Debian7 VPS Installing Required Packages

Debian7 VPS Installing Required Packages for basic and advanced configuration. Such packages and will be needed through the rest of the configuration steps. Initially, you will install and configure MTA eMail services in order to receive emails and alerts notification while you are configuring your system. The required packages will include Development Tools and packages to prepare the VM or VPS for advanced HowTo configuration Articles.

Besides, I will install updates, upgrades, NTP time server, Utilities, and Development Tools, which will prepare the VM/VPS for Linux Security Measures and Hardening Tools. As you probably noticed, the VM or the VPS must go through few layers of staging before start loading and running specific services such Web Hosting Solution services.

Objectives:

1. Installing Required Packages

2. Installing MTA eMail Services

3. Setting Basic Configuration

Prerequisites:

A. Basic Debian or Ubuntu System Knowledge

B. Login to your DigitalOcean or Vultr Account

C. Follow the Courses and Sections by Order

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Installing Required Packages

Run the following steps (1 to 5)

1. Backup Source List

cp /etc/apt/sources.list /etc/apt/sources.bak

Note: or you can hold Alt-b to instruct nano editor to Backup the file before modifying and saving the file. It will save a backup of the sources.list file as “sources.list~”

Source list used to download packages for your system. DigitalOcean or Vultr might add their own sources as well to your sources.list file. I usually backup the sources.list file and I use my own list which is the default sources.list of Debian7.

2. Edit the Source List

nano /etc/apt/sources.list

Using nano editor, I usually use Ctrl-k keys at the beginning of the file to delete all lines. Copy the following sources.list content and paste it inside the blank sources.list.

deb http://ftp.de.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.de.debian.org/debian/ wheezy main contrib non-free

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

# wheezy-updates, previously known as 'volatile'
deb http://ftp.de.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ wheezy-updates main contrib non-free

deb http://ftp.us.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.us.debian.org/debian/ wheezy main contrib non-free

# wheezy-updates, previously known as 'volatile'
deb http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free

Save: Ctrl-X, Hit Y Key, and Enter.

List apt directory to see the backup file

ls -nah /etc/apt/

drwxr-xr-x  6 0 0 4.0K Feb 14 03:14 .
drwxr-xr-x 76 0 0 4.0K Feb 14 02:18 ..
drwxr-xr-x  2 0 0 4.0K Jan 28  2015 apt.conf.d
-rw-r--r--  1 0 0   99 May  3  2013 listchanges.conf
drwxr-xr-x  2 0 0 4.0K Mar 14  2013 preferences.d
-rw-r--r--  1 0 0  108 Feb 14 03:12 sources.bak
-rw-r--r--  1 0 0  820 Feb 14 03:14 sources.list
drwxr-xr-x  2 0 0 4.0K Mar 14  2013 sources.list.d
-rw-------  1 0 0 1.2K May  3  2013 trustdb.gpg
-rw-------  1 0 0    0 May  3  2013 trusted.gpg
drwxr-xr-x  2 0 0 4.0K Jan 28  2015 trusted.gpg.d

3. Refresh Source List

apt-get update

Please make sure the source update list finish successfully, it should show you “Reading package lists… Done” with no errors, something similar to the following:

Get:5 http://security.debian.org wheezy/updates/main Translation-en [132 kB]
Fetched 469 kB in 3s (130 kB/s)
Reading package lists... Done
[email protected]:~#

4. Install Dependencies, Utilities, and Development Tools

Note: the following Required Packages such Dependencies, Utilities, and Development Tools are required across all the Web Hosting Solution.

TIP: Copy the whole line as one command and past it inside Putty window. Just hit right click inside Putty window after you copied the whole line below, and it should get pasted right way, then hit enter to execute.

apt-get install aptitude build-essential make module-assistant wajig libc6 libpcre3-dev libpcrecpp0 libexpat1 ssl-cert libssl-dev libpcre3 glibc-doc zlib1g-dev python-software-properties zlib1g lsb-base openssl binutils sudo arj nomarch libgeoip-dev zoo unzip zip bzip2 lzop cabextract apt-listchanges daemon libnet-ldap-perl libauthen-sasl-perl libio-string-perl git libio-socket-ssl-perl libnet-ident-perl libnet-dns-perl autoconf automake1.9 libtool flex bison debhelper binutils-gold ssh openssh-server php5-cli debconf-utils lsb-release

5. Check if System Reboot Required

a. Create system-status.sh file

nano /root/system-status.sh

Copy and paste the following code inside system-status.sh file:

#!/bin/bash
if [ -f /var/run/reboot-required ]; then
  echo ***System Reboot Required***
fi

Save: Ctrl-X, Hit Y Key, and Enter.

b. Set Execute Permission

chmod +rwx /root/system-status.sh

c. Run system-status.sh file

/root/system-status.sh

If system reboot required, you will see the following message:

***System Reboot Required***

Installing MTA eMail Services

I need MTA (SMTP) service such Postfix for email notification, however, Debian Base systems might come with Exim4 or Sendmail, meaning, aptitude package manager will ask you to remove other MTA packages such Exim4 or Sendmail before installing Postfix.

It’s your choice, but I highly recommend using Postfix since it’s going to be used as standard Mail Server if you decide to build Web Hosting Solution.

Run the following steps (1 to 4)

1. Install Postfix Packages

aptitude install postfix postfix-mysql postfix-doc

You might be prompted by the following:

exim4-config : Conflicts: postfix but 2.9.6-2 is to be installed.
The following actions will resolve these dependencies:

     Remove the following packages:
1)     exim4
2)     exim4-base
3)     exim4-config
4)     exim4-daemon-light

Accept this solution? [Y/n/q/?] y

Press Y key to continue. And confirm with Y key again.

The following packages will be REMOVED:
 exim4{a} exim4-base{a} exim4-config{a} exim4-daemon-light{a}
0 packages upgraded, 10 newly installed, 4 to remove and 0 not upgraded.
Need to get 8,510 kB of archives. After unpacking 15.7 MB will be used.
Do you want to continue? [Y/n/?] y

2. Configure Postfix Settings

General type of mail configuration:  >> Internet Site
System mail name: >> node1.ccnahub.com

3. Restart Postfix Service

service postfix restart

[ ok ] Stopping Postfix Mail Transport Agent: postfix.
[ ok ] Starting Postfix Mail Transport Agent: postfix.

4. Forward Root Emails

nano /etc/aliases

Add your email to the end of aliases file. The file should look like this, notice the last line.

# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: [email protected]

Save: Ctrl-X, Hit Y Key, and Enter.

Refresh Aliases for changes to take effect

newaliases

Setting Basic Configuration

Run the following steps (1 to 12)

1. Change default Shell

Disable Dash as default Shell by using the following command:

dpkg-reconfigure dash

When asked: Use dash as the default system shell (/bin/sh)? Choose No

2. Install Network Time Protocol

aptitude install ntp ntpdate

Note: You might be asked to read an agreement, press q key to exit and continue.

Then set Server Time Zone

dpkg-reconfigure tzdata

Check date and time again

date

3. (Optional) For more com time accuracy, edit /etc/ntp.conf

nano /etc/ntp.conf

Scroll down to pool.ntp.org section

For Example, USA users, change ntp servers

From:

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: http://www.pool.ntp.org/join.html
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

To:

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: http://www.pool.ntp.org/join.html
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst

Save: Ctrl-X, Hit Y Key, and Enter.

I have changed the upper pool NTP servers based on this link http://www.pool.ntp.org/zone/us just pick based on your country or area.

Restart NTP service

service ntp restart

Force Time Zone Update Using Specific NTP Server

Copy and paste all 4 lines one shot.

service ntp stop
ntpdate -s us.pool.ntp.org
service ntp start
date

4. Display Nano Editor Cursor in the Status Bar

nano /etc/nanorc

Scroll down little bit using the Arrow key, and comment out # set const in order to show Cursor Movements Line Number.

From:

# set const

To:

set const

Save: Ctrl-X, Hit Y Key, and Enter.

5. Add Warning Messages and MOTD

Very important to set Warning Messages at Web Console, SSH prompt, and Message of the Day. If an intruder penetrated your server and you are trying to get the authority involved because of data lose, first thing they would ask you “Have you set a Warning Messages and MOTD at Login Prompt?”, if not, your case will be dropped.

a. Add Web Console Message

nano /etc/issue

Copy and paste the following warning message at the end of issue file

******************************************************************
*                                                                *
*                           - WARNING -                          *
*                                                                *
*               THIS SYSTEM IS PRIVATE PROPERTY FOR              *
*                THE USE OF AUTHORIZED USERS ONLY                *
*                                                                *
******************************************************************

Save: Ctrl-X, Hit Y Key, and Enter.

b. Edit MOTD file

nano /etc/motd

Copy and paste the following MOTD at the end. Before you save, edit the current MOTD message to suite your company needs. I believe, all you need to change is the company name.

******************************************************************
***                                                            ***
***                   W A R N I N G ! ! !                      ***
***                                                            ***
***  THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF YOUR       ***
***  COMPANY NAME INC. ADMIN STAFF AUTHORIZED USERS ONLY!      ***
***  ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED   ***
***  TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO    ***
***  SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO         ***
***  IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR  ***
***  OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR  ***
***  SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. ***
***  UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL    ***
***  CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO  ***
***  LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL     ***
***  EXTENT OF THE LAW.                                        ***
***                                                            ***
***  UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,  ***
***  CIVIL AND CRIMINAL LAWS.                                  ***
***                                                            ***
******************************************************************

Save: Ctrl-X, Hit Y Key, and Enter.

c. Force sshd to display Pre-Login Message

nano /etc/ssh/sshd-banner

Copy and paste the following Warning Message inside sshd-banner

******************************************************************
*                                                                *
*                           - WARNING -                          *
*                                                                *
*               THIS SYSTEM IS PRIVATE PROPERTY FOR              *
*                THE USE OF AUTHORIZED USERS ONLY                *
*                                                                *
******************************************************************

Save: Ctrl-X, Hit Y Key, and Enter.

d. Edit sshd_config Configuration file

nano /etc/ssh/sshd_config

Enable Banner Message

Hit Ctrl-w and search for word banner, set as shown below. If you can’t find it, add it to the end of the file.

Banner /etc/ssh/sshd-banner

Save: Ctrl-X, Hit Y Key, and Enter.

e. Restart sshd Service

service ssh restart

6. Change Root Prompt Color

nano /root/.bashrc

Paste either the Red or Yellow color at the end of /root/.bashrc. Don’t enable more than one code. Copy and paste the code you like. You can disable the code by number sign # at the beginning of the code, or by simply deleting it.

# Red Color Code Prompt

PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '

# Yellow color Code Prompt

PS1='${debian_chroot:+($debian_chroot)}\[\033[0;33m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '

Save: Ctrl-X, Hit Y Key, and Enter.

Logout from root or Exit your Putty session; relogin to test it.

For more styling and colors, check this link https://wiki.archlinux.org/index.php/Color_Bash_Prompt

Enable Green Color Prompt for other Users

You need to comment out #force_color_prompt=yes inside the user’s .bashrc file, for example, I am going to enable green color for my user imad.

TIP: if you haven’t created extra users yet, you can use adduser command to create another user. In case you don’t want to create extra users, you can skip this step.

nano /home/imad/.bashrc

Scroll down or Ctrl-w and search for “force_color_prompt=yes“, and remove the hash sign to enable the color.

From:

# force_color_prompt=yes

To:

force_color_prompt=yes

Save: Ctrl-X, Hit Y Key, and Enter.

Test it. From root session, login as regular user

[email protected]:~# login imad 
Password:

You will be prompted by Green prompt

[email protected]:~$

Type exit to logout

[email protected]:~$ exit
logout
[email protected]:~#

7. Install Package Check Tools, Reboot Notifier, and Update Notifier

aptitude install update-notifier-common debian-goodies apticron lsof

8. System and Packages Status Aliases

Run the following 2 commands:

alias packages-status="/usr/lib/update-notifier/apt-check --human-readable"

alias system-status="/usr/lib/update-notifier/update-motd-reboot-required"

Make Aliases persistent

nano .bashrc

Add the aliases to the end of .bashrc file as shown below:

[...]
alias packages-status="/usr/lib/update-notifier/apt-check --human-readable"
alias system-status="/usr/lib/update-notifier/update-motd-reboot-required"

Save: Ctrl-X, Hit Y Key, and Enter.

9. Install Updates and Safe Upgrades

Let’s check what packages needs updates or upgrades.

packages-status

Note: that package-status alias points to update notifier package.

If any, you will see something similar to the following:

6 packages can be updated.
2 updates are security updates.

Now, let’s run Update and Safe Upgrades

aptitude update && aptitude -V safe-upgrade

If any updates or upgrades required, press Y key and Enter.

Note: the installer might ask you to read a License, press Enter then press q key to continue.

10. Check if any of the Services needs Restart

checkrestart

Note: If you see one, two, or more services listed, then select all of them, right click again on the putty window to start all of them, or simply reboot your VPS.

Again, you might not see any service listed for restart especially if the system didn’t update or upgrade any service, hence, will show you similar to the following message:

[email protected]:~# checkrestart
Found 0 processes using old versions of upgraded files
[email protected]:~#

If there are some services require restart, then they will be listed as shown below:

[...]
These are the init scripts:
(restart any service get listed under this line)
service nfs-common restart
service rpcbind restart
service ssh restart
service ntp restart
service acpid restart
service udev-mtab restart
service udev restart
service cron restart
service atd restart
service rsyslog restart
[...]

Tip: You don’t need Ctrl-c to copy content from Putty terminal, once you highlight something at putty window, it’s already copied to the Clip board. Just hit right click on the same putty window and it will be pasted on.

11. Check if System Reboot Required

/root/system-status.sh

Or

system-status

Note: that system-status alias points to update notifier package.

If system reboot required, you will see the following messages

*** System restart required ***

If Reboot Required

reboot

Or Restart

shutdown -r now

TIP: -r to restart and -h to halt and Power off.

12. Checking Packages Status Again

packages-status

0 packages can be updated.
0 updates are security updates.

If you still see packages needs upgrade or updates, then run the following:

aptitude update && aptitude -V safe-upgrade

Subject Related

By Debian Basic Configuration | Debian Package Management