April 7th, 2008
If you’re new to server management and use the terminal on GNU/Linux from time to time, this guide will hopefully come in handy for you to get started with your own server.
Unless you have good reasons to use another GNU/Linux distribution, I recommend that you install Debian. It has a lot of ready-to-install applications, is very stable, and is perhaps the distribution with the most tutorials around.
Please note that this is a very basic tutorial and has only been tested on Debian.
Connect to your server
First of all, log in as root:
ssh root@22.214.171.124 # where 22.214.171.124 is your server's IP address
Some hosting providers disable ssh root access, so you will need to replace root by your user name. If this is the case, after you log in you should become root:
Update your system
Add your user
If your hosting provider disables root access, then you should skip this step.
sudo is a very useful utility, and I recommend that you use it.
First, let’s install it:
aptitude install sudo
Then, we add your user to the list of sudoers by running
visudo
and then adding the following line at the end of the file, where emacs is your user name:
emacs ALL=(ALL) ALL
Now you become yourself:
su - emacs
Shared key ssh authentication
At this point you should use shared key ssh authentication, but for that there’s a great tutorial at ammonlauritzen.com.
Configuring the SSH daemon
Open /etc/ssh/sshd_config with your favorite text editor, say:
sudo nano /etc/ssh/sshd_config
Make sure the following lines are set this way; if not, add or modify them accordingly:
# separate two or more usernames by spaces
AllowUsers emacs
Finally, apply your modifications:
sudo /etc/init.d/ssh reload
Don’t log out yet: we need to check that you will still be able to access your server via ssh (that is, that you didn’t break anything in the /etc/ssh/sshd_config file). To check that everything is OK, open a second session and try to log in:
If you can log in, then it’s well configured and you may close the second session. If not, check your modifications and try again.
Setting up a basic firewall
We are going to set up a very basic firewall with the powerful netfilter/iptables. For this step you need to be root:
First, store the current iptables rules, in case something goes wrong with ours:
iptables-save > /etc/iptables.conf.old
Now, create the file /etc/iptables.conf and add the following contents:
*filter
# boring stuff for someone new to server administration
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [495:60715]
# always allow loopback traffic
-A INPUT -i lo -j ACCEPT
# drop invalid packets, allow replies to connections that are already open
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# this is the port used by the SSH daemon
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# allow ping (ICMP echo request)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log (rate limited) and reject everything else
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
Please pay attention to this line:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
You should add a similar line for every port that you want to be accessible from the Internet. That is, if you have a web server, you should copy that line but replace “22” with “80” (or any other port):
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
This is how you “enable” ports.
Then we load the configuration (and don’t log out until we test it!):
iptables-restore < /etc/iptables.conf
Testing the rules
To test the rules, open another terminal and try to access your server:
If you can log in, then the rules should be OK. If not, reload the original rules until you find help:
iptables-restore < /etc/iptables.conf.old
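Before running iptables-restore on a new /etc/iptables.conf, you can lint the file to confirm it will load and that the SSH port stays open. The following is an added example, not part of the original tutorial; the function names check_ruleset and write_sample are hypothetical, and the check is a heuristic that only reads the INPUT chain of the filter table.

```shell
# check_ruleset FILE PORT: lint an iptables-restore file before loading it.
# Returns 0 if new TCP connections to PORT are accepted, 1 if rejected or
# dropped, 2 if not loadable. Heuristic: rules narrowed by -i, -s, --state
# or --limit are skipped. (Added example; function names are hypothetical.)
check_ruleset() {
    awk -v port="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^\*/              { table = $1; next }    # table header, e.g. *filter
        $1 == "COMMIT"     { if (table == "*filter") committed = 1; table = ""; next }
        table == ""        { orphan = 1; next }    # rule outside any table
        table != "*filter" { next }
        $1 == ":INPUT"     { policy = $2; next }
        $1 != "-A" || $2 != "INPUT" || verdict != "" { next }
        {
            target = ""; proto = ""; dport = ""; narrow = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i ~ /^(-i|-s|--state|--limit)$/) narrow = 1
            }
            if (narrow || (proto != "" && proto != "tcp")) next
            if (dport != "" && dport != port) next
            if (target == "ACCEPT") verdict = "open"
            else if (target == "REJECT" || target == "DROP") verdict = "blocked"
        }
        END {
            if (orphan || !committed) { print "not loadable: check *filter/COMMIT"; exit 2 }
            if (verdict == "") verdict = (policy == "ACCEPT") ? "open" : "blocked"
            print "tcp/" port ": " verdict
            exit (verdict == "open" ? 0 : 1)
        }
    ' "$1"
}
# Constructed sample: a shortened copy of the ruleset on this page.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}
sample=$(mktemp); write_sample "$sample"
check_ruleset "$sample" 22 || echo "do not load this file: SSH would be cut off"
rm -f "$sample"
```

On the server, run it as check_ruleset /etc/iptables.conf 22. It complements iptables-restore --test, which parses the file without committing it but does not tell you whether port 22 stays reachable.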
Loading the rules when the server starts
If the rules we defined work, then the firewall should be loaded when the server starts:
Create the file /etc/network/if-pre-up.d/iptables with the following contents:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.conf
Then make it executable:
chmod +x /etc/network/if-pre-up.d/iptables
We can now go back to our normal user:
Your server is ready!
At this point, you are ready to start installing applications on your brand-new server!
- Make sure you already know the basics of GNU/Linux.
- Learn more about Debian.
- Find the HOWTO you were looking for.