UFW is a good default for servers with simple inbound rules.
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status verbose
For tighter SSH access, allow only your admin IP:
sudo ufw delete allow OpenSSH
sudo ufw allow from 203.0.113.10 to any port 22 proto tcp
If you prefer native nftables, Debian provides the nftables package and a systemd unit that loads /etc/nftables.conf at boot.
sudo apt install nftables
sudo systemctl enable --now nftables
sudo nft list ruleset
Put custom hardening sysctls into a dedicated file so upgrades do not overwrite them.
Create /etc/sysctl.d/99-hardening.conf:
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
kernel.unprivileged_bpf_disabled = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
Apply:
sudo sysctl --system
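`sysctl --system` reports what it loaded, but it does not tell you afterwards whether the values are still in effect (another file in /etc/sysctl.d may override them, or a key may not exist on the running kernel). The script below is an added example, not part of the original guide: it reads each `key = value` line from a file in the format above, compares it with the live value in /proc/sys, and reports a key the kernel does not expose (such as kernel.unprivileged_bpf_disabled on older kernels) as SKIP instead of FAIL. The function names and the constructed sample data are this example's own.

```shell
#!/bin/sh
# Added example: audit that the sysctls in a config file are actually in effect.
# Missing keys are reported as SKIP so the audit stays usable across kernel versions.

# read_live KEY: print the live value of a sysctl, or return 1 if the running
# kernel does not expose that key under /proc/sys.
read_live() {
    live_path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$live_path" ] || return 1
    cat "$live_path"
}

# audit_sysctl CONF [READER]: compare every "key = value" line in CONF with the
# live value returned by READER (default read_live). Prints one OK/SKIP/FAIL line
# per key and returns 1 if any key has drifted from the desired value.
audit_sysctl() {
    conf_file=$1
    reader=${2:-read_live}
    fails=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip comments
        case $line in *=*) ;; *) continue ;; esac     # skip lines without "="
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        [ -n "$key" ] && [ -n "$want" ] || continue
        if have=$("$reader" "$key"); then
            have=$(printf '%s' "$have" | tr -d ' \t')  # multi-value keys use tabs
            if [ "$have" = "$want" ]; then
                printf 'OK %s\n' "$key"
            else
                printf 'FAIL %s want=%s have=%s\n' "$key" "$want" "$have"
                fails=$((fails + 1))
            fi
        else
            printf 'SKIP %s (key not present on this kernel)\n' "$key"
        fi
    done < "$conf_file"
    return $((fails > 0))
}

# Constructed sample data so the script can be exercised without root: a subset
# of the hardening file, and a fake "live" kernel in which tcp_syncookies has
# drifted and unprivileged_bpf_disabled does not exist.
make_sample_conf() {
    sample=$(mktemp)
    cat >"$sample" <<'EOF'
# constructed subset of /etc/sysctl.d/99-hardening.conf
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.unprivileged_bpf_disabled = 1
net.ipv4.tcp_syncookies = 1
EOF
    printf '%s\n' "$sample"
}

fake_live() {
    case $1 in
        kernel.kptr_restrict) echo 2 ;;
        kernel.dmesg_restrict) echo 1 ;;
        kernel.unprivileged_bpf_disabled) return 1 ;;   # absent, as on an old kernel
        net.ipv4.tcp_syncookies) echo 0 ;;             # drifted from the desired 1
        *) return 1 ;;
    esac
}

# Usage: sh audit-sysctl.sh /etc/sysctl.d/99-hardening.conf
# With no argument, run against the constructed sample instead of the real kernel.
if [ "$#" -gt 0 ]; then
    audit_sysctl "$1"
else
    audit_sysctl "$(make_sample_conf)" fake_live || echo "drift detected in sample data (expected)"
fi
```

Run it against the real file after `sysctl --system`; a FAIL usually means a later file in /etc/sysctl.d (lexical order) sets the same key, and a SKIP for kernel.unprivileged_bpf_disabled is the case the notes below describe.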
Notes:
kernel.unprivileged_bpf_disabled may not exist on older kernels; if sysctl --system reports an unknown key, remove that line.
Do not disable IPv6 unless you are sure you do not need it; disabling it can break modern networks and dual-stack services.
If you must disable IPv6 via sysctl, add:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1