Debian Server Base Configuration

From Bit Binary Wiki
(Difference between revisions)
(6 intermediate revisions by one user not shown)
Line 23: Line 23:
Disable recommended packages installing by default by creating the file {{ic|/etc/apt/apt.conf.d/10recommends}} with the following content.
Disable recommended packages installing by default by creating the file {{ic|/etc/apt/apt.conf.d/10recommends}} with the following content.
{{hc|editor /etc/apt/apt.conf.d/10recommends|<nowiki>
APT "";
APT "";
APT::Install-Recommends "false";
APT::Install-Recommends "false";
Line 32: Line 32:
  apt-get update
  apt-get update
Line 85: Line 84:
{{Tip|If you would like apt-file to sync after each apt-get update you can create a configuration file at {{ic|/etc/apt/apt.conf.d/90apt-file}} with the following content.  This only works for apt-get not aptitude.
{{Tip|If you would like apt-file to sync after each apt-get update you can create a configuration file at {{ic|/etc/apt/apt.conf.d/90apt-file}} with the following content.  This only works for apt-get not aptitude.
{{hc|editor /etc/apt/apt.conf.d/90apt-file|<nowiki>
APT::Update::Post-Invoke {"/usr/bin/apt-file update"; };
APT::Update::Post-Invoke {"/usr/bin/apt-file update"; };
Line 161: Line 160:    localhost.localdomain    localhost    localhost.localdomain    localhost    <span style="background-color: yellow">debserver.example.local</span>  <span style="background-color: yellow">debserver</span>
+    <span style="background-color: yellow">debian.example.local</span>  <span style="background-color: yellow">debserver</span>
  # The following lines are desirable for IPv6 capable hosts
  # The following lines are desirable for IPv6 capable hosts
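Review bot: In the added /etc/hosts entry the FQDN debian.example.local no longer matches its short alias debserver, and the Hostname step further down the page still writes debserver.example.local to /etc/hostname, so the configured hostname has no matching entry in this file and the later hostname -f check may not return the name set here. Suggest keeping the FQDN as debserver.example.local, or changing the alias and the value written to /etc/hostname in the same revision.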
Line 179: Line 178:
{{hc|hostname -f|<nowiki>
{{hc|hostname -f|<nowiki>

Latest revision as of 10:22, 12 January 2014


Introduction

This document covers initial configuration of a newly installed Debian GNU/Linux system, currently based on Debian 7 (Wheezy). It presumes no options were selected during Tasksel.

Install SSH

Update and then install ssh.

apt-get update
apt-get install --no-install-recommends ssh

Then connect via SSH from a workstation and continue the rest of the install, first installing some extra packages that SSH recommends.

apt-get install --no-install-recommends tcpd openssh-blacklist openssh-blacklist-extra

APT Configuration

aptitude and apt-get will keep track of each other (except for held packages) so you can use both, but you should choose one and stick to it. I use apt-get for software management and aptitude for various things such as the aptitude why command.

Disable Recommends

Stop recommended packages from being installed by default by creating the file /etc/apt/apt.conf.d/10recommends with the following content.

editor /etc/apt/apt.conf.d/10recommends
APT "";
APT::Install-Recommends "false";

Then update apt-get again.

apt-get update

Sources

Update sources.list with a Debian mirror closer to our location by reviewing the available Debian mirrors.

I use the file /etc/apt/sources.list.d/wheezy.list for my Wheezy apt sources.

mv /etc/apt/sources.list /etc/apt/sources.list.d/wheezy.list
cat > /etc/apt/sources.list.d/wheezy.list <<EOF
deb wheezy main non-free contrib
deb-src wheezy main non-free contrib

deb wheezy/updates main contrib non-free
deb-src wheezy/updates main contrib non-free

deb wheezy-updates main contrib non-free
deb-src wheezy-updates main contrib non-free
EOF

Now update and upgrade.

apt-get update
apt-get dist-upgrade

Backports

Using Debian backports might also be useful.

cat > /etc/apt/sources.list.d/wheezy-backports.list <<EOF
deb wheezy-backports main non-free contrib
deb-src wheezy-backports main non-free contrib
EOF

You can then install backport packages using apt-get's --target-release option, e.g.

apt-get update
apt-get install -t wheezy-backports linux-image-amd64 linux-headers-amd64

Utilities

Now install some useful apt tools (and recommended packages). Search the web for information on them or use apt-cache show packagename if you want to know more.

apt-get install deborphan debfoster apt-file python-apt lsb-release file iso-codes dialog \
cruft apt-rdepends reportbug apt-show-versions dctrl-tools

Optional: If you would like to review bug reports related to packages before they are installed, you can use apt-listbugs.

apt-get install apt-listbugs
Tip: If you would like apt-file to sync after each apt-get update, you can create a configuration file at /etc/apt/apt.conf.d/90apt-file with the following content. This only works for apt-get, not aptitude.
editor /etc/apt/apt.conf.d/90apt-file
APT::Update::Post-Invoke {"/usr/bin/apt-file update"; };

This adds more time for apt-get update to run, but is handy. You can read more about it here.

Then update apt-file or simply run apt-get update if you used the tip above.

apt-file update

Multi-Arch

Optionally add extra architecture repositories if required. For example, to add i386 to an AMD64 system:

dpkg --add-architecture i386

Check architectures by running...

cat /var/lib/dpkg/arch

Editor and Pager

apt-get install vim vim-doc vim-scripts vim-addon-manager less

Select default text editor by selecting /usr/bin/vim.basic in the update-alternatives dialogue as follows.

update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode

Press enter to keep the current choice[*], or type selection number: 2

Networking

Because the Debian installer may have configured our system to get its network settings via DHCP, or added some unneeded details if configured statically, we change it to fit our requirements (in this example the IP address is used).

Note: allow-hotplug eth0 is replaced with auto eth0; otherwise restarting the network may fail, and we'd have to reboot the whole system.

Edit /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static

Then restart networking.

nohup sh -c "ifdown eth0 && ifup eth0"

You will need to reconnect your SSH session on the new IP unless you configure the network settings via the console.

Hostname

Edit /etc/hosts, substituting the computer's hostname where applicable.

localhost.localdomain    localhost
debian.example.local  debserver

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run...

echo debserver.example.local > /etc/hostname
invoke-rc.d start

Afterwards check the hostname and fqdn are correct.

hostname -f
Tip: An alternative is to use the libnss-myhostname package
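
The hostname -f check above depends on /etc/hostname and /etc/hosts agreeing. This added example (not from the original page) mimics the files-based lookup by returning the first name on the hosts line that lists the configured hostname, and runs it on the page's own names. The function names and the 192.0.2.10 address are constructed, since the page's addresses are not shown; DNS fallback is not modelled.

```sh
#!/bin/sh
# Added example, not from the original page.

# canonical_name HOSTS_FILE NAME
# Print the canonical (first) name of the first hosts entry listing NAME.
canonical_name() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                   # strip comments
        NF < 2 { next }                      # need an address and a name
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $2; exit }
        }' "$1"
}

# check_hostname HOSTNAME_FILE HOSTS_FILE
# Print the FQDN the hostname maps to. Return 1 if the hostname has no
# hosts entry, 2 if its canonical name is not fully qualified.
check_hostname() {
    name=$(tr -d ' \t\r\n' < "$1")
    fqdn=$(canonical_name "$2" "$name")
    [ -n "$fqdn" ] || { echo "$name: no entry in $2" >&2; return 1; }
    case $fqdn in
        *.*) echo "$fqdn" ;;
        *)   echo "$name: canonical name $fqdn is not fully qualified" >&2
             return 2 ;;
    esac
}

# Constructed sample using the names from this page.
hosts=$(mktemp); hn=$(mktemp)
cat > "$hosts" <<'EOF'
127.0.0.1    localhost.localdomain localhost
192.0.2.10   debian.example.local debserver   # constructed address
EOF
echo debserver.example.local > "$hn"

check_hostname "$hn" "$hosts" ||
    echo "hostname and hosts file disagree; fix one before relying on hostname -f"
```

On a real system call it as check_hostname /etc/hostname /etc/hosts.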

Firmware

Install the latest firmware packages to support your hardware. You are free to exclude any you don't need; I just install all of the available firmware to save headaches if, for example, the server has to be moved or restored to new hardware.

apt-file update
apt-get update
apt-get install firmware-linux firmware-linux-nonfree

Running the following command will list the available firmware:

apt-file --package-only search /lib/firmware/

If you want to install all firmware you can run:

apt-get install $(apt-file --package-only search /lib/firmware/ | tr '\n' ' ')

Software

Base software to install.

apt-get install htop build-essential module-assistant linux-headers-amd64 \
tofrodos dosfstools fakeroot hdparm ntfs-3g rsync dkms bash-doc hwdata unp psmisc \
bzip2 p7zip rar unrar unzip zip p7zip-full lzop lzip lzma ntp fontconfig lshw \
hwinfo syslinux dnsutils sshfs screen telnet lsof bash-completion parted gdisk atop

Note: locate/mlocate are excluded from server installations. Use them with caution on server installs and ensure you check your exclusions in /etc/updatedb.conf.

Configuration Files

Bash

The Bash Section on this wiki includes example Bash startup files.

Vim

Security

On servers, root SSH access is disallowed, so I set up an "admin" user with sudo rights.

apt-get install sudo

Add a standard user with sudo access

useradd --comment "Admin Account" --groups sudo --create-home --shell /bin/bash --user-group myuser
passwd myuser

Or if you have an existing user account

gpasswd -a myuser sudo

Log on as your new user via SSH and edit /etc/ssh/sshd_config

Alter PermitRootLogin to no

PermitRootLogin no

Save the file, exit and restart SSH

sudo invoke-rc.d ssh restart
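
A check to run against the edited file, added here as an example (not part of the original page): sshd_config uses the first occurrence of a keyword, so a PermitRootLogin no placed after an earlier PermitRootLogin yes has no effect. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page.

# effective_sshd_option FILE KEYWORD
# Print the global value sshd uses for KEYWORD: keywords are case-insensitive,
# the first occurrence wins, and lines after a Match line are conditional.
effective_sshd_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)        # separator: whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit         # end of the global section
            if (key == want) { print val; exit }
        }' "$1"
}

# root_login_disabled FILE
# Succeed only when PermitRootLogin is explicitly "no"; an unset keyword
# falls back to the sshd default, which is not "no".
root_login_disabled() {
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = "no" ]
}

# Constructed sample: the second PermitRootLogin line has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Authentication:
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF

if root_login_disabled "$sample"; then
    echo "root login over SSH: disabled"
else
    echo "root login over SSH: still permitted" >&2
fi
```

Point root_login_disabled at /etc/ssh/sshd_config, and run sshd -t to catch syntax errors before the restart.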

You might also like to use the rootpw option for sudo which prompts sudo users for the root password instead of their own. If so create the file /etc/sudoers.d/rootpw by executing the following command:

sudo visudo -f /etc/sudoers.d/rootpw

Insert the following into the file and save it.

Defaults        rootpw
Tip: If you make a mistake, just log on to the console as root and correct it.

Virtual Machine Requirements

The following needs to be done when running as a virtual machine.

Disable CTRL+ALT+DEL on console

Disable CTRL-ALT-DEL (reboot) to prevent Windows Admins rebooting the server accidentally.

sudo vi /etc/inittab

Locate and comment out the following line e.g.

#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

VMware Tools

Debian comes with open-vm-tools. If you'd like to use them, follow these instructions.

sudo apt-get install build-essential linux-headers-amd64 dkms
sudo apt-get install open-vm-dkms open-vm-tools ethtool zerofree
reboot && exit

Or to install VMware's tools...

sudo apt-get install build-essential linux-headers-$(uname -r)

Login to the console of the VM and mount the cdrom

sudo mount /dev/sr0 /media/cdrom
cp /media/cdrom/vmwaretools.tar.gz /tmp/
cd /tmp/
tar -xvzf vmwaretools.tar.gz
cd vmware-tools-distrib

Hit Enter at all prompts, with the exception of the VM Sync driver, which you may like to use.

Repeated Characters Fix

See the following link to resolve repeated characters when typing in the remote console.

System Tweaks

atime and diratime

Edit /etc/fstab and add noatime and optionally nodiratime to it. For example...

UUID=303a3234-0ba0-4779-ad1b-4d3bd095a224 / ext4 noatime,nodiratime,errors=remount-ro 0 1

Then reboot.

TTY Scrollback Buffer

To increase the TTY Scrollback see TTY Scrollback Buffer Size
