October 7, 2021 Linux
Initial Linux Server Setup with Debian 10 or higher
Introduction
When we first create a new server running Debian 10 or higher, a few configuration steps will increase its security and usability and give us a solid foundation for subsequent actions.
In this tutorial, we will show how to create a new user with admin privileges, set up a basic firewall, and install a web server.
Creating a new user with admin privileges
When first logged in to the server as the root user, we should create an alternative user account with a reduced scope of influence for day-to-day work. Because the root user is the administrative user in a Linux environment and has very broad privileges, you are discouraged from using it on a regular basis.
This example creates a new user called "lab", but you should replace it with a username that you like:
apt update
apt install -y sudo
adduser lab
usermod -aG sudo lab    # grant administrative privileges on Debian
# usermod -aG wheel lab # on CentOS the administrative group is "wheel" instead
su -l lab               # switch to the new user and its home directory
Installing useful and usual packages
Generally, a new server OS is a minimal installation that lacks some very useful and common packages. We should add them.
This example runs the commands as user "lab", who types "sudo" before commands to get superuser privileges.
# upgrade OS
sudo apt update
sudo apt upgrade
# install tools
sudo apt install -y wget curl nano git lrzsz sudo locate zip screen
# may be needed later
sudo apt install -y ufw nginx php-fpm mariadb-server
Setting Up a Basic Firewall
UFW is a popular, lightweight front end to the iptables firewall. We will install and use UFW to set firewall policies and manage exceptions.
# install ufw
sudo apt update
sudo apt install ufw
# allow the usual ports while the firewall is off, so the current SSH session is not locked out
sudo ufw disable
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
# start ufw
sudo ufw enable
# monitor status
sudo ufw status
Logging in with ssh-keys for security
To enhance your server’s security, we strongly recommend setting up SSH keys instead of using password authentication.
When creating a new server, there are options to select the login method, such as password or SSH keys. SSH keys are the best choice for server security.
The new user account also needs SSH key authentication. Copy root's .ssh directory to the new user and fix its ownership:
# use the explicit /root path: under sudo, ~ would still expand to the calling user's home
sudo cp -r /root/.ssh /home/lab
sudo chown -R lab:lab /home/lab/.ssh
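To check the result of the key copy above, this added example (not part of the original tutorial) reads an sshd_config to see whether password authentication is still enabled and verifies ownership and permissions of the copied .ssh directory. The function names and the sample config are constructed for illustration; it assumes GNU stat as shipped with Debian.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are
# hypothetical; "lab" is the tutorial's user. Assumes GNU stat (Debian).

# Print the value sshd would use for KEYWORD in the global section of an
# sshd_config read from stdin. sshd keeps the FIRST occurrence of a keyword,
# keywords are case-insensitive, and a commented-out line leaves the built-in
# DEFAULT in force. Include files and Match blocks are not followed.
sshd_setting() {   # usage: sshd_setting KEYWORD DEFAULT < sshd_config
    awk -v key="$1" -v def="$2" '
        $1 ~ /^#/ { next }                    # comment line
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    '
}

# Return 0 if DIR (a .ssh directory) and its authorized_keys are owned by
# numeric UID and not writable by group or others. With StrictModes (the
# default) sshd ignores the keys otherwise. sshd also accepts root as owner;
# this check is stricter.
ssh_dir_ok() {     # usage: ssh_dir_ok DIR UID
    [ -d "$1" ] && [ -f "$1/authorized_keys" ] || return 1
    for p in "$1" "$1/authorized_keys"; do
        [ "$(stat -c %u "$p")" = "$2" ] || return 1
        mode=$(stat -c %a "$p")               # octal, e.g. 700
        [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    done
}

# Constructed sample config: the first active PasswordAuthentication line
# wins, and PermitRootLogin appears only as a comment.
sample_config() {
    cat <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo on the constructed sample; pass --live to audit this host instead.
if [ "${1:-}" = "--live" ]; then
    sshd_setting PasswordAuthentication yes < /etc/ssh/sshd_config
    ssh_dir_ok /home/lab/.ssh "$(id -u lab)" && echo "lab .ssh ok"
else
    sample_config | sshd_setting PasswordAuthentication yes
fi
```

On a live server, `sudo sshd -T` prints the effective configuration as sshd itself computes it and is the authoritative check.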
Installing Google TCP BBR for lightning speed
BBR means Congestion-Based Congestion Control, a TCP congestion control mechanism, interpreting packet loss as “congestion”. In short, the benefits of Google BBR are higher throughput and lower latency.
To install BBR, the Linux kernel must be version 4.9 or newer. The kernel shipped with Debian 10 or higher meets this requirement.
# install bbr
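# append with sudo tee: a plain ">>" redirect runs as the unprivileged user and fails
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p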
# verify bbr
lsmod | grep bbr
Installing packages from backports
Debian favors stability. That is great, but there is one problem: the software is a little outdated compared to other distributions. This is where backports come in.
Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. You can easily upgrade your stable+backports system once the next Debian release comes out.
Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!
# add source list (buster is the Debian 10 codename)
echo "deb http://deb.debian.org/debian buster-backports main" | sudo tee /etc/apt/sources.list.d/buster-backports2.list
sudo apt update
# install packages
sudo apt -t buster-backports install 'package name'
That's all.