June 3rd 2009

Checklist for configuring a Debian system

In the spirit of Thomas Limoncelli's Time Management for System Administrators, this is my checklist for setting up a new Debian system. I have added a few notes to the original list to justify their existence and to provide some background information.

Whilst you should avoid performing repetitive interactive configuration and defer to the multitude of tools designed for this task, constructing and sharing a checklist can still be an instructive step. It can also be useful in situations where a machine has already been partly configured for you.


  • /etc/apt/sources.list

    • Choose a sensible primary mirror
    • Ensure use of release codenames (e.g. "lenny") instead of synonyms
    • Confirm security mirror is enabled
    • Remove references to contrib and non-free
  • Disable installation of Recommends:

    echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/90recommends
  • Disable Pdiffs:

    echo 'Acquire { Retries "0"; Pdiffs "false"; };' > /etc/apt/apt.conf.d/50pdiffs
  • Ensure we are up to date security-wise:

    apt-get update && apt-get dist-upgrade
  • Set up and configure locales first to avoid annoying Perl warnings. Don't choose All locales; you almost certainly don't want that.

    apt-get install locales
    dpkg-reconfigure -plow locales
  • Install some essential utilities:

    apt-get install vim-nox ntp openssh-server screen most tree bzip2 unzip moreutils dnsutils htop pwgen telnet manpages manpages-dev vrms acl gawk strace curl tcpdump apticron


  • Before we create any real users, we configure PAM to reject weak passwords. Custom banned passwords can be added to the dictionary by editing /usr/share/dict/cracklib and running update-cracklib.

    apt-get install libpam-cracklib

    Edit: For lenny, you must also run the following:

    sed -i -e 's|^password|# \0|' /etc/pam.d/common-password
    echo 'password required    pam_cracklib.so retry=3 minlen=6 difok=3' >> /etc/pam.d/common-password
    echo 'password required    pam_unix.so use_authtok nullok md5' >> /etc/pam.d/common-password

    (Thanks to Steve Langasek)

  • Configure sudo. I prefer to create a new group instead of re-using adm as that is already used by logfiles.

    addgroup rootusers
    adduser myuser
    adduser myuser rootusers
    apt-get install sudo
    echo 'User_Alias ROOTUSERS  = %rootusers' >> /etc/sudoers
    echo 'ROOTUSERS, root     ALL=(ALL) ALL' >> /etc/sudoers

    Edit: You can keep the lenny-era sudo behaviour with:

    echo 'Defaults env_keep += HOME' >> /etc/sudoers
    echo 'Defaults !tty_tickets' >> /etc/sudoers
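
The /etc/apt/sources.list checks at the top of this list can be automated. The following is an added example, not part of the original post: the function name audit_sources_list is hypothetical, and it assumes the one-line "deb" format and that the security mirror is identified by the hostname security.debian.org.

```shell
#!/bin/sh
# Added example: audit a one-line-style sources.list against the checklist.
# Prints one finding per line; returns 1 if anything was found.
audit_sources_list() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    $1 != "deb" && $1 != "deb-src" { next }
    {
        i = 2
        if ($i ~ /^\[/) {                     # optional [arch=...] block
            while (i <= NF && $i !~ /\]$/) i++
            i++
        }
        uri = $i; suite = $(i + 1)
        # Assumption: the security mirror is identified by this hostname.
        if (uri ~ /security\.debian\.org/) security = 1
        base = suite
        sub(/(\/|-).*/, "", base)             # lenny/updates becomes lenny
        if (base ~ /^(oldstable|stable|testing|unstable)$/) {
            printf "line %d: suite \"%s\" is a synonym, use the codename\n", NR, suite
            bad = 1
        }
        for (j = i + 2; j <= NF; j++)
            if ($j == "contrib" || $j ~ /^non-free/) {
                printf "line %d: component \"%s\" is enabled\n", NR, $j
                bad = 1
            }
    }
    END {
        if (!security) { print "no security.debian.org entry found"; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample input, not taken from a real machine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://ftp.uk.debian.org/debian/ stable main contrib non-free
deb http://security.debian.org/ lenny/updates main
EOF
audit_sources_list "$sample" || echo "sources.list needs attention"
rm -f "$sample"
```

On a real system, run it as audit_sources_list /etc/apt/sources.list.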

Mail relay

Email remains the primary method to asynchronously inform the system administrator that their attention is required.

It is assumed that the machine will not handle your day-to-day email (or indeed accept any external mail) but will instead simply forward it elsewhere. We also assume a preference for Exim, but the configuration for Postfix is almost identical.

  • First, install the mail packages:

    apt-get install exim4-daemon-light bsd-mailx
    dpkg-reconfigure exim4-config
  • During the Exim configuration, choose Internet site and follow all the defaults, ensuring that you only listen on and you are not relaying mail for any other domains.

  • If you did not do so during the debconf-based configuration, you can configure forwarding to another email address so we don't have to continually poll this machine for issues:

    echo 'root: you@example.com' >> /etc/aliases
  • Finally, we test mail delivery:

    echo "Test 1 from $(hostname)" | mail root -s "Test 1 from $(hostname)"

The d-i manual has some further advice on this, including the use of "smarthosts".


  • Stop Emacs creating backup files everywhere:

    mkdir -p /etc/emacs/site-start.d
    echo '(setq backup-inhibited t)' > /etc/emacs/site-start.d/10no-backup.el
  • Configure Munin:

    apt-get install munin-node
    echo 'allow ^123\.123\.123\.123$' >> /etc/munin/munin-node.conf
    /etc/init.d/munin-node restart

    For baroque network configurations, you can generate the regular expression line with this script.

  • Configure molly-guard, a tool for preventing accidental shutdowns. As molly-guard cannot detect shutdowns initiated within a combination of GNU screen and SSH, we configure it to always query the hostname:

    apt-get install molly-guard
    echo "ALWAYS_QUERY_HOSTNAME=true" >> /etc/molly-guard/rc
  • Monitor disk S.M.A.R.T. attributes:

    apt-get install hddtemp smartmontools
    sed -i 's|^#start_smartd=yes|start_smartd=yes|' /etc/default/smartmontools
    /etc/init.d/smartmontools start
  • Set up backups - I'm quite partial to backupninja because it automates most of the tedious SSH configuration. I adjust the time of the backup to when I'm likely to be around to fix issues and cut down on email noise by not reporting successful backups:

    apt-get install backupninja hwinfo debconf-utils rdiff-backup
    sed -i -e 's|^when = everyday at 01:00|when = everyday at 9:30|' /etc/backupninja.conf
    sed -i -e 's|^reportsuccess = yes|reportsuccess = no|' /etc/backupninja.conf
  • Filesystems

    • In /etc/fstab, check noatime is enabled on all filesystems, and acl where needed.
    • Use tune2fs to adjust how much of the disk is reserved for the superuser - the default of 5% is excessive for large volumes.
  • Reboot. You should be prompted by molly-guard before your computer restarts.
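
The /etc/fstab check in the Filesystems item can be scripted rather than done by eye. This is an added example, not part of the original post: the function name audit_fstab and the list of filesystem types it treats as on-disk are assumptions.

```shell
#!/bin/sh
# Added example: report on-disk filesystems in an fstab that lack noatime,
# and show acl status so it can be reviewed per mount point.
# Returns 1 if any listed filesystem is missing noatime.
audit_fstab() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    # Assumption: only these on-disk types matter here; extend as needed.
    $3 !~ /^(ext2|ext3|ext4|xfs|jfs|reiserfs|btrfs)$/ { next }
    {
        noatime = 0; acl = 0
        n = split($4, opt, ",")               # compare whole option tokens,
        for (i = 1; i <= n; i++) {            # so nodiratime is not a match
            if (opt[i] == "noatime") noatime = 1
            if (opt[i] == "acl") acl = 1
        }
        printf "%s %s noatime=%s acl=%s\n", $2, $3, (noatime ? "yes" : "MISSING"), (acl ? "yes" : "no")
        if (!noatime) missing = 1
    }
    END { exit (missing ? 1 : 0) }' "$1"
}

# Constructed sample input, not taken from a real machine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
proc       /proc  proc  defaults                   0 0
/dev/sda1  /      ext3  noatime,errors=remount-ro  0 1
/dev/sda2  /home  ext3  defaults,nodiratime,acl    0 2
/dev/sda3  none   swap  sw                         0 0
EOF
audit_fstab "$sample" || echo "add noatime to the entries marked MISSING"
rm -f "$sample"
```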
