Debian Server Base Configuration
(→Multi-Arch) |
(→Disable Recommends) |
||
Line 23: | Line 23: | ||
Disable recommended packages installing by default by creating the file {{ic|/etc/apt/apt.conf.d/10recommends}} with the following content. | Disable recommended packages installing by default by creating the file {{ic|/etc/apt/apt.conf.d/10recommends}} with the following content. | ||
− | {{hc|/etc/apt/apt.conf.d/10recommends|<nowiki> | + | {{hc|editor /etc/apt/apt.conf.d/10recommends|<nowiki> |
APT ""; | APT ""; | ||
APT::Install-Recommends "false"; | APT::Install-Recommends "false"; |
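Review bot: on the changed `{{hc|` line, the header becomes the command `editor /etc/apt/apt.conf.d/10recommends` while the block under it is still the text to place in that file, so the header and the body no longer describe the same thing. Suggest keeping the file path as the header and putting the `editor` command on its own line before the block.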
Revision as of 10:12, 12 January 2014
Introduction
This document covers initial configuration of a newly installed Debian GNU/Linux system, currently based on Debian 7 (Wheezy). It presumes no options were selected during Tasksel.
Install SSH
Update and then install ssh.
apt-get update
apt-get install --no-install-recommends ssh
Then connect via SSH from a workstation and continue the rest of the install, starting with some extra packages that SSH recommends.
apt-get install --no-install-recommends tcpd openssh-blacklist openssh-blacklist-extra
APT Configuration
aptitude and apt-get will keep track of each other (except for held packages) so you can use both, but you should choose one and stick to it. I use apt-get for software management and aptitude for various things such as the aptitude why command.
Disable Recommends
Stop recommended packages from being installed by default by creating the file /etc/apt/apt.conf.d/10recommends with the following content.
editor /etc/apt/apt.conf.d/10recommends
APT "";
APT::Install-Recommends "false";
Then update apt-get again.
apt-get update
Sources
Update sources.list with a Debian mirror closer to our location by reviewing the available Debian mirrors.
I use the file /etc/apt/sources.list.d/wheezy.list for my Wheezy apt sources.
mv /etc/apt/sources.list /etc/apt/sources.list.d/wheezy.list
cat > /etc/apt/sources.list.d/wheezy.list <<EOF
deb http://mirror.internode.on.net/pub/debian/ wheezy main non-free contrib
deb-src http://mirror.internode.on.net/pub/debian/ wheezy main non-free contrib

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

deb http://mirror.internode.on.net/pub/debian/ wheezy-updates main contrib non-free
deb-src http://mirror.internode.on.net/pub/debian/ wheezy-updates main contrib non-free
EOF
Now update and upgrade.
apt-get update
apt-get dist-upgrade
Backports
Using Debian backports might also be useful.
cat > /etc/apt/sources.list.d/wheezy-backports.list <<EOF
deb http://mirror.internode.on.net/pub/debian/ wheezy-backports main non-free contrib
deb-src http://mirror.internode.on.net/pub/debian/ wheezy-backports main non-free contrib
EOF
You can then install backport packages using apt-get's --target-release option, e.g.
apt-get update
apt-get install -t wheezy-backports linux-image-amd64 linux-headers-amd64
Utilities
Now install some useful apt tools (and recommended packages). Search the web for information on them or use apt-cache show packagename if you want to know more.
apt-get install deborphan debfoster apt-file python-apt lsb-release file iso-codes dialog \
cruft apt-rdepends reportbug apt-show-versions dctrl-tools
Optional: If you would like to review bug reports related to packages before they are installed, you can use apt-listbugs.
apt-get install apt-listbugs
Then update apt-file or simply run apt-get update if you used the tip above.
apt-file update
Multi-Arch
Optionally add extra architecture repositories if required. For example, to add i386 to an AMD64 system:
dpkg --add-architecture i386
Check architectures by running...
cat /var/lib/dpkg/arch
amd64
i386
Editor and Pager
apt-get install vim vim-doc vim-scripts vim-addon-manager less
Select default text editor by selecting /usr/bin/vim.basic in the update-alternatives dialogue as follows.
update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode

Press enter to keep the current choice[*], or type selection number: 2
Networking
Because the Debian installer may have configured our system to get its network settings via DHCP, or added some unneeded details if it was configured statically, we change the configuration to fit our requirements (in this example the IP address 192.0.2.1 is used).
Edit /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.0.2.1
    netmask 255.255.255.0
    gateway 192.0.2.254
Then restart networking.
nohup sh -c "ifdown eth0 && ifup eth0"
You will need to reconnect your SSH session on the new IP unless you configure the network settings via the console.
Hostname
Edit /etc/hosts, substituting the computer's hostname where applicable.
127.0.0.1 localhost.localdomain localhost
192.0.2.1 debserver.example.local debserver

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Now run...
echo debserver.example.local > /etc/hostname
invoke-rc.d hostname.sh start
Afterwards check the hostname and fqdn are correct.
hostname
debserver.example.local
hostname -f
debserver.example.local
Firmware
Install the latest firmware packages to support your hardware. You are free to exclude any you don't need; I just install all of the available firmware to save headaches if, for example, the server has to be moved or restored to new hardware.
apt-file update
apt-get update
apt-get install firmware-linux firmware-linux-nonfree
Running the following command will list the available firmware:
apt-file --package-only search /lib/firmware/
If you want to install all firmware you can run:
apt-get install $(apt-file --package-only search /lib/firmware/ | tr '\n' ' ')
Software
Base software to install.
apt-get install htop build-essential module-assistant linux-headers-amd64 \
tofrodos dosfstools fakeroot hdparm ntfs-3g rsync dkms bash-doc hwdata unp psmisc \
bzip2 p7zip rar unrar unzip zip p7zip-full lzop lzip lzma ntp fontconfig lshw \
hwinfo syslinux dnsutils sshfs screen telnet lsof bash-completion parted gdisk atop \
ca-certificates
Configuration Files
Bash
The Bash section on this wiki includes example Bash startup files.
Vim
Security
On servers, root SSH access is disallowed, so I set up an "admin" user with sudo rights.
apt-get install sudo
Add a standard user with sudo access:
useradd --comment "Admin Account" --groups sudo --create-home --shell /bin/bash --user-group myuser
passwd myuser
Or if you have an existing user account
gpasswd -a myuser sudo
Log on as your new user via SSH and edit /etc/ssh/sshd_config.
Alter PermitRootLogin to no
PermitRootLogin no
Save the file, exit and restart SSH
sudo invoke-rc.d ssh restart
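A check for the PermitRootLogin change above, as an added example that is not part of the original page: it reports the value sshd would take from a config file and flags Match blocks that turn root login back on. The function names and the sample file are constructed for illustration, and Include directives are assumed not to be in use.

```sh
#!/bin/sh
# Constructed helper, not from the original page. It only reads a file and
# never runs sshd. Assumption: Include directives are not followed.

# scan_root_login FILE
# Prints "match <line> <value>" for each PermitRootLogin inside a Match block,
# then "global <value>" for the first one outside any Match block ("unset" if
# there is none). sshd keeps the first value it reads for a keyword.
scan_root_login() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # leading whitespace is ignored
            if (line == "" || line ~ /^#/) next    # blank lines and comments
            sub(/[ \t]*=[ \t]*/, " ", line)        # accept the Keyword=value form
            split(line, f, /[ \t]+/)
            key = tolower(f[1])                    # keywords are case-insensitive
            if (key == "match") { in_match = 1; next }
            if (key != "permitrootlogin") next
            if (in_match) { print "match", NR, f[2] }
            else if (!seen) { seen = 1; gval = f[2] }
        }
        END { print "global", (seen ? gval : "unset") }
    ' "$1"
}

# root_login_disabled FILE
# Succeeds only if the global value is exactly "no" and no Match block sets
# PermitRootLogin to anything else.
root_login_disabled() {
    scan_root_login "$1" | awk '
        $1 == "global" && $2 == "no" { ok = 1 }
        $1 == "match"  && $3 != "no" { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# Constructed sample: the global setting is "no", but a Match block re-enables
# root login for one address range.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'Match Address 192.0.2.0/24' \
    '    PermitRootLogin yes' > "$sample"
scan_root_login "$sample"
root_login_disabled "$sample" || echo "root login is still possible"
rm -f "$sample"
```

On the server, point root_login_disabled at /etc/ssh/sshd_config before restarting SSH.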
You might also like to use the rootpw option for sudo which prompts sudo users for the root password instead of their own. If so create the file /etc/sudoers.d/rootpw by executing the following command:
sudo visudo -f /etc/sudoers.d/rootpw
Insert the following into the file and save it.
Defaults rootpw
Virtual Machine Requirements
The following needs to be done when running as a virtual machine.
Disable CTRL+ALT+DEL on console
Disable CTRL-ALT-DEL (reboot) to prevent Windows Admins rebooting the server accidentally.
sudo vi /etc/inittab
Locate and comment out the following line e.g.
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
VMware Tools
Debian comes with open-vm-tools. If you'd like to use them, follow these instructions.
sudo apt-get install build-essential linux-headers-amd64 dkms
sudo apt-get install open-vm-dkms open-vm-tools ethtool zerofree
reboot && exit
Or to install VMware's tools...
sudo apt-get install build-essential linux-headers-$(uname -r)
Log in to the console of the VM and mount the cdrom.
sudo mount /dev/sr0 /media/cdrom
cp /media/cdrom/vmwaretools.tar.gz /tmp/
cd /tmp/
tar -xvzf vmwaretools.tar.gz
cd vmware-tools-distrib
sudo ./vmware-install.pl
Hit Enter at all prompts, with the exception of the VM Sync driver, which you may like to use.
Repeated Characters Fix
See the following link to resolve repeated characters when typing in the remote console.
System Tweaks
atime and diratime
Edit /etc/fstab and add noatime and optionally nodiratime to it. For example...
UUID=303a3234-0ba0-4779-ad1b-4d3bd095a224 / ext4 noatime,nodiratime,errors=remount-ro 0 1
Then reboot.
TTY Scrollback Buffer
To increase the TTY scrollback, see TTY Scrollback Buffer Size.