Here are the things that I did after my last Debian install. I usually do most of them every time I install Debian and have a hard time remembering all the steps, so I wrote them down this time.
This is a standard web server with Apache, PHP and MySQL, so not all things may apply to another type of server or workstation.
If you have any comments and/or suggestions of other things to do, I would appreciate it if you would share them with me. My mail address can be found on the about page.
Purge the following entries in dselect by pressing _:
| Package | Reason |
| --- | --- |
| emacs20 | I don't use emacs |
| emacsen-common | (see above) |
| telnetd | The telnet daemon is a security disaster. Use SSH instead. |
| fingerd | It is recommended to remove the finger daemon for security reasons |
| pidentd | (see above) |
| lpr | I don't have a printer connected to my server |
| nfs-common | Unless this is a fileserver there is no need to run the NFS server on it. |
| nfs-kernel-server | (see above) |
| nfs-server | (see above) |
| nhfsstone | (see above) |
| traceroute | I like the nanog-traceroute better since it, among other things, can show AS info. |
| ibritish | I only use the US word list. |
| gpm | I don't run X so there's no need for a mouse on the machine. |
| ppp | PPP is mostly used for modem connections. I use Ethernet. |
| pppconfig | (see above) |
Add the following entries in dselect by pressing +:
| Package | Reason |
| --- | --- |
| nmap | Nice tool to scan for open ports on this machine and others |
| traceroute-nanog | Better traceroute than the original |
| tripwire | Checks to see if any unauthorized changes are made to the files. |
| joe | Simple and fast editor with Wordstar/Borland key bindings. |
| wget | Tool for downloading files via FTP or HTTP |
| ntp | Daemon that synchronizes the clock with time servers on the Internet. I use time.telia.net, ntp.internet5.net, ntp.swip.net and time1.stupi.se as time servers. |
| ntpdate | Initially sets the clock to the correct time from the Internet. ntp won't handle big differences itself. |
Comment out the following entries in inetd.conf by adding a # in front of each line:
discard tcp
discard udp
daytime tcp
time tcp
Don't forget to restart inetd afterwards:
kill -HUP `cat /var/run/inetd.pid`
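To check the result of this step, the following added example (not part of the original notes) comments out the four entries listed above in a copy of inetd.conf and prints the services that are still enabled. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: run it against a COPY of inetd.conf, not the live file.

# Constructed sample in the classic inetd.conf layout:
# service  socket-type  protocol  wait-flag  user  program  [args]
write_sample_conf() {
    cat > "$1" <<'EOF'
#echo     stream  tcp  nowait  root    internal
discard   stream  tcp  nowait  root    internal
discard   dgram   udp  wait    root    internal
daytime   stream  tcp  nowait  root    internal
daytime   dgram   udp  wait    root    internal
time      stream  tcp  nowait  root    internal
ident     stream  tcp  wait    identd  /usr/sbin/identd identd
EOF
}

# disable_inetd_services FILE service/proto ...
# Prefix "#" to every active line whose service and protocol both match.
# The result is written back with cat so the file keeps its owner and mode.
disable_inetd_services() {
    conf=$1; shift
    for entry in "$@"; do
        svc=${entry%/*}; proto=${entry#*/}
        awk -v s="$svc" -v p="$proto" \
            '$1 == s && $3 == p { print "#" $0; next } { print }' \
            "$conf" > "$conf.tmp" &&
            cat "$conf.tmp" > "$conf" &&
            rm -f "$conf.tmp"
    done
}

# enabled_inetd_services FILE: print service/proto for each line still active.
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 "/" $3 }' "$1"
}

# Demo with the four entries named in the notes.
demo() {
    tmp=$(mktemp) || return 1
    write_sample_conf "$tmp"
    disable_inetd_services "$tmp" discard/tcp discard/udp daytime/tcp time/tcp
    echo "Still enabled:"
    enabled_inetd_services "$tmp"
    rm -f "$tmp"
}
demo
```

In the constructed sample the UDP daytime service and ident remain active after the four edits, which is the kind of leftover the listing is meant to surface.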
Run /etc/init.d/portmap stop, then add exit 0 after the first few comment lines of /etc/init.d/portmap so that the script exits before starting the portmapper.
Edit /etc/init.d/ntpdate, comment out the test and exit lines, and insert time.telia.net time1.stupi.se in the start section.
Add the following lines to /root/.bashrc:
alias ls='ls -F'
alias l='ls -lAF'
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
Do the following to change the default editor:
cd /etc/alternatives
rm editor
ln -s /usr/bin/joe editor
rm editor.1.gz
ln -s /usr/man/man1/joe.1.gz editor.1.gz
Add the following lines to /etc/apt/sources.list to get the security updates:
deb http://security.debian.org stable/updates main contrib non-free
deb http://security.debian.org/debian-non-US/ stable/non-US main contrib non-free
Get and install the updates by doing:
apt-get update
apt-get upgrade
Install SSH support:
Begin by downloading and unpacking the sources:
cd /usr/local/src
wget ftp://ftp.sunet.se/pub/OpenBSD/OpenSSH/portable/openssh-2.9p2.tar.gz
wget http://www.openssl.org/source/openssl-0.9.6b.tar.gz
tar xzf openssh-2.9p2.tar.gz
tar xzf openssl-0.9.6b.tar.gz
Install the zlib1g development files:
apt-get install zlib1g-dev
Compile and install the SSL libraries:
cd openssl-0.9.6b
./config
make
make install
cd /usr/local/src
Compile and install SSH
cd openssh-2.9p2
./configure --sysconfdir=/etc
make
make install
cd /usr/local/src
Copy this file to /etc/init.d/ssh and install it
chmod 0755 /etc/init.d/ssh
update-rc.d ssh defaults >/dev/null
Step the clock to the right time and set the hardware clock to it:
ntpdate -v time1.stupi.se
hwclock --systohc --utc
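Create a script to check for updates and install it in crontab:
# The quoted 'EOF' keeps $TEST, $HOSTNAME and the backticks literal in the script file
cat > /usr/local/sbin/check-updates << 'EOF'
#!/bin/bash
# Refresh the package lists and download (-d), but do not install, pending upgrades
apt-get update > /dev/null 2> /dev/null
apt-get dist-upgrade -d -y > /dev/null 2> /dev/null
# Mail root the list of downloaded packages, if there are any
TEST=`ls /var/cache/apt/archives/*.deb 2> /dev/null`
if [ "$TEST" != "" ]; then
ls /var/cache/apt/archives/*.deb | mail -s "New Packages for $HOSTNAME are available" root
fi
exit 0
EOF
# cron.daily only runs files that are executable
chmod 0755 /usr/local/sbin/check-updates
ln -s /usr/local/sbin/check-updates /etc/cron.daily/check-updates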
Install Apache, PHP & MySQL:
cd /usr/local/src/
wget ftp://ftp.sunet.se/pub/www/servers/apache/dist/httpd/apache_1.3.20.tar.gz
wget http://prdownloads.sourceforge.net/mysql/mysql-3.23.39.tar.gz
wget -O php-4.0.6.tar.gz "http://www.php.net/do_download.php?download_file=php-4.0.6.tar.gz&source_site=se.php.net"
tar xzf apache_1.3.20.tar.gz
tar xzf php-4.0.6.tar.gz
tar xzf mysql-3.23.39.tar.gz
Compile, install and set up MySQL first:
cd /usr/local/src/mysql-3.23.39
groupadd mysql
useradd -g mysql mysql
./configure --prefix=/usr/local/mysql --with-mysqld-user=mysql --without-debug \
--sysconfdir=/etc
make
make install
scripts/mysql_install_db
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql
cp support-files/my-medium.cnf /etc/my.cnf
/usr/local/mysql/bin/safe_mysqld --user=mysql --skip-networking&
/usr/local/mysql/bin/mysql -u root mysql
UPDATE user SET Password=PASSWORD('XYZZY') WHERE user='root';
FLUSH PRIVILEGES;
EXIT
Apache
cd /usr/local/src/apache_1.3.20
groupadd apache
useradd -g apache apache
./configure \
--bindir=/usr/local/apache/bin \
--sbindir=/usr/local/apache/sbin \
--libexecdir=/usr/local/apache/lib \
--mandir=/usr/local/apache/man \
--sysconfdir=/etc/apache \
--datadir=/www \
--iconsdir=/www/icons \
--htdocsdir=/www/html \
--cgidir=/www/cgi-bin \
--includedir=/usr/local/apache/include \
--localstatedir=/var \
--runtimedir=/var/run \
--logfiledir=/var/log/apache \
--proxycachedir=/var/cache/apache \
--enable-shared=max \
--server-uid=apache \
--server-gid=apache
PHP
cd /usr/local/src/php-4.0.6
./configure \
--with-mysql \
--with-exec-dir \
--with-apxs=/usr/local/apache/sbin/apxs \
--with-config-file-path=/etc/apache/