---
title: Debian Server
toc_enable: yes
breadcrumbs:
- title: Home
  url: /
- title: Configuration
- title: Linux Server
---
{% include header.md %}

### Using
{:.no_toc}

Debian 10 Buster

**TODO:** Clean up.

## Initial Setup

- Installation:
    - Always verify the downloaded installation image after downloading it.
    - Use UEFI if given the option.
    - Use the United States UTF-8 locale (`en_US.UTF-8`).
    - Use an FQDN as the hostname.
    - Disk partitioning:
        - (Recommended) Manually partition the boot/main drive(s). See [the storage page](system.md) for suggestions.
        - Guided partitioning makes weird partition/volume sizes, try to avoid it.
        - For simple or temporary systems, just use "guided - use entire disk" with all files in one partition.
    - At the software selection menu, select only "SSH server" and "standard system utilities".
    - If it asks to install non-free firmware, take note of the packages so they can be installed later.
    - Use a separate password for root, not your personal one.
- To log in as root, use the login prompt or `su -` from another user.
- Check for failed services: `systemctl --failed`
- Check that AppArmor is operational: `apparmor_status`
- Check the locale:
    - Check the current locale: `locale`
    - Set a new locale if wrong: `update-locale LANG=en_US.UTF-8`
    - Comment out `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients bringing their own locale.
- Check the keymap:
    - Try typing characters like æ, ø, å.
    - Fix it if broken: `dpkg-reconfigure keyboard-configuration`
- Check the hostname:
    - Use a shortname as the hostname.
    - Set the hostname: `hostnamectl set-hostname <hostname>`
    - Update `/etc/hosts` with all variants of the hostname (including shortname and FQDN).
- Packages:
    - Update, upgrade and auto-remove.
    - Install: `sudo ca-certificates mailutils`
    - Install extra tools: `screen vim htop tree curl nmap net-tools`
    - Enable the `contrib` and `non-free` repo areas:
        - Add `contrib non-free` to every line in `/etc/apt/sources.list`.
    - Install free and non-free firmware: `firmware-linux`
    - If it asked to install non-free firmware during the initial installation, try to install it now using APT (hint: search for `firmware-`).
- Configure your personal user:
    - Add it to the sudo group (`usermod -aG sudo <user>`).
    - Add your personal SSH pubkey to `~/.ssh/authorized_keys` and fix the owner and permissions (700 for the dir, 600 for the file).
    - Test it.
- Postfix: **TODO**

### Networking

- Set up the network manager:
    - If you need VLAN and/or bonding support for ifupdown, install `vlan` and/or `ifenslave`. If you want to use systemd-networkd instead, see [System](system.md#replace-ifupdown-with-systemd-networkd).
- Set up DNS:
    - Enable `systemd-resolved.service`, the systemd resolver.
    - Point `/etc/resolv.conf` to the one generated by systemd: `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
- Set up NTP:
    - Check the timezone: `timedatectl`
    - If wrong: `timedatectl set-timezone Europe/Oslo`
    - Enable NTP: `timedatectl set-ntp true`
    - Add `ntp.justervesenet.no` to `/etc/systemd/timesyncd.conf`.
    - Restart the `systemd-timesyncd` service and check its status.
- Set up the firewall:
    - Install: `iptables iptables-persistent netfilter-persistent`
    - Add basic rules (it defaults to accepting everything).
    - Reboot and make sure it still works.

### Security

- Add mount options:
    - Add the PID monitor group: `groupadd -g 1500 pidmonitor`
    - Add your personal user to the PID monitor group: `usermod -aG pidmonitor <user>`
    - Set mount options in `/etc/fstab`:
        - See [Storage](system.md).
        - Enable hidepid: `proc /proc proc defaults,hidepid=2,gid=1500 0 0`
    - Run `mount -a` to validate fstab.
    - Restart the system for it to take effect.
- Set up SSHD:
    - `PermitRootLogin no`
    - `PasswordAuthentication no`
    - `AllowTcpForwarding no`
    - `GatewayPorts no`
    - Restart `sshd`.
- (Optional) Prevent root login:
    - Alternatively, keep it enabled with a strong password as a local backdoor for recovery or similar.
    - Add a personal user first.
    - Check that the password field (the second field) for root in `/etc/shadow` is something invalid like `*` or `!`, but not empty and not a valid password hash. This prevents password login.
    - Clear `/etc/securetty` to prevent root local/console login.
- Extra tools:
    - Install `libpam-tmpdir`.
    - (Optional) Install `fail2ban`.
        - Set up the firewall first so that fail2ban configures its firewall blocking correctly.
        - Check the status with `fail2ban-client status [sshd]`.
        - See [Applications](applications.md#fail-2-ban) for more info.
    - (Optional) Install and run Lynis:
        - Install `lynis`.
        - Run `lynis audit system`.
    - (Optional) Extra package security:
        - Install `apt-listbugs` and `apt-listchanges` and run them before upgrading a package.
        - Install `needrestart` and run it after upgrading.
        - Install `debsums` and run it after upgrading to check deb checksums.
        - Install `debsecan` to get automatically alerted when new vulnerabilities are discovered and security updates are available.
- 2FA with Google Authenticator: **TODO**

## Machine Configuration

### Physical Host

- If using an SSD, add `vm.swappiness = 10` to `/etc/sysctl.conf` to reduce swappiness.
- Install `smartmontools` and run `smartctl -s on <device>` for all physical drives to enable SMART monitoring.
- Install `lm-sensors` and run `sensors-detect` to detect temperature sensors etc. Add the modules to `/etc/modules` when asked.
- Mask `ctrl-alt-del.target` to disable CTRL+ALT+DEL reboot at the login screen.

### QEMU Virtual Host

- Install `qemu-guest-agent`.

## Networking

### Setup

- Update the DNS servers in `/etc/resolv.conf`.
- Install extra functionality for ifupdown:
    - VLAN: `vlan`
    - Bonding/LACP: `ifenslave`

### Replace ifupdown with systemd-networkd

- Make the new networkd configs.
    - Extra network device configs: `/etc/systemd/network/*.netdev`
    - Network configs: `/etc/systemd/network/*.network`
- (Re)move the ifupdown config: `mv /etc/network/interfaces /etc/network/interfaces.disabled`
- Enable systemd-networkd: `systemctl enable systemd-networkd`
- Reboot and test.
- Check the status: `networkctl [status [-a]]`

### Setup Router

- Set the following in `/etc/sysctl.conf`, then run `sysctl -p`:
    - `net.ipv4.ip_forward=1`
    - `net.ipv6.conf.all.forwarding=1`
- Set up the firewall for forwarded traffic.
- Set up the firewall for NAT.
- Set up radvd for IPv6 NDP.
- (Optional) Set up a DHCPv6 server like the ISC DHCP Server.
- Set up a DHCP server like the ISC DHCP Server.
- (Optional) Set up a DNS server, like Unbound.

## Storage

### System Storage

- Main drive:
    - Doesn't need to be super fast.
    - SSD: 1 or 2 mirrored, overprovisioned.
    - HDD: 2 mirrored.
    - Use LVM or ZFS (if supported/stable) for the whole main disk, except the boot and EFI partitions.
    - Use EXT4 for general filesystems if ZFS is not supported or appropriate.
    - Some semi-guided installers automatically add the boot or EFI partition when adding the first one.
- Partitioning:
    - If BIOS:
        - MBR partitioning table.
        - `/boot`: 500MB, FAT32 (?)
    - If UEFI (preferred):
        - `/boot/efi`: 500MB, FAT32/EFI
        - `/boot`: 500MB, EXT4
    - (Optional) Swap. Alternatively, add it as an LVM volume.
    - LVM (or ZFS). For `/` and other volumes.
    - (Optional) ZFS. So that LVM uses the first half and ZFS the last.
    - If SSD: Reserve around 10% at the end of the drive (no partition).
- Configure LVM:
    - Finish the partitioning before entering the LVM configuration.
    - Create a volume group (call it `vg0` or something) and add the partition you created earlier for it.
    - Create as many logical volumes as you want. See the table below for a suggestion. Call them something like `var-lib` for the `/var/lib` volume.
    - Mount points etc. are configured after you finish the LVM configuration.
    - Set mount points, file system formats, etc. for all the volumes.

#### Volumes

This table is just for reference; everything in it is a suggestion. All of these are specified in `/etc/fstab`. Volumes/mounts like `/dev` are not mentioned.

| Volume/Mount | Minimal Size (GB) | Mount Options |
| :--- | :--- | :--- |
| `/proc` | N/A | hidepid=2,gid=1500 |
| `/boot` | 0.5 | nodev,nosuid,noexec |
| `/boot/efi` | 0.5 | nodev,nosuid,noexec |
| `/` | 10 | nodev |
| `/tmp` | 5 | nodev,nosuid,noexec |
| `/var` | 5 | nodev,nosuid |
| `/var/lib` | 5 | nodev,nosuid |
| `/var/log` | 5 | nodev,nosuid,noexec |
| `/var/log/audit` | 1 | nodev,nosuid,noexec |
| `/var/tmp` | 5 | nodev,nosuid,noexec |
| `/home` | 10 | nodev,nosuid |
| `/srv` | 10 | nodev,nosuid |
| SWAP | 16 | N/A |

## Miscellaneous

### Cron

- Don't use periods (including file extensions) in the hourly/daily/weekly/monthly scripts, since `run-parts` skips file names containing them.

## Extra Configuration

- MOTD:
    - Clear `/etc/motd`.
    - Download [dmotd.sh](https://github.com/HON95/misc-scripts/blob/master/linux-server/profile/dmotd.sh) to `/etc/profile.d/` and install the dependencies `neofetch` and `lolcat`.
    - Add an ASCII art (or Unicode art) logo to `/etc/logo`, using e.g. [TAAG](http://patorjk.com/software/taag/).
    - (Optional) Add a MOTD to `/etc/motd`.
    - (Optional) Clear or change the pre-login message in `/etc/issue`.
- Free disk space checking:
    - Download [disk-space-checker.sh](https://github.com/HON95/misc-scripts/blob/master/linux-server/cron/disk-space-checker.sh) either to `/etc/cron.daily/` or to `/opt/bin` and create a cron job for it.
    - Example cron job (15 minutes past every 4 hours): `15 */4 * * * root /opt/bin/disk-space-checker`
    - Configure which disks/file systems it should exclude and how full they should be before it sends an email alert.
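The "Add basic rules" step of the firewall setup under Networking does not say what the basic rules are. The script below is an added example, not part of the original page or of HON95's own scripts: it writes a minimal default-deny host ruleset in the `iptables-restore` format that `netfilter-persistent` loads from `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`. It assumes sshd listens on port 22 (`SSH_PORT`) and that this is a plain host rather than the router setup above, so the `FORWARD` chain drops everything; a router would need its own forwarding and NAT rules.

```shell
#!/bin/sh
# Added example, not part of the original page: build a minimal default-deny
# host firewall in iptables-restore format and write it where
# netfilter-persistent reads it (/etc/iptables/rules.v4 and rules.v6).
# Assumptions: sshd listens on $SSH_PORT (22) and this is a plain host, so the
# FORWARD chain drops everything (a router needs its own FORWARD/NAT rules).
set -eu

SSH_PORT="${SSH_PORT:-22}"

# Filter table shared by both families; $1 is the family's ICMP protocol name.
# Order matters: loopback and established traffic first, then the few
# explicitly allowed new connections; the chain policy drops the rest.
common_filter() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p $1 -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

gen_rules_v4() {
    common_filter icmp
    echo "COMMIT"
}

gen_rules_v6() {
    # ICMPv6 must stay open: neighbour discovery and router advertisements
    # (the radvd step above) break without it.
    common_filter ipv6-icmp
    # DHCPv6 replies come from the router's link-local address to port 546.
    echo "-A INPUT -p udp -s fe80::/10 --dport 546 -j ACCEPT"
    echo "COMMIT"
}

# Write both rule files into DIR (default /etc/iptables), readable by root only.
install_rules() {
    dir="${1:-/etc/iptables}"
    mkdir -p "$dir"
    gen_rules_v4 > "$dir/rules.v4"
    gen_rules_v6 > "$dir/rules.v6"
    chmod 0600 "$dir/rules.v4" "$dir/rules.v6"
}

# Sanity check before loading: the file must set a DROP policy on INPUT and
# must still allow SSH, otherwise applying it locks you out of the box.
check_rules_file() {
    grep -q '^:INPUT DROP' "$1" \
        && grep -q -- "-p tcp --dport $SSH_PORT .*-j ACCEPT" "$1" \
        && grep -q '^COMMIT$' "$1"
}
```

Run `install_rules` as root, then validate the syntax without applying anything with `iptables-restore --test < /etc/iptables/rules.v4` and `ip6tables-restore --test < /etc/iptables/rules.v6`, and only then load it with `netfilter-persistent start`. Do this from a console or with a second SSH session still open, and finish with the reboot check the page asks for, since a rules file that loads at boot is the one that matters.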
## Troubleshooting

- `network-online.target` is stalling during boot:
    - See all services it depends on: `systemctl show -p WantedBy network-online.target`
    - Disable the unused services which stall.
- Firmware for the network card fails to load:
    - Causes a syslog record like `firmware: failed to load rtl_nic/rtl8168g-3.fw (-2)` when trying to bring up the interface.
    - Might happen after installation even if it worked initially (for some reason).
    - Realtek solution: Enable the `non-free` repo and install `firmware-realtek`.
- Perl complains about a locale error:
    - Test with `perl -e exit`. It will complain if there's an error.
    - Check the locale: `locale`
    - Comment out `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients bringing their own locale.

{% include footer.md %}