Bare Metal Linux Server Configuration

By Isaac Hatilima
December 16, 2025

Server Setup Guide

This guide walks through the initial setup of a fresh Linux Debian server.
It's a practical, solid baseline focused on security, usability, and keeping things predictable from day one.

The examples assume a Hetzner server, but the steps apply to most VPS or dedicated setups.

Booting Into Rescue Mode

Start by booting the server into Hetzner Rescue Mode from the control panel.

Once connected, run:

installimage

Follow the installer prompts:

  • Set the hostname to whatever you prefer
  • When prompted, press 2 to save the configuration
  • Press 10 to quit and continue

After the installation finishes, reboot the server and SSH into it normally.

System Updates and Timezone Configuration

Before doing anything else, bring the system up to date.

Update system packages

apt update && apt upgrade -y && apt autoremove -y

Set the timezone (this example assumes you are in Berlin)

timedatectl set-timezone Europe/Berlin

Install basic utilities

apt install curl wget git htop unzip fail2ban libguestfs-tools -y

These cover most day-to-day needs and basic monitoring.

Creating a Non-Root User

Set a password for the root user. It is advisable to use a non-root user for day-to-day operations.

Then create a regular user and grant sudo access:

adduser <username>
usermod -aG sudo <username>

Configuring SSH Access

Switch to the newly created user and set up SSH keys:

su - <username>
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

At this point, paste your public SSH key into authorized_keys. From here on, you should work as this user instead of root whenever possible.

Hardening SSH

Edit the SSH daemon configuration:

nano /etc/ssh/sshd_config

Using a non-default port is optional, but it does reduce noise from automated scans. Recommended changes:

Port <NEW-SSH-PORT>
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no

Restart SSH to apply changes:

systemctl restart sshd

Important: Make sure you can log in with your SSH key before closing your current session.
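
A check for the settings above, added here as an example and not part of the original guide: sshd keeps the first value it reads for each keyword, so a line earlier in the file (or in an included drop-in) can silently override the edit. The names `audit_sshd` and `sample_config` and port 2222 are made up for illustration.

```sh
# Added example (not from the original guide): compare sshd settings with the
# values recommended above. Reads sshd_config-style text on stdin: the raw
# file or, better, `sshd -T` output, which also resolves included drop-ins.
# Assumes whitespace-separated "Keyword value" lines.
audit_sshd() {
    awk '
    BEGIN {
        spec = "permitrootlogin=prohibit-password passwordauthentication=no"
        spec = spec " permitemptypasswords=no usepam=yes x11forwarding=no"
        n = split(spec, pair, " ")
        for (i = 1; i <= n; i++) { split(pair[i], kv, "="); key[i] = kv[1]; want[kv[1]] = kv[2] }
    }
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        k = tolower($1); v = tolower($2)
        if (k == "match") exit             # audit the global section only
        if (v == "without-password") v = "prohibit-password"  # older alias
        if ((k in want) && !(k in seen)) seen[k] = v   # sshd keeps the FIRST value
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = key[i]
            if (!(k in seen)) {            # absent: the built-in default applies
                printf "UNSET %s (want %s)\n", k, want[k]; bad++
            } else if (seen[k] != want[k]) {
                printf "FAIL %s=%s (want %s)\n", k, seen[k], want[k]; bad++
            }
        }
        exit bad                           # exit status = number of findings
    }'
}

# Constructed sample: an earlier line, such as one from an included drop-in,
# contradicts the edit made further down the file.
sample_config() {
    cat <<'EOF'
PasswordAuthentication yes
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
EOF
}

sample_config | audit_sshd || echo "findings: $?"
```

On a live server, run `sshd -T | audit_sshd` as root to check the effective configuration rather than the file text.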

Firewall Configuration

Install persistent firewall rules, with 123 standing in for the SSH port set above:

IPv4 rules

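# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow SSH on the port chosen above
iptables -A INPUT -p tcp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow replies to connections that are already established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT
# Default policies: drop other inbound traffic, accept forwarded and outbound
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT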

IPv6 rules

# Same rule set for IPv6
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p tcp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is required for neighbour discovery
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT

Save and verify the rules:

# Requires the iptables-persistent package, which pulls in netfilter-persistent
netfilter-persistent save
iptables -L -v -n
ip6tables -L -v -n

Final Reboot

Once everything is in place, reboot the server:

reboot

After reboot, reconnect using your new SSH user and port.

What You Have Now

At this point, the server has:

  • Updated system packages
  • A non-root sudo user
  • SSH key-only access
  • Reduced SSH attack surface
  • Basic firewall rules
  • A clean, predictable baseline

From here, you can safely move on to installing Docker, Proxmox, Kubernetes, or whatever stack you need next.