User Tools

Site Tools

Trace:
vps_-_debian

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
vps_-_debian [2021/04/02 09:09] – [Firewall Setup] hc9vps_-_debian [2021/04/02 18:51] (current) – [Networking] hc9
Line 1: Line 1:
 +{{:vps_-_debian:debian.png?nolink&100|}}
 +
 +====== Debian on SDF VPS ======
 +
 +===== Basics =====
 +
 +The root user on a fresh Debian VPS has the default password "rootroot".
 +
 +After logging in to your VPS for the first time, please change this password to something more secure. Type ''passwd'' at the prompt and follow the instructions. Don't forget this password as there is currently no way to recover it.
 +
 +It is a good habit to create a regular user account for working, using ''su'' to obtain root privileges as needed. To create a regular user account:
 +
 +  useradd -m <username>
 +
 +This user will be able to perform administrative tasks by runing ''su'' to obtain superuser privileges using the root password.
 +
 +===== Set Your Timezone =====
 +
 +  dpkg-reconfigure tzdata
 +
 +===== Networking =====
 +
 +In your control panel at vps.sdf.org, note YOUR_IP (e.g. 205.166.94.255) on the top line, and YOUR_HOSTNAME (e.g. debian99).
 +
 +Start your server, and log in via the console. (default= root:rootroot)
 +
 +Open /etc/network/interfaces in an editor and add the following, replacing the text YOUR_IP with your own actual IP number, add:
 +
 +<file config /etc/network/interfaces>
 +  auto eth0
 +  iface eth0 inet static
 +  address YOUR_IP
 +  netmask 255.255.255.0
 +  network 205.166.94.0
 +  broadcast 205.166.94.255
 +  gateway 205.166.94.1
 +  dns-nameservers 205.166.94.20
 +</file>
 +
 +//Note: For VPS installations of Debian 8.4 (jesse) on VPS3, please omit the above dns-nameservers line from the interfaces file, and instead add this line to //**/etc/resolv.conf**:
 +
 +<file config /etc/resolv.conf>
 +nameserver 205.166.94.20
 +</file>
 +
 +Add this to /etc/hosts:
 +
 +<file config /etc/hosts>
 +YOUR_IP YOUR_HOSTNAME.sdf.org YOUR_HOSTNAME
 +</file>
 +
 +Change /etc/hostname to:
 +
 +<file config /etc/hostname>
 +YOUR_HOSTNAME
 +</file>
 +
 +Run/Type:
 +
 +  /etc/init.d/networking restart
 +
 +===== Setting up SSH =====
 +
 +You may wish to add ssh access to your VPS. It is **//highly//** recommended that you disable root login via ssh and use a normal user account to login.
 +
 +==== Install SSH ====
 +
 +Run/Type:
 +
 +  apt-get install openssh-server
 +
 +==== Disable root Login ====
 +
 +Edit ///etc/ssh/sshd_config// and change the line:
 +
 +<file config /etc/ssh/sshd_config>
 +PermitRootLogin yes
 +</file>
 +
 +To:
 +
 +<file config /etc/ssh/sshd_config>
 +PermitRootLogin no
 +</file>
 +
 +Now restart sshd by running/typing:
 +
 +  /etc/init.d/ssh restart
 +
 +You can now test ssh by running ''ssh user@localhost''.
 +
 +===== Package Management =====
 +
 +Refer to the following article to see how to clean up (remove packages) from your VPS:
 +
 +  * [[http://www.debian-administration.org/articles/462|Cleaning up a Debian GNU/Linux system]]
 +
 +===== Firewall Setup =====
 +
 +Disable IPv6:
 +
 +  # echo "blacklist ipv6" >> /etc/modprobe.d/blacklist
 +
 +Edit rules:
 +
 +  # vi /etc/firewall
 +
 +<file config /etc/firewall>
 +  *filter
 +
 +  -A INPUT -i lo -j ACCEPT
 +  -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 +
 +  -A OUTPUT -j ACCEPT
 +  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
 +  -A INPUT -p tcp --dport 80 -j ACCEPT
 +  -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 +
 +  -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 +
 +  -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 +
 +  -A INPUT -j REJECT
 +  -A FORWARD -j REJECT
 +
 +  COMMIT
 +</file>
 +
 +Load rules (now):
 +
 +<file config now>
 +# iptables -F
 +# iptables-restore < /etc/firewall
 +</file>
 +
 +Load rules (boot):
 +
 +<file config boot>
 +# vi /etc/network/if-pre-up.d/firewall
 +
 +#!/bin/sh
 +/sbin/iptables-restore < /etc/firewall
 +
 +# chmod 755 /etc/network/if-pre-up.d/firewall
 +</file>
 +
 +
 +===== Software and Distribution Updating =====
 +
 +To update your system, run the following commands:
 +
 +  * apt-get update <code> apt-get update
 +</code>
 +  * apt-get dist-upgrade -y <code> apt-get dist-upgrade -y
 +</code>
 +
 +===== Reducing Memory Usage =====
 +
 +If you are using a 128MB slice, it's a good idea to reduce the memory usage of some processes or even disable them.
 +
 +==== cron and at ====
 +
 +You might not need one or both of those, so you can deactivate them with
 +
 +<file config cron and at>
 +  # update-rc.d -f atd remove
 +  # update-rc.d -f cron remove
 +</file>
 +
 +This frees up ca. 7MB (if both are deactivated).
 +
 +==== getty / virtual terminals ====
 +
 +This being a virtual system, you won't need getty on tty1-6. In order to eliminate them, edit /etc/inittab and modify the corresponding lines like this:
 +
 +<file config /etc/inittab>
 +  co:2345:respawn:/sbin/getty hvc0 9600 linux
 +
 +  #1:2345:respawn:/sbin/getty 38400 tty1
 +  #2:23:respawn:/sbin/getty 38400 tty2
 +  #3:23:respawn:/sbin/getty 38400 tty3
 +  #4:23:respawn:/sbin/getty 38400 tty4
 +  #5:23:respawn:/sbin/getty 38400 tty5
 +  #6:23:respawn:/sbin/getty 38400 tty6
 +</file>
 +
 +You need to keep the line with hvc0 so you can attach a serial console from vps.sdf.org to your vps. This frees up ca. 10MB.
 +
 +==== rsyslogd ====
 +
 +rsyslogd eats a lot of memory by default (26MB on my vps) which can be reduced by the usage of ulimit. Edit /etc/init.d/rsyslog and include the following line just before the command where rsyslogd will be started:
 +
 +<file config /etc/init.d/rsyslog>
 +ulimit -s 256
 +</file>
 +
 +Example:
 +
 +<file config /etc/init.d/rsyslog>
 +    case "$1" in
 +      start)
 +            ulimit -s 256
 +            log_daemon_msg "Starting $DESC" "$RSYSLOGD"
 +            create_xconsole
 +            do_start
 +            case "$?" in
 +                    0) sendsigs_omit
 +                       log_end_msg 0 ;;
 +                    1) log_progress_msg "already started"
 +                       log_end_msg 0 ;;
 +                    *) log_end_msg 1 ;;
 +            esac
 +            ;;
 +</file>
 +
 +This frees up about 23MB.
 +
 +==== portmap ====
 +
 +I don't need portmap, so i removed it completely:
 +
 +  apt-get remove --purge portmap
 +  
 +==== openssh vs. dropbear ====
 +
 +If you dont need all the extra features openssh has compared to dropbear, you can reduce memory consumption from 23MB to 5MB while being connected with 1 non-root user to the system by replacing openssh with dropbear.
 +
 +  apt-get install dropbear
 +  
 +Edit /etc/defaults/dropbear and set NO_START to 0 and add the extra args "-w -s -g" to disallow root and password logins (You'll be only able to login with a non root user and ssh keys):
 +
 +<code>
 +    # disabled because OpenSSH is installed
 +    # change to NO_START=0 to enable Dropbear
 +    NO_START=0
 +
 +    # the TCP port that Dropbear listens on
 +    DROPBEAR_PORT=22
 +
 +    # any additional arguments for Dropbear
 +    DROPBEAR_EXTRA_ARGS="-w -s -g"
 +
 +    # specify an optional banner file containing a message to be
 +    # sent to clients before they connect, such as "/etc/issue.net"
 +    DROPBEAR_BANNER=""
 +
 +    # RSA hostkey file (default: /etc/dropbear/dropbear_rsa_host_key)
 +    #DROPBEAR_RSAKEY="/etc/dropbear/dropbear_rsa_host_key"
 +
 +    # DSS hostkey file (default: /etc/dropbear/dropbear_dss_host_key)
 +    #DROPBEAR_DSSKEY="/etc/dropbear/dropbear_dss_host_key"
 +
 +    # Receive window size - this is a tradeoff between memory and
 +    # network performance
 +    DROPBEAR_RECEIVE_WINDOW=65536
 +</code>
 +
 +Afterwards, you can deactivate openssh with
 +
 +  update-rc.d ssh remove
 +
 +or uninstall it:
 +
 +  apt-get remove openssh-server
 +
 +----
 +$Id: VPS_Debian.html,v 1.19 2018/02/22 02:06:34 slugmax Exp $ [[http://sdf.org/?tutorials/VPS_Debian|Debian on SDF VPS]] - traditional link (using [[wp>Revision_Control_System|RCS]])
 +