Keep the system up to date. Unattended upgrades are not new to Debian, but they are more often used by Ubuntu users. From time to time, however, you need to check the system by hand. Security holes caused by misconfiguration or by a base configuration update are not fixed by unattended upgrades!
    apt -y update
    apt -y upgrade
    apt -y dist-upgrade
There is no need to operate as root. Root can do
    rm -Rf /*
the user can't - try it - you will do it only once! The second argument is that the most common brute-force attack vector tries to log in as root first. Disallowing SSH root access, combined with iptables ( ufw ) and fail2ban, saves you a lot of headaches.
    apt install sudo
    adduser m0r4k
    Adding user `m0r4k' ...
    Adding new group `m0r4k' (1001) ...
    Adding new user `m0r4k' (1001) with group `m0r4k' ...
    Creating home directory `/home/m0r4k' ...
    Copying files from `/etc/skel' ...
    New password:
    Retype new password:
    passwd: password updated successfully
    Changing the user information for m0r4k
    Enter the new value, or press ENTER for the default
    Full Name :
    Room Number :
    Work Phone :
    Home Phone :
    Other :
    Is the information correct? [Y/n]
    adduser m0r4k sudo
The most important part of the base setup is the reconfiguration of sshd. Restrict SSH login and turn on the firewall. After installing fail2ban, we have built a good base for a headless OS.
ATTENTION - before you restrict the ssh daemon, you need to log in as the user [ m0r4k ] and try [ sudo su ]. If this doesn't work, you won't be able to get su privileges anymore and you are locked out as superuser!
    cat /etc/group | grep sudo # check user is in sudo group
    sudo:x:27:m0r4k
    sed 's/PermitRootLogin yes/PermitRootLogin no/g' -i /etc/ssh/sshd_config
    sed 's/\#StrictModes yes/StrictModes yes/g' -i /etc/ssh/sshd_config
    systemctl restart sshd
    apt -y install fail2ban ufw
    ufw default allow outgoing
    ufw default deny incoming
    ufw allow ssh/tcp
    ufw allow http/tcp
    ufw allow https/tcp
    ufw limit ssh/tcp
    ufw logging on
    ufw enable
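The sed edits to sshd_config above only change a line that matches exactly, so it is worth checking the result before relying on it. The following is an added example, not part of the original page: the function names and the two sample files are constructed for illustration, and the defaults used (PermitRootLogin prohibit-password, StrictModes yes) are the OpenSSH defaults assumed when a keyword is not set.

```shell
#!/bin/sh
# Added example: check that the sshd_config edits actually took effect.

# Print the effective global value of keyword $2 in file $1, or default $3.
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive, '#' starts a comment, "Key=value" is also accepted.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                            # comments, blank lines
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # normalise "Key=value"
        tolower($1) == "match" { exit }                    # global section ends
        tolower($1) == tolower(key) { val = $2; exit }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# The two substitutions from the text, pointed at file $1 (GNU sed -i).
apply_page_edits() {
    sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' "$1"
    sed -i 's/#StrictModes yes/StrictModes yes/g' "$1"
}

# Return 0 only if root login is fully disabled and StrictModes is on.
check_hardening() {
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    strict=$(effective_value "$1" StrictModes yes)
    echo "PermitRootLogin=$root StrictModes=$strict"
    [ "$root" = "no" ] && [ "$strict" = "yes" ]
}

# Constructed samples: a stock-style file and one with root login enabled.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#PermitRootLogin prohibit-password' '#StrictModes yes' > "$d/stock"
    printf '%s\n' 'PermitRootLogin yes' '#StrictModes yes' > "$d/open"
    for f in "$d/stock" "$d/open"; do
        apply_page_edits "$f"
        check_hardening "$f" || echo "  -> $f: root login is not fully disabled"
    done
    rm -rf "$d"
}
demo
```

This parser does not follow Include directives; on a live system, `sshd -T` prints the effective configuration with included files resolved.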