Debian Server Installation

I have prepared a recipe to install a Debian server from scratch. It is the way I do it for my projects. This time I will use an old laptop as the hardware.

As always, I have prepared this because I always forget my own way of doing it. I know there are many tutorials out there, but my way gives a lightweight installation on reused/repurposed hardware, enables remote connection, and lets you check the basics like temperature and load.

What are we going to do?

  • Create a bootable USB with Debian from the ISO available at debian.org
  • Install the system with wifi support
  • Install an SSH server and harden the installation
  • Install a Firewall program and enable SSH, HTTP and HTTPS
  • Deactivate the option to sleep when closing the laptop’s lid
  • Install Zsh to replace the bash shell
  • Install powerlevel10k as theme for Zsh
  • Install lm_sensors and ACPI to monitor the temperature
  • Install fwupd to keep the firmware up to date

Create a bootable USB

To install the server we initially need a pendrive and an ISO image of Debian. The ISO image should be available at debian.org, and we will look for the one that includes the non-free packages, as we want support for the WiFi modules. You can choose the version you like, with or without a graphical environment, but I will choose the “debian-live-x.x.x-amd64-standard+nonfree.iso” as I will mainly use SSH. At the time of writing, the version available is “debian-live-10.8.0-amd64-standard+nonfree.iso” (important: check out the iso-hybrid, as we want to make it bootable).

Once downloaded, plug your USB stick into your machine and make sure it is not automatically mounted; if it is, just eject it.

Now check where your device is attached; for that you can use:

lsblk

To burn the image to the pendrive, use one of these commands (replace /dev/device with the device you identified with lsblk):

sudo dd bs=4M if=/path/to/debian.iso of=/dev/device status=progress;sync

or

sudo dd bs=4M if=/path/to/debian.iso of=/dev/device status=progress oflag=sync

Both are basically the same; the only difference is how the final synchronization is done.

Install the system with wifi support

At this point you are ready to boot the system from the USB stick and proceed with the installation. Make sure you boot the machine and select to boot from the USB stick. You will see a few installation options; in my case, as this will be a little server, I will use the text-based installation, not the graphical one. Select the language and the keyboard layout, then the name of this installation, the root password, add the first user, and then select the partitioning (I will select all files in the same partition). Select the mirror server to get the updates and wait.

Just before the installation asks you to remove the media, don’t do anything and go to another console using Ctrl+Alt+F# (in my case F2; F1 is where the installation is running). Hit Enter to get the prompt and execute the following:

apt-install network-manager

This is an installer command that asks for the network manager to be installed (don’t worry if a warning appears). You can check more details here: https://d-i.debian.org/doc/internals/ch02.html

Go back to the installation screen with Ctrl+Alt+F1, finish the installation process and boot your system. If all was done correctly, you should have a network connection and nmcli/nmtui installed for any tweaks.

Installing an SSH server

The SSH server we will use is OpenSSH. It comes as a standard package in Debian and can be installed with:

apt update
apt install openssh-server

Let’s do a basic config and hardening

I like to make the following changes to the file /etc/ssh/sshd_config; this will help to prevent default behaviour and increase security by disabling some functionality.

Change the default port to something different, like 2020 or 2200:

Port 2200

Disable protocol 1 and enable only connections with protocol 2:

Protocol 2

Never, never permit root login (in fact, disable it):

PermitRootLogin no

Some other options on how to handle connections:

StrictModes yes
MaxAuthTries 3
MaxSessions 6
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

The following are a bunch of best practices: features that should be allowed only for specific users with a Match rule, but disabled server-wide:

AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PrintMotd no
Compression delayed
AcceptEnv LANG LC_*

For your user, for example, if you want to include some specifics, use:

Match User <youruser>
      AllowTcpForwarding yes

This rule, for example, allows you to SSH into other servers from this server.

Now restart the SSH server; you will not lose your connection:

sudo service ssh restart

and check that it is all working with:

sudo service ssh status

You should see one of the lines saying “… Server listening on 0.0.0.0 port 2200.” Now you should be able to reconnect using the new port 2200, or the one you used.
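
To confirm that the file really carries the hardening listed in this section, the following added example (not part of the original recipe) compares the global directives of an sshd_config with those values. The names audit_sshd_config, sample_config and EXPECTED, the user alice and the sample file content are made up for the illustration.

```shell
#!/bin/sh
# Audit the global part of an sshd_config against the values used above.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after the first "Match" are conditional, so
# they are not counted. Assumes the usual "Keyword value" line form.
EXPECTED="port=2200 permitrootlogin=no strictmodes=yes maxauthtries=3"
EXPECTED="$EXPECTED maxsessions=6 ignorerhosts=yes permitemptypasswords=no"
EXPECTED="$EXPECTED challengeresponseauthentication=no usepam=yes"
EXPECTED="$EXPECTED allowagentforwarding=no allowtcpforwarding=no"
EXPECTED="$EXPECTED gatewayports=no x11forwarding=no"

# audit_sshd_config [FILE]: one line per deviation; returns 1 if any found.
audit_sshd_config() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                name[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        /^[ \t]*#/ || NF == 0 { next }       # comments and blank lines
        tolower($1) == "match" { exit }      # end of the global section
        !(tolower($1) in seen) { seen[tolower($1)] = tolower($2) }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = name[i]
                if (!(k in seen)) {
                    print "UNSET " k " (want " want[k] ")"; bad = 1
                } else if (seen[k] != want[k]) {
                    print "WRONG " k "=" seen[k] " (want " want[k] ")"; bad = 1
                }
            }
            exit bad
        }
    ' "${1:--}"
}

# Constructed sample: root login left on, MaxSessions missing, X11Forwarding
# given twice (the first value wins) and a per-user Match override.
sample_config() {
    printf '%s\n' 'Port 2200' 'PermitRootLogin yes' 'StrictModes yes' \
        'MaxAuthTries 3' 'IgnoreRhosts yes' 'PermitEmptyPasswords no' \
        'ChallengeResponseAuthentication no' 'UsePAM yes' \
        'AllowAgentForwarding no' 'allowtcpforwarding no' 'GatewayPorts no' \
        'X11Forwarding no' 'X11Forwarding yes' \
        'Match User alice' '    AllowTcpForwarding yes'
}
sample_config | audit_sshd_config || echo "sshd_config deviates from the list"
```

On the server itself, run it as audit_sshd_config /etc/ssh/sshd_config; sudo sshd -t checks the file for syntax errors before you restart the service.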

Install a Firewall program and enable SSH, HTTP and HTTPS

Debian comes with a utility program that allows the administrator to configure the IP packet filter rules; this is known as iptables. To manage that in a simple way we will use the ufw utility.

To install ufw use:

sudo apt install ufw

If you changed the port for sshd, allow the incoming connections using:

sudo ufw allow 2200/tcp

Use the port you defined as Port in the config file. If you are hosting some HTTP/HTTPS app, you will need to allow that traffic in ufw:

sudo ufw allow http
sudo ufw allow https

If you are hosting PostgreSQL and you want to restrict connections to the internal network only, use:

sudo ufw allow from 192.168.1.0/24 to any port 5432

To enable the firewall use:

sudo ufw enable

At this point you should not lose the connection if you have reconnected using the new port after installing the SSH server. (you can check more on this reference and here)

Deactivate the option to sleep when closing the laptop’s lid

For this small/test server I am using an old laptop, and I want to prevent it from going to sleep when I close the lid, so I can use it headless. To start, let’s configure the logind service; open the file /etc/systemd/logind.conf with:

sudo vi /etc/systemd/logind.conf

and change the entries for:

HandleLidSwitch=ignore
HandleLidSwitchDocked=ignore

Now, to make sure all is ignored, we need to mask the sleep targets; for that execute the following:

sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

and restart the service with:

sudo systemctl restart systemd-logind.service

You can check that the changes were made using:

sudo systemctl status sleep.target suspend.target hibernate.target hybrid-sleep.target

(you can check more on this reference)

Install Zsh to replace the bash shell

Replace the default bash shell with zsh:

sudo apt install zsh

And let’s make it nicer with Oh My Zsh. To install it you need to have cURL installed:

sudo apt install curl

Now, to install Oh My Zsh, execute:

sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

During this install you will be asked if you want to replace your current shell; respond yes and provide your admin credentials, or do it manually using sudo chsh -s $(which zsh) $(whoami)

Install powerlevel10k as theme for Zsh

To install this theme you will need to clone the git repo, so you need git installed:

sudo apt install git

Now, to clone the repo, use:

git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/themes/powerlevel10k

To activate the theme, edit the .zshrc file in your home directory and replace the value of ZSH_THEME with:

ZSH_THEME="powerlevel10k/powerlevel10k"

Log off and log in again to trigger the configuration, or run the config command p10k configure.

You will probably need to install the Meslo Nerd fonts on the client side to make sure you can see all the characters and icons; here is the link to the .ttf files. Download and install the fonts in your OS and make sure they are selected in the connection profile of your client program (putty/iterm/term).

Install lm_sensors and ACPI to monitor the temperature

Now let’s get some info from the machine, like the temperature, via sensors. To install lm_sensors run:

sudo apt install lm-sensors

Then, to configure it, run:

sudo sensors-detect

Follow the interactive script and test for all the sensors. On a new system there is no risk, as you can always reboot; in production you are not going to do that. When it finishes, include all the modules needed and reboot. Once done, you will be able to check the temperature of all elements and the fan speed with:

sensors

For the battery we will use acpi; to install it we will need:

sudo apt install acpi

Then you can check that it is reporting properly with:

acpi

or

acpi -V

ACPI also reports basic thermal information.

Install fwupd to keep the firmware up to date

Let’s prepare the system for any upcoming firmware upgrade. For that, install fwupd with:

sudo apt install fwupd

This utility depends on a service that we will need to start with:

sudo service fwupd start

Then we will need to refresh the database with:

sudo fwupdmgr refresh

Now, to check for updates, we need to execute:

sudo fwupdmgr update

Install htop to monitor the workload

To see an overview of the load, use htop. Install it via:

sudo apt install htop

Then execute it via:

htop

Now press F5 to customise and get the Tree view. You can do more customisation via F2, to include or remove any field.

Buy me a Coffee
Hope you find this useful. If you have any questions please visit my Twitter @bigg_blog, and if you have a couple of pounds, buy me a coffee.
G