a guest
May 26th, 2018
# From a fresh install
## 1) Update and upgrade as root
```
apt-get update && apt-get upgrade -y
```

* Set the hostname (skip if it was set during installation). The two files must agree: the 127.0.1.1 line in /etc/hosts maps the name to loopback so local lookups work without DNS, and the last line maps the public address (replace `yo.ur.ip.addy`) to the same name.

pico /etc/hosts
```
127.0.0.1 localhost
127.0.1.1 name.example.com name

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

yo.ur.ip.addy name.example.com
```

pico /etc/hostname
```
name.example.com
```
Debian's hostname(1) recommends the short name here, with the FQDN coming from the /etc/hosts alias above; either works as long as the two files agree. Reboot, or apply the change with hostnamectl, so the running system picks it up.
## 2) Disable SSH root login

* Add a user with sudo rights; this is the account you log in with from now on
```
adduser tommy
usermod -aG sudo tommy
```

* Disable root login
```
pico /etc/ssh/sshd_config
```

Change the port and disable root login. Moving the port off 22 only reduces scanner noise in the logs; the actual control is `PermitRootLogin no`. If a firewall is already in place, open the new port before restarting, and keep the session you are in open until the new login has been tested, because a broken sshd_config stops sshd from coming back. Running sshd -t first reports syntax errors without restarting anything.
```
Port 2210
PermitRootLogin no
```

* Restart sshd (the Debian/Ubuntu service is named ssh; sshd works as an alias on systemd hosts)
```
service ssh restart
```

* Open another local console/terminal and test the new login before closing the current one
```
ssh tommy@your-server -p 2210
```
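The same sshd_config change done from a script instead of an editor, as an added example that is not part of the original paste. It assumes POSIX sh and awk; the function names (`set_sshd_option`, `harden_sshd`, `demo_sshd_config`) and the scratch file layout are mine. The point it adds to the step above is the two things an editor session does not give you: the edit is idempotent (re-running it never produces duplicate or commented-out copies of a directive, and never pushes a global directive into a `Match` block), and the file is syntax-checked with `sshd -t` before the daemon is restarted.

```bash
#!/bin/sh
# Added example, not part of the original paste: edit sshd_config the way a
# script (rather than an editor) would, so the change is repeatable, and
# show how to verify it before restarting sshd.
# Assumptions: POSIX sh and awk; function and option names are my own.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." line (active, or commented out as "#KEY ...")
# to "KEY VALUE", drops later duplicates in the global section, and appends
# the directive if it is absent. Matching is case-insensitive, as in sshd.
# Lines inside a "Match" block are left untouched; if the directive has to be
# added, it goes in front of the first Match block, because a directive placed
# after one applies only to that block. Caveat: a prose comment that begins
# with the keyword ("# Port numbers ...") is treated as a commented-out copy.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0; inmatch = 0 }
        {
            if (tolower($1) == "match") {
                if (!done) { print key " " value; done = 1 }
                inmatch = 1
            }
            if (inmatch) { print; next }
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indentation and a leading "#"
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) {
                if (!done) { print key " " value; done = 1 }
                next                               # drop commented/duplicate copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_sshd_option FILE KEY
# Prints the value of the first active (uncommented) KEY line, nothing if unset.
get_sshd_option() {
    awk -v key="$2" 'BEGIN { lk = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == lk { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the two changes from step 2.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
}

# On the real host (as root): apply, syntax-check, restart, then test a new
# login from a second terminal before closing this one. "sshd -t" exits
# non-zero and names the offending line if the file is broken, so the
# restart never runs on a config that would keep sshd from starting.
apply_on_host() {
    harden_sshd /etc/ssh/sshd_config 2210 &&
    sshd -t -f /etc/ssh/sshd_config &&
    systemctl restart ssh
}

# Self-check on a scratch file laid out like a stock sshd_config, including a
# Match block that must survive unchanged. Prints "PORT ROOTLOGIN LINECOUNT".
demo_sshd_config() {
    tmp=$(mktemp)
    printf '%s\n' '#Port 22' '#PermitRootLogin prohibit-password' \
        'X11Forwarding yes' 'Match User deploy' \
        '    PasswordAuthentication no' > "$tmp"
    harden_sshd "$tmp" 2210
    printf '%s %s %s\n' "$(get_sshd_option "$tmp" Port)" \
        "$(get_sshd_option "$tmp" PermitRootLogin)" "$(awk 'END { print NR }' "$tmp")"
    rm -f "$tmp"
}

demo_sshd_config   # 2210 no 5
```

`apply_on_host` is the only function that touches the live system; the rest run against whatever path you pass, so the edit can be rehearsed on a copy of `/etc/ssh/sshd_config` first.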
  54.  
## 3) Install fail2ban
Install ntpdate, so the clock (and therefore the log timestamps fail2ban reads) stays correct, together with fail2ban
```
sudo apt-get -y install ntpdate fail2ban
```

Do not edit `jail.conf` directly: the package overwrites it on upgrade. Put overrides in `jail.local`, which is read after it and takes precedence.

sudo pico /etc/fail2ban/jail.local

Add an `[sshd]` section that points the jail at the new port (the stock `logpath` and `filter` values already apply; repeating them does no harm):
```
[sshd]

enabled = true
port = 2210
filter = sshd
logpath = %(sshd_log)s
maxretry = 3
```

* Restart fail2ban, then confirm with fail2ban-client status sshd that the jail is active and watching the right log
```
sudo service fail2ban restart
```
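What the `[sshd]` jail above actually decides, replayed over a constructed log, as an added example that is not part of the original paste. It assumes POSIX sh and awk; the seven auth.log lines are made up for the demo (they follow the stock OpenSSH message formats and all fall on one day, so the window is computed from the time-of-day field only), and the function names are mine. It models the counting rule, not fail2ban's full regex set: an address is banned when `maxretry` failures from it land inside `findtime` seconds (10 minutes by default in fail2ban).

```bash
#!/bin/sh
# Added example, not part of the original paste: replay the decision the
# [sshd] jail makes (maxretry failures from one address inside findtime
# seconds => ban) over a constructed auth.log excerpt, so you can see which
# addresses it would ban before pointing it at a live log.
# Assumptions: POSIX sh and awk; the log lines are made up for this demo and
# use the stock OpenSSH message formats; all lines fall on one day, so the
# window is computed from the HH:MM:SS field only.

SAMPLE_AUTH_LOG='May 26 10:01:02 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
May 26 10:01:05 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
May 26 10:01:09 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
May 26 10:02:10 srv sshd[1210]: Accepted publickey for tommy from 198.51.100.20 port 40022 ssh2
May 26 10:03:15 srv sshd[1215]: Invalid user oracle from 192.0.2.44 port 33000
May 26 10:03:18 srv sshd[1215]: Failed password for invalid user oracle from 192.0.2.44 port 33000 ssh2
May 26 10:05:01 srv sshd[1220]: Failed password for tommy from 198.51.100.20 port 40100 ssh2'

# banned MAXRETRY FINDTIME < log
# Prints "IP TIME" for each address whose MAXRETRY-th failure within a
# FINDTIME-second window would trigger a ban, sorted by address.
# Counted as failures: "Failed <method> for ..." and "Invalid user ..." lines,
# which the stock sshd filter also matches. Successful logins are simply not
# counted; a wrong password from a legitimate user counts like any other.
banned() {
    awk -v max="$1" -v findtime="$2" '
        function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        /sshd\[[0-9]+\]: (Failed [A-Za-z]+ for|Invalid user) / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            n[ip]++
            ts[ip, n[ip]] = secs($3)
            hits = 0                        # failures from ip inside the window ending now
            for (j = n[ip]; j >= 1 && ts[ip, n[ip]] - ts[ip, j] <= findtime; j--) hits++
            if (hits >= max && !(ip in ban)) ban[ip] = $3
        }
        END { for (ip in ban) print ip, ban[ip] }
    ' | sort
}

# Wrappers around the sample log for the jail values used above
# (maxretry = 3; findtime defaults to 10 minutes in fail2ban).
bans_with_defaults() { printf '%s\n' "$SAMPLE_AUTH_LOG" | banned 3 600; }
bans_with_window()   { printf '%s\n' "$SAMPLE_AUTH_LOG" | banned 3 "$1"; }

bans_with_defaults   # 203.0.113.7 10:01:09
```

With the jail's values only 203.0.113.7 is banned, at its third failure; 192.0.2.44 produced two failure lines (the "Invalid user" line and the password failure for that user) and stays under the threshold, and the one typo by `tommy` from 198.51.100.20 is harmless. Shrinking `findtime` to a few seconds makes the same three failures fall outside the window and nobody is banned, which is the knob to reach for if legitimate users keep locking themselves out.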
  78.  
## 4) Disable IPv6 and harden IPv4
The ip6tables policies below are a stopgap while IPv6 is still up; they are not saved across reboots, and the sysctl lines further down are what actually turn IPv6 off. Skip this section if you reach the host over IPv6. Moving the stock sysctl.conf aside replaces the distribution defaults with the list below, so keep the backup.
```
sudo ip6tables -P INPUT DROP
sudo ip6tables -P OUTPUT DROP
sudo ip6tables -P FORWARD DROP
sudo mv /etc/sysctl.conf /etc/sysctl.conf.bak
sudo pico /etc/sysctl.conf
```

Edit sysctl.conf with:
```
# Reverse-path filtering (anti-spoofing). 1 is strict and drops replies on
# asymmetrically routed multi-homed hosts; use 2 (loose) there
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Do not send ICMP redirects (only routers should)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# SYN flood mitigation: SYN cookies, a bigger half-open queue, fewer SYN-ACK
# retries. tcp_syn_retries = 5 is one below the kernel default of 6, so
# outbound connects to unresponsive hosts give up slightly sooner
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log packets with impossible source addresses (martians); do not log bogus
# ICMP error responses
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects (routing changes pushed from the network are not trusted)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore all ICMP echo requests. The host stops answering ping, which also
# blinds your own uptime monitoring; drop this line if you rely on ping
net.ipv4.icmp_echo_ignore_all = 1

# Disable IPv6 on every interface, including loopback
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
```

* Apply the config (no reboot needed; the same file is re-read at boot)
```
sudo sysctl -p
```
If you would rather not replace the stock file, the same lines can go into a new file under /etc/sysctl.d/, which is loaded with sysctl --system instead of sysctl -p.
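A check that the settings really are in effect, as an added example that is not part of the original paste. `sysctl -p` only reports keys it failed to write; a distribution file in /etc/sysctl.d/, a network service, or an interface that came up later can still leave the live value different from what the file says. The script reads each key in a sysctl file back from the kernel's /proc/sys view and reports every mismatch. It assumes POSIX sh, awk and tr; the function names are mine, and the optional second argument (a directory standing in for /proc/sys) exists only so the self-check can run against a scratch tree instead of a real kernel.

```bash
#!/bin/sh
# Added example, not part of the original paste: read every setting in a
# sysctl file back from the kernel (/proc/sys) and report the ones that did
# not take. "sysctl -p" reports write errors, but a later service, a distro
# file in /etc/sysctl.d, or a hot-plugged interface can still leave the live
# value different from what the file says.
# Assumptions: POSIX sh, awk and tr; the optional ROOT argument replaces
# /proc/sys so the self-check can run against a scratch tree.

# check_sysctl FILE [ROOT]
# Prints "key expected actual" for each mismatch ("(missing)" when the kernel
# has no such key) and returns 1; prints nothing and returns 0 if all match.
check_sysctl() {
    file=$1 root=${2:-/proc/sys}
    mismatches=$(
        # keep "key = value" lines only, normalised to "key value"
        awk -F'=' '/^[ \t]*$/ { next } /^[ \t]*[#;]/ { next } NF >= 2 {
                k = $1; v = $2
                gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print k, v
            }' "$file" |
        while read -r key expected; do
            # net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter
            # (interface names containing dots, e.g. VLAN "eth0.100", need the
            # slash form sysctl accepts; not handled here)
            path=$root/$(printf '%s' "$key" | tr . /)
            if [ -r "$path" ]; then
                actual=$(tr -s '\t' ' ' < "$path")   # multi-value keys are tab separated in /proc
            else
                actual='(missing)'
            fi
            [ "$actual" = "$expected" ] || printf '%s %s %s\n' "$key" "$expected" "$actual"
        done
    )
    [ -n "$mismatches" ] && printf '%s\n' "$mismatches"
    [ -z "$mismatches" ]
}

# Self-check against a scratch tree where one value was not applied and one
# key does not exist. Returns check_sysctl's status (1 here) and prints the
# two offending lines.
demo_sysctl_check() {
    dir=$(mktemp -d)
    mkdir -p "$dir/net/ipv4/conf/all"
    printf '1\n' > "$dir/net/ipv4/conf/all/rp_filter"
    printf '0\n' > "$dir/net/ipv4/tcp_syncookies"          # file says 1, "kernel" says 0
    cat > "$dir/wanted.conf" <<'EOF'
# IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_all = 1
EOF
    check_sysctl "$dir/wanted.conf" "$dir"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# On the host, after "sudo sysctl -p":  check_sysctl /etc/sysctl.conf
if demo_sysctl_check; then
    echo "all settings in effect"
else
    echo "some settings are not in effect (see lines above)"
fi
```

Run it as `check_sysctl /etc/sysctl.conf` after `sudo sysctl -p`, and again after a reboot: a key that is correct now but reported as a mismatch after rebooting means something later in the boot order is overriding your file.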
  136.  
## 5) Unattended security updates
This step keeps the server current with security updates without anyone logging in to apply them. Security updates usually have low impact, but as with any software change they can affect stability, so weigh that against the exposure of running unpatched. The `unattended-upgrades` package must be installed for the last line to do anything; Ubuntu ships it by default, and its own file `/etc/apt/apt.conf.d/50unattended-upgrades` selects which origins are applied (the security repositories, by default). These lines usually live in `20auto-upgrades`, but any file in `apt.conf.d` is read. To see what would be applied before trusting it, run unattended-upgrade with --dry-run --debug.

sudo pico /etc/apt/apt.conf.d/10periodic
```
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
```