Debian 6 (“Squeeze”) server initial setup

NOTE: Not yet complete!

This is a step-by-step guide on the initial setup and configuration of an unmanaged VPS or dedicated server running Debian 6 (“Squeeze”). It will include detailed explanations of all of the concepts and commands being run, and as such is written for people new to Linux administration. More advanced users can skim through the guide and simply enter in the commands (or write a script to automate this setup process).

What is covered in this guide

  • Initial updating of all software currently installed
  • Creation of a new user account with sudo privileges in order to run commands as root to administer the server
  • Securing SSH by switching the default port, disallowing direct root logins, and specifically allowing only certain users access (generating SSH keys for added security will be covered in a separate article)
  • iptables (firewall) setup and configuration
  • Creating a custom shell prompt that is much more informative and useful than the standard prompt
  • Creating aliases for commonly-used commands and options
  • Setting the correct time zone
  • Generating and selecting the correct locale
  • Installing essential tools for adding software, including build tools for software for which there are no pre-built packages

Initial Login via SSH

As soon as you have the IP address and root password for your new server, log in via SSH (replace 1.2.3.4 with the server’s IP address).

ssh -l root 1.2.3.4

Debian should have already set up the proper $PATH environment variable to run the commands in the rest of this guide, but we will first verify this. The $PATH environment variable defines a list of directories to search through when looking for a command to execute.

To check the current $PATH, run the following command:

echo $PATH

You should see the following:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

If you do not, this command will set the correct path:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

With the path properly set, we can now begin setting up your new server. 

Changing the root password

You should immediately change the root password by using the passwd command.

passwd

You will be prompted to enter the root password twice. After completing this setup guide, logging on as the root user is not recommended for security reasons. In fact, later on we will be removing the ability to log in directly as root via SSH. Instead, an additional user account will be created with the ability to run commands as root with a tool called sudo.

Package managers and updating the server

The Debian operating system is frequently updated with new versions of installed software, security updates, and bug fixes. There is a good chance that the version which is installed on your server is out of date, so we will use the aptitude tool to update the system.

Aptitude is a package manager — a tool that allows you to easily install, update, or remove various software packages on your server. Often, a certain piece of software requires other software packages to be present on your system in order to run. These additional pieces of software are called dependencies, and in the past (before package managers existed) it could be a difficult and time-consuming task to find and install all of the dependencies. Often, one piece of software would depend on several other software packages, each of which had dependencies of their own, and so forth. Keeping track of all of the dependencies could quickly become close to impossible.

Things got even more complicated when you needed to remove a piece of software. It is never good to have pieces of software on your server that you do not need, because every piece of software is a potential security vulnerability or source of bugs. So when removing software packages, it is best to remove its dependencies as well. But more often than not, a dependency of abc is also a dependency of xyz, and removing that dependency will break xyz. So the trick is to only remove what are known as orphaned depedencies — dependencies that are only required by the package that is to be removed.

It should be obvious that keeping track of dependencies can quickly become overwhelmingly difficult and prone to errors. This is the reason why package managers such as Debian’s aptitude tool are essential to the system administrator. Package managers keep track of the dependencies of each piece of software installed on the system. When you install a new piece of software with a package manager, all of its dependencies (and all of each dependency’s own dependencies) are installed automatically. Similarly, package managers allow you to remove a piece of software without accidentally removing one of its dependencies required by other packages installed on your system.

So now that you know what a package manager does, let’s use Debian’s aptitude package manager to automatically update all of the software packages already installed on your server.

First, we need to update the package manager’s own list of available packages.

aptitude update

If you get a command not found error, it means that your system does not have the aptitude package manager already installed. This is not a major issue, because all Debian systems come with an additional package manager called apt-get. Just run the following command to install aptitude:

apt-get -y install aptitude

Why two different package managers (apt-get and aptitude)? Aptitude is a newer addition to Debian than apt-get, and offers several advantages over the older tool. Both tools can be used through the command line, but aptitude also includes a text-based user interface that allows you to easily browse through all of the available packages, while apt-get is strictly a command line-only tool. Aptitude also has (according to Debian) a more advanced dependency resolver than apt-get.

If aptitude is “better” than apt-get, why is apt-get still included? The major reason is that old habits die hard. Apt-get was released prior to aptitude, and people tend to use what they are most comfortable with. While both package managers can be used interchangeably, some Debian users suggest that you choose one and stick with it.

For new users, I would recommend using aptitude over apt-get. However, if you already have experience with Debian and want to use apt-get, that is perfectly fine. Simply replace any aptitude commands in this guide with the appropriate apt-get command.

With the matter of package manager preference settled, we now will update the system itself.

aptitude -y full-upgrade

The -y option will install the updates automatically without further prompting from you.

Creating a new user account with sudo privileges

Now that your server is up to date, we will create a new user account.

adduser justin

You will be asked to enter a password twice for the new account. Afterwards, you will be prompted to enter in information about the new user, all of which are optional — you can simply press enter until you are brought back to the SSH prompt.

Next, we need to give your next user account the ability to run administrative tasks as the root user, via the sudo command. A file called the sudoers file controls this access, and it is located at /etc/sudoers. However, this file need not (and should not) be edited directly. Instead, we will use the visudo command.

visudo

If you get a command not found error, the sudo tool might not be installed. This is rare, but still possible depending on the specific Debian image used by your VPS or dedicated server provider. Install the sudo package with the following command:

aptitude -y install sudo

Visudo launches the standard Debian text editor nano to edit the /etc/sudoers file. Add the following line at the end of the file:

justin ALL=(ALL) ALL

Exit the editor by pressing Ctrl-X, making sure to save the changes by pressing Y.

Configuring and securing SSH

SSH is a common target for attacks, because every server uses it, and it gives direct access to the filesystem. Therefore, there are measures that need to be taken to improve security. These include changing the default SSH port (22), disallowing direct root logins, and explicitly allowing direct logins using only the user account we just created.

There is another recommended security measure which requires user to use a key pair for authentication rather than a typical password. While this is more secure than using passwords, it is a bit more complex to set up and will be explained in a separate article.

To secure SSH, we need to edit its configuration file, which is located at /etc/ssh/sshd_config.

nano /etc/ssh/sshd_config

We will be searching for various configuration options and changing the values. In the event that your particular installation does not have one or more of the lines we are searching for, you can simply add it in a new line at the bottom of the file.

To change the SSH port, locate the following line:

Port 22

Change the 22 to a number of your choice between 1024 and 65535. Be careful not to use a port that will be used by any services you plan to run on your server (for example, the MySQL database server uses port 3306 by default). If you are not sure which port to use, you can reference this list of commonly-used ports on Wikipedia — simply choose a port between 1024 and 65535 not present on that list.

For this example, we will use port 3456, so the line in the SSH configuration file should look like this:

Port 3456

To disable direct root logins, locate the following line:

PermitRootLogin yes

And change it to:

PermitRootLogin no

Finally, we will restrict access to the server to only the user account we created earlier. Add the following line to the SSH configuration file:

AllowUsers justin

If you have additional user accounts that require SSH access, you can grant access by adding multiple usernames to the same line. For example, to give the user accounts justin and bob access, enter the following:

AllowUsers justin bob

Exit and save the new configuration by pressing Ctrl-X, then Y.

Now that the new, more secured SSH configuration is saved, we must reload the service to apply our changes. In Debian, there are scripts stored in the /etc/init.d directory which allow you to start, stop, and reload services — the SSH daemon, web server, database server, and so forth — installed on the system.

To reload the SSH configuration, run this command:

/etc/init.d/ssh reload

If you see the following message, the new configuration has been applied:

Reloading OpenBSD Secure Shell server's configuration: sshd.

Very important: We must test the new configuration before closing the terminal window. If you’ve made an error in the SSH configuration, you may lock yourself out of the system.

In a new terminal window, try to connect to your server with the new port and username. Replace 3456 with the alternative SSH port you chose above, justin with the new account username, and 1.2.3.4 with the IP address of your server.

ssh -p 3456 -l justin 1.2.3.4

If all goes well, you will enter your password when prompted and be brought to the command prompt. Next, we must verify that the new user account has sudo access.

sudo ls

This will run the ls command (lists the files in the current directory). Enter in your password when prompted.

Your home directory, where you are brought when you log in via SSH, will most likely be empty so you may not see any output. All that really matters is that you do not get any error message such as Permission denied or User is not in the sudoers file. This incident will be reported, you are good to go and can close the first terminal window where you initially logged in as root.

If you do see an error message, go through the earlier parts of this guide again, verifying that your new user account is properly set up with sudo access and that your SSH configuration is correct.

Now that you have got this far, you will never need to log in as the root user (in fact, you won’t even be able to since we disabled direct root logins). Whenever you need to run a command which requires root access, such as installing new software packages or editing configuration files, simply preface the command with sudo.

The Linux firewall: iptables

(much, much more to come)