Basic configurations after installing a Debian server

Table of Contents

Introduction

In this article I will try to show you what basic configurations I do after installing a Debian server.

Repository

In the first place I configure the official Debian repository, insert these lines to your sources.list file:

vi /etc/apt/sources.list

deb http://deb.debian.org/debian/ bullseye main
deb http://security.debian.org/debian-security bullseye-security main
deb http://deb.debian.org/debian/ bullseye-updates main

Then resynchronize the package index files from their sources:

apt-get update

After that, upgrade all packages to their newest versions:

apt-get upgrade -y && apt-get dist-upgrade -y

Firewall

One of the most important thing to do first is to configure the firewall. Without it you left your server exposed to all kind of threats.

On Debian I used iptables and iptables-persistent for a long time, but I recently switched to UFW (Uncomplicated FireWall).

Before installing UFW, make sure your server is up-to-date:

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Then install UFW:

apt-get install ufw -y

First thing to do is to allow SSH from your IP address:

ufw allow from XX.XX.XX.XX proto tcp to any port 22 comment "SSH from my IP address"

If you do not have a static IP address you can allow everyone on port 22:

ufw allow ssh

To reduce your exposure to brute force attacks I will show you how to configure fail2ban later.

Next we enable logging:

ufw logging on

Finally we can enable the firewall:

ufw enable

You will have to confirm by typing “y“:

Output of ufw enable

For those of you who do not have a static IP address and have to let everyone allowed on port 22 you can install fail2ban to minimize the risk of brute force attacks:

apt-get install fail2ban -y

The configuration is pretty simple:

vi /etc/fail2ban/jail.local

[DEFAULT]

# "bantime" is the number of seconds that a host is banned.
bantime  = 1d

# A host is banned if it has generated "maxretry" during the last "findtime"
findtime  = 1h

# "maxretry" is the number of failures before a host get banned.
maxretry = 2

After that, we configure the jail:

vi /etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
banaction = ufw

Finally, we restart fail2ban to apply the configuration:

systemctl restart fail2ban

To check the status of your jail:

fail2ban-client status sshd

Output of fail2ban-client status sshd — Output of `fail2ban-client status sshd`

Timezone

At first you can check your current timezone with the timedatectl utility:

timedatectl

The output will look like this:

               Local time: Sat 2022-02-19 14:32:05 CET
           Universal time: Sat 2022-02-19 13:32:05 UTC
                 RTC time: Sat 2022-02-19 13:32:06
                Time zone: Europe/Paris (CET, +0100)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Here we can see that my timezone is Europe/Paris CET and that the system clock is synchronized.

If your current timezone is incorrect you can change it with timedatectl:

timedatectl set-timezone Europe/Paris

You can list all available timezone with:

timedatectl list-timezones

Hostname

Hostnames are important because they identify devices on a network. The terminal prompt also shows it which reminds you which system you are working on.

The best way to change your hostname is to use the systemd command hostnamectl.

With this commande you do not have to restart your server to apply changes.

hostnamectl set-hostname systechtls.com

Logout then login and type:

hostname

Public key

One other thing to increase security and avoid typing passwords is to add your public key to login to your server.

Add your public key to the root user:

mkdir /root/.ssh
cat <<EOF > /root/.ssh/authorized_keys
ssh-ed25519 AAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0 user@hostname
EOF
chown root: /root/.ssh/authorized_keys
chmod 644 /root/.ssh/authorized_keys

Make sure that only root can write to the authorized_keys file.

Custom Bash shell

Here is a few customization I have for the Bash shell:

cat <<EOF > /etc/profile.d/custom_bash.sh
export HISTTIMEFORMAT='%F %T '
export HISTSIZE=10000
export HISTFILESIZE=50000
PROMPT_COMMAND='history -a'
EOF

Explanations:

HISTTIMEFORMAT: prints the timestamps of history entries
HISTSIZE: number of lines stored in memory
HISTFILESIZE: number of lines allowed in the history file
PROMPT_COMMAND: contents of this variable are executed as a regular Bash command just before Bash displays a prompt
history -a: append to the history file immediately

Here is what it looks like:

history

Output of history

Logrotate

logrotate is a useful tool that automatically rotate, compress and removes logs.

/etc/logrotate.conf is the main configuration file, I like to tweak it a little bit.

This file also includes a directory (/etc/logrotate.d) where packages can drop log rotation information.

vi /etc/logrotate.conf

[...]
#rotate log files weekly
weekly

#keep 52 weeks worth of backlogs
rotate 52

#create new (empty) log files after rotating old ones
create

#use date as a suffix of the rotated file
dateext

#uncomment this if you want your log files compressed
compress
compresscmd /bin/bzip2
uncompresscmd /bin/bunzip2
compressoptions -9
compressext .bz2
[...]

Likewise, I make some changes to other packages configuration, like nginx or UFW.

vi /etc/logrotate.d/nginx

/var/log/nginx/*.log {
	weekly
	missingok
	rotate 52
	compress
	notifempty
	create 0640 www-data adm
	sharedscripts
	prerotate
		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
			run-parts /etc/logrotate.d/httpd-prerotate; \
		fi \
	endscript
	postrotate
		invoke-rc.d nginx rotate >/dev/null 2>&1
	endscript
}

vi /etc/logrotate.d/ufw

/var/log/ufw.log
{
	rotate 52
	weekly
	missingok
	notifempty
	compress
	sharedscripts
	postrotate
		invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
	endscript
}

Conclusion

In summary, in this article I showed you what basic configurations I like to do on a fresh Debian server installation.