Debian 12 Server Cheatsheet

Enable Automatic Updates

From: https://www.linode.com/docs/guides/how-to-configure-automated-security-updates-ubuntu/

Installation

sudo apt update && sudo apt upgrade

sudo apt install unattended-upgrades

sudo systemctl enable unattended-upgrades
sudo systemctl start unattended-upgrades

Configuration

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Uncomment the "security" line (remove the leading //) if it is commented out: "${distro_id}:${distro_codename}-security";

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
//    "${distro_id}:${distro_codename}-updates";
//    "${distro_id}:${distro_codename}-proposed";
//    "${distro_id}:${distro_codename}-backports";
};

To automatically delete unused dependencies, change the following options as needed.

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

To enable the automatic upgrades, create/edit the auto-upgrade file at /etc/apt/apt.conf.d/20auto-upgrades to contain the following:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

To test the configuration, run the following command:

sudo unattended-upgrades --dry-run --debug
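
A static check to run alongside the dry run, as an added example that is not part of the original cheatsheet or the linked guide: it confirms that a -security origin is uncommented and that the two APT::Periodic switches are non-zero. The function names and the sample files are assumptions made for illustration; the match also covers the Origins-Pattern form used in Debian's packaged 50unattended-upgrades.

```shell
#!/bin/sh
# Added example (not from the original page): audit the two APT config files.

# Print active lines: strip leading whitespace, whole-line // comments, blanks.
# Simplification: trailing // comments and /* */ blocks are not handled.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^\/\//d' -e '/^$/d' "$1"
}

# Succeeds if a -security origin is active in the given 50unattended-upgrades.
security_origin_enabled() {
    active_lines "$1" | grep 'distro_codename}-security' >/dev/null
}

# Print the last active value of APT::Periodic::<key> in the given file.
periodic_value() {
    active_lines "$1" |
        sed -n "s/^APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# audit <50unattended-upgrades> <20auto-upgrades>; non-zero on any finding.
audit() {
    rc=0
    if ! security_origin_enabled "$1"; then
        echo "FAIL: no active -security origin in $1"; rc=1
    fi
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$2" "$key")
        case "$val" in
            ''|0) echo "FAIL: APT::Periodic::$key is '${val:-unset}' in $2"; rc=1 ;;
            *)    echo "ok:   APT::Periodic::$key = $val" ;;
        esac
    done
    return $rc
}

# Constructed sample input: security line still commented, upgrades disabled.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/50" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
//    "${distro_id}:${distro_codename}-security";
};
EOF
cat > "$tmp/20" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF
audit "$tmp/50" "$tmp/20" || echo "sample config needs fixing"
```

To audit a live system, call audit /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/20auto-upgrades instead of the sample paths.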

Install fail2ban

From: https://www.linuxcapable.com/how-to-install-fail2ban-on-debian-linux/

Installation

sudo apt update && sudo apt upgrade
sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Configuration

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

In jail.local, set the following:

# To use UFW instead of iptables
[DEFAULT]
banaction = ufw
# For Debian 12 switch to the systemd backend,
# otherwise fail2ban will fail to start because
# it can't find the ssh log file
backend = systemd

# Enable SSHD jail
[sshd]
enabled = true

Restart fail2ban and check its status:

sudo systemctl restart fail2ban
sudo fail2ban-client status

Administration

# Unban an IP address
sudo fail2ban-client set sshd unbanip <ip address>

# Check the status of a specific jail
sudo fail2ban-client status sshd

# Reload the configuration without restarting
# the fail2ban service
sudo fail2ban-client reload

# Check the list of currently banned IP
# addresses for a specific jail
sudo fail2ban-client get sshd banned

# Monitoring Logs in Real-Time
sudo tail -f /var/log/fail2ban.log

# Searching Logs for Specific Information
sudo grep "error" /var/log/fail2ban.log
