Debian 9 server, part I: Basic setup


A new day, a new server.
A blank canvas to fill with wonders of modern computing.

Anyway, I’ve found a VPS so cheap I could not justify NOT buying it, even if the discount is just for a year and comes with some minor annoyances (mostly increased spam, easily filtered out).
First things first: set up shell access, user accounts, permissions and all that jazz.

Starting slowly

When my server first booted, all there was was a root account and the SSH daemon.
So, 1 ssh command later and 1 password pasted from an email message from the hosting company (sent as plaintext, kinda no-no but that’s just for the first log-in) and we’re in.

Side note: nano is my go-to in-console editor, it does the job for me and IMO is a bit underrated (check out /etc/nanorc, it’s quite configurable!).

Set up root account

(everything as root on the server)

passwd
# (set new password for root)
apt update
apt upgrade

Set up main server settings

(still everything as root on the server)

Hostname

echo "myhostname.tld" > /etc/hostname
# Normally I'd just add the "myhostname" to /etc/hosts,
# but since it's a VPS we need to go deeper
nano /etc/cloud/templates/hosts.debian.tmpl

In this file add “myhostname” alias to the proper entry, in my case it was the line:

127.0.1.1 {{fqdn}} {{hostname}} myhostname.tld myhostname

Timezone

timedatectl set-timezone TIMEZONE # e.g. Europe/London

Locale

nano /etc/locale.gen
# (Uncomment desired locale, e.g. "en_US.UTF-8 UTF-8")
locale-gen

Setting up user, permissions etc

# -m creates /home/myuser (needed later for ~/.ssh), -s sets the login shell
useradd -m -s /bin/bash myuser
passwd myuser
# (set new password for user)

Then came setting up sudo permissions for the user:

gpasswd -a myuser sudo
# visudo opens /etc/sudoers in the system editor and syntax-checks it on save
visudo

There I’ve uncommented the line:

%sudo ALL=(ALL:ALL) ALL

And added this line for teh lulz:

Defaults insults

Adding SSH keys

(on a local machine, as the regular user)

mkdir -p ~/.ssh
# a directory needs the execute bit to be entered, so 700 rather than 600
chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa -b 4096 -f key_file_name -C "some comment"
scp key_file_name.pub myuser@myhostname:~/key_file_name.pub
# (enter previously set password)
ssh myuser@myhostname
# (again, enter previously set password)
# (from here on commands issued as regular user on the server)
mkdir ~/.ssh
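# 700 on the directory, 600 on the key list: sshd ignores keys with looser modes
chmod 700 ~/.ssh
cat key_file_name.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys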
rm key_file_name.pub

Root access ssh keys

While checking out the default setup I’ve noticed that root user had two keys set up in the respective authorized_keys file.
My guess is that they’re used to enable remote rebooting etc of the server via the provider’s management website.
I’d prefer to specify a user account that’s used for this task, but unfortunately it’s not possible.
So for now the keys are to stay, but in the future I want to figure out a way to “redirect” login attempts with those keys onto a separate user account with extended logging and access only to shutdown/reboot/etc commands.
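
One way to review keys like these is to list every entry in an authorized_keys file and flag the ones that are not tied to a forced command (the OpenSSH command="..." option). This is an added example, not part of the original post; the function names and the sample key lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: list each key in an authorized_keys file and flag keys
# that have no forced command (command="...") limiting what they can run.

# Constructed sample input; the key blobs are placeholders, not real keys.
sample_authorized_keys() {
cat <<'EOF'
# keys found on a fresh VPS (constructed)
ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED provider-key-1
command="/sbin/shutdown -r now",no-pty,no-port-forwarding ssh-ed25519 AAAAC3Nza-CONSTRUCTED provider key 2
not-a-key garbage
EOF
}

# Usage: audit_authorized_keys FILE   (e.g. /root/.ssh/authorized_keys)
# Output per key line: <line-no> <key-type> <status> <comment>
audit_authorized_keys() {
    awk '
    function is_keytype(t) {
        return t ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line); opts = ""
        split(line, f, /[ \t]+/)
        if (!is_keytype(f[1])) {
            # Leading options field: ends at the first blank outside quotes
            inq = 0; n = length(line)
            for (i = 1; i <= n; i++) {
                c = substr(line, i, 1)
                if (c == "\\" && inq) { i++; continue }  # escaped char
                if (c == "\"") inq = !inq
                else if ((c == " " || c == "\t") && !inq) break
            }
            opts = substr(line, 1, i - 1)
            line = substr(line, i + 1); sub(/^[ \t]+/, "", line)
        }
        m = split(line, f, /[ \t]+/)
        if (!is_keytype(f[1])) { printf "%d INVALID - -\n", NR; next }
        comment = "-"
        if (m >= 3) { comment = line; sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", comment) }
        status = (tolower(opts) ~ /(^|,)command=/) ? "forced-command" : "UNRESTRICTED"
        printf "%d %s %s %s\n", NR, f[1], status, comment
    }' "$1"
}
```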

Reboot

Fingers crossed.
As the regular user on the server:

sudo systemctl reboot -i

What’s next?

