Small process when we get a new installed with more eye-candy staff and security.

Core configuration

Locales configuration

To setup the appropates locales on the system: the one that will be available for the users.

# dpkg-reconfigure locales

Select the local according to the language you want and the different encodings. The more languages encoding you will selected the more time it will need to generate them and the more disk space it will use.

For example, to get French messages select the locales starting by fr_FR (French from France) for all encoding. The best encoding on Unix system is UTF-8. On the second screen select the default language and encoding that will be used by the system for example fr_FR.UTF-8, to get message in French by default.

Bash configuration

The creation of a new user take the default configuration files that are present in the /etc/skel/ folder. However, by default the root user do not get these files. Therefore to get a better bash shell for root with color prompt and auto-completion we have to copy the .bashrc manually:

# cp /etc/skel/.bashrc $HOME

By default the bash auto-completion is activated in that file.

To activate the color prompt uncomment the line 39:

39  #force_color_prompt=yes

to get

39  force_color_prompt=yes

Some commands can use color. To use it by default some alias could be activated in the lines 78 and following:

if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    alias dir='dir --color=auto'
    alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'

Logout and login again to get it active, or source it to get active in the current shell:

# source $HOME/.bashrc

Set a alias address for root account

By default all system email are send to the root user. However, to avoid uneeded root login it is a godd idea to redirect this email to an other account or address. For that we need to modify /etc/aliases so it contain the following line:


All email send to root will be send to this address.

Increase the security of the system

System upgrade

# aptitude update
# aptitude dist-upgrade

To receive by email automatically available system upgrade, you need to install apticron package

# aptitude install apticron

The message of possible upgrade will be send by email on a daily basis to root by default

fail2ban installation

fail2ban is a daemon that is monitoring connexion attempt and blacklist temporarily IP addresses after a certain amount of failed connexion from this IP. This prevent brute force attack s, that try all possible password to enter the system.

# aptitude install fail2ban

To configure it you have to edit the /etc/fail2ban/fail.conf file. Several modules are available for fail2ban and to activate them you need to go to the end of the configuration file (around the line 74). Each module is called a JAIL.

Each JAIL is setup the same way, like for example for ssh:

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

Its name is in between [], and the option enable is set to true to activate it. The port that have to be monitored is set with the port option, like the log file (logpath) and the filter to use to interpret it (filter). Finally the number of error that is allowed before an IP ban (maxretry).

By default the ssh JAIL is activated. The pam-generic JAIL allow to block the user after error on the PAM module. The ssh-ddos JAIL to protect against deny of service attacks.

To take into account the new configuration you need to restart the service with the following command:

# service fail2ban restart

rkhunter installation

It is a software that search for rootkit by searching for modification of main programs compared to safe stat and signature and to identify already known rootkits.

# aptitude install rkhunter

debsecan installation

Check for security alerts on the web in relation with the system.

# aptitude install debsecan

To configure it run

# dpkg-reconfigure debsecan

Select the correct distribution, so the alert will be in relation to it.

debsecan web site

Firewall configuration with ferm

See the corresponding article about ferm

SSH connexion limitation

Do not deactivate the SSH connexion for the root user without any other account on the system: you will not be able to connect to the server anymore.

First create a user (admin in this example) that will be able to connect as root after the deactivation of the SSH connexion for root user.

# adduser admin

When configured, the SSH connexion for root user can be deactivated in the /etc/ssh/sshd_config file:

26  PermitRootLogin no

Restart SSH server to take it into account.

# /etc/init.d/ssh restart

Limitation of the su command only to certain users

It is highly suggested to keep a connected root console on the server until the configuration is working et to confirmed that we can become root before closing it. In case of error, it might prevent any connexion as root.

The su command allow to change user in a console to execute a program. The main case is the switch to root for administration tasks. However, it could be nice to limit this possibility to certain user. By default su can be executed by any user, assuming he knows the password of the targeted user. It is possible to limit this possibility to a particular group by modifying the PAM configuration file of su (/etc/pam.d/su). The following should be uncommented:

15  auth       required

By default, the user should belong to the root group to be able to use su. Historically, the super-user group is called wheel therefore the name of the PAM module (see [[!wikipedia Wheel_(Unix_term)]] for more info). It is possible to change the wheel group to consider by adding the group=group_name option to the command. Therefore to set the adm group as wheel group:

15  auth       required group=adm

Then you just have to add the user you want to allow to connect as root in the correct group. For example to add the admin user to the root group:

# adduser admin root