A list of the first commands I run on a new Debian LXC to homogenize and secure my new environment.
Utilities
apt update && apt upgrade -y && apt install curl nano openssl rsync fail2ban unattended-upgrades apt-listchanges lm-sensors command-not-found sudo -yDon’t use root
It is critical that you don’t use root for SSH or for typical CLI tasks. I always create a new user for that reason.
useradd -m -g users -G sudo patrick
chsh -s /bin/bash patrick
passwd patrickEnable Fail2ban
sudo systemctl enable --now fail2ban && sudo systemctl status fail2ban
sudo fail2ban-client statusMake the CLI more fun
Add the following lines to add color to bash:
cat <<EOF >> /etc/bash.bashrc
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls \$LS_OPTIONS'
EOFSSH Configuration
I always disallow login for root over SSH and allow password logins for other users. To do this, edit /etc/ssh/sshd_config. You’re looking to uncomment and modify the following lines:
nano /etc/ssh/sshd_config# Authentication:
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 2
-----
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords noUse sudo without prompt (probably a bad idea)
To allow a user to execute sudo commands without being prompted for a password, create the following file.
nano /etc/sudoers.d/patrickpatrick ALL=(ALL) NOPASSWD: ALLOnce you’ve made the changes, you can restart the LXC and use SSH with your new user
Unattended Upgrades Configuration
Update every package by default
sudo sed -i '/Unattended-Upgrade::Origins-Pattern {/a\ "origin=*";' /etc/apt/apt.conf.d/50unattended-upgradesVerify the change
sudo head 50 /etc/apt/apt.conf.d/50unattended-upgrades