Hetzner Cloud Debian Basic Configuration

MOTD

The motd file holds a message that is displayed after a successful login; motd stands for "message of the day":

vi /etc/motd
*******************************************************************

       This computer system is for authorized users only.

All activity is logged and regularly checked by systems personnel.
Individuals using this system without authority or in excess of
their authority are subject to having all their services revoked.
Any illegal services run by user or attempts to take down this
server or its services will be reported to local law enforcement,
and said user will be punished to the full extent of the law.
Anyone using this system consents to these terms.

*******************************************************************

SSH

For the SSH service, root login must be disabled and users may only authenticate with the public-key method; also disable DNS resolution and allow only strict cipher algorithms (elements marked in red are changes, add the rest as new):

vi /etc/ssh/sshd_config
# Authentication:
Port 32869
PermitRootLogin no
PasswordAuthentication no

Add the following at the very bottom of the SSHD configuration:

# Specifies whether sshd(8) should look up the remote host name and
# check that the resolved host name for the remote IP address maps
# back to the very same IP address.
UseDNS no
 
# Specifies the ciphers allowed for protocol version 2. Multiple
# ciphers must be comma-separated.
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
 
# Specifies the available MAC (message authentication code)
# algorithms.  The MAC algorithm is used in protocol version 2 for
# data integrity protection.  Multiple algorithms must be
# comma-separated.  The algorithms that contain "-etm" calculate the
# MAC after encryption (encrypt-then-mac).
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
 
# Specifies the available KEX (Key Exchange) algorithms.  Multiple
# algorithms must be comma-separated.
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
 
# Specifies whether the distribution-specified extra version suffix
# is included during initial protocol handshake. The default is yes.
DebianBanner no
 
# List of user name patterns, separated by spaces. login is allowed
# only for user names that match one of the patterns
#AllowUsers admin

systemctl restart ssh
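
A check for the settings above, as an added example that is not part of the original guide: the shell function audit_sshd_config (a hypothetical name) reads an sshd_config and reports where PermitRootLogin, PasswordAuthentication or UseDNS deviate from this guide, and lists SHA-1 based entries in KexAlgorithms and MACs, such as the two -sha1 entries in the KexAlgorithms line above. The sample configuration is constructed.

```shell
# Added example, not from the original guide. audit_sshd_config [FILE]
# prints one finding per line and nothing when the settings match the guide.
audit_sshd_config() {
    awk '
    function expect(k, v) {
        if (!(k in val)) { print k ": not set, expected " v; return }
        if (tolower(val[k]) != v) print k ": is " val[k] ", expected " v
    }
    function flag_sha1(k,    n, i, a) {
        n = split(val[k], a, ",")
        for (i = 1; i <= n; i++)
            if (a[i] ~ /sha1/) print k ": SHA-1 based algorithm " a[i]
    }
    /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
    tolower($1) == "match" { exit }    # audit the global section only
    {
        k = tolower($1)                # keywords are case-insensitive
        if (!(k in val)) val[k] = $2   # sshd keeps the first value it sees
    }
    END {
        expect("permitrootlogin", "no")
        expect("passwordauthentication", "no")
        expect("usedns", "no")
        flag_sha1("kexalgorithms")
        flag_sha1("macs")
    }' "$@"
}

# Constructed sample input: the values from this guide, with password
# authentication left enabled and a Match block that must be ignored.
sample_config() {
    cat <<'EOF'
# Authentication:
Port 32869
PermitRootLogin no
PasswordAuthentication yes
UseDNS no
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
Match User backup
    PasswordAuthentication no
EOF
}

sample_config | audit_sshd_config
```

Run it as audit_sshd_config /etc/ssh/sshd_config before restarting the service; sshd -t additionally verifies that the file parses, and keeping the current session open until a new login succeeds avoids a lockout.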

root .bashrc

cp .bashrc .bashrc-hetzner
cp .bashrc.orig .bashrc

Disable backports

Disable backports:

vi /etc/apt/sources.list.d/hetzner-mirror.list
deb http://mirror.hetzner.de/debian/packages stretch main contrib non-free
deb http://mirror.hetzner.de/debian/packages stretch-updates main contrib non-free
#deb http://mirror.hetzner.de/debian/packages stretch-backports main contrib non-free

Reload the package list and update the system:

apt-get update && apt-get upgrade

Create user

useradd -c "Max Mustermann <mmustermann@gmail.com>" -m -s /bin/bash mmustermann
