Checklist for configuring a Debian system

In the spirit of Thomas Limoncelli's Time Management for System Administrators, this is my checklist for setting up a new Debian system. I have added a few notes to the original list to justify their existence and to provide some background information.

Whilst you should avoid performing repetitive interactive configuration and defer to the multitude of tools designed for this task, constructing and sharing a checklist can still be an instructive step. It can also be useful in situations where a machine has already been partly configured for you.

Software

  • /etc/apt/sources.list

    • Choose a sensible primary mirror
    • Ensure use of release codenames (e.g. "lenny") instead of synonyms
    • Confirm security mirror is enabled
    • Remove references to contrib and non-free
  • Disable installation of Recommends:

    echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/90recommends
    
  • Disable Pdiffs:

    echo 'Acquire { Retries "0"; Pdiffs "false"; };' > /etc/apt/apt.conf.d/50pdiffs
    
  • Ensure we are up to date security-wise:

    apt-get update && apt-get dist-upgrade
    
  • Set up and configure locales first to avoid annoying Perl warnings. Don't choose All locales; you almost certainly don't want that.

    apt-get install locales
    dpkg-reconfigure -plow locales
    
  • Install some essential utilities:

    apt-get install vim-nox ntp openssh-server screen most tree bzip2 unzip moreutils dnsutils htop pwgen telnet manpages manpages-dev vrms acl gawk strace curl tcpdump apticron
    
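
A small audit of the three sources.list points above, as an added example rather than part of the original checklist; the function names and the two sample files it constructs are my own, and the mirror host in them is only illustrative:

```shell
# Added example, not from the original post: audit a sources.list against the
# three points above (codenames, security mirror, no contrib/non-free).
# Usage: audit_sources_list /etc/apt/sources.list ; exit status 1 on any finding.
audit_sources_list() {
    # Active deb/deb-src lines only, with trailing comments removed.
    lines=$(sed 's/#.*//' "$1" | grep -E '^[[:space:]]*deb(-src)?[[:space:]]' || true)
    findings=0
    # 1. "stable", "testing", ... silently change meaning at release time;
    #    a codename such as "lenny" pins the machine to one release.
    hits=$(printf '%s\n' "$lines" |
        awk '$3 ~ /^(stable|testing|unstable|oldstable|sid)(-[a-z]+|\/updates)?$/')
    if [ -n "$hits" ]; then
        printf 'suite alias instead of codename:\n%s\n' "$hits"
        findings=$((findings + 1))
    fi
    # 2. Security updates live in a separate archive that must be enabled.
    if ! printf '%s\n' "$lines" | grep -q 'security\.debian\.org'; then
        echo 'no security.debian.org entry'
        findings=$((findings + 1))
    fi
    # 3. Components follow the suite field; flag contrib and non-free.
    hits=$(printf '%s\n' "$lines" |
        awk '{ for (i = 4; i <= NF; i++) if ($i == "contrib" || $i == "non-free") { print; break } }')
    if [ -n "$hits" ]; then
        printf 'contrib/non-free enabled:\n%s\n' "$hits"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files for a stand-alone run (not taken from a real system).
write_samples() {
    cat > "$1" <<'EOF'
deb http://ftp.uk.debian.org/debian/ lenny main
deb-src http://ftp.uk.debian.org/debian/ lenny main
deb http://security.debian.org/ lenny/updates main
EOF
    cat > "$2" <<'EOF'
deb http://ftp.uk.debian.org/debian/ stable main contrib non-free
# deb http://security.debian.org/ lenny/updates main
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp/good.list" "$tmp/bad.list"
audit_sources_list "$tmp/good.list" && echo "good.list: clean"
audit_sources_list "$tmp/bad.list" || echo "bad.list: see findings above"
rm -rf "$tmp"
```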

Users

  • Before we create any real users, we configure PAM to reject weak passwords. Custom banned passwords can be added to the dictionary by editing /usr/share/dict/cracklib and running update-cracklib.

    apt-get install libpam-cracklib
    

    Edit: For lenny, you must also run the following:

    sed -i -e 's|^password|# \0|' /etc/pam.d/common-password
    echo 'password required    pam_cracklib.so retry=3 minlen=6 difok=3' >> /etc/pam.d/common-password
    echo 'password required    pam_unix.so use_authtok nullok md5' >> /etc/pam.d/common-password
    

    (Thanks to Steve Langasek)

  • Configure sudo. I prefer to create a new group instead of re-using adm as that is already used by logfiles.

    addgroup rootusers
    adduser myuser
    adduser myuser rootusers
    apt-get install sudo
    echo 'User_Alias ROOTUSERS  = %rootusers' >> /etc/sudoers
    echo 'ROOTUSERS, root     ALL=(ALL) ALL' >> /etc/sudoers
    

    Edit: You can keep the lenny-era sudo behaviour with:

    echo 'Defaults env_keep += HOME' >> /etc/sudoers
    echo 'Defaults !tty_tickets' >> /etc/sudoers
    

Mail relay

Email remains the primary method to asynchronously inform the system administrator that their attention is required.

It is assumed that the machine will not handle your day-to-day email (or indeed accept any external mail) but will instead simply forward it elsewhere. We also assume a preference for Exim, but the configuration for Postfix is almost identical.

  • First, install the mail packages:

    apt-get install exim4-daemon-light bsd-mailx
    dpkg-reconfigure exim4-config
    
  • During the Exim configuration, choose Internet site and follow all the defaults, ensuring that you only listen on 127.0.0.1 and you are not relaying mail for any other domains.

  • If you did not do so during the debconf-based configuration, you can configure forwarding to another email address so we don't have to continually poll this machine for issues:

    echo 'root: you@example.com' >> /etc/aliases
    newaliases
    
  • Finally, we test mail delivery:

    echo "Test 1 from $(hostname)" | mail root -s "Test 1 from $(hostname)"
    

The d-i manual has some further advice on this, including the use of "smarthosts".

Miscellaneous

  • Stop Emacs creating backup files everywhere:

    mkdir -p /etc/emacs/site-start.d
    echo '(setq backup-inhibited t)' > /etc/emacs/site-start.d/10no-backup.el
    
  • Configure Munin:

    apt-get install munin-node
    echo 'allow ^123\.123\.123\.123$' >> /etc/munin/munin-node.conf
    /etc/init.d/munin-node restart
    

    For baroque network configurations, you can generate the regular expression line with this script.

  • Configure molly-guard, a tool for preventing accidental shutdowns. As molly-guard cannot detect shutdowns initiated within a combination of GNU screen and SSH, we configure it to always query the hostname:

    apt-get install molly-guard
    echo "ALWAYS_QUERY_HOSTNAME=true" >> /etc/molly-guard/rc
    
  • Monitor disk S.M.A.R.T. attributes:

    apt-get install hddtemp smartmontools
    sed -i 's|^#start_smartd=yes|start_smartd=yes|' /etc/default/smartmontools
    /etc/init.d/smartmontools start
    
  • Set up backups. I'm quite partial to backupninja because it automates most of the tedious SSH configuration. I adjust the time of the backup to when I'm likely to be around to fix issues, and cut down on email noise by not reporting successful backups:

    apt-get install backupninja hwinfo debconf-utils rdiff-backup
    sed -i -e 's|^when = everyday at 01:00|when = everyday at 9:30|' /etc/backupninja.conf
    sed -i -e 's|^reportsuccess = yes|reportsuccess = no|' /etc/backupninja.conf
    ninjahelper
    
  • Filesystems

    • In /etc/fstab, check noatime is enabled on all filesystems, and acl where needed.
    • Use tune2fs to adjust how much of the disk is reserved for the superuser - the default of 5% is excessive for large volumes.
  • Reboot. You should be prompted by molly-guard before your computer restarts.
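
As an added example for the Munin item above (not the script linked from the post), this generates the allow lines for munin-node.conf from IP addresses and /24 networks; the function names and the sample addresses are my own.

```shell
# Added example, not the script linked from the post: emit munin-node "allow"
# lines for exact hosts and /24 networks.  Dots are escaped and the pattern is
# anchored: an unanchored "allow 10\.0\.0\.1" would also admit 110.0.0.1 and
# 10.0.0.12, which is exactly what an allow list must not do.
munin_allow_line() {
    case "$1" in
        *[!0-9./]*)
            echo "munin_allow_line: not an IPv4 address or /24 network: $1" >&2
            return 1
            ;;
        */24)
            net=${1%/24}              # 192.168.1.0/24 -> 192.168.1.0
            net=${net%.*}             #                -> 192.168.1
            printf 'allow ^%s\\.[0-9]+$\n' "$(printf '%s' "$net" | sed 's/\./\\./g')"
            ;;
        */*)
            echo "munin_allow_line: only exact hosts and /24 networks are handled: $1" >&2
            return 1
            ;;
        *)
            printf 'allow ^%s$\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
            ;;
    esac
}

# Build the whole block to append to munin-node.conf from a list of peers;
# fails on the first peer it cannot express so nothing half-written is emitted.
munin_allow_block() {
    for peer in "$@"; do
        munin_allow_line "$peer" || return 1
    done
}

# Stand-alone run with constructed addresses: the first line reproduces the
# one used in the checklist above.
munin_allow_block 123.123.123.123 10.0.1.0/24
```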

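An added check for the Filesystems items above, not from the original post: it reports entries of real filesystems that lack noatime and shows where acl is set, so the fstab review is repeatable. The function names and the sample fstab are constructed.

```shell
# Added example, not from the original post: report fstab entries of real
# filesystems that lack noatime, and list the ones carrying acl.
# Usage: audit_fstab /etc/fstab ; exit status 1 if any entry lacks noatime.
audit_fstab() {
    awk '
        # Skip comments, blank lines, swap and the kernel pseudo-filesystems:
        # access times are irrelevant there and the options differ anyway.
        /^[[:space:]]*(#|$)/ { next }
        $3 ~ /^(swap|proc|sysfs|tmpfs|devpts|debugfs|usbfs)$/ { next }
        {
            n = split($4, opt, ",")
            has_noatime = 0; has_acl = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "noatime") has_noatime = 1
                if (opt[i] == "acl") has_acl = 1
            }
            if (!has_noatime) { print "missing noatime: " $2 " (" $1 ")"; bad++ }
            if (has_acl) print "acl enabled:     " $2
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample fstab (not from a real machine) for a stand-alone run.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc            /proc  proc  defaults                    0 0
/dev/sda1       /      ext3  errors=remount-ro,noatime   0 1
/dev/sda2       /home  ext3  defaults,acl                0 2
/dev/sda3       none   swap  sw                          0 0
EOF
}

tmp=$(mktemp -d)
write_sample_fstab "$tmp/fstab"
audit_fstab "$tmp/fstab" || echo "fstab: some filesystems still update atime"
rm -rf "$tmp"
```
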
Comments (7)

Kai

Great inspiration! Added to my own sysadmin notes.

June 3, 2009, 8:23 p.m.

Why not use the group "sudo", which is already there in the default /etc/sudoers?

%sudo ALL=NOPASSWD: ALL

June 3, 2009, 8:33 p.m.

No reason, except my own blindness. I wonder; is that a lenny-ism? I don't see its introduction in the changelog.

Natxo Asenjo

checklists are nice, but having a Fully Automated Installation is better. Check fai: http://www.inf….

You can also use cfengine or puppet to ensure that all computers are set the way they must be.

June 4, 2009, 6:20 a.m.

Please re-read the second paragraph. Further comments that simply refer to such tools will not be shown.

Bernhard R. Link

Instead of configuring locales, I suggest using locales-all. Install once, purge locales, and no longer any problems of having some user wanting another locale generated.

June 4, 2009, 10:24 a.m.

Thanks. pusling pointed this out to me last night - another package I was not aware of.

Cae

New Debian/Linux user... the "Confirm security mirror is enabled"
- security mirror is enabled by default in lenny, but
- does squeeze have a security mirror?

June 4, 2009, 1:07 p.m.

Yes, see http://secure-…. I would confirm whether it's being actively maintained so far away from a release before relying on it.

Pete

Why don't you use aptitude? IIRC Debian officially only supports dist-upgrades with aptitude, so there should be some reason to use it.

June 4, 2009, 2:15 p.m.

Habit combined with some problems I have with aptitude. Your assertion regarding support for dist-upgrade is false.

This is awesome, I also issue these commands on new servers I set up:

echo "alias screen='TERM=screen screen'" >> /etc/bash.bashrc
echo "username ALL=NOPASSWD:ALL" >> /etc/sudoers

echo "set softtabstop=4" >> /etc/vim/vimrc
echo "set shiftwidth=4" >> /etc/vim/vimrc
echo "set tabstop=4" >> /etc/vim/vimrc
echo "set expandtab" >> /etc/vim/vimrc
echo "set noai" >> /etc/vim/vimrc
echo "ForwardAgent yes" >> /etc/ssh/ssh_config

The vim stuff is for sane tabbing, and the screen alias is to get rid of that weird barking thing when I press delete.

June 4, 2009, 11:30 p.m.

Hm. I fear modifying the system-wide vim and bash configurations is a bit anti-social.