Debian Server Installation
I have prepared a recipe to install a Debian server from scratch. It is the way I do that for my projects. This time I will use an old laptop as the hardware.
As always, I have prepared this because I always forget my own way of doing it. I know there are many tutorials out there, but my way gives a lightweight installation on reused/repurposed hardware, enables remote connection, and lets you check the basics like temperature and load.
What are we going to do?
- Create a bootable USB with Debian from the ISO available at debian.org
- Install the system with wifi support
- Install an SSH server and do the hardening of the installation
- Install a Firewall program and enable SSH, HTTP and HTTPS
- Deactivate the options to sleep when closing the laptop’s lid
- Install Zsh to replace the bash shell
- Install powerlevel10k as theme for Zsh
- Install lm_sensors and ACPI to monitor the temperature
- Install fwupd to keep the firmware up to date
Create a bootable USB
To install the server we initially need a pendrive and an ISO image of Debian. The ISO image should be available at debian.org, and we will look for the one that includes the non-free packages as we want support for the WiFi modules. You can choose the version you like, with or without a graphical environment, but I will choose the “debian-live-x.x.x-amd64-standard+nonfree.iso” as I will mainly use SSH. At the time I am writing, the version available is “debian-live-10.8.0-amd64-standard+nonfree.iso” (important: check out the iso-hybrid as we want to make it bootable).
Once downloaded, plug your USB into your machine and make sure it is not automatically mounted; if it is, just eject it.
Now check where your device is attached; for that you can use:
|
|
To burn the image to the pendrive use one of the commands:
|
|
or
|
|
Basically both are the same; only the way they finish with the synchronization is different.
Install the system with wifi support
At this point you are ready to boot the system via the USB stick and proceed with the installation. Make sure you boot the machine and select to boot from the USB stick. You will see a few installation options; in my case, as this will be a little server, I will use the text-based installation, not the graphical one. Select the language and the keyboard layout, after that the name of this installation, the root password, add the first users and then select the partitioning (I will select all files in the same partition), select the mirror server to get the updates, and wait.
Just before the installation asks you to remove the media, don’t do anything and go to another console using Ctrl+Alt+F# (in my case F2; F1 is where the installation is running). Hit enter to get the prompt and execute the following:
|
|
This is an installer command to ask for the network manager to be installed (don’t worry if a warning appears). You can check more details here: https://d-i.debian.org/doc/internals/ch02.html
Go back to the installation screen with Ctrl + Alt + F1, finish the installation process and boot your system. If all was done correctly, you should have a network connection and nmcli/nmtui installed for any tweak.
Installing an SSH server
The SSH server we will use is OpenSSH; this comes as a standard package in Debian and can be installed with:
|
|
Let’s do a basic config and hardening
I like to make the following changes to the file /etc/ssh/sshd_config. This will help to prevent default behaviour and increase the security by disabling some functionalities:
Change the default port to something different, like 2020 or 2200
|
|
Disable the protocol 1 and enable only connections with protocol 2
|
|
Never, Never permit root login (in fact disable it)
|
|
Some other options on how to handle connections:
|
|
The following are a bunch of best practices and configs that should be allowed only to specific users with a Match rule, but disabled server-wide:
|
|
For your user, for example, if you want to include some specifics use
|
|
This rule, for example, allows you to SSH into other servers from this server.
Now restart the SSH server; you will not lose your connection:
|
|
and check that it is all working with:
|
|
you should see one of the lines saying “… Server listening on 0.0.0.0 port 2200.”, now you should be able to reconnect using the new port 2200, or the one you used.
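A check to run after editing /etc/ssh/sshd_config and before restarting, added here as an example (not from the original post): it reports the effective global Port and PermitRootLogin, because sshd uses the first value it reads for a keyword and treats every line after a Match line as conditional. The sample config, the user alice and the function names are constructed; Include files are not followed.

```shell
# Added example, not from the original post. The sample config is constructed.

# Print the effective global value of a keyword. sshd keeps the FIRST value it
# reads for a keyword, keywords are case-insensitive, and every line after a
# "Match" line is conditional, so the global section ends there.
sshd_global() {  # usage: sshd_global <keyword> <file>
    awk -v want="$1" '
        NF == 0 || $1 ~ /^#/ { next }             # skip blanks and comments
        tolower($1) == "match" { exit }           # conditional blocks start here
        tolower($1) == tolower(want) { print $2; exit }
    ' "$2"
}

# Print one line per finding; the exit status is the number of findings.
audit_sshd() {  # usage: audit_sshd <file>
    findings=0
    port=$(sshd_global Port "$1")
    root=$(sshd_global PermitRootLogin "$1")
    # Unset keywords fall back to sshd's defaults: port 22 and
    # PermitRootLogin prohibit-password.
    if [ "${port:-22}" = 22 ]; then
        echo "Port: still the default 22"
        findings=$((findings + 1))
    fi
    if [ "${root:-prohibit-password}" != no ]; then
        echo "PermitRootLogin: effective value is ${root:-prohibit-password}, expected no"
        findings=$((findings + 1))
    fi
    if [ -n "$(sshd_global Protocol "$1")" ]; then   # informational, not counted
        echo "note: Protocol has no effect since OpenSSH 7.4 dropped protocol 1 from sshd"
    fi
    return "$findings"
}

# Constructed sample: the hardening line was appended below an existing one,
# so the earlier "yes" is the value sshd uses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2200
permitrootlogin yes
PermitRootLogin no
Match User alice
    AllowTcpForwarding yes
EOF
audit_sshd "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On the server itself, `sudo sshd -t` additionally validates the syntax of the real file before the restart.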
Install a Firewall program and enable SSH, HTTP and HTTPS
Debian comes with a utility program that allows administrators to configure the IP packet filter rules; this is known as iptables. To manage that in a simple way we will use the ufw utility.
To install ufw use:
|
|
If you changed the port for sshd, allow the incoming connections using:
|
|
Use the port you defined as Port in the config file.
If you are hosting some HTTP/HTTPS app, you will need to allow that traffic in ufw:
|
|
If you are hosting Postgres and you want to restrict connections to the internal network only, use:
|
|
To enable the firewall use:
|
|
By this point you should not lose connection if you have reconnected using the new port after installing the SSH server. (you can check more on this reference and here)
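A pre-flight check for the firewall steps above, added as an example (not from the original post): it reads the rule list printed by `ufw show added`, which works while the firewall is still inactive, and fails if the SSH port has no allow rule or if port 5432 is open to any source. The rules, the 192.168.1.0/24 network and the function names are constructed for illustration.

```shell
# Added example, not from the original post. The rules below are constructed.

# Read `ufw show added` output on stdin and print how TCP <port> is reachable:
# "open" (any source), "from <source>" (restricted), or "closed" (no rule).
ufw_port_scope() {  # usage: ufw show added | ufw_port_scope <port>
    awk -v port="$1" '
        $1 != "ufw" || ($2 != "allow" && $2 != "limit") { next }
        {
            src = "any"; hit = 0; udp = 0
            for (i = 3; i <= NF; i++) {
                if ($i == port || $i == port "/tcp") hit = 1
                if ($i == "from") src = $(i + 1)
                if ($i == "proto" && $(i + 1) == "udp") udp = 1
            }
            if (!hit || udp) next
            if (src == "any") anysrc = 1
            else if (limited == "") limited = src
        }
        END { print (anysrc ? "open" : (limited != "" ? "from " limited : "closed")) }
    '
}

# Fail before `ufw enable` if the SSH port has no allow rule, or if PostgreSQL
# (5432) is reachable from any source instead of the internal network only.
preflight() {  # usage: preflight <ssh_port> <rules_file>
    ssh_scope=$(ufw_port_scope "$1" < "$2")
    pg_scope=$(ufw_port_scope 5432 < "$2")
    if [ "$ssh_scope" = closed ]; then
        echo "no allow rule for SSH port $1: enabling ufw would cut the session"
        return 1
    fi
    if [ "$pg_scope" = open ]; then
        echo "port 5432 is open to any source"
        return 1
    fi
    echo "ok: ssh=$ssh_scope postgres=$pg_scope"
}

rules=$(mktemp)
cat > "$rules" <<'EOF'
ufw allow 2200/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from 192.168.1.0/24 to any port 5432 proto tcp
EOF
preflight 2200 "$rules"
rm -f "$rules"
```

On a real host, save the output of `sudo ufw show added` to a file and pass it with the Port value from sshd_config.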
Deactivate the options to sleep when closing the laptop’s lid
For this small/test server I am using an old laptop, and I want to prevent it from going to sleep when I close the lid, so I can use it headless. To start, let’s configure the logind service; open the file /etc/systemd/logind.conf with:
|
|
and change the entries for:
|
|
Now to make sure all is ignored, we need to mask the target of the logind service, for that execute the following:
|
|
and restart the service with:
|
|
you can check that the changes were made using
|
|
(you can check more on this reference)
Install Zsh to replace the bash shell
Changing the default bash shell for zsh
|
|
And let’s make it nicer with Oh My ZSH. To install it you need to have cURL installed; to do so:
|
|
Let’s make sure we have git installed; for that do:
|
|
now to install Oh My ZSH, execute:
|
|
During this install you will be asked if you want to replace your current shell; respond yes and provide your admin credentials, or do it manually using $sudo chsh -s $(which zsh) $(whoami)
Install powerlevel10k as theme for Zsh
To install this theme you will need to clone the git repo, so you need git installed (see previous step). Now, to clone the repo use:
|
|
To activate the theme, edit the .zshrc file in your profile home directory and replace the value of ZSH_THEME as
|
|
Log off and log in again to trigger the configuration, or run the config command p10k configure.
You will probably need to install the Meslo Nerd fonts on the client side to make sure you can see all the characters and icons; here is the link to the .ttf files. Download and install the fonts in your OS and make sure they are selected in the connection profile in your client program (putty/iterm/term).
Install lm_sensors and ACPI to monitor the temperature
Now let’s get some info from the machine, like temperature, via sensors. To install lm_sensors let’s trigger:
|
|
then to configure let’s do
|
|
Follow the interactive script and test for all the sensors; if it is a new system there is no risk, as you can always reboot (in production you are not going to do that). When finished, include all the modules needed and reboot. Once done, you will be able to check the temperature of all elements and the fan speed with:
|
|
For the battery we will use acpi, and to install it we will need
|
|
then you can check if it is reporting properly with:
|
|
or
|
|
ACPI also reports basic thermal information.
Install fwupd to keep the firmware up to date
Let’s prepare the system for any upcoming firmware upgrade. For that, let’s install fwupd with:
|
|
This utility depends on a service that we will need to start with
|
|
then we will need to refresh the db with:
|
|
now to check for updates we need to execute:
|
|
Install htop to monitor the workload
To see an overview of the load use htop, installing it via
|
|
then execute it via:
|
|
Now press F5 to customise and get the Tree view. You can do more customisation via F2, to include or remove any field.