NOTE: Not yet complete!
This is a step-by-step guide on the initial setup and configuration of an unmanaged VPS or dedicated server running Debian 6 (“Squeeze”). It will include detailed explanations of all of the concepts and commands being run, and as such is written for people new to Linux administration. More advanced users can skim through the guide and simply enter in the commands (or write a script to automate this setup process).
What is covered in this guide
- Initial updating of all software currently installed
- Creation of a new user account with sudo privileges in order to run commands as root to administer the server
- Securing SSH by switching the default port, disallowing direct root logins, and specifically allowing only certain users access (generating SSH keys for added security will be covered in a separate article)
- iptables (firewall) setup and configuration
- Creating a custom shell prompt that is much more informative and useful than the standard prompt
- Creating aliases for commonly-used commands and options
- Setting the correct time zone
- Generating and selecting the correct locale
- Installing essential tools for adding software, including build tools for software for which there are no pre-built packages
Initial Login via SSH
As soon as you have the IP address and root password for your new server, log in via SSH (replace 1.2.3.4 with the server’s IP address).
ssh -l root 1.2.3.4
Debian should have already set up the proper $PATH environment variable to run the commands in the rest of this guide, but we will first verify this. The $PATH environment variable defines a list of directories to search through when looking for a command to execute.
To check the current $PATH, run the following command:
echo $PATH
You should see the following:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
If you do not, this command will set the correct path:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
With the path properly set, we can now begin setting up your new server.
Changing the root password
You should immediately change the root password by using the passwd command.
passwd
You will be prompted to enter the root password twice. After completing this setup guide, logging on as the root user is not recommended for security reasons. In fact, later on we will be removing the ability to log in directly as root via SSH. Instead, an additional user account will be created with the ability to run commands as root with a tool called sudo.
Package managers and updating the server
The Debian operating system is frequently updated with new versions of installed software, security updates, and bug fixes. There is a good chance that the version which is installed on your server is out of date, so we will use the aptitude tool to update the system.
Aptitude is a package manager — a tool that allows you to easily install, update, or remove various software packages on your server. Often, a certain piece of software requires other software packages to be present on your system in order to run. These additional pieces of software are called dependencies, and in the past (before package managers existed) it could be a difficult and time-consuming task to find and install all of the dependencies. Often, one piece of software would depend on several other software packages, each of which had dependencies of their own, and so forth. Keeping track of all of the dependencies could quickly become close to impossible.
Things got even more complicated when you needed to remove a piece of software. It is never good to have pieces of software on your server that you do not need, because every piece of software is a potential security vulnerability or source of bugs. So when removing a software package, it is best to remove its dependencies as well. But more often than not, a dependency of abc is also a dependency of xyz, and removing that dependency will break xyz. So the trick is to only remove what are known as orphaned dependencies — dependencies that are only required by the package that is to be removed.
It should be obvious that keeping track of dependencies can quickly become overwhelmingly difficult and prone to errors. This is the reason why package managers such as Debian’s aptitude tool are essential to the system administrator. Package managers keep track of the dependencies of each piece of software installed on the system. When you install a new piece of software with a package manager, all of its dependencies (and all of each dependency’s own dependencies) are installed automatically. Similarly, package managers allow you to remove a piece of software without accidentally removing one of its dependencies required by other packages installed on your system.
So now that you know what a package manager does, let’s use Debian’s aptitude package manager to automatically update all of the software packages already installed on your server.
First, we need to update the package manager’s own list of available packages.
aptitude update
If you get a command not found error, it means that your system does not have the aptitude package manager already installed. This is not a major issue, because all Debian systems come with an additional package manager called apt-get. Just run the following command to install aptitude:
apt-get -y install aptitude
Why two different package managers (apt-get and aptitude)? Aptitude is a newer addition to Debian than apt-get, and offers several advantages over the older tool. Both tools can be used through the command line, but aptitude also includes a text-based user interface that allows you to easily browse through all of the available packages, while apt-get is strictly a command line-only tool. Aptitude also has (according to Debian) a more advanced dependency resolver than apt-get.
If aptitude is “better” than apt-get, why is apt-get still included? The major reason is that old habits die hard. Apt-get was released prior to aptitude, and people tend to use what they are most comfortable with. While both package managers can be used interchangeably, some Debian users suggest that you choose one and stick with it.
For new users, I would recommend using aptitude over apt-get. However, if you already have experience with Debian and want to use apt-get, that is perfectly fine. Simply replace any aptitude commands in this guide with the appropriate apt-get command.
With the matter of package manager preference settled, we now will update the system itself.
aptitude -y full-upgrade
The -y option will install the updates automatically without further prompting from you.
Creating a new user account with sudo privileges
Now that your server is up to date, we will create a new user account.
adduser justin
You will be asked to enter a password twice for the new account. Afterwards, you will be prompted to enter information about the new user, all of which is optional — you can simply press enter until you are brought back to the SSH prompt.
Next, we need to give your new user account the ability to run administrative tasks as the root user, via the sudo command. A file called the sudoers file controls this access, and it is located at /etc/sudoers. However, this file need not (and should not) be edited directly. Instead, we will use the visudo command.
visudo
If you get a command not found error, the sudo tool might not be installed. This is rare, but still possible depending on the specific Debian image used by your VPS or dedicated server provider. Install the sudo package with the following command:
aptitude -y install sudo
Visudo launches the standard Debian text editor nano to edit the /etc/sudoers file. Add the following line at the end of the file:
justin ALL=(ALL) ALL
Exit the editor by pressing Ctrl-X, making sure to save the changes by pressing Y.
Configuring and securing SSH
SSH is a common target for attacks, because every server uses it, and it gives direct access to the filesystem. Therefore, there are measures that need to be taken to improve security. These include changing the default SSH port (22), disallowing direct root logins, and explicitly allowing direct logins using only the user account we just created.
There is another recommended security measure which requires users to use a key pair for authentication rather than a typical password. While this is more secure than using passwords, it is a bit more complex to set up and will be explained in a separate article.
To secure SSH, we need to edit its configuration file, which is located at /etc/ssh/sshd_config.
nano /etc/ssh/sshd_config
We will be searching for various configuration options and changing the values. In the event that your particular installation does not have one or more of the lines we are searching for, you can simply add it in a new line at the bottom of the file.
To change the SSH port, locate the following line:
Port 22
Change the 22 to a number of your choice between 1024 and 65535. Be careful not to use a port that will be used by any services you plan to run on your server (for example, the MySQL database server uses port 3306 by default). If you are not sure which port to use, you can reference this list of commonly-used ports on Wikipedia — simply choose a port between 1024 and 65535 not present on that list.
For this example, we will use port 3456, so the line in the SSH configuration file should look like this:
Port 3456
To disable direct root logins, locate the following line:
PermitRootLogin yes
And change it to:
PermitRootLogin no
Finally, we will restrict access to the server to only the user account we created earlier. Add the following line to the SSH configuration file:
AllowUsers justin
If you have additional user accounts that require SSH access, you can grant access by adding multiple usernames to the same line. For example, to give the user accounts justin and bob access, enter the following:
AllowUsers justin bob
Exit and save the new configuration by pressing Ctrl-X, then Y.
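One pitfall with the edits above: sshd listens on every Port line it finds and uses the first value it finds for PermitRootLogin, so a new line added below an old one may not do what you expect. The shell check below is an added example, not part of the original guide; the function names and the sample file are constructed for illustration, and it assumes a configuration without Match blocks.

```shell
# Added example: audit the three sshd_config settings changed in this guide.
# Assumption: the file has no "Match" blocks (conditional overrides are ignored).

# Print each value set for keyword $2 in file $1, in file order.
# Keywords are case-insensitive; blank and comment lines are skipped.
sshd_values() {
    awk -v kw="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Print one finding per line for file $1; return non-zero if there are any.
audit_sshd_config() {
    file=$1 findings=0
    # Port lines accumulate: sshd listens on every port that is listed.
    ports=$(sshd_values "$file" Port)
    if [ -z "$ports" ]; then
        echo "Port: not set, sshd falls back to the default port 22"; findings=1
    elif printf '%s\n' "$ports" | grep -qx 22; then
        echo "Port: 22 is still listed, sshd keeps listening on it"; findings=1
    fi
    # For PermitRootLogin the first value wins, so a line appended at the
    # bottom of the file has no effect if an earlier line sets the keyword.
    root=$(sshd_values "$file" PermitRootLogin | head -n 1)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin: first value in file is '${root:-<none>}', expected 'no'"
        findings=1
    fi
    if [ -z "$(sshd_values "$file" AllowUsers)" ]; then
        echo "AllowUsers: not set, SSH logins are not limited to named users"
        findings=1
    fi
    return $findings
}

# Constructed sample: the new settings were appended below the old ones.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
Port 3456
PermitRootLogin no
AllowUsers justin
EOF
}

sample=$(mktemp) && write_sample_config "$sample"
audit_sshd_config "$sample" || echo "Fix the findings above before reloading ssh."
rm -f "$sample"
```

On the server itself, call audit_sshd_config /etc/ssh/sshd_config; running sshd -t as root additionally checks the file for syntax errors.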
Now that the new, more secured SSH configuration is saved, we must reload the service to apply our changes. In Debian, there are scripts stored in the /etc/init.d directory which allow you to start, stop, and reload services — the SSH daemon, web server, database server, and so forth — installed on the system.
To reload the SSH configuration, run this command:
/etc/init.d/ssh reload
If you see the following message, the new configuration has been applied:
Reloading OpenBSD Secure Shell server's configuration: sshd.
Very important: We must test the new configuration before closing the terminal window. If you’ve made an error in the SSH configuration, you may lock yourself out of the system.
In a new terminal window, try to connect to your server with the new port and username. Replace 3456 with the alternative SSH port you chose above, justin with the new account username, and 1.2.3.4 with the IP address of your server.
ssh -p 3456 -l justin 1.2.3.4
If all goes well, you will enter your password when prompted and be brought to the command prompt. Next, we must verify that the new user account has sudo access.
sudo ls
This will run the ls command (lists the files in the current directory). Enter in your password when prompted.
Your home directory, where you are brought when you log in via SSH, will most likely be empty, so you may not see any output. All that really matters is that you do not get an error message such as "Permission denied" or "User is not in the sudoers file. This incident will be reported." If you do not, you are good to go and can close the first terminal window where you initially logged in as root.
If you do see an error message, go through the earlier parts of this guide again, verifying that your new user account is properly set up with sudo access and that your SSH configuration is correct.
Now that you have got this far, you will never need to log in as the root user (in fact, you won’t even be able to since we disabled direct root logins). Whenever you need to run a command which requires root access, such as installing new software packages or editing configuration files, simply preface the command with sudo.
The Linux firewall: iptables
(much, much more to come)
WRT giving a user sudo privileges, some people may prefer to run
sudo usermod -a -G sudo username
Which adds the user to the sudo group, instead of modifying the sudo configuration directly.
That’s actually what I do personally too. I just wanted to include editing the sudoers file in this walkthrough to give a new user a bit more insight into how the sudo system works.
Hi there Justin,
first of all I would like to say thank you for the initial setup with updating and of creating a user account and visudo. I am well versed in this as I use Mint on my desktop and have used Ubuntu on my servers for several years now, but for the life of me couldn’t work out why I couldn’t install any packages using this distro. Thanks to you explaining the -y switch I no longer have to pull my hair out. 😀
Look forward to the progress of this how-to and I have bookmarked it for future reference. 😉
Thank you for the kind words. I have just added a section on securing SSH by changing the default port, disallowing direct root logins, and removing all access except for the new user account(s) created. Further SSH security by using key pairs in lieu of passwords will have its own article.
Next up is getting a good default set of firewall (iptables) rules, followed by the other items (mostly convenience) listed at the top of the article. I expect this all to be completed within a couple of days, and then I will work on how-to articles on setting up a web server, email server, DNS server, and other common tasks.
I have a lot of articles planned and I hope you check back often to see what I have added.
Thanks again!
-Justin
Thanks a lot for the guide! Helped me a lot …
Glad to hear!
I’m almost finished with the rest of this guide; it will be posted within the next couple of days. Be sure to check back, as this completed guide (and many others that I am writing) should be an even bigger help to you.
Ahhhh, I need the other tutorials!
Hi Brandon,
I’m in the process of writing a number of tutorials, and have been working a little bit on each one every day.
I’ve decided to concentrate on 1 guide at a time now, so I can post new tutorials much more frequently.
I think this would be more beneficial than having a long wait and posting several guides at once. A new guide once a week should be a good pace.
If there is anything specific that you need help with, feel free to ask.
-Justin
I just wanted to add:
You can use nano for editing the visudoers file. Just do:
EDITOR=nano visudo
That may be helpful to those who have a hard time with vi.
Hello,
Are you going to continue?
Hi Maxime,
Yes, I will be continuing and finishing this guide, hopefully within the next week or two. In the meantime, if there is anything specific that you need help with, feel free to reply here. Alternatively, you can email me directly at justin.franks@gmail.com.
Ok, that’s great, I will be waiting so 🙂
Great article….Keep updating!
You should finish this guide. It’s the nicest one around.
Obviously a lot of time has passed since I wrote this. In the interim, Debian 7 was released, and now Debian 8 has just been released. I have been very busy with other projects, and just did not have the time to work on this personal project.
I have some free time coming up in another month, so I will be updating this guide to work with Debian 7 and Debian 8, as well as complete it.
It will be very nice to actually have a personal website that I can be proud of, *and* have enough free time to frequently add to it.