

---
title: Debian Server
breadcrumbs:
  - title: Configuration
  - title: Linux Server
---
{% include header.md %}

Using
{:.no_toc}

  • Debian 10 Buster

Basic Setup

Installation

  • Always verify the downloaded installation image after downloading it.
  • Use UEFI if possible.
  • Use the non-graphical installer. It's basically the same as the graphical one.
  • Localization:
    • Language: United States English.
    • Location: Your location.
    • Locale: United States UTF-8 (en_US.UTF-8).
    • Keymap: Your keyboard's keymap.
  • Use an FQDN as the hostname. It'll set both the shortname and the FQDN.
  • Use separate passwords for root and your personal admin user.
  • Disk partitioning:
    • (Recommended) Manually partition the system drive(s). See system storage.
    • Guided partitioning makes weird partition/volume sizes, try to avoid it.
    • For simple or temporary systems, just use "guided - use entire disk" with all files in one partition.
    • When using LVM: Create the partition for the volume group, configure LVM (separate menu), then configure the LVM volumes (filesystem and mount point).
  • At the software selection menu, select only "SSH server" and "standard system utilities".
  • If it asks to install non-free firmware, take note of the package names so they can be installed later.
  • Install GRUB to the disk the system was installed on.
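The first bullet above (verify the image) deserves a concrete procedure, because the usual `gpg --verify` stops one step short: it reports "Good signature" for any key you happen to have imported. The script below is an added example, not from the original page. It checks the detached signature on the SHA256SUMS file against an expected key fingerprint via gpg's machine-readable status output, and only then compares the image against the sums. The fingerprint placeholder is an assumption that must be replaced with the value published at https://www.debian.org/CD/verify; the file names and the `verify` subcommand are illustrative.

```shell
#!/bin/sh
# Verifying a downloaded Debian installer image, the first bullet above.
# Added example, not from the original page. Debian ships a SHA256SUMS file and
# a detached SHA256SUMS.sign next to each image. The order matters: first
# prove the sums file is signed by the expected key (checked by fingerprint,
# not just "some key in my keyring"), then compare the image against it.
# Assumptions: gpg, sha256sum (GNU coreutils) and the signing-key fingerprint
# from https://www.debian.org/CD/verify, which must replace the placeholder.

# verify_sums SUMS SIG FPR -> 0 only if SIG is a valid signature over SUMS made
# by (a subkey of) the key with fingerprint FPR. `gpg --verify` prints "Good
# signature" for any imported key, so the machine-readable VALIDSIG status line
# is inspected instead; it carries the signing-key and primary-key fingerprints.
verify_sums() {
    sums=$1 sig=$2
    fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        awk -v f="$fpr" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
                         END { exit !ok }'
}

# check_image SUMS IMAGE -> 0 if IMAGE matches its line in SUMS. The sums file
# lists bare file names, so the check runs in the image's directory with
# --ignore-missing for the other images listed there. Because --ignore-missing
# would turn "image not listed at all" into a silent pass, that case is refused.
check_image() {
    sums=$(readlink -f "$1") dir=$(dirname "$2") name=$(basename "$2")
    if ! grep -q "[ *]$name\$" "$sums"; then
        echo "$name is not listed in $sums" >&2
        return 1
    fi
    (cd "$dir" && sha256sum -c --ignore-missing --quiet "$sums")
}

# usage: sh verify-image.sh verify SHA256SUMS SHA256SUMS.sign debian-<version>-amd64-netinst.iso
case "${1:-}" in
    verify)
        SIGNING_FPR='PASTE THE FINGERPRINT FROM https://www.debian.org/CD/verify'  # placeholder: fails closed
        verify_sums "$2" "$3" "$SIGNING_FPR" || { echo "signature on $2 is bad or not from the expected key" >&2; exit 1; }
        check_image "$2" "$4" && echo "$4 verified"
        ;;
esac
```

Import the signing key beforehand (`gpg --keyserver keyring.debian.org --recv-keys <fingerprint>`); with the placeholder left in place the fingerprint comparison never matches, so the script refuses the image rather than passing it.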

Basic Configuration

  1. Login as root.
    • Since sudo is not installed yet, use su - if you log in through a non-root user.
  2. Check the system status:
    • Check for failed services: systemctl --failed
    • Check that AppArmor is operational: apparmor_status
  3. Localization:
    • Check current locale:
      • locale should return en_US.UTF-8.
      • Update if wrong: update-locale LANG=en_US.UTF-8
    • Check the keymap:
      • Try typing characters specific to your keyboard.
      • Update if wrong: dpkg-reconfigure keyboard-configuration
    • Comment out AcceptEnv LANG LC_* in /etc/ssh/sshd_config so SSH clients can't push their own locale into the session. Restart sshd.
  4. Set the hostname:
    • Set the shortname: hostnamectl set-hostname <shortname>
    • Set both the shortname and FQDN in /etc/hosts.
    • Check the hostnames with hostname (shortname) and hostname --fqdn (FQDN).
  5. Packages:
    • (Optional) Enable the contrib and non-free repo areas:
      • Add contrib non-free to every line in /etc/apt/sources.list.
    • Update, upgrade and auto-remove.
    • Install basics: sudo ca-certificates
    • Install extra tools: tree vim screen curl net-tools htop iotop irqtop nmap
    • Install per-user tmpdirs: libpam-tmpdir
    • Install Postfix: Install postfix and select "satellite system" if the system will only send email.
    • Install extra firmware:
      • Install firmware-linux or firmware-linux-free for some common firmware and microcode.
      • APT package examples: firmware-atheros, firmware-bnx2, firmware-bnx2x, firmware-ralink, firmware-realtek.
      • If the initial installation asked for non-free firmware, install those packages now.
      • Install firmware from other sources if needed (e.g. for some Intel NICs).
  6. Hide other users' processes (hidepid on /proc):
    • Add a PID monitor group: groupadd -g 1500 pidmonitor
    • Add your personal user to the PID monitor group: usermod -aG pidmonitor <user>
    • Set mount options in /etc/fstab:
      • See Storage.
      • Enable hidepid: proc /proc proc defaults,hidepid=2,gid=1500 0 0
    • Run mount -a to validate fstab.
    • Remount /proc (mount -o remount /proc) or restart the system for it to take effect.
    • Caveat: with hidepid=2 only root and members of gid 1500 can see other users' processes, so service accounts that need to (monitoring agents etc.) must be added to the group as well.
  7. Setup SSHd:
    • File: /etc/ssh/sshd_config
    • PermitRootLogin no
    • PasswordAuthentication no
    • AllowTcpForwarding no
    • GatewayPorts no
    • Validate the config (sshd -t) and restart sshd. Keep the current session open until key-based login for your personal user (step 9) has been verified, since password login is now disabled.
  8. Update MOTD:
    • Clear /etc/motd.
  9. Configure your personal user:
    • Add it to the sudo group (usermod -aG sudo <user>).
    • Add your personal SSH pubkey to ~/.ssh/authorized_keys and fix the owner and permissions (700 for dir, 600 for file). (Hint: Get https://github.com/<user>.keys and filter the results.)
    • Try logging in remotely and gain root access through sudo.
  10. (Optional) Lock the root account:
    • Alternatively, keep it enabled with a strong password as a local recovery account (console only, since SSH root login is already disabled).
    • Add a personal user with sudo first.
    • Lock the password (passwd -l root) and check that the password field (the second field) for root in /etc/shadow is something invalid like "*" or "!" (passwd -l prefixes the hash with "!"), but not empty and not a valid password hash. This prevents password login.
    • Clear /etc/securetty to prevent root local/console login.
  11. (Optional) Enable persistent logging:
    • The default journal directory is /var/log/journal. By default, it's not automatically created.
    • In /etc/systemd/journald.conf, under [Journal], set Storage=persistent.
    • auto (the default) is like persistent but only writes to disk if /var/log/journal already exists, so mkdir -p /var/log/journal is an equivalent alternative.
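Since several of the steps above only take effect after a restart or a remount, a small script that re-reads the relevant files and reports what actually applied is useful after the reboot in step 6. The one below is an added example, not part of the original page. Each check takes the file to inspect as an argument (so it can be run against copies) and `run_all` uses the Debian paths and the gid 1500 assumed in step 6. Caveats: the sshd checks take the first match like sshd does but do not understand Match blocks; the journald check ignores journald.conf.d drop-ins; and the live /proc check expects the numeric hidepid=2 form that Buster's kernel reports (newer kernels may show a string form instead).

```shell
#!/bin/sh
# Checks for the "Basic Configuration" steps above. Added example, not part of
# the original page. Each check takes the file to inspect as an argument;
# run_all uses the Debian paths and the gid 1500 assumed in step 6.

# sshd_check FILE KEY VALUE -> 0 if the first active KEY line in FILE has VALUE.
# Keywords are case-insensitive; a commented-out line means "compiled default",
# which is not what we configured, so it counts as a mismatch.
sshd_check() {
    actual=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    [ "$actual" = "$3" ]
}

# acceptenv_check FILE -> 0 if no active AcceptEnv line forwards LANG or LC_*
# (the locale-leak fix from step 3).
acceptenv_check() {
    awk 'tolower($1) == "acceptenv" { for (i = 2; i <= NF; i++) if ($i == "LANG" || $i ~ /^LC_/) bad = 1 }
         END { exit bad }' "$1"
}

# shadow_root_locked FILE -> 0 if root's password field is unusable: "*", "!" or
# "!<hash>" (what passwd -l writes). Empty means passwordless login and a "$..."
# field is a live hash; both fail the check.
shadow_root_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '*' | '!'*) return 0 ;;
        *)          return 1 ;;
    esac
}

# proc_hidepid FILE GID -> 0 if FILE (fstab or /proc/mounts, same columns) has
# /proc mounted with hidepid=2 and gid=GID; an fstab that was never remounted
# shows up as "fstab ok, live FAIL".
proc_hidepid() {
    awk -v gid="$2" '$1 !~ /^#/ && $2 == "/proc" && $3 == "proc" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) { if (o[i] == "hidepid=2") h = 1; if (o[i] == ("gid=" gid)) g = 1 }
        }
        END { exit !(h && g) }' "$1"
}

# journald_storage FILE -> prints the effective Storage= under [Journal];
# systemd treats an unset value as "auto".
journald_storage() {
    awk -F= '/^\[/ { sect = $1 }
             sect == "[Journal]" && $1 == "Storage" { v = $2; gsub(/[ \t]/, "", v) }
             END { print (v == "" ? "auto" : v) }' "$1"
}
journald_persistent() { [ "$(journald_storage "$1")" = persistent ]; }

report() {  # report LABEL CMD ARGS... -> prints ok/FAIL, returns the check's status
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; return 1; fi
}

run_all() {
    rc=0; cfg=/etc/ssh/sshd_config
    for opt in PermitRootLogin PasswordAuthentication AllowTcpForwarding GatewayPorts; do
        report "sshd: $opt no" sshd_check "$cfg" "$opt" no || rc=1
    done
    report "sshd: AcceptEnv does not forward LANG/LC_*" acceptenv_check "$cfg" || rc=1
    report "root password locked in /etc/shadow" shadow_root_locked /etc/shadow || rc=1
    report "/proc hidepid=2,gid=1500 in fstab" proc_hidepid /etc/fstab 1500 || rc=1
    report "/proc hidepid=2,gid=1500 live"     proc_hidepid /proc/mounts 1500 || rc=1
    report "journald Storage=persistent" journald_persistent /etc/systemd/journald.conf || rc=1
    return $rc
}

# usage (as root, since /etc/shadow is read): sh basic-config-check.sh run
case "${1:-}" in run) run_all ;; esac
```

The exit status of `run_all` is non-zero if any check failed, so the script can also be dropped into a post-provisioning pipeline as a gate.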

Machine-Specific Configuration

Physical Host

  1. TODO SSD optimizations.
  2. (Optional) If using SSD, add vm.swappiness=1 to /etc/sysctl.conf to minimize swapping.
  3. Install smartmontools and run smartctl -s on <dev> for all physical drives to enable SMART monitoring.
  4. Install lm-sensors and run sensors-detect to detect temperature sensors etc. Add the modules to /etc/modules when asked.
  5. Mask ctrl-alt-del.target (systemctl mask ctrl-alt-del.target) to disable rebooting with CTRL+ALT+DEL at the console login.

QEMU Virtual Host

  1. Install qemu-guest-agent.

Networking

  1. TODO Security stuff.
  2. (Alternative 1) (Recommended) Set up systemd-networkd:
    • Add a simple network config:
      • Alternatively, add a complicated set of configs.
      • Create /etc/systemd/network/lan.network based on main.network.
    • Disable/remove the ifupdown config: mv /etc/network/interfaces /etc/network/interfaces.old
    • Enable and start systemd-networkd: systemctl enable --now systemd-networkd
      • Restart it if it was already running, so it picks up the new config.
    • Purge ifupdown and ifupdown2.
    • Check the status: networkctl [status [-a]]
    • Restart the system (now or later) and check if still working.
  3. (Alternative 2) (Installer default) Keep the ifupdown network manager:
    • Install ifupdown2.
      • This may take the network down, so do it from the console.
      • Restart networking.service afterward.
    • For VLAN support, install vlan.
    • For bond support, install ifenslave.
    • TODO: DHCPv4, IPv6 (static, SLAAC, DHCPv6).
  4. Setup DNS:
    • Enable and start systemd-resolved.service, the systemd resolver.
    • Point /etc/resolv.conf to the one generated by systemd: ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
  5. Setup NTP:
    • Set the timezone: timedatectl set-timezone Europe/Oslo
    • Enable network time: timedatectl set-ntp true
    • In /etc/systemd/timesyncd.conf, set NTP=ntp.justervesenet.no.
    • Restart systemd-timesyncd.
    • Check that NTP works: timedatectl timesync-status
  6. Setup firewall:
    • Install: iptables iptables-persistent netfilter-persistent
      • Answer no when the package asks to save the current rules.
    • Add some simple or complex rules.
  7. Reboot and make sure it still works.
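The "simple rules" in the firewall step are the part a reader most often gets wrong, so here is a baseline in the file format iptables-persistent loads from /etc/iptables/rules.v4 and rules.v6. This is an added example, not the rule sets the original page links to. The assumed policy is: drop everything inbound by default; allow loopback, replies to connections the host started, ICMP, and new SSH sessions only from a management network. The SSH port and management prefixes are parameters, and the values in the usage line are placeholders.

```shell
#!/bin/sh
# Baseline host firewall for the "Setup firewall" step, in the format that
# iptables-persistent loads from /etc/iptables/rules.v4 and rules.v6. Added
# example, not the rule sets the original page links to. Assumed policy: drop
# all inbound by default; allow loopback, replies to our own connections,
# ICMP, and new SSH sessions only from a management network (parameters).

# rules_v4 SSH_PORT MGMT_CIDR -> prints the IPv4 rule set
rules_v4() {
    port=$1 mgmt=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then replies and related traffic for connections we initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (bogus TCP flags, stray fragments)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, rate-limited; echo requests over the limit are dropped explicitly
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
# new SSH sessions only from the management network
-A INPUT -p tcp --dport $port -s $mgmt -m conntrack --ctstate NEW -j ACCEPT
# log a sample of what falls through to the DROP policy (rate-limited)
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw4-drop: "
COMMIT
EOF
}

# rules_v6 SSH_PORT MGMT_CIDR -> prints the IPv6 rule set. Unlike IPv4, ICMPv6
# must not be filtered wholesale: neighbour discovery and router
# advertisements depend on it.
rules_v6() {
    port=$1 mgmt=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport $port -s $mgmt -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw6-drop: "
COMMIT
EOF
}

# install_rules SSH_PORT MGMT4 MGMT6: write both files, syntax-check them with
# iptables-restore --test (which loads nothing), and only then replace the
# persistent files and reload. Run this from the console or with a fallback
# such as `sleep 300 && iptables -P INPUT ACCEPT` in a second session, because
# a wrong management prefix locks SSH out.
install_rules() {
    rules_v4 "$1" "$2" > /etc/iptables/rules.v4.new
    rules_v6 "$1" "$3" > /etc/iptables/rules.v6.new
    iptables-restore  --test /etc/iptables/rules.v4.new || return 1
    ip6tables-restore --test /etc/iptables/rules.v6.new || return 1
    mv /etc/iptables/rules.v4.new /etc/iptables/rules.v4
    mv /etc/iptables/rules.v6.new /etc/iptables/rules.v6
    systemctl restart netfilter-persistent
}

# usage (placeholder values): sh firewall.sh install 22 192.0.2.0/24 2001:db8::/32
case "${1:-}" in
    install) install_rules "$2" "$3" "$4" ;;
esac
```

The order of the ICMP rules is deliberate: the generic `-p icmp -j ACCEPT` comes after the echo-request limit and drop, otherwise it would accept the pings the limit was meant to shed. If fail2ban is installed later (see Extra), its chains are inserted into INPUT at runtime and are not part of these files.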

Extra

  1. Extra package security:
    • Install apt-listbugs and apt-listchanges; they hook into apt and show known bugs and changelogs before a package is upgraded.
    • Install needrestart and run it after upgrading to find services still running with old libraries.
    • Install debsums and run it after upgrading to verify installed files against the package checksums.
    • Install debsecan to get alerted when new vulnerabilities are discovered and security updates are available.
  2. Postfix mail relay: TODO
  3. Install fail2ban.
    • Set up the firewall first, so that fail2ban's ban action matches the firewall in use.
    • Check the status with fail2ban-client status [sshd].
    • See Applications for more info.
  4. Google Authenticator 2FA: TODO
  5. Install and run Lynis:
    • Install lynis.
    • Run lynis audit system.
  6. MOTD:
    • Clear /etc/motd.
    • Download dmotd.sh to /etc/profile.d/.
    • Install the dependencies: neofetch lolcat
    • Add an ASCII art (or Unicode art) logo to /etc/logo, using e.g. TAAG.
    • (Optional) Add a MOTD to /etc/motd.
    • (Optional) Clear or change the pre-login message in /etc/issue.
    • Test it (as a normal user): bash /etc/profile.d/dmotd.sh
  7. Monitor free disk space:
    • Download disk-space-checker.sh to /opt/bin/ and create a cron job for it, or put it in /etc/cron.daily/ (without the .sh extension, see Cron below).
    • Example cron job (15 minutes past every 4 hours): 15 */4 * * * root /opt/bin/disk-space-checker
    • Configure which disks/file systems it should exclude and how full they should be before it sends an email alert.
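What item 7 relies on is that cron mails a job's output to MAILTO (root by default), so a checker only has to print something when a filesystem is too full. The script below is an added example in that spirit, not the disk-space-checker.sh the page links to. It parses POSIX `df -P` output, skips pseudo filesystems and whatever matches an exclude pattern on the mount point, and prints one line per filesystem at or above the threshold. The threshold, exclude pattern and the cron placement are assumptions.

```shell
#!/bin/sh
# Disk-space alert in the spirit of item 7 above. Added example, not the
# disk-space-checker.sh the page links to. Prints nothing when all is well;
# cron mails any output, which is what makes this an e-mail alert.

# check_df PERCENT EXCLUDE_REGEX  (reads `df -P` output on stdin)
# -> prints offenders, returns 1 if there were any, 0 otherwise.
# Columns of df -P: Filesystem 1024-blocks Used Available Capacity Mounted-on.
# Mount points containing spaces would break the column split; rare on servers.
check_df() {
    awk -v threshold="$1" -v exclude="$2" '
        NR == 1 { next }                                   # header line
        $1 ~ /^(tmpfs|devtmpfs|udev|overlay)$/ { next }    # pseudo/ephemeral filesystems
        exclude != "" && $6 ~ exclude { next }             # user exclusions, matched on the mount point
        {
            sub(/%$/, "", $5)                              # "93%" -> 93
            if ($5 + 0 >= threshold + 0) {
                printf "%s mounted on %s is %d%% full (%s of %s KiB used)\n", $1, $6, $5, $3, $2
                bad = 1
            }
        }
        END { exit bad }'
}

# usage: disk-space-checker run [PERCENT] [EXCLUDE_REGEX]
# cron (assumed placement, 15 past every 4 hours):
#   15 */4 * * * root /opt/bin/disk-space-checker run 90 '^/media/'
case "${1:-}" in
    run) df -P | check_df "${2:-90}" "${3:-}" ;;
esac
```

Because the function reads stdin, it can be tested against captured `df -P` output rather than the live system, and the same exclude regex can cover backup targets or removable media that are expected to run full.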

Miscellaneous

Cron

  • Don't use periods (including file extensions) in script names under /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly: run-parts only runs names made of letters, digits, underscores and hyphens, so a script.sh there is silently never run.

Troubleshooting

  • network-online.target is stalling during boot:
    • List the wait-online services hooked into it (they install themselves with WantedBy=network-online.target): systemctl show -p WantedBy network-online.target
    • Disable the ones belonging to a network manager that is no longer in use, since they wait for interfaces that will never come up.
  • Firmware for the network card fails to load:
    • Causes a syslog record like "firmware: failed to load rtl_nic/rtl8168g-3.fw (-2)" when trying to up the interface.
    • Might happen after installation even if working initially (for some reason).
    • Realtek solution: Enable the "non-free" repo and install "firmware-realtek".
  • Perl complains about a locale error:
    • Test with perl -e exit. It will complain if there's an error.
    • Check the locale: locale
    • Comment AcceptEnv LANG LC_* in /etc/ssh/sshd_config to prevent clients bringing their own locale.

{% include footer.md %}