
LXC: First commands on a new Debian CT

A list of the first commands I run on a new Debian LXC to homogenize and secure my new environment.

Utilities

apt update && apt upgrade -y
apt install curl nano openssl rsync fail2ban unattended-upgrades apt-listchanges lm-sensors command-not-found sudo -y

Don’t use root

It is critical that you don’t use root for SSH or for typical CLI tasks. I always create a new user for that reason.

useradd -m -g users -G sudo patrick
chsh -s /bin/bash patrick
passwd patrick

Make the CLI more fun

nano /etc/bash.bashrc

Add the following lines to add color to bash:

export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'

SSH Configuration

I always disallow login for root over SSH and allow password logins for other users. To do this, edit /etc/ssh/sshd_config. You’re looking to uncomment and modify the following lines:

nano /etc/ssh/sshd_config

# Authentication:
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 2

-----

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
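
An added example (not from the original post) that audits an sshd_config-style file against the values above. The function names and the sample file are constructed for illustration; the script reads a single file and does not follow Include directives.

```shell
#!/bin/sh
# sshd keeps the FIRST value it reads for each keyword, so an earlier duplicate
# (or an Include'd drop-in read before your edit) silently overrides the edit.

# Print the first global (pre-"Match") value of keyword $2 in file $1.
sshd_first_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match"   { exit }   # Match blocks apply conditionally
        tolower($1) == want      { print tolower($2); exit }
    ' "$1"
}

# Compare file $1 with the values set on this page; return 1 on any mismatch.
audit_sshd_config() {
    rc=0
    for pair in permitrootlogin=no passwordauthentication=no \
                permitemptypasswords=no maxauthtries=6 maxsessions=2; do
        key=${pair%%=*}
        expected=${pair#*=}
        actual=$(sshd_first_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok    $key $actual"
        else
            echo "FAIL  $key is '${actual:-unset}', expected '$expected'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a stray early line shadows the edited one below it.
demo_dir=$(mktemp -d)
printf '%s\n' 'PermitRootLogin yes' '# Authentication:' 'LoginGraceTime 2m' \
    'PermitRootLogin no' 'StrictModes yes' 'MaxAuthTries 6' 'MaxSessions 2' \
    'PasswordAuthentication no' 'PermitEmptyPasswords no' \
    > "$demo_dir/shadowed.conf"
audit_sshd_config "$demo_dir/shadowed.conf" || echo "audit: fix the lines marked FAIL"
```

On a live system, `sshd -T` prints the effective configuration after all included files are read, which is the authoritative check before restarting the service.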

Use sudo without prompt

To allow a user to execute sudo commands without being prompted for a password, create the following file.

nano /etc/sudoers.d/patrick

patrick ALL=(ALL) NOPASSWD: ALL

Once you’ve made the changes, you can restart the LXC and use SSH with your new user.

Unattended Upgrades Configuration

Edit the following file.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Uncomment and change the following lines (lines marked + replace the lines marked -):

Unattended-Upgrade::Origins-Pattern {
+    "origin=*";
-    "origin=Debian,codename=${distro_codename}-updates";
-//  "origin=Debian,codename=${distro_codename}-proposed-updates";
-    "origin=Debian,codename=${distro_codename},label=Debian";
-    "origin=Debian,codename=${distro_codename},label=Debian-Security";
-    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

-    // Archive or Suite based matching:
-    // Note that this will silently match a different release after
-    // migration to the specified archive (e.g. testing becomes the
-    // new stable).
-//  "o=Debian,a=stable";
-//  "o=Debian,a=stable-updates";
-//  "o=Debian,a=proposed-updates";
-//  "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
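
Review bot: The "origin=*" pattern on the first + line replaces every Debian-specific entry, so unattended-upgrades will install updates from any APT source configured in the container, including third-party repositories added later. Consider keeping the two label=Debian-Security lines and listing each additional origin you trust explicitly instead of using a wildcard.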

<--->

+ Unattended-Upgrade::InstallOnShutdown "false";
- Unattended-Upgrade::InstallOnShutdown "true";

<--->

+ Unattended-Upgrade::Remove-Unused-Dependencies "true";
- Unattended-Upgrade::Remove-Unused-Dependencies "false";

+ Unattended-Upgrade::Automatic-Reboot "true";
- Unattended-Upgrade::Automatic-Reboot "false";
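
Review bot: Automatic-Reboot "true" in the last pair has no accompanying reboot time, so the container restarts as soon as an upgrade requires it, whatever is running. Consider adding Unattended-Upgrade::Automatic-Reboot-Time "02:00"; (or another maintenance window) next to it so reboots are predictable.
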
This post is licensed under CC BY 4.0 by the author.