If you’re new to server management and use the terminal on GNU/Linux from time to time, this guide will hopefully come in handy for you to get started with your own server.
Unless you have good reasons to use another GNU/Linux distribution, I recommend installing Debian. It has a lot of ready-to-install applications, is very stable and is perhaps the distribution with the most tutorials around.
Please notice that this is a very basic tutorial and has only been tested on Debian.
Connect to your server
First of all, log in as root:
ssh root@123.123.123.123 # where 123.123.123.123 is your server's IP address
Some hosting providers disable ssh root access, so you will need to replace root with your user name. If this is the case, after you log in you should become root:
su -
Update your system
aptitude update
aptitude upgrade
aptitude dist-upgrade
Add your user
If your hosting provider disables root access, then you should skip this step.
adduser emacs
Replace emacs by VI VI VI if you don’t believe in Saint IGNUcius.
Sudo setup
sudo is a very useful utility, and I recommend using it.
First, let’s install it:
aptitude install sudo
Then, we add your user to the list of sudoers. Run:
visudo
and add the following line at the end of the file:
emacs ALL=(ALL) ALL
Now you become yourself:
su - emacs
Shared key ssh authentication
At this point you should use shared key ssh authentication, but for that there’s a great tutorial at ammonlauritzen.com.
Configuring the SSH daemon
Open /etc/ssh/sshd_config with your favorite text editor, say:
sudo nano /etc/ssh/sshd_config
And make sure the following lines are set this way, if not, add or modify them accordingly:
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
UsePAM no
# separate two or more usernames by spaces
AllowUsers emacs
Finally, apply your modifications:
sudo /etc/init.d/ssh reload
Don’t log out yet: we need to check that you will still be able to access your server via ssh (that is, that you didn’t break anything in the /etc/ssh/sshd_config file). To check that everything is OK, open a second terminal and try to log in:
ssh emacs@123.123.123.123
If you can log in, then it’s well configured and you may close the second session. If not, check your modifications and try again.
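To catch mistakes before you reload sshd, here is a small audit script for the settings above. It is an added example, not part of the original tutorial, and it assumes the admin user name is passed as the second argument. It reads the file the way sshd does: the first uncommented occurrence of a keyword wins, so a corrected line appended at the end does not override an earlier one.

```shell
#!/bin/sh
# Audit an sshd_config against the settings this guide asks for.
# Mirrors how sshd reads the file: the FIRST uncommented occurrence of a
# keyword wins, keywords are case-insensitive, "Keyword=value" is accepted,
# and directives after a "Match" line are conditional, so we stop there.
# Assumption: inline "# ..." comments are not stripped (older sshd did not).

# sshd_get FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { gsub(/=/, " ") }                        # treat "=" like whitespace, as sshd does
        NF == 0 || $1 ~ /^#/ { next }             # skip blank lines and comments
        tolower($1) == "match" { exit }           # everything below is conditional
        tolower($1) == key {                      # first occurrence wins
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")       # drop the keyword itself
            sub(/[ \t]+$/, "")
            print; exit
        }
    ' "$1"
}

# sshd_audit FILE ADMIN_USER -> one line per problem; returns 0 only if all settings match
sshd_audit() {
    file=$1 admin=$2 rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no X11Forwarding=no UsePAM=no; do
        key=${pair%=*} want=${pair#*=}
        got=$(sshd_get "$file" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', effective value '${got:-<unset>}'"
            rc=1
        fi
    done
    # AllowUsers must be present and list the admin account, or you lock yourself out
    users=$(sshd_get "$file" AllowUsers)
    case " $users " in
        *" $admin "*) ;;
        *) echo "AllowUsers: '$admin' not listed (effective value '${users:-<unset>}')"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config emacs   (run before "ssh reload")
if [ $# -ge 2 ]; then sshd_audit "$1" "$2"; fi
```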
Setting up a basic firewall
We are going to set up a very basic firewall with the powerful netfilter/iptables. For this step you need to be root:
sudo -s
First, store the current iptables rules, in case something goes wrong with ours:
iptables-save > /etc/iptables.conf.old
Now, create the file /etc/iptables.conf and add the following contents:
# boring stuff for someone new to server administration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [495:60715]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# this is the port used by the SSH daemon
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
Please pay attention to this line:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
You should add a similar line for every port that you want to be accessible from the Internet. That is, if you run a web server, copy that line and replace “22” with “80” (or whatever port it uses):
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
This is how you “enable” ports.
Then we load the configuration (and don’t log out until we test it!):
iptables-restore < /etc/iptables.conf
Testing the rules
To test the rules, open another terminal and try to access your server:
ssh emacs@123.123.123.123
If you could log in, then the rules should be OK. If not, reload the original rules until you find help:
iptables-restore < /etc/iptables.conf.old
Loading the rules when the server starts
If the rules we defined work, then our firewall should be loaded when the server starts.
Create the file /etc/network/if-pre-up.d/iptables with the following contents:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.conf
Then make it executable:
chmod +x /etc/network/if-pre-up.d/iptables
We can now go back to our normal user:
exit
Your server is ready!
At this point, you are ready to start installing applications on your brand-new server!
What’s next?
- Make sure you already know the basics of GNU/Linux.
- Learn more about Debian.
- Find the HOWTO you were looking for.