

---
title: Debian Server
toc_enable: yes
breadcrumbs:
  - title: Home
    url: /
  - title: Configuration
  - title: Linux Server
---

{% include header.md %}

## Using
{:.no_toc}

  • Debian 10 Buster

TODO: Clean up.

## Initial Setup

  • Installation:
    • Always verify the installation image after downloading it.
    • Use UEFI if given the option.
    • Use the United States UTF-8 locale (`en_US.UTF-8`).
    • Use an FQDN as the hostname.
    • Disk partitioning:
      • (Recommended) Manually partition the boot/main drive(s). See the storage page for suggestions.
      • Guided partitioning makes weird partition/volume sizes, so try to avoid it.
      • For simple or temporary systems, just use "guided - use entire disk" with all files in one partition.
    • At the software selection menu, select only "SSH server" and "standard system utilities".
    • If it asks to install non-free firmware, take note of the packages so they can be installed later.
    • Use a separate password for root, not your personal one.
  • To log in as root, use the login prompt or `su -` from another user.
  • Check for failed services: `systemctl --failed`
  • Check that AppArmor is operational: `apparmor_status`
  • Check the locale:
    • Check the current locale: `locale`
    • Set a new locale if wrong: `update-locale LANG=en_US.UTF-8`
    • Comment out `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients from bringing their own locale.
  • Check the keymap:
    • Try typing characters like æ, ø, å.
    • Fix it if broken: `dpkg-reconfigure keyboard-configuration`
  • Check the hostname:
    • Use a short name as the hostname.
    • Set the hostname: `hostnamectl set-hostname <hostname>`
    • Update `/etc/hosts` with all variants of the hostname (including the short name and the FQDN).
  • Packages:
    • Update, upgrade and auto-remove.
    • Install: `sudo ca-certificates mailutils`
    • Install extra tools: `screen vim htop tree curl nmap net-tools`
    • Enable the contrib and non-free repo areas:
      • Add `contrib non-free` to every line in `/etc/apt/sources.list`.
    • Install free and non-free firmware: `firmware-linux`
    • If it asked to install non-free firmware during the initial installation, try to install it now using APT (hint: search for `firmware-`).
  • Configure your personal user:
    • Add it to the sudo group (`usermod -aG sudo <user>`).
    • Add your personal SSH pubkey to `~/.ssh/authorized_keys` and fix the owner and permissions (700 for the dir, 600 for the file).
    • Test it.
  • Postfix: TODO

## Networking

  • Set up the network manager:
    • If you need VLAN and/or bonding support for ifupdown, install `vlan` and/or `ifenslave`.
    • If you want to use systemd-networkd instead, see System.
  • Set up DNS:
    • Enable `systemd-resolved.service`, the systemd resolver.
    • Point `/etc/resolv.conf` to the one generated by systemd: `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
  • Set up NTP:
    • Check the timezone: `timedatectl`
    • If wrong: `timedatectl set-timezone Europe/Oslo`
    • Enable NTP: `timedatectl set-ntp true`
    • Add `ntp.justervesenet.no` to `/etc/systemd/timesyncd.conf`.
    • Restart `systemd-timesyncd` and check its status.
  • Set up the firewall:
    • Install: `iptables iptables-persistent netfilter-persistent`
    • Add basic rules (it defaults to accepting everything).
  • Reboot and make sure it still works.

## Security

  • Add mount options:
    • Add a PID monitor group: `groupadd -g 1500 pidmonitor`
    • Add your personal user to the PID monitor group: `usermod -aG pidmonitor <user>`
    • Set mount options in `/etc/fstab`:
      • See Storage.
      • Enable hidepid: `proc /proc proc defaults,hidepid=2,gid=1500 0 0`
    • Run `mount -a` to validate fstab.
    • Restart the system for it to take effect.
  • Set up SSHD:
    • `PermitRootLogin no`
    • `PasswordAuthentication no`
    • `AllowTcpForwarding no`
    • `GatewayPorts no`
    • Restart sshd.
  • (Optional) Prevent root login:
    • Alternatively, keep it enabled with a strong password as a local backdoor for recovery or similar.
    • Add a personal user first.
    • Check that the password field (the second field) for root in `/etc/shadow` is something invalid like `*` or `!`, but not empty and not a valid password hash. This prevents password login.
    • Clear `/etc/securetty` to prevent root local/console login.
  • Extra tools:
    • Install `libpam-tmpdir`.
    • (Optional) Install `fail2ban`:
      • Fix the firewall first so it configures itself correctly with respect to firewall blocking.
      • Check the status with `fail2ban-client status [sshd]`.
      • See Applications for more info.
    • (Optional) Install and run Lynis:
      • Install `lynis`.
      • Run `lynis audit system`.
  • (Optional) Extra package security:
    • Install `apt-listbugs` and `apt-listchanges` and run them before upgrading a package.
    • Install `needrestart` and run it after upgrading.
    • Install `debsums` and run it after upgrading to check deb checksums.
    • Install `debsecan` to get automatically alerted when new vulnerabilities are discovered and security updates are available.
  • 2FA with Google Authenticator: TODO
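
As an added check (example code, not part of this page), the script below audits an `sshd_config` file for the four directives listed above and verifies that root's password field in a shadow file is locked as described; the file paths are arguments, and the samples at the end are constructed.

```shell
#!/bin/sh
# Audit an sshd_config and a shadow file against the settings above. Pass the
# files as arguments (/etc/ssh/sshd_config and /etc/shadow on a live host).

# Print the value of an sshd_config keyword: the first uncommented occurrence,
# which is the one sshd honours (keywords are case-insensitive); empty when unset.
sshd_opt() {  # $1=config file, $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print one line per directive that deviates from the recommendation and return 1
# if any does; "unset" means the sshd default applies, which is not what we want.
check_sshd_config() {  # $1=config file
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                AllowTcpForwarding=no GatewayPorts=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_opt "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is ${got:-unset}, expected $want"; rc=1
        fi
    done
    # An active AcceptEnv lets clients push LANG/LC_* onto the server (see
    # Initial Setup); it should be commented out.
    if [ -n "$(sshd_opt "$1" AcceptEnv)" ]; then
        echo "AcceptEnv is active, comment it out"; rc=1
    fi
    return $rc
}

# Return 0 when root's password field is locked ("*" or anything starting with
# "!"), 1 when it is empty (no password asked) or a hash (password login works).
check_root_locked() {  # $1=shadow file
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '*' | '!'*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed samples (not from a real host) to show the output.
SAMPLE_DIR=$(mktemp -d)
printf 'PermitRootLogin no\nPasswordAuthentication yes\n#AllowTcpForwarding yes\nAcceptEnv LANG LC_*\n' \
    > "$SAMPLE_DIR/sshd_config"
printf 'root:*:18000:0:99999:7:::\n' > "$SAMPLE_DIR/shadow"
check_sshd_config "$SAMPLE_DIR/sshd_config" || echo "sshd_config needs changes"
check_root_locked "$SAMPLE_DIR/shadow" && echo "root password login is disabled"
```

On a live host, `sshd -T` prints the effective values including `Match` blocks, which this file-level check does not evaluate.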

## Machine Configuration

### Physical Host

  • If using SSD, add `vm.swappiness = 10` to `/etc/sysctl.conf` to reduce swappiness.
  • Install `smartmontools` and run `smartctl -s on <dev>` for all physical drives to enable SMART monitoring.
  • Install `lm-sensors` and run `sensors-detect` to detect temperature sensors etc. Add the modules to `/etc/modules` when asked.
  • Mask `ctrl-alt-del.target` to disable CTRL+ALT+DEL reboot at the login screen.

### QEMU Virtual Host

  • Install `qemu-guest-agent`.

## Networking

### Setup

  • Update the DNS servers in `/etc/resolv.conf`.
  • Install extra functionality for ifupdown:
    • VLAN: `vlan`
    • Bonding/LACP: `ifenslave`

### Replace ifupdown with systemd-networkd

  • Make the new networkd configs:
    • Extra network device configs: `/etc/systemd/network/*.netdev`
    • Network configs: `/etc/systemd/network/*.network`
  • (Re)move the ifupdown config: `mv /etc/network/interfaces /etc/network/interfaces.disabled`
  • Enable systemd-networkd: `systemctl enable systemd-networkd`
  • Reboot and test.
  • Check the status: `networkctl [status [-a]]`

### Setup Router

  • Set the following in `/etc/sysctl.conf`, then run `sysctl -p`:
    • `net.ipv4.ip_forward=1`
    • `net.ipv6.conf.all.forwarding=1`
  • Set up the firewall for forwarded traffic.
  • Set up the firewall for NAT.
  • Set up radvd for IPv6 NDP.
  • (Optional) Set up a DHCPv6 server like the ISC DHCP Server.
  • Set up a DHCP server like the ISC DHCP Server.
  • (Optional) Set up a DNS server, like Unbound.

## Storage

### System Storage

  • Main drive:
    • Doesn't need to be super fast.
    • SSD: 1 or 2 mirrored, overprovisioned.
    • HDD: 2 mirrored.
  • Use LVM or ZFS (if supported/stable) for the whole main disk, except the boot and EFI partitions.
  • Use EXT4 for general filesystems if ZFS is not supported or appropriate.
  • Some semi-guided installers automatically add the boot or EFI partition when adding the first one.
  • Partitioning:
    • If BIOS:
      • MBR partitioning table.
      • `/boot`: 500MB, FAT32 (?)
    • If UEFI (preferred):
      • `/boot/efi`: 500MB, FAT32/EFI
      • `/boot`: 500MB, EXT4
    • (Optional) Swap. Alternatively, add it as an LVM volume.
    • LVM (or ZFS), for `/` and other volumes.
    • (Optional) ZFS partition, so that LVM uses the first half of the drive and ZFS the last.
    • If SSD: reserve around 10% at the end of the drive (no partition).
  • Configure LVM:
    • Finish the partitioning before entering the LVM configuration.
    • Create a volume group (call it `vg0` or something) and add the partition you created earlier to it.
    • Create as many logical volumes as you want. See the table below for a suggestion. Call them something like `var-lib` for the `/var/lib` volume.
    • Mount points etc. are configured after you finish the LVM configuration.
  • Set mount points, file system formats and so on for all the volumes.

### Volumes

This table is for reference only; every value in it is a suggestion. All of these are specified in `/etc/fstab`. Volumes/mounts like `/dev` are not mentioned.

| Volume/Mount | Minimal Size (GB) | Mount Options |
|--------------|-------------------|---------------|
| `/proc` | N/A | `hidepid=2,gid=1500` |
| `/boot` | 0.5 | `nodev,nosuid,noexec` |
| `/boot/efi` | 0.5 | `nodev,nosuid,noexec` |
| `/` | 10 | `nodev` |
| `/tmp` | 5 | `nodev,nosuid,noexec` |
| `/var` | 5 | `nodev,nosuid` |
| `/var/lib` | 5 | `nodev,nosuid` |
| `/var/log` | 5 | `nodev,nosuid,noexec` |
| `/var/log/audit` | 1 | `nodev,nosuid,noexec` |
| `/var/tmp` | 5 | `nodev,nosuid,noexec` |
| `/home` | 10 | `nodev,nosuid` |
| `/srv` | 10 | `nodev,nosuid` |
| SWAP | 16 | N/A |
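
The script below is an added example (not from this page) that checks an fstab-style file against the mount options in the table above, including the hidepid entry from the Security section; pass `/etc/fstab` for the configured state or `/proc/mounts` for the effective state, and note that the sample fstab at the end is constructed.

```shell
#!/bin/sh
# Check an fstab-style file (argument: /etc/fstab for the configured state,
# /proc/mounts for the effective state; same column layout) against the table above.

# Policy taken from the table: mount point, then the options it should carry.
POLICY='/proc hidepid=2,gid=1500
/boot nodev,nosuid,noexec
/boot/efi nodev,nosuid,noexec
/ nodev
/tmp nodev,nosuid,noexec
/var nodev,nosuid
/var/lib nodev,nosuid
/var/log nodev,nosuid,noexec
/var/log/audit nodev,nosuid,noexec
/var/tmp nodev,nosuid,noexec
/home nodev,nosuid
/srv nodev,nosuid'

# Print one line per deviation ("<mount>: missing <opt>" or "<mount>: not listed")
# and return 1 if there is any; return 0 when the file satisfies the table.
check_mount_opts() {  # $1=fstab-like file
    rc=0
    while read -r mp want; do
        # Options column (4th) of the first non-comment line for this mount point.
        have=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1")
        if [ -z "$have" ]; then
            echo "$mp: not listed"; rc=1; continue
        fi
        # Match whole comma-separated tokens so "nodev" never matches "nodevfoo".
        for opt in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$have," in
                *",$opt,"*) ;;
                *) echo "$mp: missing $opt"; rc=1 ;;
            esac
        done
    done <<EOF
$POLICY
EOF
    return $rc
}

# Constructed sample (not a real host's fstab) to show the output.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
proc /proc proc defaults,hidepid=2,gid=1500 0 0
UUID=0000-0000 / ext4 errors=remount-ro 0 1
/dev/vg0/tmp /tmp ext4 defaults,nodev,nosuid 0 2
/dev/vg0/home /home ext4 defaults,nodev,nosuid 0 2
EOF
check_mount_opts "$SAMPLE_FSTAB" || echo "fstab deviates from the table"
```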

## Miscellaneous

### Cron

  • Don't use periods (including file extensions) in the hourly/daily/weekly/monthly scripts.

### Extra Configuration

  • MOTD:
    • Clear `/etc/motd`.
    • Download `dmotd.sh` to `/etc/profile.d/` and install the dependencies `neofetch` and `lolcat`.
    • Add an ASCII art (or Unicode art) logo to `/etc/logo`, using e.g. TAAG.
    • (Optional) Add a MOTD to `/etc/motd`.
    • (Optional) Clear or change the pre-login message in `/etc/issue`.
  • Free disk space checking:
    • Download `disk-space-checker.sh` either to `/etc/cron.daily/` (renamed without the extension, see Cron above) or to `/opt/bin` and create a cron job for it.
    • Example cron job (15 minutes past every 4 hours): `15 */4 * * * root /opt/bin/disk-space-checker`
    • Configure which disks/file systems it should exclude and how full they should be before it sends an email alert.

## Troubleshooting

  • `network-online.target` is stalling during boot:
    • See all services it pulls in: `systemctl show -p WantedBy network-online.target`
    • Disable the unused services which stall.
  • Firmware for the network card fails to load:
    • Causes a syslog record like `firmware: failed to load rtl_nic/rtl8168g-3.fw (-2)` when trying to bring up the interface.
    • Might happen after installation even if it worked initially (for some reason).
    • Realtek solution: enable the "non-free" repo and install `firmware-realtek`.
  • Perl complains about a locale error:
    • Test with `perl -e exit`. It will complain if there's an error.
    • Check the locale: `locale`
    • Comment out `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients from bringing their own locale.

{% include footer.md %}