jcdebianserver
🛡️ jcdebianserver — Hardened Debian Home Server
A fully hardened home server running Debian GNU/Linux 13 (Trixie), built from a clean reinstall with a layered security stack, a MariaDB database backend, and a live GitHub Pages monitoring dashboard.
📋 Table of Contents
- Hardware
- Software Stack
- Security Architecture
- Network & Firewall
- Database
- Security Tools
- Monitoring Dashboard
- Hardening Phases
- SSH Access
🖥️ Hardware
| Component | Details |
|---|---|
| Model | GMKtec NucBox G10 |
| Processor | AMD Ryzen 5 3500U (8 threads) with Radeon Vega Mobile |
| RAM | 32 GiB DDR4 |
| Storage | 1 TB SSD (single partition) |
| Graphics | AMD Radeon Integrated Graphics |
| Firmware | NucBox G10 v1.04 |
💻 Software Stack
| Component | Version / Details |
|---|---|
| OS | Debian GNU/Linux 13 (Trixie) — 64-bit, fresh install |
| Kernel | 6.12.73+deb13-amd64 |
| Desktop | KDE Plasma (Wayland) |
| Database | MariaDB 11.8.3 |
| Firewall | UFW 0.36.2 |
| Intrusion Detection | Fail2Ban 1.1.0 |
| Shell | bash |
🔐 Security Architecture
This server uses a layered defense model — multiple independent systems that each catch different types of threats. If one layer is bypassed, the next layer is waiting.
Internet
│
▼
┌─────────────────────────────────────┐
│ UFW Firewall │ ← Default DENY all incoming
│ Only ports 62999 (SSH) and │
│ 8080 (dashboard) open to internet │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Fail2Ban IDS │ ← Permanent ban after 3 failed attempts
│ Watches SSH on port 62999 │
│ Aggressive mode, maxretry=3 │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ SSH Hardening │ ← Key-only auth, no root, no passwords
│ Port 62999 (non-standard) │
│ ED25519 key authentication only │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ System (Debian 13) │ ← Hardened sysctl, minimal services
│ auditd, rkhunter, ClamAV, │
│ Lynis, logwatch, debsums │
└─────────────────────────────────────┘
🌐 Network & Firewall
Firewall: UFW (Uncomplicated Firewall) Default policy: Deny all incoming, allow all outgoing, deny forwarding
Active Rules
| Rule # | Port / Protocol | Action | Source | Purpose |
|---|---|---|---|---|
| 1 | 62999/tcp | ALLOW IN | Anywhere | SSH (non-standard port) |
| 2 | 8080/tcp | ALLOW IN | Anywhere | Monitoring dashboard |
| 3 | 3306/tcp | ALLOW IN | 192.168.0.0/24 | MariaDB (LAN only) |
| 4 | 62999/tcp (v6) | ALLOW IN | Anywhere | SSH (IPv6) |
| 5 | 8080/tcp (v6) | ALLOW IN | Anywhere | Dashboard (IPv6) |
Note: MariaDB is intentionally restricted to the local home network only (192.168.0.x). Port 3306 is not accessible from the internet.
Note: UFW logging is intentionally disabled. On Debian 13, enabling UFW logging causes kernel module conflicts that break internet connectivity on this hardware.
🗄️ Database
Engine: MariaDB 11.8.3
| Setting | Value |
|---|---|
| Database name | debian_secured_johnc |
| App user | johnc |
| Host access | LAN only (192.168.0.0/24 via UFW) |
| Bind address | 0.0.0.0 (accepts LAN connections) |
| Port | 3306 |
| Config file | /etc/mysql/mariadb.conf.d/50-server.cnf |
Security settings applied:
- Root password set
- Anonymous users removed
- Remote root login disabled
- Test database removed
- Privilege tables reloaded
🔒 Security Tools
Installed & Configured
| Tool | Purpose | Status |
|---|---|---|
| UFW | Firewall — blocks all unauthorized incoming connections | ✅ Active |
| Fail2Ban | Intrusion detection — permanently bans IPs after 3 failed SSH attempts | ✅ Active |
| OpenSSH (hardened) | Remote access — key auth only, non-standard port, no root login | ✅ Active |
| MariaDB (secured) | Database — anonymous users removed, remote root blocked | ✅ Active |
Planned (Phase 3+)
| Tool | Purpose |
|---|---|
| unattended-upgrades | Auto-applies security patches |
| rkhunter | Rootkit scanner — daily 3am cron job |
| ClamAV | Antivirus scanner |
| Lynis | Full security audit tool — generates a hardening score |
| auditd | System call auditing — logs who did what and when |
| logwatch | Daily log digest |
| debsums | Verifies system file integrity |
| apt-show-versions | Tracks packages with pending updates |
| Kernel hardening (sysctl) | Hardens low-level OS networking and memory settings |
📊 Monitoring Dashboard
A live monitoring dashboard is hosted via GitHub Pages and auto-updates every 5 minutes via a root cron job pushing JSON data from the server.
Live Dashboard: https://iamkarmakazi115.github.io/jcdebianserver/
Local Dashboard (LAN only): http://192.168.0.32:8080
The dashboard displays:
- CPU usage and temperature
- RAM and disk usage
- Active network connections
- Fail2Ban intrusion attempts and bans
- System uptime
- Security tool status
📦 Hardening Phases
✅ Phase 0 — Clean Install
- Fresh Debian 13 (Trixie) installed
jonathanuser added to sudo group- EFI
/boot/efifstab corrected (pass=0) - initramfs updated clean
✅ Phase 1 — SSH + Firewall + Intrusion Detection
- ED25519 SSH key pair generated and deployed
sshd_configfully hardened:- Port changed from 22 → 62999
- Root login disabled
- Password authentication disabled (key-only)
AllowUsers jonathan(whitelist)- MaxAuthTries 3, MaxSessions 2
- TCP forwarding, X11, agent forwarding all disabled
- LogLevel VERBOSE
- UFW configured: deny all incoming by default
- Rules added for SSH (62999) and dashboard (8080)
- Fail2Ban configured with permanent bans, aggressive mode, maxretry=3
✅ Phase 2 — Database
- MariaDB 11.8.3 installed and secured
debian_secured_johncdatabase createdjohncuser created with LAN-accessible credentials- Remote root access disabled
- MariaDB firewall rule restricted to LAN only
🔲 Phase 3 — Security Monitoring Tools
- unattended-upgrades, rkhunter, ClamAV, Lynis
- auditd, logwatch, debsums, apt-show-versions
- Kernel hardening (sysctl)
- Disable unused services (cups, avahi-daemon)
- SSH login banner
🔲 Phase 4 — GitHub Dashboard
- Auto-push server stats to GitHub Pages every 5 minutes
🔲 Phase 5 — Lynis Final Audit
- Run full Lynis scan, apply all suggestions
🔲 Phase 6 — DBeaver GUI
- Install DBeaver on Windows and server for database management
🔑 SSH Access
SSH is configured on a non-standard port with key-based authentication only. Password logins are disabled at the server level.
Host: 192.168.0.32
Port: 62999
Auth: ED25519 key only (no password)
User: jonathan
Windows shortcut (via ~/.ssh/config):
ssh jcdebianserver
🗒️ Known Hardware Notes
| Issue | Resolution |
|---|---|
kernel.modules_disabled=1 breaks UFW |
Never use this sysctl on this hardware — it prevents UFW from loading kernel modules |
ufw logging on breaks internet |
Intentionally omitted — causes kernel module conflicts on Debian 13 + GMKtec NucBox |
| hwmon0 temp sensor reads -273200°C | Invalid sensor — use hwmon1/temp1_input for correct Ryzen CPU temperature |
EFI fstab pass value |
Must be 0, not 1 or 2, on this hardware |
Built and maintained by iamkarmakazi115