Francois Marier: Usual Debian Server Setup
I manage a few servers for myself, friends and
family
as well as for the Libravatar project. Here is
how I customize recent releases of Debian on those servers.
Hardware tests
Hardware tests
apt-get install memtest86+ smartmontools e2fsprogs
Prior to spending any time configuring a new physical server, I like to
ensure that the hardware is fine.
To check memory, I boot into memtest86+ from the grub menu and let it run
overnight.
Then I check the hard drives using:
smartctl -t long /dev/sdX
badblocks -swo badblocks.out /dev/sdX
Configuration
apt-get install etckeepr git sudo vim
To keep track of the configuration changes I make in /etc/
, I use etckeeper
to keep that directory in a git repository and make the following changes to
the default /etc/etckeeper/etckeeper.conf
:
- turn off daily auto-commits
- turn off auto-commits before package installs
To get more control over the various packages I install, I change the
default debconf level to medium:
dpkg-reconfigure debconf
Since I use vim for all of my configuration file editing, I make it the
default editor:
update-alternatives --config editor
ssh
apt-get install openssh-server mosh fail2ban
Since most of my servers are set to UTC time, I like to use my local
timezone
when sshing into them. Looking at file timestamps is much less
confusing that way.
I also ensure that the locale I use is available on the server by adding it
the list of generated locales:
dpkg-reconfigure locales
Other than that, I harden the ssh configuration
and end up with the following settings in /etc/ssh/sshd_config
(jessie):
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
UsePrivilegeSeparation sandbox
AuthenticationMethods publickey
PasswordAuthentication no
PermitRootLogin no
AcceptEnv LANG LC_* TZ
LogLevel VERBOSE
AllowGroups sshuser
or the following for wheezy servers:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
On those servers where I need duplicity/paramiko to
work, I also add the following:
KexAlgorithms ...,diffie-hellman-group-exchange-sha1
MACs ...,hmac-sha1
Then I remove the "Accepted" filter in /etc/logcheck/ignore.d.server/ssh
(first line) to get a notification whenever anybody successfully logs into
my server.
I also create a new group and add the users that need ssh access to it:
addgroup sshuser
adduser francois sshuser
and add a timeout for root sessions by putting this in /root/.bash_profile
:
TMOUT=600
Security checks
apt-get install logcheck logcheck-database fcheck tiger debsums corekeeper
apt-get remove john john-data rpcbind tripwire
Logcheck is the main tool I use to keep an eye on log files, which is why I
add a few additional log files to the default list in
/etc/logcheck/logcheck.logfiles
:
/var/log/apache2/error.log
/var/log/mail.err
/var/log/mail.warn
/var/log/mail.info
/var/log/fail2ban.log
while ensuring that the apache logfiles are readable by logcheck:
chmod a+rx /var/log/apache2
chmod a+r /var/log/apache2/*
and fixing the log rotation configuration by adding the following to
/etc/logrotate.d/apache2
:
create 644 root adm
I also modify the main logcheck configuration file
(/etc/logcheck/logcheck.conf
):
INTRO=0
FQDN=0
Other than that, I enable daily checks in /etc/default/debsums
and
customize a few tiger settings in /etc/tiger/tigerrc
:
Tiger_Check_RUNPROC=Y
Tiger_Check_DELETED=Y
Tiger_Check_APACHE=Y
Tiger_FSScan_WDIR=Y
Tiger_SSH_Protocol='2'
Tiger_Passwd_Hashes='sha512'
Tiger_Running_Procs='rsyslogd cron atd /usr/sbin/apache2 postgres'
Tiger_Listening_ValidProcs='sshd mosh-server ntpd'
General hardening
apt-get install harden-clients harden-environment harden-servers apparmor apparmor-profiles apparmor-profiles-extra
While the harden packages are configuration-free, AppArmor must be manually enabled:
perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
update-grub
Entropy and timekeeping
apt-get install haveged rng-tools ntp
To keep the system clock accurate and increase the amount of entropy
available to the server, I install the above packages and add the tpm_rng
module to /etc/modules
.
Preventing mistakes
apt-get install molly-guard safe-rm sl
The above packages are all about catching mistakes (such as
accidental deletions).
However, in order to extend the molly-guard protection to mosh sessions, one needs to
manually apply a patch.
Package updates
apt-get install apticron unattended-upgrades deborphan debfoster apt-listchanges update-notifier-common aptitude popularity-contest
These tools help me keep packages up to date and remove unnecessary or
obsolete packages from servers. On Rackspace servers, a small configuration
change
is needed to automatically update the monitoring tools.
In addition to this, I use the update-notifier-common
package along with
the following cronjob in /etc/cron.daily/reboot-required
:
#!/bin/sh
cat /var/run/reboot-required 2> /dev/null true
to send me a notification whenever a kernel update requires a reboot to take
effect.
Handy utilities
apt-get install renameutils atool iotop sysstat lsof mtr-tiny
Most of these tools are configure-free, except for sysstat, which requires
enabling data collection in /etc/default/sysstat
to be useful.
Apache configuration
apt-get install apache2-mpm-event
While configuring apache is often specific to each server and the services
that will be running on it, there are a few common changes I make.
I enable these in /etc/apache2/conf.d/security
:
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off
and remove cgi-bin directives from /etc/apache2/sites-enabled/000-default
.
I also create a new /etc/apache2/conf.d/servername
which contains:
ServerName machine_hostname
Mail
apt-get install postfix
Configuring mail properly is tricky but the following has worked for me.
In /etc/hostname
, put the bare hostname (no domain), but in
/etc/mailname
put the fully qualified hostname.
Change the following in /etc/postfix/main.cf
:
inet_interfaces = loopback-only
myhostname = (fully qualified hostname)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
Set the following aliases in /etc/aliases
:
- set
francois
as the destination of root
emails
- set an external email address for
francois
- set
root
as the destination for www-data
emails
before running newaliases
to update the aliases database.
Create a new cronjob (/etc/cron.hourly/checkmail
):
#!/bin/sh
ls /var/mail
to ensure that email doesn't accumulate unmonitored on this box.
Finally, set reverse DNS for the server's IPv4 and IPv6 addresses and then
test the whole setup using mail root
.
Network tuning
To reduce the server's contribution to
bufferbloat I change the default kernel
queueing discipline (jessie or later) by putting the following in /etc/sysctl.conf
:
net.core.default_qdisc=fq_codel
apt-get install memtest86+ smartmontools e2fsprogs
smartctl -t long /dev/sdX
badblocks -swo badblocks.out /dev/sdX
apt-get install etckeepr git sudo vim
To keep track of the configuration changes I make in /etc/
, I use etckeeper
to keep that directory in a git repository and make the following changes to
the default /etc/etckeeper/etckeeper.conf
:
- turn off daily auto-commits
- turn off auto-commits before package installs
dpkg-reconfigure debconf
Since I use vim for all of my configuration file editing, I make it the
default editor:
update-alternatives --config editor
ssh
apt-get install openssh-server mosh fail2ban
Since most of my servers are set to UTC time, I like to use my local
timezone
when sshing into them. Looking at file timestamps is much less
confusing that way.
I also ensure that the locale I use is available on the server by adding it
the list of generated locales:
dpkg-reconfigure locales
Other than that, I harden the ssh configuration
and end up with the following settings in /etc/ssh/sshd_config
(jessie):
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
UsePrivilegeSeparation sandbox
AuthenticationMethods publickey
PasswordAuthentication no
PermitRootLogin no
AcceptEnv LANG LC_* TZ
LogLevel VERBOSE
AllowGroups sshuser
or the following for wheezy servers:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
On those servers where I need duplicity/paramiko to
work, I also add the following:
KexAlgorithms ...,diffie-hellman-group-exchange-sha1
MACs ...,hmac-sha1
Then I remove the "Accepted" filter in /etc/logcheck/ignore.d.server/ssh
(first line) to get a notification whenever anybody successfully logs into
my server.
I also create a new group and add the users that need ssh access to it:
addgroup sshuser
adduser francois sshuser
and add a timeout for root sessions by putting this in /root/.bash_profile
:
TMOUT=600
Security checks
apt-get install logcheck logcheck-database fcheck tiger debsums corekeeper
apt-get remove john john-data rpcbind tripwire
Logcheck is the main tool I use to keep an eye on log files, which is why I
add a few additional log files to the default list in
/etc/logcheck/logcheck.logfiles
:
/var/log/apache2/error.log
/var/log/mail.err
/var/log/mail.warn
/var/log/mail.info
/var/log/fail2ban.log
while ensuring that the apache logfiles are readable by logcheck:
chmod a+rx /var/log/apache2
chmod a+r /var/log/apache2/*
and fixing the log rotation configuration by adding the following to
/etc/logrotate.d/apache2
:
create 644 root adm
I also modify the main logcheck configuration file
(/etc/logcheck/logcheck.conf
):
INTRO=0
FQDN=0
Other than that, I enable daily checks in /etc/default/debsums
and
customize a few tiger settings in /etc/tiger/tigerrc
:
Tiger_Check_RUNPROC=Y
Tiger_Check_DELETED=Y
Tiger_Check_APACHE=Y
Tiger_FSScan_WDIR=Y
Tiger_SSH_Protocol='2'
Tiger_Passwd_Hashes='sha512'
Tiger_Running_Procs='rsyslogd cron atd /usr/sbin/apache2 postgres'
Tiger_Listening_ValidProcs='sshd mosh-server ntpd'
General hardening
apt-get install harden-clients harden-environment harden-servers apparmor apparmor-profiles apparmor-profiles-extra
While the harden packages are configuration-free, AppArmor must be manually enabled:
perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
update-grub
Entropy and timekeeping
apt-get install haveged rng-tools ntp
To keep the system clock accurate and increase the amount of entropy
available to the server, I install the above packages and add the tpm_rng
module to /etc/modules
.
Preventing mistakes
apt-get install molly-guard safe-rm sl
The above packages are all about catching mistakes (such as
accidental deletions).
However, in order to extend the molly-guard protection to mosh sessions, one needs to
manually apply a patch.
Package updates
apt-get install apticron unattended-upgrades deborphan debfoster apt-listchanges update-notifier-common aptitude popularity-contest
These tools help me keep packages up to date and remove unnecessary or
obsolete packages from servers. On Rackspace servers, a small configuration
change
is needed to automatically update the monitoring tools.
In addition to this, I use the update-notifier-common
package along with
the following cronjob in /etc/cron.daily/reboot-required
:
#!/bin/sh
cat /var/run/reboot-required 2> /dev/null true
to send me a notification whenever a kernel update requires a reboot to take
effect.
Handy utilities
apt-get install renameutils atool iotop sysstat lsof mtr-tiny
Most of these tools are configure-free, except for sysstat, which requires
enabling data collection in /etc/default/sysstat
to be useful.
Apache configuration
apt-get install apache2-mpm-event
While configuring apache is often specific to each server and the services
that will be running on it, there are a few common changes I make.
I enable these in /etc/apache2/conf.d/security
:
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off
and remove cgi-bin directives from /etc/apache2/sites-enabled/000-default
.
I also create a new /etc/apache2/conf.d/servername
which contains:
ServerName machine_hostname
Mail
apt-get install postfix
Configuring mail properly is tricky but the following has worked for me.
In /etc/hostname
, put the bare hostname (no domain), but in
/etc/mailname
put the fully qualified hostname.
Change the following in /etc/postfix/main.cf
:
inet_interfaces = loopback-only
myhostname = (fully qualified hostname)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
Set the following aliases in /etc/aliases
:
- set
francois
as the destination of root
emails
- set an external email address for
francois
- set
root
as the destination for www-data
emails
before running newaliases
to update the aliases database.
Create a new cronjob (/etc/cron.hourly/checkmail
):
#!/bin/sh
ls /var/mail
to ensure that email doesn't accumulate unmonitored on this box.
Finally, set reverse DNS for the server's IPv4 and IPv6 addresses and then
test the whole setup using mail root
.
Network tuning
To reduce the server's contribution to
bufferbloat I change the default kernel
queueing discipline (jessie or later) by putting the following in /etc/sysctl.conf
:
net.core.default_qdisc=fq_codel
apt-get install openssh-server mosh fail2ban
dpkg-reconfigure locales
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
UsePrivilegeSeparation sandbox
AuthenticationMethods publickey
PasswordAuthentication no
PermitRootLogin no
AcceptEnv LANG LC_* TZ
LogLevel VERBOSE
AllowGroups sshuser
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms ...,diffie-hellman-group-exchange-sha1
MACs ...,hmac-sha1
addgroup sshuser
adduser francois sshuser
TMOUT=600
apt-get install logcheck logcheck-database fcheck tiger debsums corekeeper
apt-get remove john john-data rpcbind tripwire
Logcheck is the main tool I use to keep an eye on log files, which is why I
add a few additional log files to the default list in
/etc/logcheck/logcheck.logfiles
:
/var/log/apache2/error.log
/var/log/mail.err
/var/log/mail.warn
/var/log/mail.info
/var/log/fail2ban.log
while ensuring that the apache logfiles are readable by logcheck:
chmod a+rx /var/log/apache2
chmod a+r /var/log/apache2/*
and fixing the log rotation configuration by adding the following to
/etc/logrotate.d/apache2
:
create 644 root adm
I also modify the main logcheck configuration file
(/etc/logcheck/logcheck.conf
):
INTRO=0
FQDN=0
Other than that, I enable daily checks in /etc/default/debsums
and
customize a few tiger settings in /etc/tiger/tigerrc
:
Tiger_Check_RUNPROC=Y
Tiger_Check_DELETED=Y
Tiger_Check_APACHE=Y
Tiger_FSScan_WDIR=Y
Tiger_SSH_Protocol='2'
Tiger_Passwd_Hashes='sha512'
Tiger_Running_Procs='rsyslogd cron atd /usr/sbin/apache2 postgres'
Tiger_Listening_ValidProcs='sshd mosh-server ntpd'
General hardening
apt-get install harden-clients harden-environment harden-servers apparmor apparmor-profiles apparmor-profiles-extra
While the harden packages are configuration-free, AppArmor must be manually enabled:
perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
update-grub
Entropy and timekeeping
apt-get install haveged rng-tools ntp
To keep the system clock accurate and increase the amount of entropy
available to the server, I install the above packages and add the tpm_rng
module to /etc/modules
.
Preventing mistakes
apt-get install molly-guard safe-rm sl
The above packages are all about catching mistakes (such as
accidental deletions).
However, in order to extend the molly-guard protection to mosh sessions, one needs to
manually apply a patch.
Package updates
apt-get install apticron unattended-upgrades deborphan debfoster apt-listchanges update-notifier-common aptitude popularity-contest
These tools help me keep packages up to date and remove unnecessary or
obsolete packages from servers. On Rackspace servers, a small configuration
change
is needed to automatically update the monitoring tools.
In addition to this, I use the update-notifier-common
package along with
the following cronjob in /etc/cron.daily/reboot-required
:
#!/bin/sh
cat /var/run/reboot-required 2> /dev/null true
to send me a notification whenever a kernel update requires a reboot to take
effect.
Handy utilities
apt-get install renameutils atool iotop sysstat lsof mtr-tiny
Most of these tools are configure-free, except for sysstat, which requires
enabling data collection in /etc/default/sysstat
to be useful.
Apache configuration
apt-get install apache2-mpm-event
While configuring apache is often specific to each server and the services
that will be running on it, there are a few common changes I make.
I enable these in /etc/apache2/conf.d/security
:
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off
and remove cgi-bin directives from /etc/apache2/sites-enabled/000-default
.
I also create a new /etc/apache2/conf.d/servername
which contains:
ServerName machine_hostname
Mail
apt-get install postfix
Configuring mail properly is tricky but the following has worked for me.
In /etc/hostname
, put the bare hostname (no domain), but in
/etc/mailname
put the fully qualified hostname.
Change the following in /etc/postfix/main.cf
:
inet_interfaces = loopback-only
myhostname = (fully qualified hostname)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
Set the following aliases in /etc/aliases
:
- set
francois
as the destination of root
emails
- set an external email address for
francois
- set
root
as the destination for www-data
emails
before running newaliases
to update the aliases database.
Create a new cronjob (/etc/cron.hourly/checkmail
):
#!/bin/sh
ls /var/mail
to ensure that email doesn't accumulate unmonitored on this box.
Finally, set reverse DNS for the server's IPv4 and IPv6 addresses and then
test the whole setup using mail root
.
Network tuning
To reduce the server's contribution to
bufferbloat I change the default kernel
queueing discipline (jessie or later) by putting the following in /etc/sysctl.conf
:
net.core.default_qdisc=fq_codel
apt-get install harden-clients harden-environment harden-servers apparmor apparmor-profiles apparmor-profiles-extra
perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
update-grub
apt-get install haveged rng-tools ntp
To keep the system clock accurate and increase the amount of entropy
available to the server, I install the above packages and add the tpm_rng
module to /etc/modules
.
Preventing mistakes
apt-get install molly-guard safe-rm sl
The above packages are all about catching mistakes (such as
accidental deletions).
However, in order to extend the molly-guard protection to mosh sessions, one needs to
manually apply a patch.
Package updates
apt-get install apticron unattended-upgrades deborphan debfoster apt-listchanges update-notifier-common aptitude popularity-contest
These tools help me keep packages up to date and remove unnecessary or
obsolete packages from servers. On Rackspace servers, a small configuration
change
is needed to automatically update the monitoring tools.
In addition to this, I use the update-notifier-common
package along with
the following cronjob in /etc/cron.daily/reboot-required
:
#!/bin/sh
cat /var/run/reboot-required 2> /dev/null true
to send me a notification whenever a kernel update requires a reboot to take
effect.
Handy utilities
apt-get install renameutils atool iotop sysstat lsof mtr-tiny
Most of these tools are configure-free, except for sysstat, which requires
enabling data collection in /etc/default/sysstat
to be useful.
Apache configuration
apt-get install apache2-mpm-event
While configuring apache is often specific to each server and the services
that will be running on it, there are a few common changes I make.
I enable these in /etc/apache2/conf.d/security
:
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off
and remove cgi-bin directives from /etc/apache2/sites-enabled/000-default
.
I also create a new /etc/apache2/conf.d/servername
which contains:
ServerName machine_hostname
Mail
apt-get install postfix
Configuring mail properly is tricky but the following has worked for me.
In /etc/hostname
, put the bare hostname (no domain), but in
/etc/mailname
put the fully qualified hostname.
Change the following in /etc/postfix/main.cf
:
inet_interfaces = loopback-only
myhostname = (fully qualified hostname)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
Set the following aliases in /etc/aliases
:
- set
francois
as the destination of root
emails
- set an external email address for
francois
- set
root
as the destination for www-data
emails
before running newaliases
to update the aliases database.
Create a new cronjob (/etc/cron.hourly/checkmail
):
#!/bin/sh
ls /var/mail
to ensure that email doesn't accumulate unmonitored on this box.
Finally, set reverse DNS for the server's IPv4 and IPv6 addresses and then
test the whole setup using mail root
.
Network tuning
To reduce the server's contribution to
bufferbloat I change the default kernel
queueing discipline (jessie or later) by putting the following in /etc/sysctl.conf
:
net.core.default_qdisc=fq_codel
apt-get install molly-guard safe-rm sl
apt-get install apticron unattended-upgrades deborphan debfoster apt-listchanges update-notifier-common aptitude popularity-contest
These tools help me keep packages up to date and remove unnecessary or
obsolete packages from servers. On Rackspace servers, a small configuration
change
is needed to automatically update the monitoring tools.
In addition to this, I use the update-notifier-common
package along with
the following cronjob in /etc/cron.daily/reboot-required
:
#!/bin/sh
cat /var/run/reboot-required 2> /dev/null true
to send me a notification whenever a kernel update requires a reboot to take
effect.
Handy utilities
apt-get install renameutils atool iotop sysstat lsof mtr-tiny
Most of these tools are configure-free, except for sysstat, which requires
enabling data collection in /etc/default/sysstat
to be useful.
Apache configuration
apt-get install apache2-mpm-event
While configuring apache is often specific to each server and the services
that will be running on it, there are a few common changes I make.
I enable these in /etc/apache2/conf.d/security
:
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off
and remove cgi-bin directives from /etc/apache2/sites-enabled/000-default
.
I also create a new /etc/apache2/conf.d/servername
which contains:
ServerName machine_hostname
Mail
apt-get install postfix
Configuring mail properly is tricky but the following has worked for me.
In /etc/hostname
, put the bare hostname (no domain), but in
/etc/mailname
put the fully qualified hostname.
Change the following in /etc/postfix/main.cf
:
inet_interfaces = loopback-only
myhostname = (fully qualified hostname)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
Set the following aliases in /etc/aliases
:
- set
francois
as the destination of root
emails
- set an external email address for
francois
- set
root
as the destination for www-data
emails
before running newaliases
to update the aliases database.
Create a new cronjob (/etc/cron.hourly/checkmail
):
#!/bin/sh
ls /var/mail
to ensure that email doesn't accumulate unmonitored on this box.
Finally, set reverse DNS for the server's IPv4 and IPv6 addresses and then
test the whole setup using mail root
.
Network tuning
To reduce the server's contribution to
bufferbloat I change the default kernel
queueing discipline (jessie or later) by putting the following in /etc/sysctl.conf
:
net.core.default_qdisc=fq_codel
apt-get install renameutils atool iotop sysstat lsof mtr-tiny
apt-get install apache2-mpm-event
While configuring apache is often specific to each server and the services
that will be running on it, there are a few common changes I make.
I enable these in /etc/apache2/conf.d/security
:
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off
and remove cgi-bin directives from /etc/apache2/sites-enabled/000-default
.
I also create a new /etc/apache2/conf.d/servername
which contains:
ServerName machine_hostname
Mail
apt-get install postfix
Configuring mail properly is tricky but the following has worked for me.
In /etc/hostname
, put the bare hostname (no domain), but in
/etc/mailname
put the fully qualified hostname.
Change the following in /etc/postfix/main.cf
:
inet_interfaces = loopback-only
myhostname = (fully qualified hostname)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
Set the following aliases in /etc/aliases
:
- set
francois
as the destination of root
emails
- set an external email address for
francois
- set
root
as the destination for www-data
emails
before running newaliases
to update the aliases database.
Create a new cronjob (/etc/cron.hourly/checkmail
):
#!/bin/sh
ls /var/mail
to ensure that email doesn't accumulate unmonitored on this box.
Finally, set reverse DNS for the server's IPv4 and IPv6 addresses and then
test the whole setup using mail root
.
Network tuning
To reduce the server's contribution to
bufferbloat I change the default kernel
queueing discipline (jessie or later) by putting the following in /etc/sysctl.conf
:
net.core.default_qdisc=fq_codel
apt-get install postfix
inet_interfaces = loopback-only
myhostname = (fully qualified hostname)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
francois
as the destination of root
emailsfrancois
root
as the destination for www-data
emails#!/bin/sh
ls /var/mail
/etc/sysctl.conf
:
net.core.default_qdisc=fq_codel