Technical wiki updates

All page edits and messages on Wikispaces : linuxman

SLES 10 installation notes

Wed, 2008-08-20 10:49
Remove packages
Things to remove from the base distribution unless there's a good reason to do otherwise:
  • ksh - old Korn shell; no one uses this any more.
  • nfs-utils, nfsidmap, portmap - NFS file sharing; it's hard to set up securely, and portmap is a network-listening daemon that a public host should not run unless something actually needs it
  • yp-tools, ypbind - NIS client; rarely used any more, and NIS has no authentication at all (any host that knows the NIS domain name can pull the password map)
Add packages
Two packages worth installing on public servers are:
  • chkrootkit
  • rkhunter
    They're not part of SLES, but are part of OpenSUSE, so you'll need to get them from the OpenSUSE repositories. Both are signature-based checkers: install and run them on the freshly built system before it goes live, since a rootkit that gets in first can hide from them.
Other packages
SLES 10 doesn't include subversion, but requires you to download a 2.9 GB "developer kit" (the SLES SDK) to get access to it. An alternative to this awkward but supported arrangement is the simpler but unsupported method of using OpenSUSE 10.2 packages.

To achieve this, download the following packages from http://download.opensuse.org/distribution/10.2/repo/oss/suse/i586/ :
  • subversion
  • neon
  • db
  • db43
  • db-utils
and install them manually with rpm -Uvh on your SLES 10 system. Run rpm --checksig on the files first (after rpm --import of the openSUSE signing key): they arrive over plain HTTP from another distribution, and nothing else checks them. Bear in mind too that packages installed this way are outside the SLES update channel, so security fixes for them are yours to track. If anyone can point me to a public repository containing the developer packages without requiring this, that would be greatly appreciated!
Enable services
Some services need enabling before they will start on boot:
for i in acct amanda clamd freshclam lm_sensors mdadmd named ntp snmpd snort sysstat ; do
    chkconfig $i on
done
Only the ones actually installed, of course: chkconfig complains about unknown services, and chkconfig --list afterwards shows what will really start.
Service configuration
Some miscellaneous tweaks that might be desired:
  • Disable splash screen (mainly for servers which have no X) - /etc/sysconfig/bootsplash :
    SPLASH="no"
  • Enable clearing out of /tmp and /var/tmp - /etc/sysconfig/cron :
    MAX_DAYS_IN_TMP="30"
    MAX_DAYS_IN_LONG_TMP="90"
    LONG_TMP_DIRS_TO_CLEAR="/var/tmp"
    CLEAR_TMP_DIRS_AT_BOOTUP="yes"
    SYSLOG_ON_NO_ERROR="yes"
  • Enable chrooted postfix - /etc/sysconfig/postfix :
    POSTFIX_CHROOT="yes"
    POSTFIX_UPDATE_CHROOT_JAIL="yes"
  • Enable tighter permissions of common programs - /etc/sysconfig/security :
    PERMISSION_SECURITY="secure local"
    This only takes effect when the permissions are reapplied (SuSEconfig --module permissions, or chkstat), so run that after editing and check that nothing you rely on has lost a setuid bit.
  • Enable snort - /etc/sysconfig/snort :
    SNORT_ACTIVATE="yes"
    SNORT_AUTO="your-ip/mask"
    SNORT_PROMISC="yes"
    Replace your-ip/mask with the address range snort should treat as local.
  • Enable magic SysRq key - /etc/sysconfig/sysctl :
    ENABLE_SYSRQ="yes"
    Anyone at the console can then kill processes, dump memory or reboot the box with Alt-SysRq; fine for a server in a locked room, not for one on a shared KVM.
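As an added example (not part of the original notes), here is a small shell helper that makes the /etc/sysconfig edits listed above idempotently, so the same script can be re-run on every new host without duplicating lines or losing the vendor file. It assumes GNU sed (as shipped with SLES 10), works on a scratch directory standing in for /etc/sysconfig, and uses 192.168.1.0/24 as the snort local network; all three are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original notes): edit /etc/sysconfig-style
# KEY="value" files idempotently, and apply the tweaks listed above to a
# directory that stands in for /etc/sysconfig so the result can be diffed
# before touching the live files. Paths and the HOME_NET value are assumptions.
set -eu

# set_sysconfig FILE KEY VALUE
# Replace an existing KEY= line (active or commented out) or append one.
# Keeps FILE.orig the first time FILE is changed so the change can be reverted.
set_sysconfig() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"
    if grep -q "^[# ]*$key=" "$file"; then
        # '|' as the sed delimiter so values like 192.168.1.0/24 need no escaping
        sed -i "s|^[# ]*$key=.*|$key=\"$value\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_sysconfig FILE KEY: print the value of the last active KEY= line, unquoted
get_sysconfig() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$|\1|p" "$1" | tail -n 1
}

# apply_server_tweaks DIR HOME_NET: the settings from the list above
apply_server_tweaks() {
    d=$1 home_net=$2
    set_sysconfig "$d/bootsplash" SPLASH no
    set_sysconfig "$d/cron" MAX_DAYS_IN_TMP 30
    set_sysconfig "$d/cron" MAX_DAYS_IN_LONG_TMP 90
    set_sysconfig "$d/cron" LONG_TMP_DIRS_TO_CLEAR /var/tmp
    set_sysconfig "$d/cron" CLEAR_TMP_DIRS_AT_BOOTUP yes
    set_sysconfig "$d/cron" SYSLOG_ON_NO_ERROR yes
    set_sysconfig "$d/postfix" POSTFIX_CHROOT yes
    set_sysconfig "$d/postfix" POSTFIX_UPDATE_CHROOT_JAIL yes
    set_sysconfig "$d/security" PERMISSION_SECURITY "secure local"
    set_sysconfig "$d/snort" SNORT_ACTIVATE yes
    set_sysconfig "$d/snort" SNORT_AUTO "$home_net"
    set_sysconfig "$d/snort" SNORT_PROMISC yes
    set_sysconfig "$d/sysctl" ENABLE_SYSRQ yes
}

# Usage: sh sysconfig-tweaks.sh demo   (works on a scratch copy, never on /etc)
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    cp /etc/sysconfig/* "$work"/ 2>/dev/null || true
    apply_server_tweaks "$work" 192.168.1.0/24   # assumed HOME_NET
    for f in "$work"/*.orig; do
        diff -u "$f" "${f%.orig}" || true
    done
    rm -rf "$work"
fi
```

Running it with the demo argument copies the live files to a temporary directory, applies the changes there and prints a unified diff per file, which is the review step worth doing before pointing it at /etc/sysconfig itself.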

Password practices

Mon, 2008-08-11 10:19
Choosing a password that is both hard to guess and easy to remember is not difficult - there are two simple rules:
  1. Use a whole phrase or sentence.
    Don't try to make it into an acronym or substitute numbers for letters.
  2. Choose something you think about a lot, and then say something specific about it.
    Adding this layer of abstraction is important because it means that even if a person knows something about you, they aren't any closer to finding your password.

Here are some examples of moving from concept to specifics (note the use of punctuation and numbers, which is always a good idea). They are illustrations only: a phrase that has been published belongs in every cracking wordlist, so don't reuse these.
  • Soccer:
    Soccer is my life!
  • Computer frustration:
    These computers are crazy.
  • Rick Warren:
    That is 1 LOUD shirt...
  • Rugby League:
    Score: Qld 56, NSW 0


Ubuntu installation procedure

Sun, 2008-08-10 07:15
Start
See Linux installation procedure first!
Caveats
Software installation
  • (I usually share one bind9 instance across all VMs on one physical host.)
  • Purge unneeded library dependencies:
    while [ $(deborphan | wc -l) -gt 0 ]; do
        aptitude purge $(deborphan)
    done
    Watch this the first time: it loops until deborphan reports nothing, so if aptitude refuses to purge something deborphan keeps listing, it never terminates.
Other things to do after a fresh install
  • Set up /etc/resolv.conf with appropriate name servers & domains. (The installer only allows one domain and one name server.)
  • Add your ssh public key to /root/.ssh/authorized_keys2 (or authorized_keys, the current name; OpenSSH reads both).
  • Edit /etc/syslog.conf to put syslog messages on tty12. Add this line:
    *.debug /dev/tty12
  • sysstat config.

DNS

Wed, 2008-07-23 22:06

Autoproxy

Wed, 2008-07-23 11:08
To set up autoproxy:
  1. Put proxy.pac on the document root of your web server. Edit for your site. (There's another sample at sample wpad.dat .)
  2. Test the browser by using http://yourwebserver/proxy.pac as the autoproxy URL.
  3. If this works, add a DNS alias of wpad to yourwebserver.
  4. Rename proxy.pac to wpad.dat.
  5. Test the browser using auto-detect proxy settings. It should work now. Some client/server combinations seem to have trouble if wpad points to a named virtual host rather than a standard (non-virtual) web server (i've had problems with the Windows XP/IIS combination here).
  6. Add appropriate MIME types somewhere in your Apache configuration:
    AddType application/x-ns-proxy-autoconfig .dat
    AddType application/x-ns-proxy-autoconfig .pac
Bear in mind what you've just built: every browser on the LAN will now fetch and execute whatever script the name wpad resolves to. Make sure nobody else can register that name (no dynamic DNS updates from clients into your zone), and that only your own DHCP server answers on the LAN, since DHCP option 252 can hand out a WPAD URL as well.

Essential spam-fighting techniques

Wed, 2008-07-23 11:07
In running several mail servers for small-to-medium-sized organisations, i've found that there are a few basic things that will help reduce spam from a huge flood to a tiny trickle, using Free Software tools.

Key steps
  1. Use greylisting . Greylisting servers are lightweight enough to deploy on almost any mail server as a filter to keep out some simple spam systems. Let SpamAssassin (which is more CPU & memory intensive) deal with the serious stuff. Greylisting on my personal server has resulted in a long-term reduction in spam as a percentage of total mail. (See spam statistics for details.)
  2. Add some fake MXs before and after your real MX: an unreachable host as the highest-priority MX and another as the lowest. Real MTAs simply move on to the next MX; many spambots only try the first (or only the last) and give up. Make the fake hosts refuse the connection outright (closed port or unroutable address) rather than accept and hang, otherwise you delay legitimate mail by a connect timeout.
  3. If you can afford to spare some bandwidth (on my sites it has never equated to more than a few small emails per minute, which amounts to very little) for spam fighting, collect some live spam:
    1. Allocate several honeypot email addresses, and list them on a web page that looks reasonably legitimate. If possible, send out a few real messages from these addresses to public newsgroups or mailing lists that have public archives.
    2. If possible, allocate several honeypot domains, and give them real MX records in DNS. Many of the spambots i've seen recently try either completely random addresses, or use a set of fixed variations on a database of common first & last names. List some addresses in your honeypot domains on your web page.
    3. Exclude all of your honeypot addresses and domains from checking by both your greylist and your spam filter.
    4. Forward all mail to honeypot addresses and domains to a single account on your server.
  4. Ensure your SpamAssassin database is trained with new data regularly:
    1. If your users are well-trained to make sure only spam stays in their junk folders, use your IMAP server's junk folders to train your spam database.
    2. Use your IMAP server's Inbox and Sent folders for each user to train your ham database.
    3. Use the data you've captured in your honeypot addresses to train your spam database. I run my SpamAssassin installations in autolearn mode to do learning on the fly, and i add training data from my IMAP folders every night.
  5. Graph your mail statistics with mailgraph , amavis-stats or something similar, and actually look at the data once a week or so. This can help you spot errors or deficiencies in your spam filtering configuration.
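Steps 4.1 to 4.3 as a nightly cron job, written here as an added example rather than the page's own script. It assumes a Maildir++ layout (INBOX is ~/Maildir itself, other folders are ~/Maildir/.Junk and ~/Maildir/.Sent), one site-wide Bayes database writable by whoever runs the job, and a honeypot account called spamtrap that receives the forwarded honeypot mail from step 3.4; the account name, folder names and mail root are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the nightly Bayes training run
# described in steps 4.1-4.3, fed from users' IMAP Maildirs plus the honeypot
# account. Assumptions: Maildir++ layout (INBOX is ~/Maildir itself, other
# folders are ~/Maildir/.Junk, ~/Maildir/.Sent), one site-wide Bayes database
# that the invoking user can write, and a honeypot account named in
# HONEYPOT_USER. Point SA_LEARN at a wrapper (or "echo") to dry-run.
set -eu

SA_LEARN=${SA_LEARN:-sa-learn}             # may be multi-word, e.g. "sudo -u amavis sa-learn"
HONEYPOT_USER=${HONEYPOT_USER:-spamtrap}   # assumed name of the account from step 3.4
SPAM_FOLDER=.Junk
HAM_FOLDERS=". .Sent"                       # "." is the INBOX itself (step 4.2)

# count_messages DIR: delivered messages under DIR (cur/ and new/), 0 if absent
count_messages() {
    find "$1/cur" "$1/new" -type f 2>/dev/null | wc -l | tr -d ' '
}

# learn MODE DIR: feed one Maildir folder to sa-learn as spam or ham.
# --no-sync defers the expensive journal merge to the single --sync at the end.
# Prints the number of messages fed (0 when the folder is empty or missing).
learn() {
    mode=$1 dir=$2
    n=$(count_messages "$dir")
    if [ "$n" -eq 0 ]; then echo 0; return 0; fi
    set --
    for sub in cur new; do
        if [ -d "$dir/$sub" ]; then set -- "$@" "$dir/$sub"; fi
    done
    $SA_LEARN --"$mode" --no-sync "$@" >/dev/null
    echo "$n"
}

# train_spamassassin MAILROOT: expects MAILROOT/<user>/Maildir for every user.
# Prints "spam=N ham=M" so the cron mail shows what was learnt.
train_spamassassin() {
    root=$1 spam=0 ham=0
    for md in "$root"/*/Maildir; do
        [ -d "$md" ] || continue
        user=$(basename "$(dirname "$md")")
        if [ "$user" = "$HONEYPOT_USER" ]; then
            # everything the spamtrap receives is spam by definition (step 4.3)
            spam=$((spam + $(learn spam "$md")))
            continue
        fi
        spam=$((spam + $(learn spam "$md/$SPAM_FOLDER")))
        # Only worth doing if users really keep spam out of these folders:
        # ham-training a spam teaches Bayes exactly the wrong lesson.
        for f in $HAM_FOLDERS; do
            ham=$((ham + $(learn ham "$md/$f")))
        done
    done
    $SA_LEARN --sync >/dev/null
    echo "spam=$spam ham=$ham"
}

# Usage from cron, e.g. nightly:  SA_LEARN="sudo -u amavis sa-learn" sh sa-train.sh /home
case ${1:-} in
    "") ;;
    *)  train_spamassassin "$1" ;;
esac
```

Folders with no messages are skipped without invoking sa-learn, and one --sync at the end replaces a journal merge per folder, which matters once there are a few dozen users.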

These simple steps have been extremely effective in keeping my users' inboxes almost completely free of spam with relatively little effort.

References
  1. Mail Filtering: Or, how to block a few million spams per day without breaking a sweat. - this has some great wisdom that gives specific advice for sendmail, but the techniques can be applied to other mailers as well.
    A couple of notes on where i disagree with the advice given there:
    • SpamAssassin 3.x works fantastically well for me (and the load it causes on my systems is not great), provided that Bayesian filtering is on.
    • I use RBLs with SpamAssassin, but they are only used for scoring spam, and not actually blocking mail. I completely agree with Jef that RBLs should never be used to block email. Dynamic IP range RBLs are particularly nasty in my opinion (speaking as someone who uses a dynamic IP for his server ;-), because they block emails not based on whether or not they are spam, but on what sort of ISP data plan the sender is on.
  2. SpamAssassin's list of other tricks - great reading
  3. Greylisting tools:
  4. SpamAssassin
  5. Another technique for authentication of messages sent from remote mail servers is Bluereef 's Sonar SMTP tagged message authentication, which is a variation on greylisting which uses a challenge-response process rather than simply relying on normal SMTP server retries. I no longer recommend this, because it produces backscatter for every spam that comes in, which can get your (legitimate) server listed as a spam originator.

Creating a Debian server for a small nonprofit

Wed, 2008-07-23 11:05
NOTE
This material is now somewhat obsolete, and more up-to-date information can be found in the pages General Debian installation notes and Generic Linux installation procedure .

Background
This page is what i'm using to document building a file/print/proxy server for a small nonprofit office. The server's DNS name (or IP address before DNS is set up) is shown below as SERVER, and the domain name is shown as YOUR.DOMAIN.NAME.

See also General Debian installation notes .

Network design
Here's a diagram of the network setup used in this example (drawn with dia ):

This document details the installation of the file/proxy/firewall server.

Software
For this project i'm using Debian 3.1 (sarge) which is the current stable release of Debian. The main advantages of using Debian are:

  • stable in both reliability and level of churn
  • uses only free software in the base operating system

Hardware
The hardware used for this project was:

  • AMD Sempron 2200
  • ASUS A7V400-MX motherboard
  • 512M PC2100 Kingmax DDR RAM
  • 2 x Western Digital Caviar 200G 7200rpm HDD

Installation
  • Boot from Debian sarge netinst CD
  • Configure disks as follows:
    • 2 disks - both masters on their controllers (assuming ATA)
    • 1 GB ext3 /boot RAID1
    • The rest of the disks as a single RAID1 partition given to LVM
    • Create a volume group called vg00
    • Create logical volumes:
      • 4 GB swap
      • 3 GB reiserfs /
      • 8 GB reiserfs /var
      • any additional space should be allocated to appropriate data volumes like /home
  • When you install the system, don't choose any software sets.

Software selection
After the system boots, install a workable minimal system:

  • Add non-free to the end of each deb repository line in /etc/apt/sources.list - this enables lha and unrar (see below) to be installed.
  • apt-get update && apt-get dist-upgrade
  • apt-get remove --purge nano nvi
  • apt-get install acct apt-show-versions arj bc bind9-host bzip2 chkrootkit clamav cvs debian-keyring deborphan debsums ftp gnupg hddtemp isag less lha lsof ltrace make mdadm ntp ntp-server ntpdate pciutils postfix powermgmt-base psmisc rcs rsync smartmontools ssh strace sysstat sysvconfig time traceroute unrar unzip unzoo vim wget whois xpdf zip
?? lsb uudeview
  • Other possible package sets to install:
    • administration: apt-get install webmin
    • CD burning: apt-get install cdrecord mkisofs
    • database server: apt-get install postgresql or apt-get install mysql
    • DHCP server: apt-get install dhcp webmin-dhcpd
    • DNS server: apt-get install bind9
    • firewall: apt-get install aide ethereal logwatch oinkmaster shorewall snort tethereal tripwire webmin-snort
    • dynamic IP server: apt-get install ddclient
    • monitoring: apt-get install mrtg snmp snmpd
    • printing: apt-get install cupsys magicfilter printconf
    • proxy server: apt-get install dansguardian sarg squid squidguard webmin-sarg webmin-squid
    • web browsing: apt-get install mozilla

apt setup
Sometimes, you need to get more recent software than is provided by Debian stable. Here's a sample apt preferences file which will allow us to pull in packages from testing or unstable without ever allowing them to become the default. You can read more about this at http://www.argon.org/%7Eroderick/apt-pinning.html .

Security setup
  • Add your public key (~/.ssh/id_dsa.pub) to SERVER:~root/.ssh/authorized_keys2 (or authorized_keys, the current name; OpenSSH reads both)
  • Disable password authentication and PAM in /etc/ssh/sshd_config: PasswordAuthentication no, UsePAM no, and also ChallengeResponseAuthentication no, because keyboard-interactive through PAM is another way to type a password. Restart ssh (service ssh restart). Do this from one session and confirm a fresh key login works from a second before closing the first, or a typo locks you out of the box.
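Before restarting sshd it is worth checking what the file actually allows. This added example (not from the original page) reads sshd_config the way sshd does, first occurrence of a keyword wins and keywords are case-insensitive, and reports any authentication path that still accepts a password, including the easily missed one where PasswordAuthentication is off but keyboard-interactive via PAM is still on. The three sample configurations it writes are constructed for the demonstration, not copied from any distribution.

```shell
#!/bin/sh
# Added example, not part of the original notes: check what an sshd_config
# actually allows before you close your last password session. sshd takes
# the FIRST occurrence of a keyword (later ones are ignored), keywords are
# case-insensitive, and "PasswordAuthentication no" on its own still leaves
# keyboard-interactive password prompts open when PAM is in use.
# The sample configs below are constructed for the demonstration.
set -eu

# sshd_effective FILE KEYWORD: the value sshd will use, or nothing if unset.
# Stops at the first Match block, whose settings are conditional.
sshd_effective() {
    awk -v k="$2" '
        BEGIN { k = tolower(k) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# password_login_possible FILE: true (0) if some authentication method that
# accepts a password is still enabled; prints the reasons.
password_login_possible() {
    f=$1
    pa=$(sshd_effective "$f" PasswordAuthentication)
    cra=$(sshd_effective "$f" ChallengeResponseAuthentication)
    kia=$(sshd_effective "$f" KbdInteractiveAuthentication)   # newer spelling of the same switch
    pam=$(sshd_effective "$f" UsePAM)
    found=1
    if [ "$(lc "${pa:-yes}")" != no ]; then                      # compiled-in default is yes
        echo "$f: PasswordAuthentication is ${pa:-yes (default)}"
        found=0
    fi
    # keyboard-interactive defaults to on; with PAM it is a password prompt by another name
    if [ "$(lc "${kia:-${cra:-yes}}")" != no ] && [ "$(lc "${pam:-no}")" = yes ]; then
        echo "$f: keyboard-interactive via PAM still accepts passwords (set ChallengeResponseAuthentication no)"
        found=0
    fi
    return $found
}

# audit_sshd FILE: 0 only if no password path remains and root is key-only
audit_sshd() {
    ok=0
    password_login_possible "$1" && ok=1
    prl=$(sshd_effective "$1" PermitRootLogin)
    case "$(lc "${prl:-yes}")" in
        no|without-password|prohibit-password) ;;
        *) echo "$1: PermitRootLogin is ${prl:-yes (default)}; use without-password (key only)"; ok=1 ;;
    esac
    return $ok
}

# write_sample_sshd_config FILE VARIANT: constructed configs for the demo
write_sample_sshd_config() {
    case $2 in
        default)    # passwords everywhere, roughly what a fresh install looks like
            printf '%s\n' 'Port 22' '#PasswordAuthentication yes' \
                'ChallengeResponseAuthentication yes' 'UsePAM yes' 'PermitRootLogin yes' > "$1" ;;
        half)       # the common mistake: PasswordAuthentication off, PAM path still open
            printf '%s\n' 'PasswordAuthentication no' 'UsePAM yes' 'PermitRootLogin yes' > "$1" ;;
        hardened)   # key-only as the step above intends; the trailing "yes" shows first-match
            printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
                'ChallengeResponseAuthentication no' 'UsePAM no' \
                'PermitRootLogin without-password' 'passwordauthentication yes' > "$1" ;;
    esac
}

# Usage: sh sshd-audit.sh demo        or:  audit_sshd /etc/ssh/sshd_config
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d)
    for v in default half hardened; do
        write_sample_sshd_config "$t/$v" "$v"
        if audit_sshd "$t/$v"; then echo "$t/$v: key-only, OK"; fi
    done
    rm -rf "$t"
fi
```

The "half" variant is the one to remember: it passes a casual grep for PasswordAuthentication and still lets anyone with a password in.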

Network setup
  • Set up webmin on http://SERVER:10000/ - turn on SSL redirection, and restrict it to LAN addresses (Webmin Configuration > IP Access Control) so it is never reachable from the outside interface
  • Set up DNS using webmin. Add a YOUR.DOMAIN.NAME zone and a reverse lookup zone for your chosen IP address range. (In my case i've used 192.168.0.0/24 for my DMZ (see below) and 192.168.1.0/24 for my LAN.)
  • Set up DHCP using webmin:
    • I recommend using static addresses for all client PCs - this requires gathering and maintaining MAC addresses, but if the network is relatively stable, it is well worth the effort, as it simplifies troubleshooting enormously. Or, to put it more strongly, dynamic addressing should only be used if you have more clients than IP addresses. It is useful for dialup ISPs and not much else.
    • Use a nice long lease time (i use 40 days), so that if you have a problem with your DHCP server, at least network access is still available to the clients.
    • Set the following client options for the subnet:
      • subnet mask
      • domain name
      • NTP servers - use SERVER's internal IP address
      • default gateway (router) - use SERVER's internal IP address
      • DNS servers - use SERVER's internal IP address
      • log server - use SERVER's internal IP address. The main reason for this is that HP JetDirect print servers use it to send syslog messages to the server, which helps with troubleshooting.

Firewall
  • Shorewall is the only packet filtering configuration utility i recommend. See PPPPPPS for some quick tips.

Proxy server
  • Set up an apache2 virtual host for serving local LAN functions - here's a sample virtual host config
  • Add /var/www/wpad.dat - here's a sample wpad.dat . This is used to let web browsers (those which support it - Mozilla is a notable exception) automatically find and use your proxy server.
  • Modifications to /etc/squid/squid.conf (here's a squid.conf patch to do all of the following steps):
    • Uncomment and adjust the cache_dir line - i usually start with a 1000 MB cache
    • Add Safe_ports and SSL_ports entries for webmin and usermin.
    • Add appropriate ACLs to allow access for DMZ NIC and the local LAN.
  • Configure DansGuardian. All of these are matters of judgement and your requirements may be different. The main thing we're trying to achieve here is stopping PCs that are open to public access from being used to display porn. Make the following changes to files in /etc/dansguardian:
    • Comment out "UNCONFIGURED" line in dansguardian.conf
    • Change accessdeniedaddress to use SERVER address in the URL (also in dansguardian.conf)
    • Change naughtynesslimit in dansguardianf1.conf to your preferred level - i usually start it somewhere around 120 and adjust as necessary.
    • Remove the contents of bannedextensionlist - all this will do is get in the way of legitimate browsing.
    • Set ICRAchat = 1 in pics

Monitoring
When you're troubleshooting a problem, it's essential to know how your systems are performing in various aspects.

  • sysstat: Enable it in /etc/default/sysstat and run service sysstat restart
  • snmp:
    echo "rocommunity public SERVER_INTERNAL_IP" > /etc/snmp/snmpd.conf
    This gives us a simple setup that allows read-only use from the local system. Replace public with something unguessable: it's the community string every scanner tries first, and because SNMPv2c is unauthenticated UDP the source-address restriction is only a weak second line of defence. Then run
    service snmpd restart
    to activate the new configuration.
  • mrtg: Run the following commands:

cd /etc
rm -f mrtg.cfg
mkdir mrtg
ln -s mrtg/mrtg.cfg .
cd mrtg
vi Makefile
make
The vi step creates /etc/mrtg/Makefile from the sample mrtg makefile . Running make will access the SNMP daemon on SERVER and create an mrtg configuration.

Other miscellaneous changes
  • /etc/crontab : If you're an early riser like me, you don't want the cron.daily, .weekly, and .monthly jobs running while you're working on the system. I move them back from after 6 am to 1, 2, & 3 am respectively.

Basic steps to secure a public bind9 server

Wed, 2008-07-23 11:04
It seems to be typical of public DNS servers that when they appear, people want to use them as forwarders. I've never worked out why this is so (probing for vulnerabilities?) but it's happened every time i've set up a public server. Whatever the motive, an open recursive resolver is a liability: it does strangers' lookups at your expense, and it can be used to reflect and amplify traffic at third parties.

The solution to this is bind9 ACLs (Access Control Lists). Bind provides some built-in ACLs, including localhost and any. The following ACL example assumes our ISP is going to act as our secondary, and we have a number of internal and external systems which want to use this host as a forwarder.
acl ourISP {
    1.2.3.0/24;
};
acl ourExternal {
    3.2.1.0/24;
};
acl ourInternal {
    192.168.0.0/20;
};
Next, we set up the defaults for all zones in the main options section:
options {
    ...
    allow-transfer {
        localhost;
        ourInternal;
        ourExternal;
        ourISP;
    };
    allow-query {
        localhost;
        ourInternal;
        ourExternal;
        ourISP;
    };
    ...
};
Two things to note here. allow-transfer lists everyone who may pull a whole zone with AXFR; only the secondary (ourISP) needs that, so it's safer to list just it, since the other networks can still look up individual names. And bind9 has a dedicated allow-recursion option: restricting allow-query as above keeps strangers from using the server at all, but if you want to answer anyone's queries for your own zones (below) while refusing to recurse for them, allow-recursion is the option that says exactly that.
Lastly, add settings for zones which we master. This allows us to answer direct queries from anyone for the domains we master, but those for which we are not authoritative are covered under the default ACLs. All zones we master or secondary for should be given an allow-query { any; }; entry like the one below.
zone "example.com.au" {
    type master;
    file "master/example.com.au.hosts";
    allow-query {
        any;
    };
};
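The same setup in one named.conf fragment, added here as an example and not taken from the page's own configuration, with allow-recursion limited to our own networks and allow-transfer narrowed to the secondary. The ACL names and address ranges are the page's placeholders.

```conf
// Added example, not the page's own named.conf. ACL names and ranges are the
// page's placeholders; the changes are allow-recursion and a narrowed allow-transfer.
acl ourISP      { 1.2.3.0/24; };       // our secondary
acl ourExternal { 3.2.1.0/24; };
acl ourInternal { 192.168.0.0/20; };
acl trusted     { localhost; ourInternal; ourExternal; };

options {
    // ... directory, listen-on, etc. as before ...

    // Who may ask anything at all. Zones we are authoritative for override
    // this with "any" below, so in practice this governs names we would
    // have to go and look up on someone's behalf.
    allow-query     { trusted; ourISP; };

    // Who we will recurse for. This is the setting that decides whether the
    // host is an open resolver, independently of allow-query.
    allow-recursion { trusted; };

    // Only the secondary needs the whole zone. Everyone else can still query
    // names one at a time; a full AXFR just hands them a map of the network.
    allow-transfer  { ourISP; };
};

zone "example.com.au" {
    type master;
    file "master/example.com.au.hosts";
    allow-query { any; };           // authoritative answers for everyone
    // allow-transfer is inherited from options: ourISP only
};
```

After reloading, dig @SERVER example.com.au from an outside address should answer, dig @SERVER www.google.com from the same address should be refused, and dig @SERVER example.com.au axfr should only succeed from the ISP's range.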

Linux installation procedure

Wed, 2008-07-23 11:00
System planning
Disk design
  • RAID
    In general, Linux software RAID is preferable for OS disks.
  • file system layouts
    In general, the fewer file systems present, the easier a system is to manage. For most servers, separate volumes for the following file systems should be configured:
    • / (root)
    • /boot
    • /tmp
    • /var
    Keeping /tmp and /var separate means a filled-up log or temp area can't take the root file system down with it, and /tmp can be mounted nosuid,nodev. Additional file systems should be added when applications need isolation. For small server disks (anything under 72 GB or so), this may not be feasible.
  • location of data
    In general, unless there is a good reason to do otherwise, application data should be stored under /srv/APPNAME for system-provided applications, or /var/opt/APPNAME for 3rd-party applications which comply with the FHS standard for optional packages.
  • Commonly used disk-related commands
Network design
  • Determine trust models for network services.
  • Determine location in network topology.
Distribution-specific Installation Notes
Configuration
As a simple way of maintaining configuration history on a system, i prefer to set up subversion for maintaining local configuration on all systems.
Services
Host services
As far as possible, all hosts should have some basic accounting and performance collection configured, and store it for at least one month, preferably more. Packages that should be configured are:
Network services
Notes on specific packages
Packages that will be needed on most systems that are possibly not installed on some distributions:
  • acct (a.k.a. psacct) - Process accounting (logs CPU/disk/memory usage of particular processes).
  • chkrootkit - intrusion detection
  • clamav - virus scanner
  • findutils-locate - locate files on the system
  • ethereal - protocol analyser (renamed Wireshark in 2006, so the package may be called wireshark)
  • ltrace - library call trace (ltrace-32bit also for 64-bit systems)
  • net-snmp - allows monitoring of various aspects of the system
  • nmap - network diagnostics tool
  • ntp (a.k.a. xntp) - Network Time Protocol. This package ensures that the system's clock is kept in sync.
  • rcs - revision control system
  • rsync
  • sensors (a.k.a. lm-sensors) - motherboard health monitoring
  • snort - Intrusion detection system
  • strace - system call trace
  • sysstat - Collects system performance statistics that can be viewed later with sar or isag.

Other packages you might want:
  • aide - intrusion detection
  • amanda - backup
  • bind - DNS server
  • iptraf - IP traffic monitor
  • linux-iscsi/open-iscsi - for network storage via iSCSI
  • multipathd - disk load balancing & failover
  • rsnapshot - rsync-based backup tool that saves time and disk space
  • webalizer - gather web server statistics from logs
  • xpdf - For reading system documentation in PDF.

Notes on specific packages that are usually installed by default:

Debian installation notes

Sun, 2008-07-06 14:19
Start See Generic Linux installation procedure first!
Caveats
  • These reflect my preferences
  • They're mostly based on etch (Debian 4.0), but should work for other derivatives and earlier versions.
  • They're mostly here for my benefit, particularly when installing VServer s, VMware VMs, or Xen domUs.
Software installation
  • Change /etc/apt/sources.list to comment out unneeded repositories (i don't use deb-src on most machines) and add contrib & non-free (if necessary).
  • Add the following to /etc/apt/apt.conf :
    Aptitude::Recommends-Important "false";
    This ensures that aptitude doesn't enforce "soft" (recommends) dependencies, only "hard" (depends) dependencies. It doesn't seem to be necessary on new vservers, since this file is copied from the host.
  • (sarge only) Reduce the noise of package installs:
    dpkg-reconfigure debconf
    (Choose high when prompted for the priority.) This step isn't necessary any more on etch, since high is the default.
  • Install latest OS updates that didn't get added during the install process:
    aptitude update
    aptitude upgrade
  • Set ftp_proxy , http_proxy , and https_proxy environment variables.
  • Remove non-preferred apps in base install:
    aptitude purge vim-tiny nvi nano
  • Install preferred software.
    • Core set for all machines:
      aptitude install acct apt-show-versions at bc bind9-host bzip2 deborphan \
      debsums file ftp isag less logwatch lsof lsscsi ltrace make openssl patch \
      perl postfix psmisc rsync ssh strace sysstat subversion sysvconfig telnet \
      time vim
    • Additional packages for physical hosts (i.e. not VMs):
      aptitude install bind9 pciutils
  • (I usually share one bind9 instance across all VMs on one physical host.)
  • Purge unneeded library dependencies:
    while [ $(deborphan | wc -l) -gt 0 ]; do
        aptitude purge $(deborphan)
    done
Other things to do after a fresh install
  • Set up /etc/resolv.conf with appropriate name servers & domains. (The installer only allows one domain and one name server.)
  • (VMs only) Edit the mess that debootstrap/xen-create-image makes of /etc/hosts .
  • Add your ssh public key to /root/.ssh/authorized_keys2 (or authorized_keys, the current name; OpenSSH reads both).
  • Edit /etc/syslog.conf to put syslog messages on tty12. Add this line:
    *.debug /dev/tty12
  • Verify contents of /etc/network/interfaces
  • Change sysstat config.
  • (VServers only) It seems necessary to change the following line in /etc/postfix/main.cf :
    inet_interfaces = all
    to
    inet_interfaces = $myhostname