Debian security setup
Restrict ports
- Edit /etc/nftables.conf so that it contains the ruleset below. The input chain defaults to drop and admits only loopback, ICMP, SSH on TCP 2047 and HTTP/HTTPS. The port in the SSH rule must match the Port directive sshd is configured with (2047 in the "Configure SSH" section), otherwise new SSH sessions are blocked.

  #!/usr/sbin/nft -f
  flush ruleset
  table inet filter {
      chain input {
          type filter hook input priority 0; policy drop;

          # 1. Essential: allow replies to connections this host already has,
          #    and drop packets that belong to no known connection
          ct state { established, related } accept
          ct state invalid drop

          # 2. Loopback and ICMP (ping, IPv6 neighbour and router discovery)
          iifname "lo" accept
          icmp type echo-request accept
          icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

          # 3. SSH on port 2047 with basic rate limiting of new connections:
          #    a burst of 10, then 2 per minute. The limit is global, not per
          #    source address, so a flood from one client also delays others.
          tcp dport 2047 ct state new limit rate 2/minute burst 10 packets accept

          # 4. Web services
          tcp dport { 80, 443 } ct state new accept
      }
      chain forward {
          type filter hook forward priority 0; policy drop;
      }
      chain output {
          type filter hook output priority 0; policy accept;
      }
  }
- Then run the following as root. Do it from a session you keep open: an existing SSH connection normally survives the policy change through the established/related rule, but new connections are accepted only on the ports listed above, so until sshd listens on 2047 you cannot open a second session. Confirm that a fresh SSH login on port 2047 works before logging out.

  # check the syntax of the ruleset without loading it
  nft -c -f /etc/nftables.conf
  # load the ruleset into the kernel ("flush ruleset" replaces whatever is active)
  nft -f /etc/nftables.conf
  # start the service at boot; on Debian, nftables.service loads /etc/nftables.conf
  systemctl enable nftables
  # start the service immediately (re-applies the same file)
  systemctl start nftables
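The two ways this step goes wrong are a firewall that opens a different port than sshd listens on, and a ruleset that cuts off the only session you have. The script below is an added example, not part of the original guide. It refuses to load /etc/nftables.conf unless some "tcp dport ... accept" rule in it lists the port configured in /etc/ssh/sshd_config, and after loading it restores the previous ruleset automatically unless you confirm, from a new SSH session, that the rules work. The file paths, the 120-second timeout and the --apply flag are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original guide): load /etc/nftables.conf without
# locking yourself out. Paths, the --apply flag and the 120 s timeout are
# assumptions; adjust them to your host.
set -eu

# Port from the first active "Port" line of an sshd_config file (22 if none).
# This reads only the given file; on a live host `sshd -T` is authoritative,
# because a drop-in under /etc/ssh/sshd_config.d/ can override this file.
sshd_port_from_config() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Succeeds when a non-comment "tcp dport ... accept" rule in the nftables file
# lists the port, either as a single value (tcp dport 2047) or inside an
# anonymous set (tcp dport { 80, 443 }). Named sets and ranges are not parsed.
nft_accepts_tcp_port() {
    awk -v want="$2" '
        !/^[[:space:]]*#/ && /tcp dport/ && /accept/ {
            spec = $0
            sub(/.*tcp dport[[:space:]]*/, "", spec)   # keep the text after "dport"
            if (spec ~ /^\{/) {                         # set form: { a, b }
                sub(/^\{/, "", spec); sub(/\}.*/, "", spec)
            } else {                                    # single port
                sub(/[[:space:]].*/, "", spec)
            }
            gsub(/[[:space:]]/, "", spec)
            n = split(spec, ports, ",")
            for (i = 1; i <= n; i++)
                if (ports[i] == want) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Load CONF, then revert to the previous ruleset after TIMEOUT seconds unless
# the operator presses Enter. The watchdog ignores SIGHUP so that it keeps
# running when the terminal that started it is lost, which is the failure
# case it exists for. The saved ruleset starts with "flush ruleset" so that
# re-loading it replaces, rather than merges with, the new rules.
apply_with_rollback() {
    conf=$1; timeout=$2
    [ -t 0 ] || { echo "apply_with_rollback needs an interactive terminal" >&2; return 1; }
    backup=$(mktemp)
    { echo "flush ruleset"; nft list ruleset; } > "$backup"
    nft -c -f "$conf"
    nft -f "$conf"
    ( trap '' HUP; sleep "$timeout"; nft -f "$backup" && touch "$backup.reverted" ) &
    watchdog=$!
    printf 'Ruleset loaded. Open a NEW ssh session to test it, then press Enter here within %ss to keep it: ' "$timeout"
    read -r _ || true
    kill "$watchdog" 2>/dev/null || true
    if [ -e "$backup.reverted" ]; then
        echo "no confirmation within ${timeout}s; previous ruleset restored"
        return 1
    fi
    echo "new ruleset kept; previous one saved in $backup"
}

# Entry point: sh nft-apply.sh --apply   (does nothing when sourced for tests)
if [ "${1:-}" = "--apply" ]; then
    port=$(sshd_port_from_config /etc/ssh/sshd_config)
    if ! nft_accepts_tcp_port /etc/nftables.conf "$port"; then
        echo "refusing to load: sshd is configured for port $port but /etc/nftables.conf does not accept it" >&2
        exit 1
    fi
    apply_with_rollback /etc/nftables.conf 120
fi
```

Run it with --apply before closing your session; if the new rules block SSH, the watchdog puts the old ruleset back after the timeout and you can reconnect. The port check deliberately reads the configured port rather than the listening one, so it also catches the ordering problem in this guide: if sshd_config still says Port 22 (or has no Port line) when you load a ruleset that only accepts 2047, the script stops.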
Configure SSH
Run the following as root to harden sshd. It edits /etc/ssh/sshd_config in place. On Debian 12 and later that file begins with "Include /etc/ssh/sshd_config.d/*.conf", and sshd uses the first value it reads for each keyword, so a drop-in in that directory (installers and provisioning tools place files there) silently overrides the lines below; check the effective configuration with sshd -T after restarting. Keep your current session open and test a new login on port 2047 before closing it.

  # Set custom port (must match the SSH rule in /etc/nftables.conf)
  sed -i 's/^#\?Port .*/Port 2047/' /etc/ssh/sshd_config
  # Only offer the Ed25519 host key: comment out every other active HostKey line,
  # then add the Ed25519 one if it is not already present (idempotent on re-runs).
  # With no HostKey directive at all, sshd would load the RSA, ECDSA and Ed25519 keys.
  sed -i '\|^HostKey /etc/ssh/ssh_host_ed25519_key$|!s|^HostKey /etc/ssh/ssh_host_.*_key|# &|' /etc/ssh/sshd_config
  grep -q '^HostKey /etc/ssh/ssh_host_ed25519_key$' /etc/ssh/sshd_config \
      || echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config
  # Disable password authentication (keys only)
  sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
  # Disable empty passwords
  sed -i 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
  # Root may log in with a key only; this does not disable root login, use "no" for that
  sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
  # Enable public key authentication (on by default, made explicit here)
  sed -i 's/^#\?PubkeyAuthentication .*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
  # Verify syntax, then restart (ssh.service is the unit name on Debian; sshd is an alias)
  sshd -t && systemctl restart ssh
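Because of the Include drop-ins, grepping sshd_config tells you what you wrote, not what sshd enforces. The authoritative source is `sshd -T`, which prints the effective value of every keyword, one per line, with lowercase keywords. The checker below is an added example, not part of the original guide: it reads an `sshd -T` dump and reports every setting that differs from the values set above, and flags any host key other than Ed25519 (with the default commented-out HostKey lines, Debian's sshd -T lists three host keys). The script name and the --check flag are assumptions; run sshd -T as root so it can read the host keys.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the settings above are in
# effect by checking `sshd -T` output.  Usage:  sshd -T | sh check-sshd.sh --check
# The expected values mirror the sed edits above; the script name is an assumption.
set -eu

# Reads an `sshd -T` dump from the file named as argument (stdin if none),
# prints one line per deviation and returns 1 if there is any. Returns 0 when
# every expected keyword has the wanted value and Ed25519 is the only HostKey.
check_sshd_effective() {
    awk '
        BEGIN {
            want["port"] = "2047"
            want["passwordauthentication"] = "no"
            want["permitemptypasswords"] = "no"
            want["permitrootlogin"] = "prohibit-password"
            want["pubkeyauthentication"] = "yes"
        }
        # OpenSSH treats without-password and prohibit-password as synonyms and
        # sshd -T may print either, so normalise both to the newer spelling.
        function norm(v) { return v == "without-password" ? "prohibit-password" : v }
        $1 == "hostkey" {
            nhost++
            if ($2 !~ /\/ssh_host_ed25519_key$/) { printf "unexpected host key: %s\n", $2; bad = 1 }
            next
        }
        ($1 in want) {
            seen[$1] = 1
            if (norm($2) != want[$1]) { printf "%s is %s, expected %s\n", $1, $2, want[$1]; bad = 1 }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "%s missing from sshd -T output\n", k; bad = 1 }
            if (nhost != 1) { printf "expected exactly one HostKey, found %d\n", nhost + 0; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$@"
}

# Entry point: with --check, read the dump from the remaining argument or stdin.
if [ "${1:-}" = "--check" ]; then
    shift
    check_sshd_effective "$@"
fi
```

A non-zero exit with lines such as "passwordauthentication is yes, expected no" means a drop-in under /etc/ssh/sshd_config.d/ is overriding the edit; fix it there (or in a drop-in that sorts before it) rather than by editing sshd_config again.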