Old post detected!
This post is roughly 11 years old; originally published on August 6, 2013! The information presented here may be out of date and inaccurate.
Please read this page but do keep its age in mind.
Recently I’ve been deploying Debian 6.0 (Squeeze) and 7.0 (Wheezy) servers for some personal projects. These servers are provisioned in different ways:
- Open Media Vault using a Squeeze pre-seed
- VPS powered by LXC deployed via
debootstrap - VPS powered by KVM using the hosting providers Wheezy pre-seed
Consequently the basic install differs on each instance and requires a little bit of post install tweaking to get them all consistent. This blog post is a quick reference for the post install steps I complete on Debian servers.
Timezone & Locale
Select your timezone.
dpkg-reconfigure tzdata
Select your locale(s).
dpkg-reconfigure locales
Make sure the locales are correctly generated. Replace en_GB.UTF-8 with your
default locale.
update-locale LANG=en_GB.UTF-8 LANGUAGE=en_GB.UTF-8 LC_ALL=en_GB.UTF-8 LC_TIME=en_GB.UTF-8 LC_CTYPE=en_GB.UTF-8
locale -a
locale-gen
Hostname
echo box.example.org > /etc/hostname
/bin/hostname -F /etc/hostname
Update /etc/hosts accordingly.
Time
Keeping time is essential.
apt-get install ntp ntpdate
Force a clock sync.
service ntp stop
ntpdate -s pool.ntp.org
service ntp start
If your VPS is a Xen DomU then checkout the following.
Essentials
These are the essential tools I require.
apt-get install build-essential curl git htop less lsb-release nano \
rsync screen sudo tree whois
Users
The following will create a user with sudo capabilities.
useradd user_a --create-home --shell /bin/bash --user-group \
--groups adm,dialout,cdrom,plugdev,sudo
This will create a regular user.
useradd user_b --create-home --shell /bin/bash --user-group --groups adm,dialout,cdrom,plugdev
Assign a password.
echo user_a:mypassword | chpasswd
An existing user can be made a sudoer by simply adding them to the sudo group.
adduser user_b sudo
Firewall
I use firewall my VPS server with ufw. This is my initial configuration that
allow access via SSH only.
sudo apt-get install ufw
Configuring ufw is simple but make sure you have console access to the host
you are configuring just in case you lock yourself out.
NOTE! When enabling ufw the chains are flushed and connections may be
dropped. You can add rules to the firewall before enabling it however, so if you
are testing ufw on a remote machine it is recommended you perform…
ufw allow ssh/tcp
…before running sudo ufw enable. Once the firewall is enabled, adding and
removing rules will not flush the firewall, although modifying an existing rule
will.
Set the default behaviour to deny all incoming connections.
sudo ufw default deny
Open up TCP port 22 but with rate limiting enabled which will deny connections
from an IP address that has attempted to initiate 6 or more connections in the
last 30 seconds. Ideal for protecting sshd but you should conisder other
SSH brute force defense
techniques as well.
sudo ufw limit ssh
To enable the firewall you also have to do the following.
sudo ufw enable
On low-end servers it might be beneficial to disable logging.
sudo ufw logging off
You can see the status of the firewall using sudo ufw status.
Intrusion prevention
I use either denyhosts
sudo apt-get install denyhosts
Purge entries older than 5 days, denied hosts will only be purged twice and disable email alerts.
sudo sed -i 's/#PURGE_DENY = 5d/PURGE_DENY = 5d/' /etc/denyhosts.conf
sudo sed -i 's/#PURGE_THRESHOLD = 2/PURGE_THRESHOLD = 2/' /etc/denyhosts.conf
sudo sed -i 's/root@localhost//' /etc/denyhosts.conf
Restart denyhosts.
sudo service denyhosts restart
Also see SSH brute force defence.
Boot options
These servers are headless and often remote, therefore I enable fsck auto repair.
Squeeze
sed -i 's/FSCKFIX=no/FSCKFIX=yes/' /etc/default/rcS
Wheezy
sed -i 's/#FSCKFIX=no/FSCKFIX=yes/' /etc/default/rcS
Repositories
lsb-release was installed earlier. This is what I put in /etc/apt/sources.list.
cat >/etc/apt/sources.list<<EOF
deb http://ftp.uk.debian.org/debian/ $(lsb_release -cs) main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ $(lsb_release -cs) main contrib non-free
deb http://security.debian.org/ $(lsb_release -cs)/updates main contrib non-free
deb-src http://security.debian.org/ $(lsb_release -cs)/updates main contrib non-free
# $(lsb_release -cs)-updates, previously known as 'volatile'
deb http://ftp.uk.debian.org/debian/ $(lsb_release -cs)-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ $(lsb_release -cs)-updates main contrib non-free
EOF
I replace ftp.uk with ftp.us for servers located in the United States.
sed -i 's/ftp\.uk/ftp\.us/g' /etc/apt/sources.list
Backports
I add the Backports repository in order to access some updated packages.
Squeeze
cat >/etc/apt/sources.list.d/backports.list <<EOF
deb http://ftp.uk.debian.org/debian-backports $(lsb_release -cs)-backports main contrib non-free
deb-src http://ftp.uk.debian.org/debian-backports $(lsb_release -cs)-backports main contrib non-free
EOF
Wheezy
cat >/etc/apt/sources.list.d/backports.list <<EOF
deb http://ftp.uk.debian.org/debian $(lsb_release -cs)-backports main contrib non-free
deb-src http://ftp.uk.debian.org/debian $(lsb_release -cs)-backports main contrib non-free
EOF
Update.
sudo apt-get update
All backports are deactivated by default (i.e. the packages are pinned to 100 by using ButAutomaticUpgrades: yes in the Release files. If you want to install something from backports run:
apt-get -t wheezy-backports install "package"
MTA
sSMTP is a simple MTA to deliver mail from a computer to a mail hub. sSMTP is simple and lightweight.
Remove exim4
Some VPS Debian templates from VPS providers have exim4 installed and running by default. Remove it.
sudo service exim4 stop
sudo apt-get purge exim4 exim4-base exim4-config
Install sSMTP
apt-get install ssmtp bsd-mailx
sSMTP Gmail Configuration
I use Gmail as my smart host, here is an example configuration for
/etc/ssmtp/ssmtp.conf.
#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=root@example.org
# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587
# Where will the mail seem to come from?
rewriteDomain=
# The full hostname
hostname=box.example.org
# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES
# Gmail requires TLS
UseTLS=YES
UseSTARTTLS=YES
# Username and password for Gmail servers
AuthUser=yourgmailname@gmail.com
AuthPass=youpassword
AuthMethod=LOGIN
Then add each account that you want to be able to send mail from by editing
/etc/ssmtp/revaliases:
root:username@gmail.com:smtp.gmail.com:587
user_a:username@gmail.com:smtp.gmail.com:587
user_b:username@gmail.com:smtp.gmail.com:587
Log and package monitoring
My personal VPS server are dotted about the place but I like to keep an eye on
them and I find apticron and logwatch are very useful for that.
apticron
apticron is a simple tool to mail about pending package updates.
sudo apt-get install apticron
logwatch
Logwatch is a modular log analyser that runs every night and mails you the results.
sudo apt-get install logwatch
Lighter
Some of my servers have fairly low resources, these are some simple changes that can save a bit of RAM or disk space.
aptitude
I don’t use it.
sudo apt-get purge aptitude
D-Bus
D-Bus is a message bus, used for sending messages between applications. Some VPS provider Debian templates have D-Bus and avahi installed. I don’t require these on Internet facing servers so I remove them. If an application pull in D-Bus as a requirement that is fine, but for this initial server state I remove it.
sudo apt-get purge dbus
at
at provides delayed job execution and batch processing. I don’t use it.
sudo service atd stop
sudo apt-get purge at
ngetty
Ngetty is a single-process getty replacement, so instead of running 6 getty
processes consuming up to 3MB of RAM each, you can use a single ngetty process
using less than 1MB of RAM total.
sudo apt-get install ngetty
Edit /etc/inittab, comment out getty and add ngetty like so.
#1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
ng:2345:respawn:/sbin/ngetty 1 2 3 4 5 6
Restart inittab
telinit q
That about covers the general post installation step I complete on my Debian servers.
Clean up.
Remove any packages that are no longer required and clean up the package cache.
sudo apt-get autoremove
sudo apt-get autoclean
sudo apt-get clean