This post is roughly 11 years old; originally published on August 6, 2013! The information presented here may be out of date and inaccurate.
Recently I’ve been deploying Debian 6.0 (Squeeze) and 7.0 (Wheezy) servers for some personal projects. These servers are provisioned in different ways:
debootstrap
Consequently the basic install differs on each instance and requires a little bit of post install tweaking to get them all consistent. This blog post is a quick reference for the post install steps I complete on Debian servers.
Select your timezone.
dpkg-reconfigure tzdata
Select your locale(s).
dpkg-reconfigure locales
Make sure the locales are correctly generated. Replace en_GB.UTF-8 with your default locale.
update-locale LANG=en_GB.UTF-8 LANGUAGE=en_GB.UTF-8 LC_ALL=en_GB.UTF-8 LC_TIME=en_GB.UTF-8 LC_CTYPE=en_GB.UTF-8
locale -a
locale-gen
echo box.example.org > /etc/hostname
/bin/hostname -F /etc/hostname
Update /etc/hosts accordingly.
Keeping time is essential.
apt-get install ntp ntpdate
Force a clock sync.
service ntp stop
ntpdate -s pool.ntp.org
service ntp start
If your VPS is a Xen DomU then check out the following.
These are the essential tools I require.
apt-get install build-essential curl git htop less lsb-release nano \
rsync screen sudo tree whois
The following will create a user with sudo capabilities.
useradd user_a --create-home --shell /bin/bash --user-group \
--groups adm,dialout,cdrom,plugdev,sudo
This will create a regular user.
useradd user_b --create-home --shell /bin/bash --user-group --groups adm,dialout,cdrom,plugdev
Assign a password.
echo user_a:mypassword | chpasswd
An existing user can be made a sudoer by simply adding them to the sudo group.
adduser user_b sudo
I firewall my VPS servers with ufw. This is my initial configuration, which allows access via SSH only.
sudo apt-get install ufw
Configuring ufw is simple, but make sure you have console access to the host you are configuring in case you lock yourself out.
NOTE! When enabling ufw the chains are flushed and connections may be dropped. You can add rules to the firewall before enabling it, however, so if you are testing ufw on a remote machine it is recommended you perform…
ufw allow ssh/tcp
…before running sudo ufw enable. Once the firewall is enabled, adding and removing rules will not flush the firewall, although modifying an existing rule will.
Set the default behaviour to deny all incoming connections.
sudo ufw default deny
Open up TCP port 22 with rate limiting enabled, which will deny connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds. Ideal for protecting sshd, but you should consider other SSH brute force defense techniques as well.
sudo ufw limit ssh
To enable the firewall you also have to do the following.
sudo ufw enable
On low-end servers it might be beneficial to disable logging.
sudo ufw logging off
You can see the status of the firewall using sudo ufw status.
I use either denyhosts
sudo apt-get install denyhosts
Purge denied entries older than 5 days, purge a denied host at most twice, and disable email alerts.
sudo sed -i 's/#PURGE_DENY = 5d/PURGE_DENY = 5d/' /etc/denyhosts.conf
sudo sed -i 's/#PURGE_THRESHOLD = 2/PURGE_THRESHOLD = 2/' /etc/denyhosts.conf
sudo sed -i 's/root@localhost//' /etc/denyhosts.conf
Restart denyhosts.
sudo service denyhosts restart
Also see SSH brute force defence.
These servers are headless and often remote, therefore I enable fsck auto repair.
sed -i 's/FSCKFIX=no/FSCKFIX=yes/' /etc/default/rcS
sed -i 's/#FSCKFIX=no/FSCKFIX=yes/' /etc/default/rcS
lsb-release was installed earlier. This is what I put in /etc/apt/sources.list.
cat >/etc/apt/sources.list<<EOF
deb http://ftp.uk.debian.org/debian/ $(lsb_release -cs) main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ $(lsb_release -cs) main contrib non-free
deb http://security.debian.org/ $(lsb_release -cs)/updates main contrib non-free
deb-src http://security.debian.org/ $(lsb_release -cs)/updates main contrib non-free
# $(lsb_release -cs)-updates, previously known as 'volatile'
deb http://ftp.uk.debian.org/debian/ $(lsb_release -cs)-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ $(lsb_release -cs)-updates main contrib non-free
EOF
I replace ftp.uk with ftp.us for servers located in the United States.
sed -i 's/ftp\.uk/ftp\.us/g' /etc/apt/sources.list
I add the Backports repository in order to access some updated packages. On Squeeze the backports live in the separate debian-backports archive:
cat >/etc/apt/sources.list.d/backports.list <<EOF
deb http://ftp.uk.debian.org/debian-backports $(lsb_release -cs)-backports main contrib non-free
deb-src http://ftp.uk.debian.org/debian-backports $(lsb_release -cs)-backports main contrib non-free
EOF
On Wheezy they are part of the main archive:
cat >/etc/apt/sources.list.d/backports.list <<EOF
deb http://ftp.uk.debian.org/debian $(lsb_release -cs)-backports main contrib non-free
deb-src http://ftp.uk.debian.org/debian $(lsb_release -cs)-backports main contrib non-free
EOF
Update.
sudo apt-get update
All backports are deactivated by default (i.e. the packages are pinned to 100 by using ButAutomaticUpgrades: yes in the Release files). If you want to install something from backports, run:
apt-get -t wheezy-backports install "package"
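The sources.list and backports.list written above can be generated from one place, picking the right backports archive for the release and the mirror country. This is an added example, not code from the original post; it assumes the codename is "squeeze" or "wheezy" and that the mirror prefix ("uk", "us") maps to ftp.<country>.debian.org as in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: $1 is the
# release codename ("squeeze" or "wheezy"); $2 is the mirror country
# prefix, e.g. "uk" or "us", giving http://ftp.<country>.debian.org/.

# Print the main sources.list for codename $1 and mirror country $2.
gen_sources_list() {
    codename="$1"
    mirror="http://ftp.${2}.debian.org/debian/"
    cat <<EOF
deb ${mirror} ${codename} main contrib non-free
deb-src ${mirror} ${codename} main contrib non-free
deb http://security.debian.org/ ${codename}/updates main contrib non-free
deb-src http://security.debian.org/ ${codename}/updates main contrib non-free
# ${codename}-updates, previously known as 'volatile'
deb ${mirror} ${codename}-updates main contrib non-free
deb-src ${mirror} ${codename}-updates main contrib non-free
EOF
}

# Print the backports list. Squeeze backports lived in the separate
# debian-backports archive; from Wheezy on they are in the main archive.
# Unknown codenames are refused rather than guessed.
gen_backports_list() {
    codename="$1"
    case "$codename" in
        squeeze) archive="http://ftp.${2}.debian.org/debian-backports" ;;
        wheezy)  archive="http://ftp.${2}.debian.org/debian" ;;
        *) echo "unsupported codename: $codename" >&2; return 1 ;;
    esac
    printf 'deb %s %s-backports main contrib non-free\n' "$archive" "$codename"
    printf 'deb-src %s %s-backports main contrib non-free\n' "$archive" "$codename"
}

# On a live host (as root), using the lsb-release package installed earlier:
#   gen_sources_list "$(lsb_release -cs)" uk > /etc/apt/sources.list
#   gen_backports_list "$(lsb_release -cs)" uk > /etc/apt/sources.list.d/backports.list
```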
sSMTP is a simple MTA to deliver mail from a computer to a mail hub. sSMTP is simple and lightweight.
Some VPS Debian templates from VPS providers have exim4 installed and running by default. Remove it.
sudo service exim4 stop
sudo apt-get purge exim4 exim4-base exim4-config
apt-get install ssmtp bsd-mailx
I use Gmail as my smart host; here is an example configuration for /etc/ssmtp/ssmtp.conf.
#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=root@example.org
# The place where the mail goes. The actual machine name is required; no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587
# Where will the mail seem to come from?
rewriteDomain=
# The full hostname
hostname=box.example.org
# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES
# Gmail requires TLS
UseTLS=YES
UseSTARTTLS=YES
# Username and password for Gmail servers
AuthUser=yourgmailname@gmail.com
AuthPass=yourpassword
AuthMethod=LOGIN
Then add each account that you want to be able to send mail from by editing /etc/ssmtp/revaliases:
root:username@gmail.com:smtp.gmail.com:587
user_a:username@gmail.com:smtp.gmail.com:587
user_b:username@gmail.com:smtp.gmail.com:587
My personal VPS servers are dotted about the place, but I like to keep an eye on them and I find apticron and logwatch very useful for that.
apticron is a simple tool to mail about pending package updates.
sudo apt-get install apticron
Logwatch is a modular log analyser that runs every night and mails you the results.
sudo apt-get install logwatch
Some of my servers have fairly low resources; these are some simple changes that can save a bit of RAM or disk space.
I don’t use aptitude, so I remove it.
sudo apt-get purge aptitude
D-Bus is a message bus, used for sending messages between applications. Some VPS provider Debian templates have D-Bus and avahi installed. I don’t require these on Internet facing servers so I remove them. If an application pulls in D-Bus as a requirement that is fine, but for this initial server state I remove it.
sudo apt-get purge dbus
at provides delayed job execution and batch processing. I don’t use it.
sudo service atd stop
sudo apt-get purge at
Ngetty is a single-process getty replacement, so instead of running 6 getty processes consuming up to 3MB of RAM each, you can use a single ngetty process using less than 1MB of RAM total.
sudo apt-get install ngetty
Edit /etc/inittab, comment out getty and add ngetty like so.
#1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
ng:2345:respawn:/sbin/ngetty 1 2 3 4 5 6
Make init re-read /etc/inittab.
telinit q
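The inittab edit above is easy to get wrong when the post-install steps are re-run on the same box (a second ngetty line, or getty lines commented twice). This added example, not code from the original post, does the same edit idempotently and demonstrates it on a constructed copy of the file rather than the live /etc/inittab; it assumes the stock Debian "N:2345:respawn:/sbin/getty 38400 ttyN" entries shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the inittab uses
# the stock Debian getty entries "N:...:respawn:/sbin/getty 38400 ttyN".

# Comment out the active getty entries for tty1..tty6 and add one ngetty
# entry. Safe to run repeatedly: commented lines no longer match, and the
# ngetty line is only appended when absent. Writes via a temp file so a
# failed sed never leaves a truncated inittab behind.
switch_to_ngetty() {
    inittab="$1"
    tmpf="${inittab}.tmp"
    sed 's|^\([1-6]:[0-9]*:respawn:/sbin/getty .*\)$|#\1|' "$inittab" > "$tmpf" \
        && mv "$tmpf" "$inittab"
    if ! grep -q '^ng:.*:/sbin/ngetty' "$inittab"; then
        printf 'ng:2345:respawn:/sbin/ngetty 1 2 3 4 5 6\n' >> "$inittab"
    fi
}

# Print "<active getty lines> <ngetty lines>" for the given inittab, so the
# result can be checked (expected "0 1" after the switch).
count_inittab_entries() {
    g=$(grep -c '^[1-6]:[0-9]*:respawn:/sbin/getty' "$1" || true)
    n=$(grep -c '^ng:.*:/sbin/ngetty' "$1" || true)
    echo "$g $n"
}

# Demonstrate on a constructed inittab in a temp file, running the switch
# twice to show the second run is a no-op.
demo_inittab() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
id:2:initdefault:
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
EOF
    switch_to_ngetty "$tmp"
    switch_to_ngetty "$tmp"
    count_inittab_entries "$tmp"
    rm -f "$tmp"
}
```

On a real host run switch_to_ngetty /etc/inittab as root and then telinit q as in the post.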
That about covers the general post installation steps I complete on my Debian servers.
Remove any packages that are no longer required and clean up the package cache.
sudo apt-get autoremove
sudo apt-get autoclean
sudo apt-get clean