Differences between revisions 1 and 19 (spanning 18 versions)
Revision 1 as of 2010-01-28 16:26:51
Size: 288
Editor: SamatJain
Comment:
Revision 19 as of 2014-03-23 20:26:48
Size: 3487
Editor: SamatJain
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Describe DebianChecklist here. Chris Lamb has a good [[http://www.chris-lamb.co.uk/2009/06/03/checklist-configuring-debian-system/|Debian installation checklist]], from which I stole most of this list.
Line 5: Line 5:
# Enable log compression with date postfix'd extension
cat /etc/logrotate.conf | sed "s/#compress/compress/" > /etc/logrotate.conf.tmp
echo "dateext" >> /etc/logrotate.conf.tmp		 # Configure sudo, adding my user to the sudo group so I don't get password prompts
aptitude install sudo
adduser xjjk sudo
echo '%sudo ALL=NOPASSWD: ALL' > /etc/sudoers.d/No-Passwords-for-sudo-Group
chmod 0440 /etc/sudoers.d/No-Passwords-for-sudo-Group

# Disable installation of recommended packages
echo 'APT::Install-Recommends "false";' > /etc/apt/apt.conf.d/90recommends

# Configure locales to prevent harassment about it later
aptitude install locales
dpkg-reconfigure -plow locales
# …or install all locales so they don't need to be configured/reinstalled
aptitude install locales-all

# Enable log compression with date suffixed extension
cat /etc/logrotate.conf | sed "s/#compress/compress\ndateext/" > /etc/logrotate.conf.tmp
Line 9: Line 23:

# Disable root login—public key access only!
cat /etc/ssh/sshd_config | sed "s/PermitRootLogin yes/PermitRootLogin without-password/" > /etc/ssh/sshd_config.tmp
mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
service ssh restart

# Prevent PAM from allowing easily-crackable passwords
aptitude install libpam-cracklib

# Install essential utilities
sudo aptitude install \
openssh-server screen \
rsync \
atool lzma rzip xz-utils \
htop dstat iotop \
manpages manpages-dev \
strace tcpdump lsof \
moreutils \
dnsutils \
chrony \
vim less \
bash-completion \
sysfsutils procps \
vnstat \
unattended-upgrades \
ncurses-term \
cpufrequtils powertop \
molly-guard

# Enable automatic security updates (careful!) (TODO: this is interactive; how to pass "yes"?)
sudo dpkg-reconfigure -plow unattended-upgrades

# HDD Temperature/SMART monitoring utilities
aptitude install hddtemp smartmontools
sed -i 's/^#start_smartd=yes/start_smartd=yes/' /etc/default/smartmontools
/etc/init.d/smartmontools start

# Configure rsyslog for daily archival logging
cat << EOF > /etc/rsyslog.d/51-cron.conf
# Enable cron logging
cron.* /var/log/cron.log
EOF
cat << EOF > /etc/rsyslog.d/99-archive.conf
\$template DailyLogs,"/var/log/archive/%\$YEAR%%\$MONTH%/%\$YEAR%%\$MONTH%%\$DAY%.log"
# Archive logging
*.* -?DailyLogs
EOF
cat << EOF > /etc/cron.daily/rsyslog-archive
#!/bin/sh
# Compress *.log-files not changed in more than 24 hours
find /var/log/archive -type f -mtime +1 -name "*.log" -exec xz '{}' \;
EOF
chmod +x /etc/cron.daily/rsyslog-archive

# Async logging for rsync (commit every 30m)
cat << EOF > /etc/rsyslog.d/98-async.conf
\$OMFileFlushInterval 1800
\$OMFileASyncWriting on
EOF

# Use tmpfs for /var/run and /var/lock (may break some buggy packages), like Ubuntu
cat << EOF >> /etc/default/rcS
RAMRUN=yes
RAMLOCK=yes
EOF

# Allow running X11 apps remotely
sudo aptitude install xbase-clients

# Add noatime,commit=900 to entries in /etc/fstab

# Enable SATA APLM
echo SATA_APLM_ENABLE=true | sudo tee /etc/pm/config.d/sata-alpm
Line 10: Line 97:

== New account setup ==

=== Remote ===

{{{#!highlight sh
# Quiet login
touch .hushlogin
cd ~
mkdir -p .ssh/controls
mkdir -p .vim/tmp
chmod -R 755 .ssh
chmod 644 .ssh/authorized_keys
}}}

=== Locally ===

{{{#!highlight sh
# Copy SSH keys
rsync -aPv .ssh/authorized_keys remote:.ssh/
rsync -aPv .bashrc .bash_profile .inputrc .vimrc .screenrc remote:
}}}

Chris Lamb has a good Debian installation checklist, from which I stole most of this list. 

   1 # Configure sudo, adding my user to the sudo group so I don't get password prompts
   2 aptitude install sudo
   3 adduser xjjk sudo
   4 echo '%sudo ALL=NOPASSWD: ALL' > /etc/sudoers.d/No-Passwords-for-sudo-Group
   5 chmod 0440 /etc/sudoers.d/No-Passwords-for-sudo-Group
   6 
   7 # Disable installation of recommended packages
   8 echo 'APT::Install-Recommends "false";' > /etc/apt/apt.conf.d/90recommends
   9 
  10 # Configure locales to prevent harassment about it later
  11 aptitude install locales
  12 dpkg-reconfigure -plow locales
  13 # …or install all locales so they don't need to be configured/reinstalled
  14 aptitude install locales-all
  15 
  16 # Enable log compression with date suffixed extension
  17 cat /etc/logrotate.conf | sed "s/#compress/compress\ndateext/" > /etc/logrotate.conf.tmp
  18 mv /etc/logrotate.conf.tmp /etc/logrotate.conf
  19 
  20 # Disable root login—public key access only!
  21 cat /etc/ssh/sshd_config | sed "s/PermitRootLogin yes/PermitRootLogin without-password/" > /etc/ssh/sshd_config.tmp
  22 mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
  23 service ssh restart
  24 
  25 # Prevent PAM from allowing easily-crackable passwords
  26 aptitude install libpam-cracklib
  27 
  28 # Install essential utilities
  29 sudo aptitude install \
  30 openssh-server screen \
  31 rsync \
  32 atool lzma rzip xz-utils \
  33 htop dstat iotop \
  34 manpages manpages-dev \
  35 strace tcpdump lsof \
  36 moreutils \
  37 dnsutils \
  38 chrony \
  39 vim less \
  40 bash-completion \
  41 sysfsutils procps \
  42 vnstat \
  43 unattended-upgrades \
  44 ncurses-term \
  45 cpufrequtils powertop \
  46 molly-guard
  47 
  48 # Enable automatic security updates (careful!) (TODO: this is interactive; how to pass "yes"?)
  49 sudo dpkg-reconfigure -plow unattended-upgrades
  50 
  51 # HDD Temperature/SMART monitoring utilities
  52 aptitude install hddtemp smartmontools
  53 sed -i 's/^#start_smartd=yes/start_smartd=yes/' /etc/default/smartmontools
  54 /etc/init.d/smartmontools start
  55 
  56 # Configure rsyslog for daily archival logging
  57 cat << EOF > /etc/rsyslog.d/51-cron.conf
  58 # Enable cron logging
  59 cron.* /var/log/cron.log
  60 EOF
  61 cat << EOF > /etc/rsyslog.d/99-archive.conf
  62 \$template DailyLogs,"/var/log/archive/%\$YEAR%%\$MONTH%/%\$YEAR%%\$MONTH%%\$DAY%.log"
  63 # Archive logging
  64 *.* -?DailyLogs
  65 EOF
  66 cat << EOF > /etc/cron.daily/rsyslog-archive
  67 #!/bin/sh
  68 # Compress *.log-files not changed in more than 24 hours
  69 find /var/log/archive -type f -mtime +1 -name "*.log" -exec xz '{}' \;
  70 EOF
  71 chmod +x /etc/cron.daily/rsyslog-archive
  72 
  73 # Async logging for rsync (commit every 30m)
  74 cat << EOF > /etc/rsyslog.d/98-async.conf
  75 \$OMFileFlushInterval 1800
  76 \$OMFileASyncWriting on
  77 EOF
  78 
  79 # Use tmpfs for /var/run and /var/lock (may break some buggy packages), like Ubuntu
  80 cat << EOF >> /etc/default/rcS
  81 RAMRUN=yes
  82 RAMLOCK=yes
  83 EOF
  84 
  85 # Allow running X11 apps remotely
  86 sudo aptitude install xbase-clients
  87 
  88 # Add noatime,commit=900 to entries in /etc/fstab
  89 
  90 # Enable SATA APLM
  91 echo SATA_APLM_ENABLE=true | sudo tee /etc/pm/config.d/sata-alpm

New account setup

Remote

   1 # Quiet login
   2 touch .hushlogin
   3 cd ~
   4 mkdir -p .ssh/controls
   5 mkdir -p .vim/tmp
   6 chmod -R 755 .ssh
   7 chmod 644 .ssh/authorized_keys

Locally

   1 # Copy SSH keys
   2 rsync -aPv .ssh/authorized_keys remote:.ssh/
   3 rsync -aPv .bashrc .bash_profile .inputrc .vimrc .screenrc remote:

SamatsWiki: DebianChecklist (last edited 2019-10-18 23:01:36 by SamatJain)