Mustafa Can Yücel

Setting Up Your Debian Server 1: SSH, UFW, VSFTPD

There are many reasons to run your own virtual private server, from hosting your own DNS server to running your own mail server. This tutorial shows how to set up a Debian server and how to install some of the most popular applications on it. In this first part, we will set up the server, then install and configure a firewall and an SFTP server.

For editing files remotely, I am going to use vim-tiny because it is the smallest version of Vim, and it comes with Debian by default. If you are not familiar with Vim, you can use Nano instead. Both are quite different from regular text editors, so you might want to check out some tutorials on how to use them. Unlike full Vim, vim-tiny is started with the vi command.

First and foremost, you are going to need a server. You can use a physical server if you have one, but in this case we will use a virtual server. There are a lot of companies that provide virtual servers; I am using Kamatera because they have one of the cheapest options ($4 per month) for a 1-core server with 1GB RAM, 20 GB SSD, and 5000GBit bandwidth; they also have a lot of locations to choose from.

Once you have created a server from your provider's web console, you will have the SSH connection details. The local machine I am using is a Windows 11 machine, and I am using the Windows Terminal. It is one of the best terminal applications for Windows, and it is free. You can download it from the Microsoft Store. The default user for Debian is root, and the password is the one you set when creating the server. However, we do not want to use the root user for security reasons. We will create a new user and give it sudo privileges:

ssh root@ip_address
adduser username
usermod -aG sudo username

To verify that the user has sudo privileges, you can run the following command and see if the user is in the sudo group:

getent group sudo

Now we close the root connection and connect to the server with our new user:

ssh username@ip_address

It is a good idea to update the server before installing any applications. Note that you need sudo privileges to run the following command:

sudo apt update && sudo apt upgrade -y

Installing ufw

ufw is a firewall application that is easy to use. It is not installed by default, so we need to install it first:

sudo apt install ufw

However, if we enable the firewall before allowing SSH, we will lose the connection. Therefore, we first allow SSH access and only then enable the firewall:

sudo ufw allow ssh
sudo ufw enable

As you install new applications that require inbound or outbound traffic, do not forget to allow them in the firewall. For example, if you want to install a web server, you need to allow HTTP and HTTPS traffic:

sudo ufw allow http
sudo ufw allow https

To allow a specific port that has no service name, you can use the following command:

sudo ufw allow port_number

Installing an SFTP Server

If you want to transfer files to your server, you can use SFTP. It is a secure way to transfer files. The package installed here, vsftpd, is an FTP server that we will secure with TLS (FTPS); SFTP itself is served by the OpenSSH daemon that is already running. To install and enable vsftpd, you can use the following commands:

sudo apt install vsftpd
sudo systemctl enable vsftpd

It is a good idea to create a new user for file transfers who does not have shell access. In this way, you can limit the access of the user to the transfer directory. To create a new user and disable shell access, you can use the following commands:

sudo adduser ftpuser
sudo chsh -s /usr/sbin/nologin ftpuser

Next, we add the FTP user to the list of allowed login users:

echo "ftpuser" | sudo tee -a /etc/vsftpd.userlist

Now we create a user directory and give the ownership to the FTP user. The directory the user is locked into (ftp_dir) is left non-writable, which vsftpd requires for a chroot directory; uploads go to the writable upload subdirectory:

sudo mkdir -p /home/ftpuser/ftp_dir/upload
sudo chmod 550 /home/ftpuser/ftp_dir
sudo chmod -R 750 /home/ftpuser/ftp_dir/upload
sudo chown -R ftpuser: /home/ftpuser/ftp_dir

Then we create an SSL certificate for the FTP server:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Now we configure the FTP server by editing the vsftpd.conf file:

sudo vim /etc/vsftpd.conf

The file contents should be as follows (for detailed explanations, refer to the online documentation):

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp_dir
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
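
Then we restart the service and verify that it is running:

sudo systemctl restart vsftpd
sudo systemctl status vsftpd

Now we configure the firewall to allow FTP traffic:

sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw reload

Ports 20 and 21 cover the control connection and active-mode data. Passive-mode transfers use a separate port chosen by the server, so if your clients need passive mode, set a fixed range with pasv_min_port and pasv_max_port in vsftpd.conf and allow that range in ufw as well.

Finally, we can use an SFTP client such as FileZilla to connect to the server. Note that you need to use the FTP user credentials to connect to the server.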
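
Before exposing the service, it is worth checking that the access-control lines of the configuration above are really in effect. The following script is an added example, not part of the original post; the function names and the sample file are made up for the demonstration.

```sh
#!/bin/sh
# Added example: audit a vsftpd.conf for the access-control settings used in
# this tutorial. Function names and the sample file are made up for the demo.

# Print the value of the last uncommented "KEY=value" line in FILE.
conf_get() {
  sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Print one FINDING line per deviation; return 1 if any was found.
audit_vsftpd_conf() {
  conf=$1
  status=0
  # Every expected value below differs from vsftpd's built-in default,
  # so a key that is missing from the file is reported too.
  for want in anonymous_enable=NO ssl_enable=YES chroot_local_user=YES \
              userlist_enable=YES userlist_deny=NO; do
    key=${want%%=*}
    expected=${want#*=}
    actual=$(conf_get "$key" "$conf")
    if [ "$actual" != "$expected" ]; then
      echo "FINDING: $key=${actual:-unset} (expected $expected)"
      status=1
    fi
  done
  return "$status"
}

# Constructed sample: anonymous login left on and the user list used as a
# deny list instead of an allow list.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed vsftpd.conf, not a real server's file
anonymous_enable=YES
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=YES
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_vsftpd_conf "$sample" || echo "configuration needs attention"
rm -f "$sample"
```

On the real server, call audit_vsftpd_conf /etc/vsftpd.conf; it prints nothing and returns 0 when all five settings match.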

If you get the following error when you try to connect to the server over SFTP:

Received message too long 1416128883 Ensure the remote shell produces no output for non-interactive sessions.

Then you need to set the SFTP subsystem of the SSH server to internal-sftp by editing the /etc/ssh/sshd_config file; add or change the following line:

Subsystem sftp internal-sftp

And then restart the service:

sudo systemctl restart sshd.service

Now the SFTP connection should work with either FileZilla or the sftp command in Windows Terminal.
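
The number in that error is not a real length: the SFTP client took the first four bytes the server sent and read them as a big-endian packet length. The following function is an added example, not part of the original post, that decodes such a value back into the text the client actually received; the function name is made up for this example.

```sh
#!/bin/sh
# Added example: turn the "length" from an SFTP "Received message too long"
# error back into the four bytes the client read from the server.

decode_sftp_length() {
  n=$1
  # Accept only a plain decimal number.
  case "$n" in
    ''|*[!0-9]*) echo "usage: decode_sftp_length NUMBER" >&2; return 2 ;;
  esac
  text=""
  # An SFTP packet starts with a 32-bit big-endian length, so take the
  # bytes from most significant to least significant.
  for bits in 24 16 8 0; do
    byte=$(( (n >> bits) & 255 ))
    if [ "$byte" -ge 32 ] && [ "$byte" -le 126 ]; then
      # Printable ASCII: build the character from its octal code.
      ch=$(printf '%b' "\\0$(printf '%03o' "$byte")")
    else
      # Anything else is shown as a dot.
      ch="."
    fi
    text="$text$ch"
  done
  printf '%s\n' "$text"
}

# The value quoted in the error message above.
decode_sftp_length 1416128883
```

For the value above it prints This, the first word of the message Debian's nologin shell writes ("This account is currently not available."). With the default external sftp-server, sshd starts the subsystem through the user's login shell, which is why an account with a nologin shell triggers the error until internal-sftp is used.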

In the next part, we will install git, add an ssh key, and install a web server (Apache 2).