Debian Server Base Configuration
(→Multi-Arch) |
(→Hostname) |
||
(6 intermediate revisions by one user not shown) | |||
Line 23: | Line 23: | ||
Disable recommended packages installing by default by creating the file {{ic|/etc/apt/apt.conf.d/10recommends}} with the following content. | Disable recommended packages installing by default by creating the file {{ic|/etc/apt/apt.conf.d/10recommends}} with the following content. | ||
− | {{hc|/etc/apt/apt.conf.d/10recommends|<nowiki> | + | {{hc|editor /etc/apt/apt.conf.d/10recommends|<nowiki> |
APT ""; | APT ""; | ||
APT::Install-Recommends "false"; | APT::Install-Recommends "false"; | ||
Line 32: | Line 32: | ||
apt-get update | apt-get update | ||
<noinclude> | <noinclude> | ||
− | |||
===Sources=== | ===Sources=== | ||
Line 85: | Line 84: | ||
{{Tip|If you would like apt-file to sync after each apt-get update you can create a configuration file at {{ic|/etc/apt/apt.conf.d/90apt-file}} with the following content. This only works for apt-get not aptitude. | {{Tip|If you would like apt-file to sync after each apt-get update you can create a configuration file at {{ic|/etc/apt/apt.conf.d/90apt-file}} with the following content. This only works for apt-get not aptitude. | ||
− | {{hc|/etc/apt/apt.conf.d/90apt-file|<nowiki> | + | {{hc|editor /etc/apt/apt.conf.d/90apt-file|<nowiki> |
APT::Update::Post-Invoke {"/usr/bin/apt-file update"; }; | APT::Update::Post-Invoke {"/usr/bin/apt-file update"; }; | ||
</nowiki>}} | </nowiki>}} | ||
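Review bot: the Post-Invoke line in this tip calls /usr/bin/apt-file update unconditionally, and the retitled header now has readers create /etc/apt/apt.conf.d/90apt-file by hand, so the file stays behind if the apt-file package is later removed and every apt-get update then ends with a failed hook. Guard the call, e.g. APT::Update::Post-Invoke {"[ ! -x /usr/bin/apt-file ] || /usr/bin/apt-file update"; };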
Line 161: | Line 160: | ||
127.0.0.1 localhost.localdomain localhost | 127.0.0.1 localhost.localdomain localhost | ||
− | 192.0.2.1 <span style="background-color: yellow"> | + | 192.0.2.1 <span style="background-color: yellow">debian.example.local</span> <span style="background-color: yellow">debserver</span> |
# The following lines are desirable for IPv6 capable hosts | # The following lines are desirable for IPv6 capable hosts | ||
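Review bot: on the new 192.0.2.1 line the alias debserver is not the short form of the canonical name debian.example.local, so the short name and the FQDN refer to two different labels. Use one name for both, e.g. 192.0.2.1 debian.example.local debian, or keep debserver in both positions.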
Line 179: | Line 178: | ||
{{hc|hostname|<nowiki> | {{hc|hostname|<nowiki> | ||
− | + | debian.example.local | |
</nowiki>}} | </nowiki>}} | ||
{{hc|hostname -f|<nowiki> | {{hc|hostname -f|<nowiki> | ||
− | + | debian.example.local | |
</nowiki>}} | </nowiki>}} | ||
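Review bot: the two sample outputs are now identical, so plain hostname is documented as printing the FQDN debian.example.local, the same as hostname -f. If /etc/hostname is meant to hold only the short name, the first output should show that short name; if the FQDN is intended there, say so next to the example so readers do not treat matching outputs as a mistake.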
Latest revision as of 10:22, 12 January 2014
Introduction
This document covers initial configuration of a newly installed Debian GNU/Linux system, currently based on Debian 7 (Wheezy). It presumes no options were selected during Tasksel.
Install SSH
Update and then install ssh.
apt-get update
apt-get install --no-install-recommends ssh
Then connect via SSH from a workstation and continue the rest of the install by first installing some extra SSH recommends.
apt-get install --no-install-recommends tcpd openssh-blacklist openssh-blacklist-extra
APT Configuration
aptitude and apt-get will keep track of each other (except for held packages) so you can use both, but you should choose one and stick to it. I use apt-get for software management and aptitude for various things such as the aptitude why command.
Disable Recommends
Stop recommended packages from being installed by default by creating the file /etc/apt/apt.conf.d/10recommends with the following content.
editor /etc/apt/apt.conf.d/10recommends
APT "";
APT::Install-Recommends "false";
Then update apt-get again.
apt-get update
Sources
Update sources.list to use a Debian mirror close to your location; review the available Debian mirrors to choose one.
I use the file /etc/apt/sources.list.d/wheezy.list for my Wheezy apt sources.
mv /etc/apt/sources.list /etc/apt/sources.list.d/wheezy.list
cat > /etc/apt/sources.list.d/wheezy.list <<EOF
deb http://mirror.internode.on.net/pub/debian/ wheezy main non-free contrib
deb-src http://mirror.internode.on.net/pub/debian/ wheezy main non-free contrib

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

deb http://mirror.internode.on.net/pub/debian/ wheezy-updates main contrib non-free
deb-src http://mirror.internode.on.net/pub/debian/ wheezy-updates main contrib non-free
EOF
Now update and upgrade.
apt-get update
apt-get dist-upgrade
Backports
Using Debian backports might also be useful.
cat > /etc/apt/sources.list.d/wheezy-backports.list <<EOF
deb http://mirror.internode.on.net/pub/debian/ wheezy-backports main non-free contrib
deb-src http://mirror.internode.on.net/pub/debian/ wheezy-backports main non-free contrib
EOF
You can then install backport packages using apt-get's --target-release option, e.g.
apt-get update
apt-get install -t wheezy-backports linux-image-amd64 linux-headers-amd64
Utilities
Now install some useful apt tools (and recommended packages). Search the web for information on them or use apt-cache show packagename if you want to know more.
apt-get install deborphan debfoster apt-file python-apt lsb-release file iso-codes dialog \
cruft apt-rdepends reportbug apt-show-versions dctrl-tools
Optional: If you would like to review bug reports related to packages before they are installed, you can use apt-listbugs.
apt-get install apt-listbugs
Then update apt-file or simply run apt-get update if you used the tip above.
apt-file update
Multi-Arch
Optionally add extra architecture repositories if required. For example, to add i386 to an AMD64 system:
dpkg --add-architecture i386
Check architectures by running...
cat /var/lib/dpkg/arch
amd64
i386
Editor and Pager
apt-get install vim vim-doc vim-scripts vim-addon-manager less
Set the default text editor by choosing /usr/bin/vim.basic in the update-alternatives dialogue as follows.
update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode

Press enter to keep the current choice[*], or type selection number: 2
Networking
Because the Debian installer may have configured the system to get its network settings via DHCP, or added some unnecessary details if it was configured statically, we change it to fit our requirements (in this example the IP address 192.0.2.1 is used).
Edit /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.0.2.1
    netmask 255.255.255.0
    gateway 192.0.2.254
Then restart networking.
nohup sh -c "ifdown eth0 && ifup eth0"
You will need to reconnect your SSH session on the new IP unless you configure the network settings via the console.
Hostname
Edit /etc/hosts, substituting the computer's hostname where applicable.
127.0.0.1 localhost.localdomain localhost
192.0.2.1 debian.example.local debserver

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Now run...
echo debian.example.local > /etc/hostname
invoke-rc.d hostname.sh start
Afterwards check the hostname and FQDN are correct.
hostname
debian.example.local
hostname -f
debian.example.local
Firmware
Install the latest firmware packages to support your hardware. You are free to exclude any you don't need; I just install all of the available firmware to save headaches if, for example, the server has to be moved or restored to new hardware.
apt-file update
apt-get update
apt-get install firmware-linux firmware-linux-nonfree
Running the following command will list the available firmware:
apt-file --package-only search /lib/firmware/
If you want to install all firmware you can run:
apt-get install $(apt-file --package-only search /lib/firmware/ | tr '\n' ' ')
Software
Base software to install.
apt-get install htop build-essential module-assistant linux-headers-amd64 \
tofrodos dosfstools fakeroot hdparm ntfs-3g rsync dkms bash-doc hwdata unp psmisc \
bzip2 p7zip rar unrar unzip zip p7zip-full lzop lzip lzma ntp fontconfig lshw \
hwinfo syslinux dnsutils sshfs screen telnet lsof bash-completion parted gdisk atop \
ca-certificates
Configuration Files
Bash
The Bash Section on this wiki includes example Bash startup files.
Vim
Security
On servers, root SSH access is disallowed, so I set up an "admin" user with sudo rights.
apt-get install sudo
Add a standard user with sudo access.
useradd --comment "Admin Account" --groups sudo --create-home --shell /bin/bash --user-group myuser
passwd myuser
Or, if you have an existing user account:
gpasswd -a myuser sudo
Log on as your new user via SSH and edit /etc/ssh/sshd_config.
Alter PermitRootLogin to no.
PermitRootLogin no
Save the file, exit and restart SSH.
sudo invoke-rc.d ssh restart
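A check for the PermitRootLogin step above, added here as an example and not part of the original page: sshd applies the first value it reads for a keyword, so a "no" appended below an existing "yes" has no effect, and a Match block can still set another value. The function names and sample files are constructed for illustration; options written with "=" are not handled.

```shell
#!/bin/sh
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive; lines after a Match keyword apply only conditionally.

effective_sshd_option() {   # $1 = keyword, $2 = sshd_config-style file
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }            # blank lines, comments
        tolower($1) == "match" { exit }           # global section ends
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

match_overrides() {         # keyword values set inside Match blocks
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { block = $0; next }
        block != "" && tolower($1) == key { print block " -> " $2 }
    ' "$2"
}

root_login_disabled() {     # true only if global value is "no", no overrides
    [ "$(effective_sshd_option PermitRootLogin "$1")" = "no" ] &&
        [ -z "$(match_overrides PermitRootLogin "$1")" ]
}

# Constructed samples (not from a real host).
sample_dir=$(mktemp -d)
# "no" appended at the end: the earlier live "yes" is read first and wins.
printf '%s\n' '#PermitRootLogin no' 'Port 22' 'PermitRootLogin yes' \
    'PermitRootLogin no' > "$sample_dir/appended"
# Existing line altered in place, as the page instructs.
printf '%s\n' 'Port 22' 'permitrootlogin no' > "$sample_dir/altered"
# Global "no", but a Match block sets a different value for one address range.
printf '%s\n' 'PermitRootLogin no' 'Match Address 192.0.2.0/24' \
    '    PermitRootLogin yes' > "$sample_dir/overridden"

for f in appended altered overridden; do
    if root_login_disabled "$sample_dir/$f"; then
        echo "$f: root login disabled"
    else
        echo "$f: NOT disabled, global=$(effective_sshd_option PermitRootLogin "$sample_dir/$f")" \
             "overrides=$(match_overrides PermitRootLogin "$sample_dir/$f")"
    fi
done
```

On a live host, sshd -t validates the file before the restart and sshd -T prints the configuration sshd will actually apply.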
You might also like to use the rootpw option for sudo, which prompts sudo users for the root password instead of their own. If so, create the file /etc/sudoers.d/rootpw by executing the following command:
sudo visudo -f /etc/sudoers.d/rootpw
Insert the following into the file and save it.
Defaults rootpw
Virtual Machine Requirements
The following needs to be done when running as a virtual machine.
Disable CTRL+ALT+DEL on console
Disable CTRL-ALT-DEL (reboot) to prevent Windows Admins rebooting the server accidentally.
sudo vi /etc/inittab
Locate and comment out the following line, e.g.
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
VMware Tools
Debian comes with open-vm-tools. If you'd like to use them, follow these instructions.
sudo apt-get install build-essential linux-headers-amd64 dkms
sudo apt-get install open-vm-dkms open-vm-tools ethtool zerofree
reboot && exit
Or to install VMware's tools...
sudo apt-get install build-essential linux-headers-$(uname -r)
Log in to the console of the VM and mount the cdrom.
sudo mount /dev/sr0 /media/cdrom
cp /media/cdrom/vmwaretools.tar.gz /tmp/
cd /tmp/
tar -xvzf vmwaretools.tar.gz
cd vmware-tools-distrib
sudo ./vmware-install.pl
Hit Enter to all prompts with the exception of the VM Sync driver, which you may like to use.
Repeated Characters Fix
See the following link to resolve repeated characters when typing in the remote console.
System Tweaks
atime and diratime
Edit /etc/fstab and add noatime and optionally nodiratime to it. For example...
UUID=303a3234-0ba0-4779-ad1b-4d3bd095a224 / ext4 noatime,nodiratime,errors=remount-ro 0 1
Then reboot.
TTY Scrollback Buffer
To increase the TTY Scrollback see TTY Scrollback Buffer Size.