---
title: Debian Server
breadcrumbs:
- title: Configuration
- title: Linux Server
---
{% include header.md %}

### Using
{:.no_toc}

- Debian 10 Buster

## Basic Setup

### Installation

- Always verify the downloaded installation image after downloading it.
- Use UEFI if possible.
- Use the non-graphical installer. It's basically the same as the graphical one.
- Localization:
    - Language: United States English.
    - Location: Your location.
    - Locale: United States UTF-8 (`en_US.UTF-8`).
    - Keymap: Your keyboard's keymap.
- Use an FQDN as the hostname. It'll set both the shortname and the FQDN.
- Use separate passwords for root and your personal admin user.
- Disk partitioning:
    - (Recommended) Manually partition the system drive(s). See [system storage](../storage/#system-storage).
    - Guided partitioning makes weird partition/volume sizes, try to avoid it.
    - For simple or temporary systems, just use "guided - use entire disk" with all files in one partition.
    - When using LVM: Create the partition for the volume group, configure LVM (separate menu), configure the LVM volumes (filesystem and mount).
- At the software selection menu, select only "SSH server" and "standard system utilities".
- If it asks to install non-free firmware, take note of the packages so they can be installed later.
- Install GRUB to the used disk.

### Basic Configuration

1. Login as root.
    - Since sudo is not installed yet, use `su -` if you log in through a non-root user.
1. Check the system status:
    - Check for failed services: `systemctl --failed`
    - Check that AppArmor is operational: `apparmor_status`
1. Localization:
    - Check the current locale:
        - `locale` should return `en_US.UTF-8`.
        - Update if wrong: `update-locale LANG=en_US.UTF-8`
    - Check the keymap:
        - Try typing characters specific to your keyboard.
        - Update if wrong: `dpkg-reconfigure keyboard-configuration`
    - Comment out `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients from bringing their own locale. Restart `sshd`.
1. Set the hostname:
    - Set the shortname: `hostnamectl set-hostname <shortname>`
    - Set both the shortname and FQDN in `/etc/hosts`.
    - Check the hostnames with `hostname` (shortname) and `hostname --fqdn` (FQDN).
1. Packages:
    - (Optional) Enable the `contrib` and `non-free` repo areas:
        - Add `contrib non-free` to every line in `/etc/apt/sources.list`.
    - Update, upgrade and auto-remove.
    - Install basics: `sudo ca-certificates`
    - Install extra tools: `tree vim screen curl net-tools htop iotop irqtop nmap`
    - Install per-user tmpdirs: `libpam-tmpdir`
    - Install Postfix: Install `postfix` and select "satellite system" if the system will only send email.
    - Install extra firmware:
        - Install `firmware-linux` or `firmware-linux-free` for some common firmware and microcode.
        - APT package examples: `firmware-atheros -bnx2 -bnx2x -ralink -realtek`
        - If it asked to install non-free firmware during the initial installation, try to install it now.
        - Install firmware from other sources (e.g. for some Intel NICs).
1. Add mount options:
    - Add PID monitor group: `groupadd -g 1500 pidmonitor`
    - Add your personal user to the PID monitor group: `usermod -aG pidmonitor <user>`
    - Set mount options in `/etc/fstab`:
        - See [Storage](system.md).
        - Enable hidepid: `proc /proc proc defaults,hidepid=2,gid=1500 0 0`
    - Run `mount -a` to validate fstab.
    - Restart the system for it to take effect.
1. Setup SSHd:
    - File: `/etc/ssh/sshd_config`
    - `PermitRootLogin no`
    - `PasswordAuthentication no`
    - `AllowTcpForwarding no`
    - `GatewayPorts no`
    - Restart `sshd`.
1. Update MOTD:
    - Clear `/etc/motd`.
1. Configure your personal user:
    - Add it to the sudo group (`usermod -aG sudo <user>`).
    - Add your personal SSH pubkey to `~/.ssh/authorized_keys` and fix the owner and permissions (700 for dir, 600 for file). (Hint: Get `https://github.com/<user>.keys` and filter the results.)
    - Try logging in remotely and gaining root access through sudo.
1. (Optional) Prevent root login:
    - Alternatively, keep it enabled with a strong password as a local backdoor for recovery or similar.
    - Add a personal user first.
    - Check that the password field (the second field) for root in `/etc/shadow` is something invalid like "\*" or "!", but not empty and not a valid password hash. This prevents password login.
    - Clear `/etc/securetty` to prevent root local/console login.
1. (Optional) Enable persistent logging:
    - The default journal directory is `/var/log/journal`. By default, it's not automatically created.
    - In `/etc/systemd/journald.conf`, under `[Journal]`, set `Storage=persistent`.
    - `auto` (the default) is like `persistent` but does not automatically create the log directory.

### Machine-Specific Configuration

#### Physical Host

1. **TODO** SSD optimizations.
1. (Optional) If using SSD, add `vm.swappiness=1` to `/etc/sysctl.conf` to minimize swapping.
1. Install `smartmontools` and run `smartctl -s on <device>` for all physical drives to enable SMART monitoring.
1. Install `lm-sensors` and run `sensors-detect` to detect temperature sensors etc. Add the modules to `/etc/modules` when asked.
1. Mask `ctrl-alt-del.target` to disable CTRL+ALT+DEL reboot at the login screen.

#### QEMU Virtual Host

1. Install `qemu-guest-agent`.

### Networking

1. **TODO** Security stuff.
1. (Alternative 1) (Recommended) Setup networkd network manager:
    - Add a simple network config:
        - Alternatively, add a complicated set of configs.
        - Create `/etc/systemd/network/lan.network` based on [main.network](https://github.com/HON95/misc-configs/blob/master/linux-server/networkd/main.network).
    - Disable/remove the ifupdown config: `mv /etc/network/interfaces /etc/network/interfaces.old`
    - Enable and start systemd-networkd: `systemctl enable systemd-networkd`
        - Restart it if already running.
    - Purge `ifupdown` and `ifupdown2`.
    - Check the status: `networkctl [status [-a]]`
    - Restart the system (now or later) and check if it's still working.
1. (Alternative 2) (Default) Setup ifupdown network manager:
    - Install `ifupdown2`.
        - This may take the network down, so do it locally.
        - Restart `networking.service` afterward.
    - For VLAN support, install `vlan`.
    - For bond support, install `ifenslave`.
    - **TODO**: DHCPv4, IPv6 (static, SLAAC, DHCPv6).
1. Setup DNS:
    - Enable and start `systemd-resolved.service`, the systemd resolver.
    - Point `/etc/resolv.conf` to the one generated by systemd: `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
1. Setup NTP:
    - Set the timezone: `timedatectl set-timezone Europe/Oslo`
    - Enable network time: `timedatectl set-ntp true`
    - In `/etc/systemd/timesyncd.conf`, set `NTP=ntp.justervesenet.no`.
    - Restart `systemd-timesyncd`.
    - Check that NTP works: `timedatectl timesync-status`
1. Setup firewall:
    - Install: `iptables iptables-persistent netfilter-persistent`
        - Don't save the current rules.
    - Add some [simple](https://github.com/HON95/misc-configs/blob/master/linux-server/iptables/iptables-simple.sh) or [complex](https://github.com/HON95/misc-configs/blob/master/linux-server/iptables/iptables-complex.sh) rules.
1. Reboot and make sure it still works.

### Extra

1. Extra package security:
    - Install `apt-listbugs` and `apt-listchanges` and run them before upgrading a package.
    - Install `needrestart` and run it after upgrading.
    - Install `debsums` and run it after upgrading to check deb checksums.
    - Install `debsecan` to get automatically alerted when new vulnerabilities are discovered and security updates are available.
1. Postfix mail relay: **TODO**
1. Install `fail2ban`.
    - Fix the firewall first so it configures itself correctly wrt. which firewall is used.
    - Check the status with `fail2ban-client status [sshd]`.
    - See [Applications](applications.md#fail-2-ban) for more info.
1. Google Authenticator 2FA: **TODO**
1. Install and run Lynis:
    - Install `lynis`.
    - Run `lynis audit system`.
1. MOTD:
    - Clear `/etc/motd`.
    - Download [dmotd.sh](https://github.com/HON95/misc-configs/blob/master/linux-server/profile/dmotd.sh) to `/etc/profile.d/`.
    - Install the dependencies: `neofetch lolcat`
    - Add an ASCII art (or Unicode art) logo to `/etc/logo`, using e.g. [TAAG](http://patorjk.com/software/taag/).
    - (Optional) Add a MOTD to `/etc/motd`.
    - (Optional) Clear or change the pre-login message in `/etc/issue`.
    - Test it (as a normal user): `bash /etc/profile.d/dmotd.sh`
1. Monitor free disk space:
    - Download [disk-space-checker.sh](https://github.com/HON95/misc-configs/blob/master/linux-server/cron/disk-space-checker.sh) either to `/etc/cron.daily/` or to `/opt/bin` and create a cron job for it.
        - Example cron job (15 minutes past every 4 hours): `15 */4 * * * root /opt/bin/disk-space-checker`
    - Configure which disks/file systems it should exclude and how full they should be before it sends an email alert.

## Miscellaneous

### Cron

- Don't use periods (including file extensions) in the hourly/daily/weekly/monthly scripts.

## Troubleshooting

- `network-online.target` is stalling during boot:
    - See all services it depends on: `systemctl show -p WantedBy network-online.target`
    - Disable the unused services which stall.
- Firmware for the network card fails to load:
    - Causes a syslog record like "firmware: failed to load rtl\_nic/rtl8168g-3.fw (-2)" when trying to up the interface.
    - Might happen after installation even if working initially (for some reason).
    - Realtek solution: Enable the "non-free" repo and install "firmware-realtek".
- Perl complains about a locale error:
    - Test with `perl -e exit`. It will complain if there's an error.
    - Check the locale: `locale`
    - Comment out `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients from bringing their own locale.

{% include footer.md %}
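
As an added check for the "Setup SSHd" and "Localization" steps under Basic Configuration (example code, not part of the original notes or of any HON95 repo), this shell audit reads an `sshd_config` and reports every directive that differs from the values listed there. It honours sshd's first-occurrence rule, does not model `Match` blocks, and the two sample configs it ships with are constructed.

```shell
# Added example, not part of the original notes: audits an sshd_config for
# the four "Setup SSHd" directives and the AcceptEnv line. Samples are constructed.

# Reads an sshd_config on stdin, prints one line per finding and returns the
# number of findings (0 = compliant). sshd applies the FIRST occurrence of a
# keyword, so a hardened line below a permissive one is ignored; so does this.
audit_sshd_config() {
    awk '
    BEGIN {
        want["permitrootlogin"] = "no"
        want["passwordauthentication"] = "no"
        want["allowtcpforwarding"] = "no"
        want["gatewayports"] = "no"
    }
    /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
    {
        key = tolower($1)
        if (!(key in first)) first[key] = $2  # first occurrence wins
        if (key == "acceptenv") acceptenv = 1
    }
    END {
        n = 0
        for (k in want) {
            if (!(k in first)) { printf "MISSING %s (compiled-in default applies)\n", k; n++ }
            else if (tolower(first[k]) != want[k]) { printf "BAD %s %s (want %s)\n", k, first[k], want[k]; n++ }
        }
        if (acceptenv) { print "ACTIVE AcceptEnv (comment it out)"; n++ }
        exit n
    }'
}

# Constructed sample: the second PermitRootLogin loses to the first,
# AllowTcpForwarding is absent and AcceptEnv is still active (3 findings).
WEAK_SAMPLE='Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
AcceptEnv LANG LC_*
GatewayPorts no'

# Constructed sample that follows the steps above (0 findings).
HARDENED_SAMPLE='PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
#AcceptEnv LANG LC_*'

# On a live host: audit_sshd_config < /etc/ssh/sshd_config
printf '%s\n' "$WEAK_SAMPLE" | audit_sshd_config || echo "weak sample: $? finding(s)"
```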