02 Sep 2014 Debian server - Configuration notes


Starting point: a freshly installed Debian Wheezy with SSH access and an SSH key.

Note that I usually start with the following partition scheme.

Mount point   Type             Size
/             primary          10 GiB
swap          swap             2 * memory size
/tmp          logical volume   2 GiB
/opt          logical volume   1 GiB
/srv          logical volume   1 GiB
/var          logical volume   1 GiB
/var/log      logical volume   1 GiB
/home         logical volume   1 GiB

Generate an SSH key (if you do not already have one)

ssh-keygen -t rsa -b 4096

Create a user for administrative tasks and disable root login

apt-get install sudo

adduser --shell /bin/bash <user>
adduser <user> adm
adduser <user> sudo

su - <user>
mkdir ~/.ssh
chmod 700 ~/.ssh
echo "<your-ssh-key>" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Log out and test ssh login to <user>

sudo passwd -l root
sudo vi /etc/ssh/sshd_config # PermitRootLogin no
sudo service ssh restart

Ensure your server is up-to-date

sudo apt-get update
sudo apt-get upgrade

Log users activities

This is done using the Snoopy Logger.

sudo apt-get install snoopy

Keep track of configuration changes

This is done using etckeeper.

sudo apt-get install etckeeper

Set your hostname

Set your hostname in /etc/hostname.


Add an entry in /etc/hosts.

w.x.y.z            server.domain.com        server

Apply your hostname change.

sudo /etc/init.d/hostname.sh


sudo apt-get install ntp
sudo dpkg-reconfigure locales
sudo dpkg-reconfigure tzdata

Warn unauthorized users

In some countries, displaying a warning about unauthorized access to anyone who connects to a system is needed to have legal protection.

To do that put the following text in /etc/motd.

This system is for the use of authorized users only. Usage of this
system may be monitored and recorded by system personnel.

Anyone using this system expressly consents to such monitoring and is 
advised that if such monitoring reveals possible evidence of criminal 
activity, system personnel may provide the evidence from such monitoring
to law enforcement officials.

Then commit your changes.

sudo etckeeper commit "Warn unauthorized users"

Secure SSH daemon

Secure SSH daemon in /etc/ssh/sshd_config

Have ssh listen only on a given interface.

ListenAddress <w.x.y.z>

Disable root login and empty password login.

PermitRootLogin no
PermitEmptyPasswords no

Allow only certain users to have access via SSH to this machine.

AllowUsers <user>

Disable any form of authentication we do not really need.

PasswordAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

Limit the number of concurrent unauthenticated connections to the SSH daemon. With 10:30:60, sshd starts refusing 30% of new unauthenticated connections once 10 are pending, rising linearly until all are refused at 60.

MaxStartups 10:30:60

Disable the protocol version 1 (flawed).

Protocol 2

Then restart the daemon and commit your changes.

sudo service ssh restart
sudo etckeeper commit "secure sshd"
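The directives above only take effect if they are the first occurrence of each keyword in sshd_config, since sshd uses the first value it finds and ignores later ones; appending "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing. The following script, an added example that is not part of the original notes, applies the whole set idempotently to a config file and reads back the effective values. The file path, listen address and user list are parameters (192.0.2.10 and "admin" in the demo are constructed values).

```shell
#!/bin/sh
# Added example (not from the original notes): apply the sshd_config hardening
# from the notes to a config file idempotently, then read back effective values.
# Assumptions: POSIX sh with GNU or BSD sed/awk; FILE, LISTEN_ADDR and USERS are
# supplied by the caller (192.0.2.10 and "admin" below are constructed values).

# set_sshd_option FILE KEY VALUE
# Rewrite every existing line for KEY, whether active or commented out, to
# "KEY VALUE"; append the directive only if KEY does not appear at all.
# sshd uses the first occurrence of a keyword, so replacing every line
# (rather than appending) is what guarantees the hardened value wins.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file" > "$tmp"
        cat "$tmp" > "$file"     # keep the original file's ownership and mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd_option_value FILE KEY
# Print the value sshd would use for KEY: the first active (uncommented) line.
sshd_option_value() {
    awk -v k="$2" '$1 == k && !found { $1 = ""; sub(/^ /, ""); print; found = 1 }' "$1"
}

# harden_sshd FILE LISTEN_ADDR USERS
# The directive set from the notes, applied in one go.
harden_sshd() {
    f=$1
    set_sshd_option "$f" ListenAddress "$2"
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" AllowUsers "$3"
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" HostbasedAuthentication no
    set_sshd_option "$f" KerberosAuthentication no
    set_sshd_option "$f" GSSAPIAuthentication no
    set_sshd_option "$f" MaxStartups 10:30:60
    set_sshd_option "$f" Protocol 2
}

# sshd_is_hardened FILE
# Return 0 only if every directive from the notes is the effective value.
sshd_is_hardened() {
    for pair in PermitRootLogin=no PermitEmptyPasswords=no PasswordAuthentication=no \
                HostbasedAuthentication=no KerberosAuthentication=no \
                GSSAPIAuthentication=no Protocol=2; do
        [ "$(sshd_option_value "$1" "${pair%%=*}")" = "${pair#*=}" ] || return 1
    done
    [ -n "$(sshd_option_value "$1" AllowUsers)" ] || return 1
}

# Demo on a constructed file resembling a Wheezy default (not a real server's).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
EOF
harden_sshd "$demo_cfg" 192.0.2.10 admin
if sshd_is_hardened "$demo_cfg"; then echo "hardened:"; cat "$demo_cfg"; fi
rm -f "$demo_cfg"
# On a real server, run "sudo sshd -t" to syntax-check /etc/ssh/sshd_config
# before "sudo service ssh restart".
```

Run it against a copy of /etc/ssh/sshd_config first and diff the result, then syntax-check with sudo sshd -t before restarting. Keep the current session open and confirm a fresh login as the allowed user works, since AllowUsers combined with PasswordAuthentication no locks out every account whose key is not in place.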

Set up iptables (using shorewall)

sudo apt-get install shorewall shorewall6

Then set up shorewall using one of the examples provided in /usr/share/doc/shorewall/examples/Universal/.

Finally, activate shorewall (do not forget to set startup=1 in /etc/default/shorewall and /etc/default/shorewall6).

sudo etckeeper commit "configure shorewall"
sudo service shorewall start
sudo service shorewall6 start
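As an added example that is not part of the original notes or of the shorewall project, here is a minimal single-interface IPv4 configuration in the format of the four files under /etc/shorewall: a deny-by-default policy with SSH as the only service opened from the network. It is generated into a directory of your choice so it can be compared with the Universal example before being copied into place; the interface name is a parameter (eth0 in the demo is a constructed value) and the file format is the one used by shorewall 4.5 on Wheezy.

```shell
#!/bin/sh
# Added example (not from the original notes or the shorewall project): a
# minimal single-interface IPv4 shorewall configuration written into DIR.
# Assumptions: shorewall 4.5 (Wheezy) file format; IFACE is a parameter
# (eth0 in the demo below is a constructed value).

# write_shorewall_config DIR IFACE
write_shorewall_config() {
    dir=$1 iface=$2
    mkdir -p "$dir"

    # Two zones: the firewall itself and the Internet-facing network.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
EOF

    # Bind the net zone to the interface; the options add basic anti-spoofing
    # and malformed-packet checks (tcpflags, nosmurfs, routefilter, logmartians).
    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $iface      detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
EOF

    # Default stance: the server may talk out, nothing unsolicited comes in.
    # Dropped and rejected packets are logged at "info" so log-watching
    # tools (fail2ban, logcheck) can see them.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Explicit exceptions to the policy. SSH is the only service opened here;
    # add one line per additional service rather than loosening the policy.
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
SECTION NEW
SSH(ACCEPT)     net     $FW
Ping(ACCEPT)    net     $FW
EOF
}

# shorewall_net_accept_rules DIR
# Hypothetical review helper: list the macros that ACCEPT traffic from net to
# the firewall, so a reviewer can confirm nothing beyond SSH and ping is open.
shorewall_net_accept_rules() {
    grep -E '^[A-Za-z]+\(ACCEPT\)[[:space:]]+net[[:space:]]+\$FW' "$1/rules" | awk '{ print $1 }'
}

demo_dir=$(mktemp -d)
write_shorewall_config "$demo_dir" eth0
echo "Rules accepting traffic from net to the firewall:"
shorewall_net_accept_rules "$demo_dir"    # prints SSH(ACCEPT) and Ping(ACCEPT)
rm -rf "$demo_dir"
```

After copying the files into /etc/shorewall, run sudo shorewall check to compile the configuration without loading it, then prefer sudo shorewall safe-start over a plain start: it asks you to confirm from your existing session and reverts the ruleset if no answer arrives, which is the safeguard you want when the only open port is the one you are connected through. shorewall6 needs its own files under /etc/shorewall6 with the net zone of type ipv6.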

Prevent intrusions

sudo apt-get install fail2ban
sudo vi /etc/fail2ban/jail.conf
sudo etckeeper commit "configure fail2ban"
sudo service fail2ban restart

Setup email

sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config

Monitor your server

sudo apt-get install monit

Keep your server up-to-date

apt-get install cron-apt
echo 'MAILTO="root"' > /etc/cron-apt/config

Install some basic utility programs

apt-get install uptimed htop iotop iftop lsb-release netcat netcat6 bzip2 p7zip zip unzip bash-completion deborphan localepurge lynx ncftp gnupg hexedit screen tree vim wget wput

01 Sep 2013 Jekyll

Jekyll is a simple, blog aware, static site generator. It takes a template directory (representing the raw form of a website), runs it through Textile or Markdown and Liquid converters, and spits out a complete, static website suitable for serving with Apache or your favorite web server.

The Jekyll README

Starting a new website has never been so simple (at least for a developer):

~ $ gem install jekyll
~ $ jekyll new awesome-site
~ $ cd awesome-site
~/awesome-site $ git init
~/awesome-site $ jekyll serve -w
# => Now browse to http://localhost:4000

The icing on the cake: Jekyll is also very well documented. Check out the Jekyll docs for more information on how to get the most out of it.