Step 1: Initialize

sudo nano /etc/motd
sudo apt install -y fail2ban unattended-upgrades
sudo dpkg-reconfigure locales
sudo dpkg-reconfigure unattended-upgrades

Step 2: Remove the password prompt for sudo users

Run sudo visudo to make the change.

/etc/sudoers
## %sudo   ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) NOPASSWD:ALL

Step 3: Change package mirror

Remove all content from /etc/apt/sources.list, then create the following file.

/etc/apt/sources.list.d/debian.sources
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm bookworm-updates bookworm-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: https://security.debian.org/debian-security
Suites: bookworm-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Run sudo apt update to refresh the package index.

(Optional) Set a proxy for apt

/etc/apt/apt.conf.d/50proxy
Acquire::http::Proxy "socks5h://127.0.0.1:12345";
Acquire::https::Proxy "socks5h://127.0.0.1:12345";
Acquire::socks::Proxy "socks5h://127.0.0.1:12345";

Step 4: Set static IP

/etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
auto ens5
iface ens5 inet static
address IP/MASK
gateway GATEWAY
iface ens5 inet6 static
address IP/MASK
gateway GATEWAY

/etc/resolv.conf
nameserver 1.1.1.1
nameserver 2606:4700:4700::1111
nameserver 1.0.0.1
nameserver 2606:4700:4700::1001

Run the following to lock the resolver file and apply the network settings:

sudo chattr +i /etc/resolv.conf
sudo systemctl restart networking

Step 5: Harden sshd

/etc/ssh/sshd_config
Port PORT
LogLevel INFO
LoginGraceTime 20
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KerberosAuthentication no
GSSAPIAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 300
ClientAliveCountMax 2
PermitTunnel no
ChallengeResponseAuthentication no
DebianBanner no
Protocol 2

Run sudo systemctl restart sshd to apply the change.
Remember to open the chosen port in the firewall.
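The settings above only take effect if nothing sshd reads earlier sets the same keyword, because sshd keeps the first value it sees and Debian's stock sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf. The script below is an added example, not part of these notes: it emulates that read order over a constructed main file and drop-in directory (the temporary paths and the file name 50-cloud-init.conf are made up for the demo) and compares the effective values with the intended ones.

```shell
# Added example, not from the original notes. sshd uses the FIRST value it reads
# for each keyword, and Debian's stock sshd_config begins with an Include of
# /etc/ssh/sshd_config.d/*.conf, so a drop-in (cloud images often ship one) can
# silently override Step 5. This emulates that read order; live check: sudo sshd -T

# Emit "keyword value" lines in sshd's read order, following Include globs and
# stopping at the first Match block (lines after it are conditional, not global).
expand_sshd_config() {
    local file=$1 line key val f
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -f; set -- $line; set +f     # split words, no globbing: $1 = keyword
        [ $# -ge 1 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift; val=$*
        case $key in
            match)   return 0 ;;
            include) for f in $val; do expand_sshd_config "$f"; done ;;
            *)       printf '%s %s\n' "$key" "$val" ;;
        esac
    done < "$file"
}
# Effective value of a keyword (first occurrence wins); empty if never set.
sshd_effective() {  # $1 = main config file, $2 = keyword
    expand_sshd_config "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}
# Compare with the Step 5 intent; print each mismatch, return 1 if there is any.
check_sshd_hardening() {  # $1 = main config file
    local cfg=$1 rc=0 kv key want got
    for kv in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes \
              PermitEmptyPasswords=no MaxAuthTries=3 X11Forwarding=no AllowTcpForwarding=no; do
        key=${kv%%=*}; want=${kv#*=}; got=$(sshd_effective "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective='${got:-<unset>}' intended='$want'"; rc=1
        fi
    done
    return $rc
}

# Constructed demo in a temp dir: the hardened main config from Step 5 plus, for
# "with-dropin", a drop-in re-enabling password logins. Returns the check's status.
demo_sshd_check() {  # $1 = with-dropin | without-dropin
    local dir rc=0; dir=$(mktemp -d); mkdir -p "$dir/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPort 2222\nPermitRootLogin no\nPasswordAuthentication no\n' "$dir" > "$dir/sshd_config"
    printf 'PubkeyAuthentication yes\nPermitEmptyPasswords no\nMaxAuthTries 3\nX11Forwarding no\nAllowTcpForwarding no\n' >> "$dir/sshd_config"
    if [ "$1" = with-dropin ]; then printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"; fi
    check_sshd_hardening "$dir/sshd_config" || rc=$?
    rm -rf "$dir"; return $rc
}
```

Running demo_sshd_check with-dropin reports PasswordAuthentication as effectively yes even though the main file says no; the same check against the real /etc/ssh/sshd_config shows whether a drop-in on the host is undoing Step 5.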

Step 6: Set up fail2ban

/etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true
port = PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Run sudo systemctl enable --now fail2ban to enable and start the service.

Step 7: Enable BBR congestion control

sudo update-ca-certificates
wget "https://cdn.jsdelivr.net/gh/ylx2016/Linux-NetSpeed/tcpx.sh" -O tcpx.sh
chmod +x tcpx.sh
sudo ./tcpx.sh

Choose these options in order:

  • 21. System configuration optimization
  • 22. Apply optimization scheme 2
  • 24. Enable IPv6
  • 12. Enable BBR+FQ_PIE acceleration

Finally, reboot to apply the changes.