Smart Debian Setup

I wrote this tutorial so that people can get an idea of how to install this wonderful OS. This isn't the easiest distribution to install, but one thing is for sure: once Debian is set up properly it's a killer OS that just refuses to crash 😉 Did I also mention that Debian is my favorite Linux distro? Let's get to the nitty-gritty then. A lot of GUI fans are going to be pissed off because Debian only supports a text-based install and doesn't have a graphical installer as of this writing.

Requirements

To install such a system you will need the following:

1 The Base System

Insert your Sarge Netinstall CD into your system and boot from it (enter linux26 at the boot prompt to install a 2.6 kernel). The installation starts, and first you have to choose your language.

Select your country.

Choose a keyboard layout.

Enter the host name.

Enter your domain name.

Now you have to partition your hard disk. For newbies, it makes more sense to erase the entire hard disk and make one large partition on it.

A little note on mount points:

When you make one big partition make sure that you select / as your mount point.

If you are an advanced user you might want to consider making separate partitions for /boot and /home.

Lay back as the base system installs itself.

2 The Next Phase

Install a boot loader. Personally, I prefer GRUB as my boot loader.

Remove the Sarge Netinstall CD from your system and reboot.

Configure your time zone.

Enter a root password.

Create a second user admin.

Choose your installation method. Since I want to do an installation over the network I select http or ftp.

Select a mirror for your installation.

Enter a proxy for the installation (if necessary). Normally you can leave this field empty.

Under Debian software selection I only choose Desktop Environment. I will install all other packages manually later on.

Be patient while the network installation completes.

3 Installing And Configuring The Rest Of The System

Configure The Network

Because the Debian Sarge installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

If you want to add the IP address 192.168.0.101 to the interface eth0 you should change the file to look like this:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

auto eth0:0
iface eth0:0 inet static
        address 192.168.0.101
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Edit /etc/resolv.conf and add some nameservers:

search server
nameserver 145.253.2.75
nameserver 193.174.32.18
nameserver 194.25.0.60

Edit /etc/hosts and add your new IP addresses:

127.0.0.1       localhost.localdomain   localhost       server1
192.168.0.100   server1.example.com     server1
192.168.0.101   virtual-ip1.example.com virtual-ip1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Setting The Hostname

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

Install/Remove Some Software

Now let’s install some software we need later on and remove some packages that we do not need:

apt-get install wget bzip2 rdate fetchmail libdb3++-dev unzip zip ncftp xlispstat libarchive-zip-perl zlib1g-dev libpopt-dev nmap openssl lynx fileutils
apt-get remove lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig

update-rc.d -f exim remove
update-inetd --remove daytime
update-inetd --remove telnet
update-inetd --remove time
update-inetd --remove finger
update-inetd --remove talk
update-inetd --remove ntalk
update-inetd --remove ftp
update-inetd --remove discard

/etc/init.d/inetd reload
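
To check that the inetd clean-up above actually took effect, the following added example (my own code, not from the tutorial) reads an inetd.conf and reports which of the services removed above are still enabled. The inetd.conf text is a constructed sample in the Sarge format, where update-inetd marks disabled entries with a leading "#<off>#"; the list of unwanted services is taken from the update-inetd commands above.

```sh
#!/bin/sh
# Constructed sample of a Sarge-style /etc/inetd.conf (not the page's own file).
# "#<off># ..." lines are entries already disabled by update-inetd,
# plain "#" lines are comments, everything else is an active service.
SAMPLE_INETD_CONF='# /etc/inetd.conf:  see inetd(8) for further informations.
#:INTERNAL: Internal services
#<off># discard  stream  tcp  nowait  root  internal
#<off># daytime  stream  tcp  nowait  root  internal
time     stream  tcp  nowait  root  internal
#:STANDARD: These are standard services.
telnet   stream  tcp  nowait  telnetd.telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
#:BSD: Shell, login, exec and talk are BSD protocols.
#<off># talk     dgram   udp  wait    nobody.tty  /usr/sbin/in.talkd  in.talkd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
ident    stream  tcp  wait    identd  /usr/sbin/identd  identd
'

# The services this tutorial removes with "update-inetd --remove".
UNWANTED="daytime telnet time finger talk ntalk ftp discard"

# active_inetd_services: read inetd.conf on stdin and print the service name
# of every enabled entry (non-comment line with at least the six inetd fields).
active_inetd_services() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 6 { print $1 }'
}

# leftover_inetd_services: read inetd.conf on stdin and print, space separated
# and in file order, the enabled services that are still on the UNWANTED list.
# An empty result means the clean-up is complete.
leftover_inetd_services() {
    out=""
    for svc in $(active_inetd_services); do
        for bad in $UNWANTED; do
            if [ "$svc" = "$bad" ]; then
                out="${out:+$out }$svc"
            fi
        done
    done
    printf '%s\n' "$out"
}

# Usage on a real system:  leftover_inetd_services < /etc/inetd.conf
# Every service printed is still reachable after "/etc/init.d/inetd reload".
```

Run it against the sample above and it reports time, telnet, ftp and finger as still enabled; ident is active too, but it is not on the tutorial's removal list, so it is not flagged.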

Quota

apt-get install quota quotatool

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partition with the mount point /):

# /etc/fstab: static file system information.
#
#
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    defaults,errors=remount-ro,usrquota,grpquota 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hdc        /media/cdrom0   iso9660 ro,user,noauto  0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

Then run:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
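
Editing /etc/fstab by hand is easy to get wrong (a stray character in the options column can leave the root filesystem unmountable at the next boot), so here is an added example, not from the tutorial, that makes the quota change from the previous step scriptable and idempotent. It appends usrquota,grpquota only to the entry for the mount point you name and leaves the entry alone when both options are already present. The fstab text is a constructed sample, with the root filesystem on /dev/sda1 as on the box in this tutorial.

```sh
#!/bin/sh
# Constructed sample /etc/fstab (not the page's own file).
SAMPLE_FSTAB='# /etc/fstab: static file system information.
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    defaults,errors=remount-ro 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hdc        /media/cdrom0   iso9660 ro,user,noauto  0       0'

# add_quota_opts MOUNTPOINT: read an fstab on stdin and print it with
# usrquota,grpquota appended to the options column (field 4) of the entry
# whose mount point (field 2) is MOUNTPOINT. Comments and other entries are
# passed through unchanged; an option already present is not added twice,
# so running the function a second time produces identical output.
add_quota_opts() {
    awk -v mp="$1" '
        $0 ~ /^[ \t]*#/ || NF < 4 { print; next }     # comments, blank lines
        $2 == mp {
            # wrap in commas so "usrquota" cannot match inside another word
            if ("," $4 "," !~ /,usrquota,/) $4 = $4 ",usrquota"
            if ("," $4 "," !~ /,grpquota,/) $4 = $4 ",grpquota"
        }
        { print }'
}

# fstab_opts MOUNTPOINT: read an fstab on stdin and print the options column
# of MOUNTPOINT's entry, so the result can be verified before remounting.
fstab_opts() {
    awk -v mp="$1" '$0 !~ /^[ \t]*#/ && NF >= 4 && $2 == mp { print $4 }'
}

# Usage on a real system (write to a scratch file and inspect the diff first):
#   add_quota_opts / < /etc/fstab > /tmp/fstab.new && diff /etc/fstab /tmp/fstab.new
#   fstab_opts / < /tmp/fstab.new     # expect ...,usrquota,grpquota
# then copy /tmp/fstab.new over /etc/fstab and continue with "mount -o remount /".
```

Note that awk rebuilds the modified line with single spaces between columns; fstab is whitespace-separated, so that is harmless, and every untouched line keeps its original alignment.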

DNS-Server

apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user 'bind', chrooted to /var/lib/named. Modify the line OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

OPTIONS="-u bind -t /var/lib/named"

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs: inside the chroot BIND cannot reach /dev/log, so syslogd has to open an additional log socket there. Modify the line SYSLOGD="" so that it reads SYSLOGD="-a /var/lib/named/dev/log":

#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0

# Options for start/restart the daemons
#   For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

create_xconsole() {
    if [ ! -e /dev/xconsole ]; then
        mknod -m 640 /dev/xconsole p
    else
        chmod 0640 /dev/xconsole
    fi
    chown root:adm /dev/xconsole
}

running() {
    # No pidfile, probably no daemon present
    #
    if [ ! -f $pidfile ]
    then
        return 1
    fi

    pid=`cat $pidfile`

    # No pid, probably no daemon present
    #
    if [ -z "$pid" ]
    then
        return 1
    fi

    if [ ! -d /proc/$pid ]
    then
        return 1
    fi

    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`

    # No syslogd?
    #
    if [ "$cmd" != "$binpath" ]
    then
        return 1
    fi

    return 0
}

case "$1" in
  start)
    echo -n "Starting system log daemon: syslogd"
    create_xconsole
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  stop)
    echo -n "Stopping system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  reload|force-reload)
    echo -n "Reloading system log daemon: syslogd"
    start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  restart)
    echo -n "Restarting system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    sleep 1
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  reload-or-restart)
    if running
    then
        echo -n "Reloading system log daemon: syslogd"
        start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    else
        echo -n "Restarting system log daemon: syslogd"
        start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    fi
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
    exit 1
esac

exit 0

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for any errors:

/etc/init.d/bind9 start

MySQL

apt-get install mysql-server mysql-client libmysqlclient12-dev

mysqladmin -u root password yourrootsqlpassword

When you run netstat -tap you should now see a line like this:

tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     2449/mysqld

which means that MySQL is accessible on 127.0.0.1 on port 3306. You can go to the next section (Postfix). If you do not see this line, edit /etc/mysql/my.cnf and comment out skip-networking:

# skip-networking

If you want MySQL to listen on all available IP addresses, edit /etc/mysql/my.cnf and comment out bind-address = 127.0.0.1:

#bind-address            = 127.0.0.1

If you had to edit /etc/mysql/my.cnf you have to restart MySQL:

/etc/init.d/mysql restart
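
Whether MySQL ends up reachable only on 127.0.0.1 or on every interface is the security-relevant outcome of the my.cnf edits above, and it is easy to misread in netstat output by eye. The following added example (my own code, not from the tutorial) parses "netstat -tap" output and classifies the mysqld listener as none, local or all. Both netstat captures are constructed samples in the same format as the line shown above; the helper also accepts the numeric form printed by "netstat -tapn".

```sh
#!/bin/sh
# Constructed "netstat -tap" output (not captured from the page's server):
# the listener bound to localhost only, as the tutorial expects by default.
NETSTAT_LOCAL='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     2449/mysqld
tcp        0      0 *:ssh                   *:*                     LISTEN     1802/sshd'

# Constructed output after bind-address has been commented out: mysqld now
# accepts connections on every address, including the 192.168.0.100 LAN side.
NETSTAT_ALL='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN     2449/mysqld
tcp        0      0 *:ssh                   *:*                     LISTEN     1802/sshd'

# mysql_listen_scope: read netstat -tap (or -tapn) output on stdin and print
#   none  - no listening mysqld socket at all (skip-networking still active)
#   local - mysqld listens on the loopback address only
#   all   - mysqld listens on every address (bind-address commented out)
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
mysql_listen_scope() {
    awk '
        $1 == "tcp" && $6 == "LISTEN" && $7 ~ /mysqld$/ {
            split($4, a, ":")          # "localhost.localdo:mysql" -> host, port
            addr = a[1]
            if (addr ~ /^localhost/ || addr ~ /^127\./)
                scope = "local"
            else
                scope = "all"
        }
        END { print (scope == "" ? "none" : scope) }'
}

# Usage on a real system:  netstat -tap | mysql_listen_scope
# "all" means the MySQL port is exposed to the network, so it should only be
# the result when you deliberately commented out bind-address above.
```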

Postfix/POP3/IMAP

In order to install Postfix with SMTP-AUTH and TLS as well as a POP3 server that also does POP3s (port 995) and an IMAP server that is also capable of IMAPs (port 993) do the following steps:

apt-get install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules ipopd-ssl uw-imapd-ssl (1 line!)

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/main.cf should now look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/init.d/postfix restart

Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd
rm -fr /var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the line PARAMS=”-m /var/spool/postfix/var/run/saslauthd”:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

PARAMS="-m /var/spool/postfix/var/run/saslauthd"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"

Finally we have to edit /etc/init.d/saslauthd. Change the line

dir=`dpkg-statoverride --list $PWDIR`

to

#dir=`dpkg-statoverride --list $PWDIR`

Then change the variables PWDIR and PIDFILE and add the variable dir at the beginning of the file:

PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"

/etc/init.d/saslauthd should now look like this:

#!/bin/sh -e

NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"

createdir() {
# $1 = user
# $2 = group
# $3 = permissions (octal)
# $4 = path to directory
        [ -d "$4" ] || mkdir -p "$4"
        chown -c -h "$1:$2" "$4"
        chmod -c "$3" "$4"
}

test -f "${DAEMON}" || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
    . "${DEFAULTS}"
fi

# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
    exit 0
fi

# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
    echo "You need to configure ${DEFAULTS} with mechanisms to be used"
    exit 0
fi

# Add our mechanisms with the necessary flag
PARAMS="${PARAMS} -a ${MECHANISMS}"

START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name ${NAME} -- ${PARAMS}"

# Consider our options
case "${1}" in
  start)
        echo -n "Starting ${DESC}: "
        #dir=`dpkg-statoverride --list $PWDIR`
        test -z "$dir" || createdir $dir
        if start-stop-daemon ${START} >/dev/null 2>&1 ; then
                echo "${NAME}."
        else
                if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                        echo "(failed)."
                        exit 1
                else
                        echo "${DAEMON} already running."
                        exit 0
                fi
        fi
        ;;
  stop)
        echo -n "Stopping ${DESC}: "
        if start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" \
                 --startas ${DAEMON} --retry 10 --name ${NAME} \
                 >/dev/null 2>&1 ; then
                        echo "${NAME}."
        else
                if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                        echo "(not running)."
                        exit 0
                else
                        echo "(failed)."
                        exit 1
                fi
        fi
        ;;
  restart|force-reload)
        $0 stop
        exec $0 start
        ;;
  *)
        echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

Now start saslauthd:

/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system’s shell.
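
The telnet check above is done by eye; the following added example (my own code, not from the tutorial) does the same two checks mechanically on a saved EHLO response, so it can go into a post-install test script. The response text is a constructed sample in the format Postfix returns, not a capture from the page's server.

```sh
#!/bin/sh
# Constructed EHLO response (not captured from the page's server), in the
# form Postfix returns it after "ehlo localhost" in the telnet session above.
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

# ehlo_has FEATURE: read an EHLO response on stdin and succeed (exit 0) when
# one of the 250 lines advertises FEATURE. The keyword is what follows
# "250-" on continuation lines and "250 " on the final line.
ehlo_has() {
    awk -v want="$1" '
        /^250[- ]/ {
            if ($1 == "250") kw = $2; else kw = substr($1, 5)
            if (kw == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# ehlo_summary: read an EHLO response on stdin and print
# "STARTTLS=yes|no AUTH=yes|no", the two lines the tutorial tells you to
# look for.
ehlo_summary() {
    resp=$(cat)
    tls=no; auth=no
    printf '%s\n' "$resp" | ehlo_has STARTTLS && tls=yes
    printf '%s\n' "$resp" | ehlo_has AUTH && auth=yes
    printf 'STARTTLS=%s AUTH=%s\n' "$tls" "$auth"
}

# Usage on a real system: paste the server's reply to "ehlo localhost" into
# a file and run  ehlo_summary < reply.txt  ; both fields must read "yes".
```

One caveat worth knowing when you read the result: with smtpd_tls_auth_only = no, as set above, Postfix advertises AUTH on the plaintext connection as well, so a client may send its password before STARTTLS. Setting smtpd_tls_auth_only = yes makes Postfix advertise AUTH only after the connection has been upgraded to TLS; in that configuration the summary above correctly reports AUTH=no for the unencrypted EHLO.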

Courier-IMAP/Courier-POP3

If you want to use a POP3/IMAP daemon that has Maildir support (if you do not want to use the traditional Unix mailbox format) you can install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995). Otherwise you can proceed with the Apache configuration.

apt-get install courier-imap courier-imap-ssl courier-pop courier-pop-ssl

ipopd and UW-IMAP will then be replaced.

Then configure Postfix to deliver emails to a user’s Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system, as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface.

Apache

Run

apt-get install apache2 apache2-doc
apt-get install libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick
(1 line!)

Edit /etc/apache2/apache2.conf. Change

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml

to

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

Edit /etc/mime.types and comment out the following lines:

#application/x-httpd-php                                phtml pht php
#application/x-httpd-php-source                 phps
#application/x-httpd-php3                       php3
#application/x-httpd-php3-preprocessed          php3p
#application/x-httpd-php4                       php4

Edit /etc/apache2/mods-enabled/php4.conf and comment out the following lines:

#  AddType application/x-httpd-php .php .phtml .php3
#  AddType application/x-httpd-php-source .phps

Edit /etc/apache2/ports.conf and add Listen 443:

Listen 80
Listen 443

Now we have to enable some Apache modules (SSL, rewrite and suexec):

cd /etc/apache2/mods-enabled
ln -s /etc/apache2/mods-available/ssl.conf ssl.conf
ln -s /etc/apache2/mods-available/ssl.load ssl.load
ln -s /etc/apache2/mods-available/rewrite.load rewrite.load
ln -s /etc/apache2/mods-available/suexec.load suexec.load
ln -s /etc/apache2/mods-available/include.load include.load

Restart Apache:

/etc/init.d/apache2 restart

Proftpd

apt-get install proftpd

For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.linux.co.uk/localsite/Userguide/linked/userguide.html):

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."

and restart Proftpd:

/etc/init.d/proftpd restart

Webalizer

apt-get install webalizer

Synchronize the System Clock

If you want to have the system clock synchronized with an NTP server you can add the following lines to /var/spool/cron/crontabs/root (if the file does not exist, create it by running touch /var/spool/cron/crontabs/root):

# update time with ntp server
0 3,9,15,21 * * * /usr/sbin/rdate 128.2.136.71 | logger -t NTP

Then run

chmod 600 /var/spool/cron/crontabs/root
/etc/init.d/cron restart

Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)

Installation using the Perl Shell

Login to your command line as root and run the following command to start the Perl shell:

perl -MCPAN -e shell

If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok.

Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.

The big advantage of the Perl shell compared to the two other methods described here is that it cares about dependencies when installing new modules. I.e., if it turns out that a prerequisite Perl module is missing when you install another module the Perl shell asks you if it should install the prerequisite module for you. You should answer that question with “Yes”.

Run the following commands to install the modules needed by SpamAssassin:

install HTML::Parser
install DB_File
install Net::DNS
(when prompted to enable tests, choose no)
q
(to leave the Perl shell)

If a module is already installed on your system you will get a message similar to this one:

HTML::Parser is up to date.

Successful installation of a module looks like this:

/usr/bin/make install -- OK

Compile a Custom Kernel

If you need to compile a new kernel for some reason (e.g. because you want to use the latest bleeding-edge kernel or need a feature that the standard Debian kernel does not offer), you can find more information here: Debian-Kernel-Compile-Howto.

The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.

A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Debian’s suExec is compiled with /var/www as Doc_Root. Run /usr/lib/apache2/suexec2 -V, and the output should look like this:

To select /var/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.

Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /var/www as the home directory for websites.


About synapse
Programming, motorcycles and photography. Want to do more, but only have time for so much!

3 Responses to Smart Debian Setup

  1. Dee Aah Quimby says:

    If you want to have the system clock synchronized with an NTP server you can add the following lines to /var/spool/cron/crontabs/root

    I might be missing something, but isn’t ‘/var/spool/cron/crontabs’ for crontabs managed by the crontab command? Mine says:

    # DO NOT EDIT THIS FILE - edit the master and reinstall

    Which, I don’t believe is even meant for end-user consumption. i.e., “edit the master” is something that the “crontab” command or some other tool is supposed to do. I believe the crontab command also does “safe” file creation and some other security related things.

