Hardening a Debian Server: Essential Security Configurations for Firewalls, SSH, and Brute-Force Protection

When exposing a Debian server to the internet, a deny-by-default firewall policy is critical. While raw iptables provides granular control, beginners may find tools like ufw (Uncomplicated Firewall) or firewalld more approachable. Here's a basic iptables-restore ruleset that drops all inbound traffic except loopback, ICMP echo requests, replies to connections the host initiated, SSH (port 22) and HTTP/HTTPS:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT

Changing the default SSH port reduces automated scanning noise but does nothing against a targeted attacker, so combine it with key-based authentication and Fail2Ban:

# /etc/ssh/sshd_config
Port 49281
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3

Fail2Ban scans log files for brute-force patterns and inserts temporary firewall rules that block the offending addresses. Example jail configuration for SSH (the port must match the one set in sshd_config):

[sshd]
enabled = true
port = 49281
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400

Configure unattended-upgrades for critical security patches:

# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "true";

Further hardening measures:

  • Install and configure aide for file integrity monitoring
  • Enable AppArmor for process confinement: sudo aa-enforce /etc/apparmor.d/*
  • Set up log rotation with logrotate to prevent disk filling
  • Implement two-factor authentication for administrative access

When setting up a Debian server with direct internet exposure, start with these fundamental security measures:

# Update all packages
sudo apt update && sudo apt upgrade -y

# Install essential security tools
sudo apt install -y unattended-upgrades fail2ban ufw

The most effective firewall strategy follows the principle of least privilege. I recommend using UFW (Uncomplicated Firewall) as it provides a simpler interface to iptables while maintaining robust security:

# Default deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH before enabling the firewall so a remote session is not locked out
# (consider changing port first - see next section)
sudo ufw allow 22/tcp

# Allow other necessary services (adjust as needed)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable UFW only after the allow rules are in place
sudo ufw enable

# Verify rules
sudo ufw status numbered

SSH is a primary attack vector. Implement these measures:

# Edit SSH config
sudo nano /etc/ssh/sshd_config

Key configuration changes:

# Change from default 22
Port 22222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 1m
AllowUsers yourusername
UsePAM yes

After changes:

# Open the new port in the firewall first, then validate and restart sshd
sudo ufw allow 22222/tcp
sudo sshd -t
sudo systemctl restart sshd

Fail2Ban monitors logs and bans IPs showing malicious signs:

sudo nano /etc/fail2ban/jail.local

Configure for SSH protection:

[sshd]
enabled = true
port = 22222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h
findtime = 1h

Enable and start:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Consider implementing these:

# Install and configure rkhunter for rootkit detection
sudo apt install -y rkhunter
sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check

# Configure automatic security updates
sudo dpkg-reconfigure -plow unattended-upgrades

# Install and configure AppArmor
sudo apt install -y apparmor apparmor-utils
sudo aa-enforce /etc/apparmor.d/*

Set up regular security checks:

# Add to crontab
0 3 * * * /usr/bin/apt update && /usr/bin/apt upgrade -y
0 4 * * * /usr/bin/rkhunter --check --report-warnings-only
0 5 * * 0 /usr/bin/aide --check

For comprehensive log monitoring, consider installing:

sudo apt install -y logwatch
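As an added illustration that is not part of the original page, the following Python script reproduces the counting rule behind the `maxretry` and `findtime` settings of the sshd jails above: it parses /var/log/auth.log lines and reports the addresses Fail2Ban would ban. The log lines, hostname and addresses are constructed sample data, and the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Matches the "Failed password" lines the stock fail2ban sshd filter acts on
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample of /var/log/auth.log (hostname and TEST-NET addresses are made up)
SAMPLE_LOG = """\
Jan 10 03:12:45 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:13:02 web1 sshd[2235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:13:30 web1 sshd[2240]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Jan 10 01:00:00 web1 sshd[2100]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 02:30:00 web1 sshd[2150]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 10 04:00:00 web1 sshd[2300]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan 10 03:20:11 web1 sshd[2260]: Accepted publickey for deploy from 192.0.2.9 port 60010 ssh2
Jan 10 03:21:00 web1 sshd[2265]: Failed password for deploy from 192.0.2.9 port 60011 ssh2
"""


def parse_failures(lines, year=2024):
    """Return (timestamp, ip) for each failed-password line; the year is assumed."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def bannable_ips(lines, maxretry=3, findtime=3600, year=2024):
    """IPs with at least `maxretry` failures inside some `findtime`-second window.

    Mirrors the jail settings: `maxretry = 3` and `findtime = 1h` by default.
    Returns {ip: total_failures} for each address that would be banned.
    """
    by_ip = {}
    for ts, ip in parse_failures(lines, year):
        by_ip.setdefault(ip, []).append(ts)
    banned = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        # Slide a window of `maxretry` consecutive failures over the sorted timestamps
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned[ip] = len(stamps)
                break
    return banned


if __name__ == "__main__":
    print(bannable_ips(SAMPLE_LOG.splitlines()))  # → {'203.0.113.5': 3}
```

With the 1h window only 203.0.113.5 is banned; 198.51.100.7 also reaches three failures but spread over three hours, which a larger `findtime` (for example 4h) would catch.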