tutes-dump/site-tutorials/VPS_Debian.html

<style type="text/css">
pre {
  margin-left: 2em;
}
</style>

<!--
Debian-swirl logo used by permission as follows:

The logo with "Debian" is released under the following license, due to ongoing concerns about trademarks. 

Copyright (c) 1999 Software in the Public Interest 
This logo or a modified version may be used by anyone to refer to the Debian project, but does not indicate endorsement by the project. 

http://www.debian.org/logos/
-->

<div style="float:right;margin-right:1em;">
<img src="http://sdf.org/tutorials/images/Debian.png"/>
</div>

<h1>Debian on SDF VPS</h1>

<h2>Contents</h2>
<ul>
  <li><a href="#basics">Basics</a></li>
  <li><a href="#timezone">Timezone</a></li>
  <li><a href="#networking">Networking</a></li>
  <li><a href="#ssh">Setting up SSH</a></li>
  <li><a href="#pkg-mgt">Package Management</a></li>
  <li><a href="#firewall">Firewall Setup</a></li>
  <li><a href="#upgrading">Software and Distribution Updating</a></li>
  <li><a href="#memreduce">Reducing Memory Usage</a></li>
</ul>

<h2 id="basics">Basics</h2>

<p>The root user on a fresh Debian VPS has the default password "rootroot".</p>

<p>After logging in to your VPS for the first time, please change this password
to something more secure.  Type <code>passwd</code> at the prompt and follow
the instructions.  Don't forget this password as there is currently no way to
recover it.</p>

<p>It is a good habit to create a regular user account for
working, using <code>su</code> to obtain root privileges as needed.
To create a regular user account:</p>

<pre>useradd -m &lt;username&gt;
</pre>

<p>This user will be able to perform administrative tasks by runing
<code>su</code> to obtain superuser privileges using the root
password.</p>

<h2 id="timezone">Set Your Timezone</h2>

<pre>dpkg-reconfigure tzdata</pre>

<h2 id="networking">Networking</h2>

<p>In your control panel at vps.sdf.org, note YOUR_IP
(e.g. 205.166.94.255) on the top line, and YOUR_HOSTNAME
(e.g. debian99).</p>

<p>Start your server, and log in via the console. (default= root:rootroot)</p>

<p>Open /etc/network/interfaces in an editor and add the following, replacing the text YOUR_IP with your own actual IP number, add:</p>

<pre>auto eth0
iface eth0 inet static
address YOUR_IP
netmask 255.255.255.0
network 205.166.94.0
broadcast 205.166.94.255
gateway 205.166.94.1
dns-nameservers 205.166.94.20
</pre>

<p><i>Note: For VPS installations of Debian 8.4 (jesse) on VPS3, please omit the above dns-nameservers line from the interfaces file, and 
instead add this line to </i><b>/etc/resolv.conf</b>:</p>

<pre>nameserver 205.166.94.20</pre>

<p>Add this to /etc/hosts:</p>

<pre>YOUR_IP 	YOUR_HOSTNAME.sdf.org 	YOUR_HOSTNAME
</pre>

<p>Change /etc/hostname to:</p>

<pre>YOUR_HOSTNAME
</pre>

<p>Run/Type:</p>

<pre>/etc/init.d/networking restart
</pre>

<h2 id="ssh">Setting up SSH</h2>
<p>You may wish to add ssh access to your VPS.  It is
<b><i>highly</i></b> recommended that you disable root
login via ssh and use a normal user account to login.</p>

<h3>Install SSH</h3>
<p>Run/Type:</p>
<pre>apt-get install openssh-server</pre>

<h3>Disable root Login</h3>
<p>Edit <i>/etc/ssh/sshd_config</i> and change the line:</p>
<pre>PermitRootLogin yes</pre>
<p>To:</p>
<pre>PermitRootLogin no</pre>

<p>Now restart sshd by running/typing:</p>
<pre>/etc/init.d/ssh restart</pre>

<p>You can now test ssh by running
<code>ssh user@localhost</code>.

<h2 id="pkg-mgt">Package Management</h2>

<p>Refer to the following article to see how to clean up (remove packages) from your VPS:</p>
<ul><li><a href="http://www.debian-administration.org/articles/462">Cleaning up a Debian GNU/Linux system</a></li></ul>

<h2 id="firewall">Firewall Setup</h2>

<p>Disable IPv6:</p>
<pre># echo "blacklist ipv6" &gt;&gt; /etc/modprobe.d/blacklist</pre>

<p>Edit rules:</p>
<pre># vi /etc/firewall

*filter

-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

-A OUTPUT -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
</pre>

<p>Load rules (now):</p>
<pre># iptables -F
# iptables-restore &lt; /etc/firewall
</pre>

<p>Load rules (boot):</p>
<pre># vi /etc/network/if-pre-up.d/firewall

#!/bin/sh
/sbin/iptables-restore &lt; /etc/firewall

# chmod 755 /etc/network/if-pre-up.d/firewall
</pre>
<h2 id="upgrading">Software and Distribution Updating</h2>
<p>To update your system, run the following commands:
<li> apt-get update
<li> apt-get dist-upgrade -y
<p>

<h2 id="memreduce">Reducing Memory Usage</h2>
<p>If you are using a 128MB slice, it's a good idea to reduce the memory usage of some processes or even disable them.</p>

<h3>cron and at</h3>
You might not need one or both of those, so you can deactivate them with
<pre>
# update-rc.d -f atd remove
# update-rc.d -f cron remove
</pre>

This frees up ca. 7MB (if both are deactivated).

<h3>getty / virtual terminals</h3>
This being a virtual system, you won't need getty on tty1-6. In order to eliminate them, edit /etc/inittab and modify the corresponding lines like this:
<pre>
co:2345:respawn:/sbin/getty hvc0 9600 linux

#1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
</pre>
You need to keep the line with hvc0 so you can attach a serial console from vps.sdf.org to your vps.

This frees up ca. 10MB.

<h3>rsyslogd</h3>
rsyslogd eats a lot of memory by default (26MB on my vps) which can be reduced by the usage of ulimit. Edit /etc/init.d/rsyslog and include the following line just before the command where rsyslogd will be started:
<pre>
ulimit -s 256
</pre>

Example:
<pre>
case "$1" in
  start)
        ulimit -s 256
        log_daemon_msg "Starting $DESC" "$RSYSLOGD"
        create_xconsole
        do_start
        case "$?" in
                0) sendsigs_omit
                   log_end_msg 0 ;;
                1) log_progress_msg "already started"
                   log_end_msg 0 ;;
                *) log_end_msg 1 ;;
        esac

        ;;
</pre>
This frees up about 23MB.

<h3>portmap</h3>
I don't need portmap, so i removed it completely:
<pre>
apt-get remove --purge portmap
</pre>

<h3>openssh vs. dropbear</h3>
If you dont need all the extra features openssh has compared to dropbear, you can reduce memory consumption from 23MB to 5MB while being connected with 1 non-root user to the system by replacing openssh with dropbear.
<pre>
apt-get install dropbear
</pre>
Edit /etc/defaults/dropbear and set NO_START to 0 and add the extra args "-w -s -g" to disallow root and password logins (You'll be only able to login with a non root user and ssh keys):
<pre>
# disabled because OpenSSH is installed
# change to NO_START=0 to enable Dropbear
NO_START=0

# the TCP port that Dropbear listens on
DROPBEAR_PORT=22

# any additional arguments for Dropbear
DROPBEAR_EXTRA_ARGS="-w -s -g"

# specify an optional banner file containing a message to be
# sent to clients before they connect, such as "/etc/issue.net"
DROPBEAR_BANNER=""

# RSA hostkey file (default: /etc/dropbear/dropbear_rsa_host_key)
#DROPBEAR_RSAKEY="/etc/dropbear/dropbear_rsa_host_key"

# DSS hostkey file (default: /etc/dropbear/dropbear_dss_host_key)
#DROPBEAR_DSSKEY="/etc/dropbear/dropbear_dss_host_key"

# Receive window size - this is a tradeoff between memory and
# network performance
DROPBEAR_RECEIVE_WINDOW=65536

</pre>

Afterwards, you can deactivate openssh with
<pre>
update-rc.d ssh remove
</pre>
or uninstall it:
<pre>
apt-get remove openssh-server
</pre>

<hr />
$Id: VPS_Debian.html,v 1.19 2018/02/22 02:06:34 slugmax Exp $