Recently, I opened an unmanaged VPS hosting account with Digital Ocean (of which I am an affiliate), and created a barebone Debian virtual server. Because the hosting was unmanaged, I had to apply all the system changes to the machine myself. Below were the steps I took to set up the Debian virtual machine after spinning it up for the first time.
I assume that you want to set up the LAMP stack - Linux, Apache, MYSQL, PHP - on your machine.
SSH into the virtual machine.
Before you can login, you need to know the public IP address of the new machine. Digital Ocean sends it to you in an email.
$ ssh root@your.IP.address
When you first login to the Digital Ocean server, you are automatically prompted to enter a new password. If your VPS is with someone else, change the password with the following command.
Get to know your system environment.
Which Linux release?
# lsb_release -a
How much memory, and swap space?
# free -h
total used free shared buffers cached Mem: 497M 64M 432M 0B 7.3M 33M -/+ buffers/cache: 23M 473M Swap: 0B 0B 0B
Note: No swap space was pre-allocated.
How much disk space?
# df -h
Is DNS configured?
# cat /etc/resolv.conf
# cat /etc/apt/sources.list
deb http://mirrors.digitalocean.com/debian wheezy main
deb http://security.debian.org/ wheezy/updates main
# apt-get update
# apt-get upgrade
Configure correct timezone.
datecommand to verify the current time. If the time looks wrong, your machine may be pre-configured to the wrong timezone.
# date Thu Dec 4 00:07:37 UTC 2014
The current time reported was in the UTC timezone. But, I live in Vancouver, Canada which is in the Pacific timezone. To change the timezone, write the proper time zone string to the file
/etc/timezone, and run
# echo America/Vancouver > /etc/timezone
# dpkg-reconfigure -f noninteractive tzdata
Current default time zone: 'America/Vancouver'
Local time is now: Wed Dec 3 16:08:58 PST 2014.
Universal Time is now: Thu Dec 4 00:08:58 UTC 2014.
Now, if you run
date, you should see the correct time in the local timezone.
Wed Dec 3 16:09:01 PST 2014
Refer to my earlier post for more details.
Customize default text editor.
If you are not used to a text editor, it can drive you crazy. So, I change the default text editor from
vim. You will thank me when you run
visudoin the next step.
Note: my first choice for text editor is
emacsis not installed by default. Sigh.
# update-alternatives --config editor
Soon, I'll configure SSH to prevent direct
rootlogin. Before that can happen, a new user is needed.
First, create a new user as follows:
# adduser peter
Then, grant the new user
Insert the following line in the
User privilege specificationsection.
peter ALL=(ALL:ALL) ALL
Tighten up SSH security.
# sed -i -e "s/^PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
- Change SSH port number from port 22 to port 2121.
# sed -i -e "s/^Port 22/Port 2121/" /etc/ssh/sshd_config
- Restart the SSH daemon.
# service ssh restart
Build up firewall.
iptablesto see how your firewall is currently configured:
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Note: The firewall is set up by default to accept everything.
To build a minimal firewall that allows incoming web, SSH and ping traffic, issue the following commands in the specified order:
# iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -I INPUT 2 -i lo -j ACCEPT
# iptables -I INPUT 3 -m conntrack --ctstate NEW -p tcp --syn --dport 80 --j ACCEPT
# iptables -I INPUT 4 -m conntrack --ctstate NEW -p tcp --syn --dport 2121 --j ACCEPT
# iptables -I INPUT 5 -p icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
Inspect the new firewall using the following command:
# iptables -L -v
Refer to my earlier post for more details on how to set up the firewall.
Save firewall configuration.
The new firewall configuration does not persist in the event of a system reboot. To save the firewall permanently, you must first install the
# apt-get install iptables-persistent
The install program will ask if you want to save the current `iptables` rules. Answer yes.
If you make more firewall changes after installing the above package, you need to explicitly save the rules using the command below:
# iptables-save > /etc/iptables/rules.v4
fail2banscans system log files for signs of a cyber attack. Upon the detection of a possible attack, it bans the originating suspect IP address for a specified amount of time.
# apt-get install fail2ban
# cat > /etc/fail2ban/jail.local
ignoreip = 127.0.0.1/8
bantime = 3600
maxretry = 3
maxretry = 3
port = 2121
bantimespecifies the ban duration in seconds.
maxretryspecifies the threshold for triggering the ban.
portspecifies the SSH port number.
# service fail2ban restart
Create swap file.
My VPS hosting plan with Digital Ocean gives me 512 MB of RAM and 20 GB in SSD disk space. While RAM is limited in that configuration, the virtual server has plenty of unused disk space. The extra disk space can be utilized to boost the available virtual memory. Follow the steps below to create the swap file
# fallocate -l 500M /var/swap.img
# chmod 600 /var/swap.img
# mkswap /var/swap.img
# swapon /var/swap.img
# echo "/var/swap.img none swap sw 0 0" >> /etc/fstab
Refer to my earlier post for more details.
Set up SMTP server to redirect
You run the risk of ignoring important system alerts if emails to
rootare not read regularly. Follow the steps below to forward all
rootemails to an email address that you actually monitor.
exim4to redirect all outbound emails to the Google Gmail SMTP server.
You need a Gmail account in order to use Gmail SMTP. Refer to my earlier post for more details.
# hostname --fqdn > /etc/mailname
/etc/mailnamefile should contain the fully-qualified domain name to use for outgoing mail messages. The Sender email address of a message uses this value as its domain name.
# sed -i -e "s/dc_eximconfig_configtype=.*/dc_eximconfig_configtype='smarthost'/" /etc/exim4/update-exim4.conf.conf
smarthostis the configuration type you want.
# sed -i -e "s/dc_smarthost=.*/dc_smarthost='smtp.gmail.com::587'/" /etc/exim4/update-exim4.conf.conf
If you have a non-Gmail SMTP server, replace
smtp.gmail.comwith the proper domain name.
# sed -i -e "s/dc_hide_mailname=.*/dc_hide_mailname='false'/" /etc/exim4/update-exim4.conf.conf
# sed -i -e "s/dc_other_hostnames=.*/dc_other_hostnames=''/" /etc/exim4/update-exim4.conf.conf
# echo '*.google.com:yourAccount@gmail.com:yourPassword' >> /etc/exim4/passwd.client
Customize the above with your own Gmail account and password. If you are not using Gmail, replace
google.comwith the proper domain name.
# service exim4 restart
rootemails to a valid email address.
Refer to an earlier post for more details.
# echo -e 'root: peter\npeter: yourEmailAddress@somedomain.com' >> /etc/aliases
The above command inserts 2 lines into
/etc/aliases. The first line (
root: peter) specifies that all emails to
rootare forwarded to
peter, a new user we added earlier. The second line (
peter: yourEmailAddress@somedomain.com) specifies that all emails to
peterare redirected to the external email address.
newaliasesto rebuild the email aliases database.
Note which essential packages are still uninstalled.
My yet-to-install package list comprises:
You can use the following command to find out if a package, say PHP5, is installed:
# dpkg -l php5*
dpkg-query: no packages found matching php5*
Install missing packages.
# apt-get install chkconfig
# apt-get install mysql-server mysql-client
After installing MYSQL, run the
mysql_secure_installationprogram to tighten up security.
# apt-get install apache2
# apt-get install php5 php5-mysql php5-gd php5-curl
For further details on how to install the above packages, refer to my earlier post.
After you put in all the hard work to get this far, your machine is finally in a usable state. It is wise (albeit optional) to save the current machine state. Digital Ocean allows you to create a system snapshot of your server. You can restore the server to that particular state at any time in the future.
When you login to the virtual server via SSH, don't forget to use the new user and port number.
$ ssh -p 2121 firstname.lastname@example.org