Debian Server Setup [Deleted]

Great, thanks.
My suggestion would be to direct all repository changes into separate files within /etc/apt/sources.list.d/ though and not to edit the /etc/apt/sources.list file.
 
/etc/apt/sources.list would be the preferred method for easier load and management.

I've known servers to continue to look for X, Y, Z even when you remove something from /etc/apt/sources.list.d

Call it a bug or an odd mystery, but YUM on CentOS / RedHat sometimes has a similar issue.
 
Question: What does this mean and how do I do it?

Create directory as user (not as root)

Answer: It means you'll need to make a new user name, other than root. For security you do not want your website running as root. There are also some compatibility reasons as well.

Why?

Think of the root user as being GOD. You can basically make the whole server in your image. Now, do you really want the whole internet to view files which happen to have the permission settings of "GOD"? It's just very unwise.

Another reason is compatibility. There are scripts which are designed not to run as root for your own protection. Some developers have gotten wise to how few people forget or don't bother to add another user name & so they've developed ways to protect you from yourself (although you shouldn't depend on that way of thinking).

But the most important fact here is security. Every file people upload on your forum can possibly inherit the maximum permissions of the user name your site is running on. It can be a very big security risk allowing everything to run as root (don't do it).


How to make a new user
IMPORTANT: Read in FULL before proceeding

The command you want to use is this:

PHP:
useradd YOUR-Desired-User-Name

Remember to replace "YOUR-Desired-User-Name" with an actual name you want.

So if you wanted the name "alice" you would have typed in

EXAMPLE :
PHP:
useradd alice

It is important that you use ALL lower case letters when typing in a name. You can also add numbers.

It is unwise (don't do it) to try to add special symbols to a user name, as it's not always supported for everything (you can however use special symbols for passwords though).

EXAMPLE :

Good:

alice
alice123
123alice

Bad:

Alice
aliCe
alice@#$%134
@#$%123alice

Someone is bound to argue that there are settings or hacks that will allow you to do everything in the "bad list". Do not listen to them. Not every script, mod, add-on, tweak, or program within Linux yet fully supports anything beyond basic user names. So unless you want to go about tweaking everything, always.... Don't do it.

(Someone is bound to not listen to me anyways. You're on your own if you don't listen)


Helpful tips:

PHP:
man adduser

Will allow you to see all possible options when adding a user

NEXT....

Now you're going to need to add a password to that user name. :)

Unlike your user name, there is virtually no limit on your password. You can make it as short or as long as you want; using any letter, number, symbol, or case size as your heart desires (go crazy if you want). The only limit is you can't put spaces in it so don't go hitting the "space bar" (not fully supported).

It should be something hard for others to guess, but easy for you, yourself to remember. Write it down or save it some place (a password manager for example). :)

  • IMPORTANT: Type in your password slowly and very carefully. And don't panic when you see nothing on your screen as you type it.
Your password will be invisible. You will not even see the usual * symbol when you type in your password. It will be completely invisible (clear). Don't panic, you really are typing (you just can't see it).

But it is for this reason that when you do type in your new password, do it very slowly and carefully.

Linux calls this a security feature. I like to call it "the moment of panic" because most noobs to Linux (new people) don't expect this and assume that things are not responding. And so they end up hitting random keys.

So don't panic. It's normal to not see anything as you type your password. :)

Now that you know all this the actual command is:

PHP:
passwd USER-NAME

Remember to replace "USER-NAME" with the actual user name that you made before.

EXAMPLE :
PHP:
passwd alice

You will be asked to enter your new password 2x (twice). Again, slowly and carefully.

Log out and see if you can log-in using your new user name.
If you can, you're done. Wasn't that easy? :)


NEXT.....

To actually make a directory, while logged in as your user

PHP:
mkdir Directory-Name-and-path

Remember to replace "Directory-Name-and-path" with the actual name of the directory you want and path.

Example :
PHP:
mkdir directory1

Will indeed make a directory (folder) named "directory1" at the current location (in whatever directory you currently are in)

If you want to make it in a different place (not where you currently are), you would use

Example :
PHP:
mkdir /path1/path2/path3/directory1

Of course, replace the above path names with the correct names you need. Just remember to always start it with the / symbol

You're done.
Wasn't that easy? :)
 
Since someone mentioned nginx, let me share my phpmyadmin - nginx configuration.

Put this on your server { ... } block.

Code:
location /location.of.your.phpmyadmin.directory {
    auth_basic "Staff Only";
    auth_basic_user_file /usr/share/nginx/.htpasswd;
    location ~^/location.of.your.phpmyadmin.directory/(.+\.php)$ {
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_pass balance;
        try_files $uri /index.php;
    }
}

auth_basic and auth_basic_user_file are an extra protection. They work like htpasswd in Apache, if you don't know.

Put your .htpasswd outside the /html/ directory for extra protection. Change its name to whatever you want.

fastcgi_pass balance; is some kind of basic load balancing in nginx. (URL) If you don't use this method, try changing it to whatever you use in location ~\.php$ { ... }

Corrections are welcome.

PS: How about a tutorial to create a secure mail server in Debian?
PS #2: Sorry for my bad English. :D
 
Question: Will this guide work on Debian 7 (Debian Wheezy) ?

Answer:

YES, this guide will work on Debian 7. However you will need to upgrade your repositories & you will need to make sure they have released updates for Debian 7.

This guide currently does recommend Dotdeb.org for sources. Once they update their servers, I will be posting a resource update to this guide, with included instructions on how to easily upgrade to Debian 7.
 
For those of you NOT currently using Dotdeb.org or any other 3rd party source and only using the default repositories

1st BACKUP everything. (Your site files, your database, and any settings. BACKUP NOW)

You're doing a full OS upgrade. You want to be sure you have a copy of everything.

NEXT

Type in

PHP:
nano /etc/apt/sources.list

And change squeeze to wheezy

For example

Originally it looked like this

PHP:
# Debian Main Update
deb http://ftp.de.debian.org/debian stable main contrib non-free
deb-src http://ftp.de.debian.org/debian stable main contrib non-free
 
deb http://ftp.debian.org/debian/ squeeze-updates main contrib non-free
deb-src http://ftp.debian.org/debian/ squeeze-updates main contrib non-free
 
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free

When done it should look like this

PHP:
# Debian Main Update
deb http://ftp.de.debian.org/debian stable main contrib non-free
deb-src http://ftp.de.debian.org/debian stable main contrib non-free
 
deb http://ftp.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.debian.org/debian/ wheezy-updates main contrib non-free
 
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

You basically want to just replace that 1 word for the other word (which happens to be the build name).

NOTE: If you're using the Debian Back Port source, you need to completely change it to this

PHP:
deb http://ftp.debian.org/debian/ wheezy-backports main

The original was

PHP:
deb http://backports.debian.org/debian-backports squeeze-backports main


SAVE.
Close.

Next type in

PHP:
apt-get update

then

PHP:
apt-get upgrade

And finally

PHP:
apt-get dist-upgrade

Reboot.

Done. Wasn't that easy?

If you need help, please ask. If you feel uneasy doing this yourself, send me a PM and I can do this for you (there is a small wait time as I have others also asking me to do this)

For those of you using Dotdeb.org (or other 3rd party sources) .... Don't worry. Once it's updated there, I'll update my guide here. :)

edit:
Dotdeb.org users, please see this ;)
http://xenforo.com/community/threads/debian-server-setup.35066/page-2#post-533777
 
Since someone mentioned nginx, let me share my phpmyadmin - nginx configuration.

Put this on your server { ... } block.

Anyone have a working nginx config for securing /admin.php behind auth password (aka htpasswd)?
 
Just for 1 file?

Yeah, my occasional googling every couple of weeks has not revealed a solution to me. I already have a directory (and all its contents) secured behind an auth passwd, but have been unable to find anything (that works!) for a single file, specifically /admin.php for XF.
 
Dotdeb.org - For those of you who use Dotdeb.org for source, it is now safe to upgrade your copy of Debian to Wheezy, by following this guide here http://xenforo.com/community/threads/debian-server-setup.35066/page-2#post-533175

Take note that you should remove the following 2 lines from your source list (if you had them)

PHP:
deb http://packages.dotdeb.org squeeze-php54 all
deb-src http://packages.dotdeb.org squeeze-php54 all

This is because PHP 5.4 is now default in Wheezy. There is NO official php 5.3 support for Debian 7. This is true for Ubuntu users as well.

Please also note that php 5.3 has reached end of life and php 5.5 is just around the corner. This guide will be updated to include php 5.5 support (with php 5.4 support) upon its release.
 
Confused? Don't be.

My full source list looks like this after upgrading to Wheezy :)

Note: I use all available sources (clearly marked)

PHP:
# Debian Main Update
deb http://ftp.de.debian.org/debian stable main contrib non-free
deb-src http://ftp.de.debian.org/debian stable main contrib non-free
 
deb http://ftp.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.debian.org/debian/ wheezy-updates main contrib non-free
 
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
 
# Debian Backport
deb http://ftp.debian.org/debian/ wheezy-backports main
 
# Dotdeb.org
deb http://packages.dotdeb.org wheezy all
deb-src http://packages.dotdeb.org wheezy all
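
The source-list changes described in the posts above (swap squeeze for wheezy, move the backports line to ftp.debian.org, drop the Dotdeb squeeze-php54 lines), written out as an added shell example that is not part of the original thread. The function names, the .squeeze.bak backup suffix and the sample list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: squeeze -> wheezy rewrite of an APT
# source list. Function names and the backup suffix are hypothetical.

# Reads a source list on stdin, writes the wheezy version on stdout.
# Rule 1: delete Dotdeb squeeze-php54 lines (PHP 5.4 is the wheezy default).
# Rule 2: the old backports host becomes ftp.debian.org wheezy-backports.
# Rule 3: rename the suite field only (squeeze, squeeze-updates,
#         squeeze/updates); comments and "stable" lines are left alone.
# Limitation: lines with [options] between "deb" and the URL are not handled.
migrate_sources() {
    sed -E \
        -e '/^deb(-src)?[[:space:]].*[[:space:]]squeeze-php54([[:space:]]|$)/d' \
        -e 's#^(deb(-src)?)[[:space:]]+http://backports\.debian\.org/debian-backports/?[[:space:]]+squeeze-backports#\1 http://ftp.debian.org/debian/ wheezy-backports#' \
        -e 's#^(deb(-src)?[[:space:]]+[^[:space:]]+[[:space:]]+)squeeze#\1wheezy#'
}

# Rewrites FILE in place and keeps the original as FILE.squeeze.bak.
# Refuses to run if a backup already exists, so it is never overwritten.
migrate_file() {
    file=$1 backup=$1.squeeze.bak
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ ! -e "$backup" ] || { echo "backup already exists: $backup" >&2; return 1; }
    cp -p "$file" "$backup" || return 1
    # Write from the backup so the original keeps its owner and mode.
    migrate_sources < "$backup" > "$file" || { cp -p "$backup" "$file"; return 1; }
}

# Constructed sample input, modelled on the lists shown in the thread.
sample_sources() {
    cat <<'EOF'
# Debian Main Update
deb http://ftp.de.debian.org/debian stable main contrib non-free
deb http://ftp.debian.org/debian/ squeeze-updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
deb http://backports.debian.org/debian-backports squeeze-backports main
deb http://packages.dotdeb.org squeeze all
deb-src http://packages.dotdeb.org squeeze-php54 all
EOF
}

# Demo: print the migrated sample. Nothing under /etc is touched.
sample_sources | migrate_sources
```

To use it on a real system, run migrate_file as root on /etc/apt/sources.list and on each file in /etc/apt/sources.list.d/, then compare each file with its backup before running apt-get update.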
 
Adam Howard updated Debian Server Setup with a new update entry:

UPGRADE Debian 6 Squeeze to Debian 7 Wheezy

READ in FULL

The guide has been updated to support Debian 7, code named Wheezy. I've also included a small guide to help people upgrade to Wheezy (Debian 7).

For those of you who are going to upgrade, please keep the following in mind.
  • 1st BACKUP EVERYTHING. ! Important !
You're going to be doing a full OS upgrade. While this process is usually easy, there is always that small possibility that something...

 
what are the files to be backed up to a dedicated server?
And how to restore the state from a backup?
Generally the files you want to backup are your sites files (and database).

You also want to backup any customized configuration files (for example your configuration file for MYSQL which is /etc/mysql/my.cnf ). This is of course assuming you customized any configuration. If you didn't and kept with stock version, you have no need to back them up.

Only you (or your administrator) would know if you had anything customized.

The main point is to backup your site and your database. Always a good idea to backup this more than once (just in case).
 
Just upgraded. No major problems. Just one issue with MariaDB where apt-get dist-upgrade would want to remove MariaDB packages.
Not a big deal since we could reinstall it after. Then, once all upgraded, MariaDB could not be installed because of some dependencies.
After some research, I've found it seems there is some issue : https://mariadb.atlassian.net/browse/MDEV-3882 ; and the work-around (to install specific version of a lib) provided in the link has worked for me.
Except that, seems ok.
 
Thanks for sharing that update (for those who use MariaDB).

I kept this guide basic and never included Percona or MariaDB support to it. Mostly because they're slow to update. These projects follow the main project... ie... MySQL gets updated, then Percona & MariaDB update, because they depend on MySQL (they're built off of it & are not their own independent projects).

Another reason why I didn't add a bunch of 3rd party sources, was this guide was made to remain simple & easy for even the most "noob-ish" person to Linux (made so even a Windows user could follow it).
 
I would also suggest
PHP:
apt-get autoremove && apt-get autoclean
prior to reboot.
I wouldn't.

There have been the odd dependency count (although rare)

... ie...

After upgrading the OS (doing a full OS upgrade), the system sometimes will tell you (before or after the reboot) that X is safe to remove, but later it turns out X was really needed (sometimes).

I would wait until the next batch of updates before trying to "clean house"
 
Do I need a DNS server?
Generally speaking, no.

You almost never want a DNS server on your VPS (or dedicated server). The only exception would be when you make tens, hundreds, thousands of name lookups a second and want them cached. But that situation is extremely rare (usually reserved for hosting providers or domain providers who have hundreds or thousands of domain names to redirect).

This is something your host should do automatically without you having to set it up. So when you type in Domain1.com and Domain2.com, they should be pointing to your setup. If they don't, it may be a good time to find a new host (as suggested in the guide).

DNS Servers can pose a high resource usage (even when properly configured). It is why good hosting providers usually use completely dedicated servers, whose sole purpose is to act as a "gateway" (DNS Server) and not to host anything else.

There is also the debate that a DNS Server can pose an extra security risk. Of course both view points on that have merit (depending on which side you want to believe). I personally believe a well configured DNS Server is just as secure as anything else you can install or configure. But with that said, not having it is 1 less thing to worry about.

With those 2 reasons in mind... I left out a guide to adding a DNS Server. Your hosting service provider should do this automatically, the moment you pointed your domain name to their name servers, or should have the option to add your domain names to their DNS Servers. I've only ever found 1 host so far that didn't and their services were not ideal.
 