Initial Server Setup with Debian 12 (9 things todo)

March 3, 2024 March 3, 2024 9 min read

In this tutorial, I will show you the initial server setup with Debian 12. This will be 9 things you must do to ensure your Debian server is ready for production.

Without further ado, let’s dive in.

Prerequisites

Before proceeding, make sure that you have installed Debian server on your machine and have an internet connection on top of it.

Updating repository and upgrading packages

To initial the process, run the command below to update the Debian package index and get the latest package information. Then, upgrade packages on your system.

apt update && apt upgrade -y
Updating repository and upgrading packages
Updating repository and upgrading packages

Installing basic utilities

After upgrading packages, you will install basic utilities for managing the Debian server. Here are my lists:

  • Text editor – it is always good to have both vim and nano installed.
  • net-tools – ifconfig and netstat are part of net-tools. Sure you can use the ip or ss command, but net-tools is also a good alternative.
  • lsof or list open files – checking list opened files or open ports by services or process.
  • wget and curl.
  • gnupg2 and apt-transport-https – used when adding third-party repositories.

Run the following apt command to install basic utilities.

apt install nano vim net-tools lsof unzip wget curl gnupg2 apt-transport-https -y
Installing basic utilities on Debian server
Installing basic utilities on Debian server

Disable Banner Login

This is optional, but if you want to get rid of a welcome message when logging into the server, do this:

Create the file ~/.hushlogin using the command below. This file must be located in the home directory of your user, for example /home/arvidl/.hushlogin.

touch ~/.hushlogin

Setting up FQDN (Fully Qualified Domain Name)

Setting up a proper fqdn or fully qualified domain name is always recommended for the long-term run. You can have a fancy local domain name for your Debian server, such as bookworm64.geekandnix.com. You also get more benefits when running multiple servers.

To set up fqdn on the Debian server, follow these steps:

1. Run the hostnamectl command below to change your hostname and default domain. In this example, I will use the hostname bookworm64 with the default domain geekandnix.com.

hostnamectl set-hostname bookworm64.geekandnix.com

2. Now, open the /etc/hosts file using vim.

vim /etc/hosts

Append the following configuration to the bottom of the line. Make sure to change the details IP address, fqdn, and the system hostname.

# server ip  fqdn                      hostname
192.168.5.20 bookworm64.geekandnix.com bookworm64

When done, save the changes and exit the file.

3. Lastly, run the following command to check the default domain and system fqdn.

hostname -d
hostname -f

As you can see below, I have a default domain geekandnix.com with the fqdn bookworm64.geekandnix.com.

Setting up FQDN (Fully Qualified Domain Name) on Debian
Setting up FQDN (Fully Qualified Domain Name) on Debian

Setting up PATH environment variable

On the Debian server, sbin directories /usr/sbin and /usr/local/sbin are not included in the system PATH environment variable. This causes an error command not found when running commands such as reboot or shutdown, which is located on both sbin directories. To solve this issue, you must add both /usr/sbin and /usr/local/sbin directories to the system PATH.

To add /usr/sbin and /usr/local/sbin directories to the system PATH, execute the following:

1. Create a new file /etc/profile.d/path.sh using vim. This file will be loaded system-wide automatically when starts.

vim /etc/profile.d/path.sh

Insert the following configuration to add sbin directories /usr/sbin and /usr/local/sbin to the system PATH.

export PATH=$PATH:/usr/sbin:/usr/local/sbin

Save the file when done and exit.

2. Now, run the command below to apply your modification.

source /etc/profile.d/path.sh

3. Finally, run the command below to verify the current system PATH.

echo $PATH

You should see directories /usr/sbin and /usr/local/sbin added to the system PATH. With this, you can now run commands within sbin directories.

Setting up system PATH environment variable on Debian
Setting up system PATH environment variable on Debian

Setting up sudo

For every Linux user, the sudo command will always be in their head whenever needed to execute a command line or application as a privileged or administrator user.

On the Debian server, sudo is not installed by default, so here is how you do it:

1. Run the apt command below to install sudo packages.

apt install sudo -y
Installing sudo on Debian
Installing sudo on Debian

2. Once sudo is installed, run the visudo command below to modify the sudo config file /etc/sudoers. Always use visudo when editing the sudo configuration, and do not edit the /etc/sudoers directly.

export SUDO_EDITOR=vim
visudo

Uncomment the following line to allow users within the sudo group can execute the sudo command and get the root privileges.

%sudo ALL=(ALL:ALL) ALL

Save and exit the file when finished.

3. Now, run the usermod command below to add your user to the sudo group. In this case, I will set up user arvidl to execute the sudo command.

usermod -aG sudo arvidl

4. Then, log in as a normal user with the command below.

su - arvidl

5. Lastly, run the sudo su command to get the root privileges and execute the id command to verify your current user.

sudo su
id

If your configuration is successful, you should become root like the following:

Setting up sudo on Debian
Setting up sudo on Debian

Securing SSH Server

SSH or Secure Shell is the gateway to your server, so making it secure is the top priority. How? You will change the default SSH port, disable root login, and only use strong and recommended algorithms on your SSH settings.

To secure SSH, proceed with the following steps:

1. Create a new additional configuration for SSH /etc/ssh/sshd_config.d/secure.conf using vim.

vim /etc/ssh/sshd_config.d/secure.conf

Insert the following configuration to secure your SSH server. This setting is based on Mozilla OpenSSH security recommendations for modern servers.

Port 3896
PermitRootLogin no

# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

Save and exit the file.

Detailed sshd_config options:

  • Port 3896: change the default SSH port to 3896. You can adjust this as you need.
  • PermitRootLogin no: disallow user root to login via SSH.
  • Hostkey: Only strong HostKey algorithms will be allowed, which are ed25519, rsa, and ecdsa.
  • KexAlgorithms: specify KEX (Key Exchange) algorithm.
  • Ciphers: specify allowed ciphers.
  • MACs: specify the default MACs (Message Authentication Code) algorithm.

2. Now, run the command below to delete the default SSH host keys and generate new keys based on the HostKey configuration.

rm /etc/ssh/ssh_host_*
ssh-keygen -A

3. Next, run the command below to restart the SSH and apply your changes. Once executed, your SSH will be running on custom port 3896.

systemctl restart sshd
Hardening OpenSSH server
Hardening OpenSSH server

4. Lastly, run the ss command below to check the list of open ports on your system.

ss -tulpn | grep sshd

As you can see below, the sshd program is running on port 3896.

Checking SSH port via ss command
Checking SSH port via ss command

Setting up UFW (Uncomplicated Firewall)

After you have secured SSH, you will set up a firewall and secure your Debian server. For easier and more convenient usage, you will install and use UFW (Uncomplicated Firewall) as the default firewall on your Debian.

To set up UFW on Debian, follow these actions:

1. Run the apt command below to install UFW (Uncomplicated Firewall) to your Debian server.

sudo apt install ufw -y
Installing UFW (Uncomplicated Firewall) on Debian
Installing UFW (Uncomplicated Firewall) on Debian

2. Once installation is complete, run the ufw command below to open the SSH port and allow traffic into it.

# enable profile OpenSSH
sudo ufw allow OpenSSH

# add custom port for SSH 3896/tcp
sudo ufw allow 3896/tcp

3. Now, run the command below to start and enable UFW. With this, your UFW should be run and start automatically at system boot.

Type y to confirm with the process.

sudo ufw enable

Once started, you should get an output Firewall is active and enabled on system startup.

Add SSH port and enable UFW
Add SSH port and enable UFW

4. Next, run the ufw command below to verify the UFW status. You should see UFW status Active with the SSH port 3896 enabled.

sudo ufw status
Checking UFW status
Checking UFW status

5. With the UFW active and SSH port enabled, let’s log in to the server via SSH again.

Open a new terminal or new tab and connect to your Debian server via the ssh command below. Input your password when prompted.

ssh [email protected] -p 3896

Once connected, your configuration of SSH with a custom port and UFW is successful.

Connecting to Debian server with custom SSH port and UFW enabled
Connecting to Debian server with custom SSH port and UFW enabled

Optional: Setting up Syslog

The new Debian logging system has been moved from syslog to systemd journal. That’s why you didn’t find the log file such as /var/log/syslog or /var/log/messages on your machine.

Whether you’re using systemd journal or Syslog, it’s important to know how to check log files for debugging.

1. If you’re using a systemd journal, run the journalctl command below to view and check the logs of your services.

# print all logs of sshd service
journalctl -u ssh

# print last logs of sshd service
journalctl -t -u ssh

2. Optionally, if you want to go old-school and use log files, then install rsyslog with the following command.

sudo apt install rsyslog -y
Installing rsyslog
Installing rsyslog

3. Then, run the command below to ensure that the rsyslog service is running and enabled.

# checking if rsyslog is enabled
sudo systemctl is-enabled rsyslogd

# checking rsyslog status
sudo systemctl status rsyslogd
Checking rsyslog service
Checking rsyslog service

4. Lastly, check log files within the /var/log directory with the command below.

# print all log /var/log/syslog
cat /var/log/syslog

# print last log of /var/log/syslog
tail -f /var/log/syslog

Conclusion

In this tutorial, you have initialized the Debian server with the installation of basic system utilities, setting up fqdn and system PATH, configuring sudo, securing the SSH server, implementing firewall via UFW (Uncomplicated Firewall), and setting up Syslog.

What’s next? I suggest you install fail2ban for blocking brute-force attacks, then configure NTP (Network Time Protocol) via Chrony to ensure you have the correct time.

ArvidL
ArvidL

System administrator and devops enthusiast, leveraging over 10+ years of Linux expertise to optimize operations. Proficient in FreeBSD, VMWare, KVM, Proxmox, PfSense, Ansible, Docker, and Kubernetes.

Read Also:
How to Install PHP (8.3, 8.2, 8.1, 8.0) on Debian 12

How to Install PHP (8.3, 8.2, 8.1, 8.0) on Debian 12

How to Install and Use MariaDB on Debian 12

How to Install and Use MariaDB on Debian 12

Most Popular

How to Install VNC on Ubuntu 22.04 (GNOME and TigerVNC)

Ubuntu

How to Install VNC on Ubuntu 22.04 (GNOME and TigerVNC)

A Complete Guide to Install PowerDNS on Ubuntu Server 22.04

Ubuntu

A Complete Guide to Install PowerDNS on Ubuntu Server 22.04

How to Install Fail2ban with UFW on Ubuntu 22.04

Ubuntu

How to Install Fail2ban with UFW on Ubuntu 22.04

How to Install FreeBSD 14 Step-by-Step (With Screenshot)

FreeBSD

How to Install FreeBSD 14 Step-by-Step (With Screenshot)

How to Install Ubuntu 24.04 Server (Step-by-Step)

Ubuntu

How to Install Ubuntu 24.04 Server (Step-by-Step)

Support me