How to set up an unmanaged Debian server

Thanks to http://jesin.tk/how-to-setup-an-unmanaged-debian-server/

So you’ve bought a shiny new VPS or dedicated unmanaged server to cut costs on hosting but don’t know how to begin? Read this post to make this easier. This tutorial covers the basic setup of an unmanaged Debian VPS or dedicated server. The following topics are covered in this article:

  • Configuring the Timezone
  • Selecting locales
  • Creating a sudo user
  • Securing SSH
  • Adding firewall rules

The first task is to update the apt database and check if any installed packages can be upgraded.

apt-get update && apt-get upgrade

 

Configuring the Timezone

The dpkg-reconfigure command is used to reconfigure the timezone:

dpkg-reconfigure tzdata

Selecting locales

The same dpkg-reconfigure is used to select the locales too.

dpkg-reconfigure locales

Creating a sudo user

Using a production server as a root user is the most dangerous thing you can do. So create a normal user and add it to the list of sudoers.

useradd --shell /bin/bash username
passwd username
visudo

Now add the following line to the end of this file:

username ALL=(ALL) ALL

Securing SSH

To secure SSH, the default port 22 has to be changed and root user login via SSH has to be disabled. Open the SSH configuration

vi /etc/ssh/sshd_config

and edit the following

Port 22

change this to any number between 49152 and 65535

Port 53474

Also search for

PermitRootLogin yes

and change this to

PermitRootLogin no
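Both edits can be checked before the restart, since a mistake in this file is noticed only when the next login fails. The script below is an added example, not part of the original post or its setup script; the helper names sshd_values and check_sshd_config are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# Added example: check the two sshd_config edits from this guide before restarting.
# sshd_values and check_sshd_config are hypothetical helper names.

# Print every global value of keyword $2 in file $1. Keywords are matched
# case-insensitively, "Key=value" is accepted, comments never match, and
# parsing stops at the first Match block (settings there are conditional).
sshd_values() {
    awk -v kw="$2" '
        { sub(/=/, " ") }
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(kw) { print $2 }' "$1"
}

# Return 0 only if every Port is in 49152-65535 and PermitRootLogin is "no".
check_sshd_config() {
    cfg=$1; rc=0
    ports=$(sshd_values "$cfg" Port)
    [ -n "$ports" ] || ports=22     # sshd listens on 22 when no Port is set
    for p in $ports; do
        case $p in
            ''|*[!0-9]*) echo "FAIL: Port '$p' is not a number"; rc=1; continue ;;
        esac
        if [ "$p" -lt 49152 ] || [ "$p" -gt 65535 ]; then
            echo "FAIL: Port $p is outside 49152-65535"; rc=1
        fi
    done
    # sshd keeps the first value it reads for a keyword, so check that one.
    root=$(sshd_values "$cfg" PermitRootLogin | head -n 1)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: $cfg matches the guide"
    return "$rc"
}

# Constructed sample: a later "PermitRootLogin no" does not override the first.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 53474' 'PermitRootLogin yes' \
    'PermitRootLogin no' > "$sample"
check_sshd_config "$sample" || echo "do not restart sshd yet"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config after editing; `sshd -t` additionally catches syntax errors that this check does not look for.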

For the changes to take effect you have to restart the SSH service. If you’ve been doing all these things via SSH, add the exit command so that the current SSH session closes.

/etc/init.d/ssh restart && exit

Reconnect to the server as the newly created sudo user through the new port.

ssh username@servername -p 53474

Now whenever you want to execute commands as root, add the word “sudo” to the beginning of the command.

Adding firewall rules

A server becomes vulnerable to attack if it allows access to all open ports in the system, so configuring the firewall is crucial. Most new Debian installations have no firewall rules, but it is better to flush all rules anyway. Since you’re logged in as the sudo user, add the word sudo before each command.

sudo iptables -F

Now let’s add the rules:

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
sudo iptables -N MYRULES
sudo iptables -A INPUT -j MYRULES
sudo iptables -A MYRULES -m state --state NEW -p tcp --dport 53474 -j ACCEPT
sudo iptables -A MYRULES -m state --state NEW -p tcp --dport 80 -j ACCEPT
sudo iptables -A MYRULES -m state --state NEW -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -j DROP

You can probably replace “DROP” in the last line with “REJECT”, but I personally prefer “DROP” because when you reject packets the system sends the rejected packets back which might , but “DROP” just ignores the packets. The rules above also drop ICMP packets, which means you won’t get any reply if you ping the server. If you want the server to reply to incoming pings, execute the following command as well:

sudo iptables -A MYRULES -p icmp -m icmp --icmp-type 8 -j ACCEPT

Any more rules you want to add can be appended to the MYRULES chain. Time to save the rules and make sure they load when the server reboots:

sudo sh -c 'iptables-save > /etc/iptables.rules'
sudo vi /etc/network/if-pre-up.d/firewall

Add the following lines to this file

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules

Save the file and make it executable

sudo chmod +x /etc/network/if-pre-up.d/firewall

Conclusion

This is just the basic setup guide for a Debian server; expect to see more articles on setting up other flavors of Linux and advanced guides on setting up network services. Here is an interactive shell script coded by me which automates all the processes outlined above.

Download unmanaged Debian VPS/Dedicated server basic setup script

To use this script, upload it to your server, log in as the root user and run:

chmod +x /path/to/script/unmanaged-debian-server-basic-setup.sh
/path/to/script/unmanaged-debian-server-basic-setup.sh

I tested the script with the following Linux flavors

  • Debian 6 (Squeeze): This script works perfectly
  • Debian 5 (Lenny): Except setting up locales everything works
  • Ubuntu 11.04 (Natty Narwhal): Except locales everything works

This script was tested on a Rackspace cloud server and a virtual machine in VMware Player. It should work on all VPSes and dedicated servers. If you’re facing any problems, please write about it in the comment form or contact me.