Recently I've been deploying Debian 6.0 (Squeeze) and 7.0 (Wheezy) servers for some personal projects. These servers are provisioned in different ways:
- Open Media Vault using a Squeeze pre-seed
- VPS powered by LXC deployed via
- VPS powered by KVM using the hosting provider's Wheezy pre-seed
Consequently the basic install differs on each instance and requires a little post-install tweaking to get them all consistent. This blog post is a quick reference for the post-install steps I complete on Debian servers.
Timezone & Locale
Select your timezone.
Select your locale(s).
Make sure the locales are correctly generated. Replace en_GB.UTF-8 with your own locale.
update-locale LANG=en_GB.UTF-8 LANGUAGE=en_GB.UTF-8 LC_ALL=en_GB.UTF-8 LC_TIME=en_GB.UTF-8 LC_CTYPE=en_GB.UTF-8
locale -a
locale-gen
Set the hostname.
echo box.example.org > /etc/hostname
/bin/hostname -F /etc/hostname
Keeping time is essential.
apt-get install ntp ntpdate
Force a clock sync.
service ntp stop
ntpdate -s pool.ntp.org
service ntp start
If your VPS is a Xen DomU then check out the following.
These are the essential tools I require.
apt-get install build-essential curl git htop less \
    lsb-release nano rsync screen sudo tree whois
The following will create a user with sudo privileges.
useradd user_a --create-home --shell /bin/bash --user-group \
    --groups adm,dialout,cdrom,plugdev,sudo
This will create a regular user.
useradd user_b --create-home --shell /bin/bash --user-group --groups adm,dialout,cdrom,plugdev
Assign a password.
echo user_a:mypassword | chpasswd
An existing user can be made a sudoer by simply adding them to the sudo group.
adduser user_b sudo
I firewall my VPS servers with ufw. This is my initial configuration, which allows access via SSH only.
sudo apt-get install ufw
ufw is simple, but make sure you have console access to the host you are configuring just in case you lock yourself out.
NOTE! When enabling ufw the chains are flushed and connections may be dropped. You can add rules to the firewall before enabling it however, so if you are configuring ufw on a remote machine it is recommended you perform:
ufw allow ssh/tcp
sudo ufw enable
Once the firewall is enabled, adding and removing rules will not flush the firewall, although modifying an existing rule
Set the default behaviour to deny all incoming connections.
sudo ufw default deny
Open up TCP port 22 with rate limiting enabled, which will deny connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds. Ideal for protecting sshd, but you should consider other SSH brute force defense techniques as well.
sudo ufw limit ssh
To enable the firewall you also have to do the following.
sudo ufw enable
On low-end servers it might be beneficial to disable logging.
sudo ufw logging off
You can see the status of the firewall using sudo ufw status.
I use either
sudo apt-get install denyhosts
Purge entries older than 5 days, purge a denied host at most twice, and disable email alerts.
sudo sed -i 's/#PURGE_DENY = 5d/PURGE_DENY = 5d/' /etc/denyhosts.conf
sudo sed -i 's/#PURGE_THRESHOLD = 2/PURGE_THRESHOLD = 2/' /etc/denyhosts.conf
sudo sed -i 's/root@localhost//' /etc/denyhosts.conf
sudo service denyhosts restart
Also see SSH brute force defence.
These servers are headless and often remote, therefore I enable fsck auto repair. The second sed covers the case where the setting is still commented out.
sed -i 's/FSCKFIX=no/FSCKFIX=yes/' /etc/default/rcS
sed -i 's/#FSCKFIX=no/FSCKFIX=yes/' /etc/default/rcS
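The sed one-liners used above for denyhosts.conf and /etc/default/rcS only match one exact spelling of each line, so a key that is already active, commented differently or listed twice is silently left alone or duplicated. This helper, added here and not part of the original post, sets a key whether it is commented, active, repeated or absent; the demo runs it on a constructed mix of both files' line styles rather than on the real files.

```shell
#!/bin/sh
# set_conf_key FILE KEY VALUE
# Rewrite the first "KEY = value" / "#KEY=value" line in FILE to hold VALUE,
# uncommenting it and keeping the file's own spacing around "="; drop any later
# active or commented duplicates of KEY so exactly one live line remains; append
# "KEY=VALUE" when KEY is absent. Assumes KEY has no regex metacharacters
# (true for PURGE_DENY, PURGE_THRESHOLD, ADMIN_EMAIL and FSCKFIX).
set_conf_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            # optional leading "#"/blanks, the key, optional blanks, "=", blanks
            if (match($0, "^[# \t]*" key "[ \t]*=[ \t]*")) {
                if (seen) next                  # duplicate definition: drop it
                prefix = substr($0, RSTART, RLENGTH)
                sub(/^[# \t]*/, "", prefix)     # uncomment, keep "KEY = " spacing
                print prefix value
                seen = 1
                next
            }
            print
        }
        END { if (!seen) print key "=" value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Demo on a constructed mix of denyhosts.conf and /etc/default/rcS style lines
# (not the real files); prints the resulting file.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '#PURGE_DENY = 5d' '#PURGE_DENY = 1w' 'PURGE_DENY = ' \
        'ADMIN_EMAIL = root@localhost' 'FSCKFIX=no' > "$f"
    set_conf_key "$f" PURGE_DENY 5d        # uncomment first, drop the two duplicates
    set_conf_key "$f" PURGE_THRESHOLD 2    # absent: appended
    set_conf_key "$f" ADMIN_EMAIL ""       # empty value disables DenyHosts mail
    set_conf_key "$f" FSCKFIX yes          # "KEY=value" style, no spaces added
    cat "$f"
    rm -f "$f"
}
```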
lsb-release was installed earlier. This is what I put in /etc/apt/sources.list.
cat >/etc/apt/sources.list <<EOF
deb http://ftp.uk.debian.org/debian/ $(lsb_release -cs) main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ $(lsb_release -cs) main contrib non-free
deb http://security.debian.org/ $(lsb_release -cs)/updates main contrib non-free
deb-src http://security.debian.org/ $(lsb_release -cs)/updates main contrib non-free
# $(lsb_release -cs)-updates, previously known as 'volatile'
deb http://ftp.uk.debian.org/debian/ $(lsb_release -cs)-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ $(lsb_release -cs)-updates main contrib non-free
EOF
Use ftp.us for servers located in the United States.
sed -i 's/ftp\.uk/ftp\.us/g' /etc/apt/sources.list
I add the Backports repository in order to access some updated packages. On Squeeze the backports live in a separate archive:
cat >/etc/apt/sources.list.d/backports.list <<EOF
deb http://ftp.uk.debian.org/debian-backports $(lsb_release -cs)-backports main contrib non-free
deb-src http://ftp.uk.debian.org/debian-backports $(lsb_release -cs)-backports main contrib non-free
EOF
On Wheezy they are part of the main archive:
cat >/etc/apt/sources.list.d/backports.list <<EOF
deb http://ftp.uk.debian.org/debian $(lsb_release -cs)-backports main contrib non-free
deb-src http://ftp.uk.debian.org/debian $(lsb_release -cs)-backports main contrib non-free
EOF
sudo apt-get update
All backports are deactivated by default (i.e. the packages are pinned to 100 by using ButAutomaticUpgrades: yes in the Release files). If you want to install something from backports run:
apt-get -t wheezy-backports install "package"
sSMTP is a simple MTA to deliver mail from a computer to a mail hub. sSMTP is simple and lightweight.
Some VPS Debian templates from VPS providers have exim4 installed and running by default. Remove it.
sudo service exim4 stop
sudo apt-get purge exim4 exim4-base exim4-config
apt-get install ssmtp bsd-mailx
sSMTP Gmail Configuration
I use Gmail as my smart host; here is an example configuration for
#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=firstname.lastname@example.org

# The place where the mail goes. The actual machine name is required, no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587

# Where will the mail seem to come from?
rewriteDomain=

# The full hostname
hostname=box.example.org

# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES

# Gmail requires TLS
UseTLS=YES
UseSTARTTLS=YES

# Username and password for Gmail servers
AuthUser=email@example.com
AuthPass=yourpassword
AuthMethod=LOGIN
Then add each account that you want to be able to send mail from by editing
root:firstname.lastname@example.org:smtp.gmail.com:587
user_a:email@example.com:smtp.gmail.com:587
user_b:firstname.lastname@example.org:smtp.gmail.com:587
Log and package monitoring
My personal VPS servers are dotted about the place, but I like to keep an eye on them and I find apticron and logwatch very useful for that.
apticron is a simple tool to mail about pending package updates.
sudo apt-get install apticron
Logwatch is a modular log analyser that runs every night and mails you the results.
sudo apt-get install logwatch
Some of my servers have fairly low resources, these are some simple changes that can save a bit of RAM or disk space.
I don't use it.
sudo apt-get purge aptitude
D-Bus is a message bus, used for sending messages between applications. Some VPS provider Debian templates have D-Bus and avahi installed. I don't require these on Internet facing servers so I remove them. If an application pulls in D-Bus as a requirement that is fine, but for this initial server state I remove it.
sudo apt-get purge dbus
at provides delayed job execution and batch processing. I don't use it.
sudo service atd stop
sudo apt-get purge at
Ngetty is a single-process getty replacement, so instead of running 6 getty processes consuming up to 3MB of RAM each, you can use a single ngetty using less than 1MB of RAM total.
sudo apt-get install ngetty
In /etc/inittab, comment out the getty entries and add ngetty like so.
#1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
ng:2345:respawn:/sbin/ngetty 1 2 3 4 5 6
Remove any packages that are no longer required and clean up the package cache.
sudo apt-get autoremove
sudo apt-get autoclean
sudo apt-get clean
That about covers the general post installation steps I complete on my Debian servers.