordAuthentication/cPasswordAuthentication no" /etc/ssh/sshd_config
Restart ssh server to take effect:
$ server ssh restart
You can test connection by:
$ ssh javaguy@server-ip-address -p 66155
You may want to edit your desktop ssh config file, to define the new port to connect to in the server. Edit $HOME/.ssh/config and add the following:
Host server-ip-address-or-domain-name Port 66155
And then try to connect without supplying the port.
$ ssh javaguy@server-ip-address
Create the files to contain the rules. Create a file /etc/iptables.rules with this contents:
*filter # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic -A OUTPUT -j ACCEPT # Allows SSH connections to our new ssh port -A INPUT -p tcp --dport 66155 -j ACCEPT # Open Other TCP Ports (like 80 if you will install a webserver). add more lines like this and change 80 to the port number that you like -A INPUT -p tcp --dport 80 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
Apply it:
$ iptables -F $ /sbin/iptables-restore < /etc/iptables.rules
Setup to automatically apply the firewall rules on start up of the server. Create /etc/network/if-pre-up.d/iptables with this contents:
#!/bin/sh /sbin/iptables-restore < /etc/iptables.rules
And then make it executable:
$ chmod +x /etc/network/if-pre-up.d/iptables