We will quickly recap all firsts security steps to install a Debian server quickly & cleanly. I will update these snippets over time,  keep in mind it's just snippets :).

Set user

# Server root : create & add to sudo
sudo adduser user
sudo usermod -aG sudo user

# Server root : enable ssh
sudo nano /etc/ssh/sshd_config
>> AllowUsers user

# Local user : create sshkey
cd .
ssh-keygen -t rsa -b 4096 -C "mail"
cat .ssh/id_rsa.pub 
# Local user : copy sshkey

# Server user : add sshkey
su user 
cd
mkdir .ssh
echo "ssh-rsa .... past" >> .ssh/authorized_keys
chmod -R go= ~/.ssh


# exit and try login with new user
ssh user@host

SSHD config

# Server user
sudo nano /etc/ssh/sshd_config
>> Port 22333
>> PermitRootLogin no
sudo /etc/init.d/ssh restart 

# exit and check connexion
ssh host -p 22333 -l user

Chmod

# Server user
sudo chmod o-x /usr/bin/apt-get
sudo chmod o-x /usr/bin/aptitude
sudo chmod o-x /usr/bin/dpkg

ZSH & ohmyzsh

# Server user
sudo apt-get install zsh curl git
sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

Custom term

# Server user
nano .zshrc
>> alias ls='ls $LS_OPTIONS --color=auto'
>> alias ll='ls $LS_OPTIONS -al --color=auto'
>> alias vi='vim'
 source .zshrc

Firewall

# Server user
sudo apt-get install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld 

# Select our content
sudo firewall-cmd --permanent --add-port=22333/tcp
sudo firewall-cmd --add-service={http,https} --permanent --zone=public
sudo firewall-cmd --add-service=openvpn --permanent

# list services preconf available 
sudo firewall-cmd --get-services
# list rules set
sudo firewall-cmd --list-all

  • or iptables
# Server user
sudo nano /etc/init.d/firewall


# Select our content

#!/bin/sh

# Vider les tables actuelles & règles personnelles
iptables -t filter -F
iptables -t filter -X

# Interdire toute connexion entrante et sortante
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# ---

# Ne pas casser les connexions etablies
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Autoriser loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (Ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# ---

# SSH In
iptables -t filter -A INPUT -p tcp --dport 22333 -j ACCEPT

# SSH Out
iptables -t filter -A OUTPUT -p tcp --dport 22333 -j ACCEPT

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

############################# WEB

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
 

############################# FTP

# FTP Out
#iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT

# FTP In
#modprobe ip_conntrack_ftp # ligne facultative avec les serveurs OVH
#iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
#iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

############################# MAIL

# Mail SMTP:25
#iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Mail POP3:110
#iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail IMAP:143
#iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Mail POP3S:995
#iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT

############################# Docker if no iptables option

#iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
#iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT

#iptables -t filter -A FORWARD -i eth0 -j ACCEPT
#iptables -t filter -A FORWARD -o eth0 -j ACCEPT

############################# OpenVPN

#iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT
#iptables -t filter -A OUTPUT -p udp --dport 1194 -j ACCEPT

# règles obligatoires pour ouvrir déverrouiller accès :
#iptables -I FORWARD -i tun0 -j ACCEPT
#iptables -I FORWARD -o tun0 -j ACCEPT
#iptables -I OUTPUT -o tun0 -j ACCEPT

# autres règles : Translation d'adresses
#iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.8.0.2/24 -o eth0 -j MASQUERADE
# Server user
sudo chmod +x /etc/init.d/firewall    
update-rc.d firewall defaults
# remove : update-rc.d firewall remove

Fail2ban

# Server user
sudo apt-get install fail2ban 
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local  
# change ssh = 22333
# change destemail = yourmail
sudo systemctl restart fail2ban

rkHunter

# Server user
sudo apt-get install rkhunter
sudo nano /etc/default/rkhunter
# change CRON_DAILY_RUN="yes"
# change CRON_DB_UPDATE="yes"
# change REPORT_EMAIL="yourmail"
sudo nano /etc/rkhunter.conf
# change UPDATE_MIRRORS=1
# change MIRRORS_MODE=0
# change WEB_CMD=""
sudo rkhunter --update 
sudo rkhunter -c

Glances

# Server user
curl -L https://bit.ly/glances | /bin/bash

+ format disk

# Server root
apt-get install fdisk
fdisk -l
fdisk /dev/sdx
#p show partitions
#d delete all
#n write one
#w save
mkfs.ext4 -b 4096 /dev/sdx1
mount /dev/sdbx /mnt/ddx
nano /etc/fstab
>> /dev/sdbx /mnt/ddx ext4 defaults,errors=remount-ro 0 1

+ OpenVpn easy script

# Server user
git clone https://github.com/Nyr/openvpn-install.git
cd openvpn-install 
chmod +x openvpn-install.sh 
sudo ./openvpn-install.sh 

+ Docker

# Server user
sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/debian \
   $(lsb_release -cs) \
   stable"
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
sudo usermod -aG docker user

+ Sendmail via Gmail (rkHunter / Fail2ban alerts)

# require a dedicated email gmail with Less secure app access activated
# Server root
apt-get install sendmail mailutils sendmail-bin 
mkdir -m 700 /etc/mail/authinfo/
cd /etc/mail/authinfo/
nano gmail-auth
>> AuthInfo: "U:root" "I:USER@gmail.com" "P:GMAIL_USER_PASSWORD"
makemap hash gmail-auth < gmail-auth
nano /etc/mail/sendmail.mc
>> dnl #
>> dnl # Defining Gmail Smarthost for sendmail
>> define(`SMART_HOST',`[smtp.gmail.com]')dnl
>> define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
>> define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
>> define(`confAUTH_OPTIONS', `A p')dnl
>> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 >> LOGIN PLAIN')dnl
>> FEATURE(`authinfo',`hash -o /etc/mail/authinfo/gmail-auth.db')dnl
>> dnl #
>> dnl # Default Mailer setup
>> MAILER_DEFINITIONS
>> MAILER(`local')dnl
>> MAILER(`smtp')dnl
make -C /etc/mail
/etc/init.d/sendmail reload
echo "This is a test for sendmail gmail relay" | sendmail test-user@gmail.com