Disable root login to SSH
Allowing root logins to your SSH damon is a big security threat. If the SSH port is open, hackers will probably at some time attempt to brute force your root password. It's a good idea to disable root logins to SSH and instead use a normal user to login and type "su -" to enter the super user shell or sudo to perform tasks that require root privileges.
1. Open the SSH daemon config file and change this line: (pico /etc/ssh/sshd_config)
PermitRootLogin no
Adding a sudoer to use sudo on Debian
Sudo allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
1. Create a new user (optional)
adduser user1
Securing unencrypted traffic with stunnel
Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. In this tutorial we'll secure Samba connection but you could use this for other services like SMTP, IMAP, POP3 etc.
If you are securing a service where the client supports encrypting like SMTP, IMAP and POP3 you can skip the client step.
Server
1. Install stunnel
apt-get install stunnel
Port forwarding with iptables
In this tutorial we'll set up a simple port forwarding (NAT) using iptables.
1. Enable ip forward
echo "1" > /proc/sys/net/ipv4/ip_forward
Loading iptables rules on startup
By default iptables is setup on Debian etch but there are no rules configured. In this tutorial we'll configure some rules and load them into iptables on startup.
1. Rules file
Create a new file that will contain a shell script to insert rules into iptables (pico /etc/firewall-rules.sh) and add this content as template:
Create your private certificate authority (CA)
Creating a private CA can be useful if you have a lot of services encrypting data for internal use but don't need the domain to be verified by a public CA like Verisign, Thawte etc. By importing the CA to all computers that will use these services users won't get the a popup in IE and Firefox saying that the certificate is invalid.
1. Create a CA certificate
Create a private key for your CA:
openssl genrsa -des3 -out ca.key 4096