Making a Debian / Devuan machine work nicely
Immediately after installing a Debian / Devuan server, there are several things I like to do in order to make it more usable and/or familiar.
Feel free to pick and choose which ones of these you like and which you prefer to live without.
(Depending on how your system got installed (eg: maybe as an image from a virtual hosting provider), and which release version you are starting from, some of these may already be done for you, and/or may not be necessary, but none will cause any harm.)
- Install aptitude, at, less, net-tools, ntp, psmisc, rsync, vim and purge nano, vim-tiny (I was very surprised to find 'less' missing on a Bytemark Debian 9 VM):
# apt-get install aptitude # aptitude install at less net-tools ntp psmisc rsync vim # aptitude purge apparmor nano vim-tiny
(If you don't purge nano, then you might get surprised when you run some command such as visudo and expect it to edit the sudoers file using vi, and find yourself looking at nano instead - you didn't type nanosudo, after all.) Also, Debian 11 / Devuan 4 and above enable apparmor by default, which is likely to get in your way until you decide you actually want to use it. Oddly, I haven't found an obvious way to leave it installed but not enabled.
- Purge policykit if it's installed:
# aptitude purge policykit-1
Policykit appears to be something the systemd people introduced; you don't need it, and it may well make your system insecure. Purging this package also seems to eliminate a whole load of things to do with X11, GTK and Gnome, which you probably don't want on a server in the first place.
- Turn off vim syntax highlighting so you can actually read files while editing them (especially anything such as comments, otherwise shown in dark blue on black):
# echo "syntax off" >> ~/.vimrc
(It would be good to find a system-wide way of doing this, but adding the same thing to any of /etc/vim/vimrc, /etc/vim/vimrc.local or /usr/share/vim/vimrc simply doesn't work. Therefore you have to do this in the home directory of each user who wants to be able to see files as they edit them.)
- Add date & timestamps to bash command history so you can tell exactly when you used each command:
# vi /etc/profile immediately under "export PATH" add: export HISTSIZE=10000 export HISTFILESIZE=10000 export HISTCONTROL=none export HISTTIMEFORMAT="%F %T "
If you plan on using a Graphical Desktop Environment, it's a good idea to add the above lines to /etc/bash.bashrc as well, otherwise you get different results depending on whether you log in at the console or start a window manager and then open a console session inside it.
- Stop ls from surrounding filenames with apostrophes when they contain spaces (needed for Debian 10 Buster / Devuan 3 Beowulf and above):
While you're editing /etc/profile, add the line export QUOTING_STYLE=literal
so you can see filenames output by ls as you've been used to for the past 30 years. It's a good idea to add the above line to /etc/bash.bashrc as well, otherwise you get different results depending on whether you log in at the console or start a window manager and then open a console session inside it.
- Tell logrotate to create useful filenames so that instead of syslog.3.gz you get syslog-20270431.gz and you know what day's (or week's) contents you can expect to find in the file
Add "dateext" and "dateyesterday" (uncommented) to /etc/logrotate.conf
The first setting tells logrotate to use dates instead of numbers in the filenames, the second tells it to name the file for the date of the contents, not the date of the logrotation (which generally happens the day after the contents were created). Note that these settings make it even more meaningful that logrotate should be run very soon after midnight on each day.
- Allow non-root users to use the "ping" command again
# sysctl -w net.ipv4.ping_group_range="0 65535"
Some idiot decided that ping is now a privileged command, only to be used by root. The above allows normal users (and monitoring systems such as Icinga) to carry on using ping as they have been able to since the beginning of Unix and Linux.
- Allow the root user to log in by SSH (needed for Debian 8 Jessie and later), and ensure that DSA public keys work (needed for Debian 9 Stretch and later):
# vi /etc/ssh/sshd_config If there is a line (which may be commented-out) "PermitRootLogin prohibit-password" change this to "PermitRootLogin yes" (not commented-out). If there is a line "PasswordAuthentication no" change this to "PasswordAuthentication yes". Immediately under "PubkeyAuthentication yes" (which may be commented out, and can remain so) add: PubkeyAcceptedKeyTypes=+ssh-dss and then restart the SSH daemon: # /etc/init.d/ssh restart
It's perfectly safe to restart sshd even while you're logged in over SSH, although I still recommend testing a second login before logging out of the session where you restarted the daemon. Note that for more modern releases, you may well find directories /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d exist. If this is the case, then instead of modifying the file sshd_config, simply add the configuration items you want to one or more files (with names ending in .conf) under sshd-config.d. This will avoid questions like "do you want to install the new version or keep your modified version?" when you upgrade sshd at a later date.
- Give root a sensible $PATH when you use su
# vi /etc/default/su (this file may not exist - create it if necessary) add: ALWAYS_SET_PATH=yes
Debian used to give the root user a sensible $PATH (including /sbin and /usr/sbin) when a non-root user used the command "su". Now the Debian people have decided you have to say "su -" instead to get that behaviour. If you want to carry on using "su", make the above change to /etc/default/su. If you're still using systemd, then I don't believe this fix works, so you're on your own trying to work out how to do this in that situation.
- Disable KnownHosts hashing so that you can tab-complete previously-used hostnames, and be able to edit / read the KnownHosts file:
# vi /etc/ssh/ssh_config change the entry for HashKnownHosts from "yes" to "no"
- Send 'root' emails from the machine name instead of simply 'root'
sed -i "s/:root:/:$HOSTNAME:/" /etc/passwd
- Install sysvinit and purge systemd (Debian 8 Jessie and later, not needed for Devuan of course):
# aptitude install sysvinit-{core,utils} accept the prompt to remove systemd-sysv Reboot # aptitude purge systemdIf you've installed a Graphical Desktop Environment such as KDE or Gnome, then this won't work (it'll try to uninstall most of your system) - the solution here is to upgrade to Devuan instead.
- Stop apt or aptitude from installing recommended or suggested packages by default:
# vi /etc/apt/apt.conf.d/norecommendationsplease APT::Install-Recommends "false"; APT::Get::Install-Recommends "false"; # vi /etc/apt/apt.conf.d/nosuggestionsplease APT::Install-Suggests "false"; APT::Get::Install-Suggests "false";
This stops apt or aptitude from automatically installing packages which you didn't ask to install, but are simply recommended or suggested by the package maintainer. It will tell you what those packages are, though, so you can install them as well if you agree that they're a good idea.
- Stop the screen clearing at the end of all the startup messages, just before the login prompt, and preventing you from being able to see any errors as services start:
# vi /etc/inittab at the end of each line such as "1:2345:respawn:/sbin/getty 38400 tty1" add the option "--noclear"
If you're still using systemd, then there is no /etc/inittab; you're on your own trying to work out how to do this in that situation.
- Allow the machine to continue booting if there's a file system check problem and nobody is available to enter a root password or press Ctrl/D
vi /etc/init.d/checkfs.sh Add the option "-t 30" to the single instance of "sulogin" in that script: if ! sulogin -t 30 $CONSOLE
If you're still using systemd, then there is no /etc/init.d/checkfs.sh; you're on your own trying to work out how to do this in that situation.
- File systems are checked before networking is available, so if you have a remote server which boots and finds a file system problem, it'll just sit there and wait until someone visits its console. There is no way to recover from this remotely, which seems a pretty poor design decision in my opinion. This fix acts as though someone had pressed Ctrl/D after 30 seconds, allowing the boot process to continue as best it can.
- Make sure the system can shut down especially if it's a virtual guest inside (for example) qemu:
# aptitude install acpid acpi-support-base
If you don't have these packages installed, qemu cannot shut down guest VMs, so:
- they'll get unpleasantly abruptly terminated once the timeout is reached, and have to do an fsck when they start up again
- the default timeout is 5 minutes for each VM, so shutting down a host with 10 VMs in it would take almost an hour!
- Stop syslog from sending messages to open consoles
- Edit /etc/sysctl.conf and follow the instructions near the top:
# Uncomment the following to stop low-level messages on console #kernel.printk = 3 4 1 3
- It's probably a very good idea to install fail2ban as early as possible, too; it makes no difference to using the machine per se, but it keeps the log files much tidier by eliminating a large proportion of the tedious break-in attempts you would otherwise see:
# aptitude install fail2ban
It blocks only SSH by default; you must enable blocking of any other services manually. Be sure to add your own IPs to the whitelist so that you don't get locked out by accident!
In /etc/fail2ban/jail.conf add the IPs, network ranges and/or DNS host names of all your own trusted systems: ignoreip = 127.0.0.0/8 198.51.100.64/29 203.0.113.42 home.example.com office.example.com
There is probably more, which I've temporarily forgotten, but I'll add it when it comes back to me after using the latest machine I've installed and find that something's not right…
Go up
Return to main index.