Debian Lenny Server Setup
This page describes my procedure for setting up a simple home server to host web pages, backups, media, documents, a printer, etc. Currently this is running on a PPC Mac Mini, although these instructions are almost completely platform agnostic (the main exception being that you may want to run Sun Java instead of GCJ if you are on an Intel platform). This is mostly just relevant to me; using this guide, I can re-create my server OS / application setup in an hour or two. If someone else finds it useful, so much the better.
Install
- Do a minimal Debian install, without any extra components. We will be installing only the needed components later.
Partition layout
- Split up your disk something as follows. You can adjust partition sizes as needed; by using LVM, you can easily increase partition sizes if needed, so leave some extra space in your volume group.
Filesystem             Size   Mount Point
/dev/mapper/vg0-root   1G     /
/dev/hda3              512M   /boot
/dev/mapper/vg0-tmp    256M   /tmp
/dev/mapper/vg0-usr    8G     /usr
/dev/mapper/vg0-var    1G     /var
/dev/mapper/vg0-home   56G    /home
/dev/mapper/vg0-swap   2G     swap
- Once you have rebooted into the full Debian environment, install the following packages:
openssh-server fail2ban samba mt-daapd less locate vim logcheck rsync w3m rsnapshot lsof cups git openjdk-6-jdk ant ntpdate zip unzip ddclient courier-imap-ssl courier-mta-ssl
Configure
SSH
- Edit /etc/ssh/sshd_config and change the following lines:
PasswordAuthentication = no
PermitRootLogin = no
Courier Mail
I have expanded the Courier setup into its own page, as it is a bit more in-depth than the rest of this tutorial. Please refer to that page for details on how to configure Courier ESMTP and IMAP.
Firefly
- Edit /etc/mt-daapd.conf and change the following:
- Server Name
- Password
- Library Location
- Rescan interval - 1 day (86400)
Samba
- Create media user with command:
adduser --disabled-password --gecos "Media,,,,," media
- Create folder /etc/samba/private, with permissions root:root 700
- In /etc/samba/smb.conf, do the following:
- Disable home directory sharing
- Disable printing
- User security
- Disable passwd program / chat / sync
- Password DB backend is tdbsam with a DB location of /etc/samba/private/passdb.tdb
- Add Archives share
- Add Documents share
- Add Music share
- Add Movies share
- Add Pictures share
- Add Web share
- All shares should be read only = no, and valid users = media; for example:
[Archives]
path = /home/media/archives
read only = no
valid users = media
- Note that it is recommended to rename the Debian smb.conf file to smb.conf.master, make changes to it, and then 'compile' it using
testparm -s /etc/samba/smb.conf.master > /etc/samba/smb.conf
to create the 'real' config file. See the sample smb.conf files as a template of how the final version should look.
- Once the config file is set up, run:
smbpasswd -a media
and enter a password.
Logcheck
- Edit /etc/logcheck/logcheck.conf and change the following:
SENDMAILTO="wyatt.olson@gmail.com"
- Add the following lines to the existing file 'courier' in /etc/logcheck/ignore.d.server:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: newmsg.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: [Ss]tarted.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: Waiting.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: Initial.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: Purging.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: Install.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: completed.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courieresmtp: id=.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courieresmtpd: started,ip=.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courieresmtpd: error,relay=.*513 Relaying denied.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courieresmtpd: error,relay=.*535 Authentication failed.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courieresmtpd: error,relay=.*550 User .* unknown$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: SHUTDOWN: respawnlo limit reached, system inactive.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: Loading STATIC transport module libraries.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: Courier .* Copyright .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierd: queuelo=[0-9]+, queuehi=[0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierlocal: id=.*Message delivered.$
- Add the following lines to a new file 'logrotate' in /etc/logcheck/ignore.d.server:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: imklog [0-9.]+, log source = /proc/kmsg started.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"] restart
- Add the following lines to a new file 'mt-daapd' in /etc/logcheck/ignore.d.server:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]-]+\[[0-9]+\])?: Rescanning database
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]-]+\[[0-9]+\])?: Starting playlist scan
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]-]+\[[0-9]+\])?: Updating playlists
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]-]+\[[0-9]+\])?: Write error: Broken pipe
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]-]+\[[0-9]+\])?: Scanned [0-9]+ songs \(was [0-9]+\) in [0-9]+ seconds
- Add the following lines to a new file 'rsyslogd' in /etc/logcheck/ignore.d.server:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: imklog [0-9.]+, log source = /proc/kmsg started
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: .* restart
- Add the following line to the existing file 'ntpdate' in /etc/logcheck/ignore.d.server:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpdate\[[0-9]+\]: adjust time server [0-9.]{7,15} offset -?[0-9.]+ sec$
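As an added example (not part of the original page), the script below replays a few constructed syslog lines through two of the courier ignore rules above, using the same grep -E -v -f filtering that logcheck applies, so you can see what would still end up in the report. Note that the '535 Authentication failed' rule also silences failed SMTP logins, which leaves fail2ban (installed earlier) as the only thing watching for those.

```shell
#!/bin/sh
# Added example, not from the original page: simulate logcheck's ignore
# filtering. logcheck drops every line matching a rule in ignore.d.server
# (grep -E -v -f) and reports whatever is left.

PATTERNS=$(mktemp)
LOGS=$(mktemp)
trap 'rm -f "$PATTERNS" "$LOGS"' EXIT

# Two of the page's courier rules, copied verbatim.
cat > "$PATTERNS" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courieresmtpd: started,ip=.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courieresmtpd: error,relay=.*535 Authentication failed.*$
EOF

# Constructed sample log lines (not real logs). The second one is a failed
# SMTP AUTH attempt; the third is an unrelated sshd line that no rule covers.
cat > "$LOGS" <<'EOF'
Mar  3 04:12:01 spark courieresmtpd: started,ip=[::ffff:192.168.0.20]
Mar  3 04:12:02 spark courieresmtpd: error,relay=::ffff:192.168.0.20,msg="535 Authentication failed.",cmd: AUTH LOGIN
Mar  3 04:12:05 spark sshd[1234]: Accepted publickey for media from 192.168.0.20 port 50000 ssh2
EOF

# Print the lines logcheck would report: everything NOT matched by a rule.
# grep exits 1 when every line was ignored, which is not an error here.
logcheck_report() {
    grep -E -v -f "$1" "$2" || true
}

# Only the sshd line survives; both courier lines, including the failed
# login, are suppressed by the ignore rules.
logcheck_report "$PATTERNS" "$LOGS"
```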
External Drive
- Add external drive to /etc/fstab, with flags 'nodev,nosuid,noexec'
- Mount under /mnt/external
- Create 'movies' and 'backup' folders on external drive
Rsnapshot
- Change snapshot_root to /mnt/external/backup/snapshots/
- Remove Hourly interval
- Add Monthly interval (3? months)
- Uncomment cmd_cp
- Change localhost destinations to spark/; add /var/www/, /boot/ to spark destinations.
- Add a backup source / destination for each backed up system
- Uncomment lines from /etc/cron.d/rsnapshot (optionally adjust times to do backups later in the day, say 5:00 - 6:00 AM, after remote backups finished).
Cups
- Change Listen localhost:631 to *:631; add the following lines to each of the location elements (/, /admin, /admin/conf):
Allow From 192.168.0.
Allow From 127.0.0.1
- Add printer
- Go to http://spark:631
- Add printer
- For driver use PPD file Brother-HL-2040-hl1250.ppd
- For the name, enter 'HL-2040'; the location / description don't matter.
- In theory it should now appear under the printer browser on OS X. If not, you can manually add it as an IPP printer, hostname 'spark', queue 'printers/HL-2040'.
Security
- Add 'nodev' to all non-root/boot partitions, and noexec,nosuid to home and the external drive.
SDParm
- Add the following script 'sdparm' to /etc/cron.hourly:
#!/bin/sh
/usr/bin/sdparm --command=stop /dev/sda < /dev/null
NTPDate
- Add the following script 'ntpdate' to /etc/cron.hourly:
#!/bin/sh
/usr/sbin/ntpdate-debian -s
ddclient
- Change the config file /etc/ddclient.conf as follows:
pid=/var/run/ddclient.pid
protocol=zoneedit1
use=web
server=dynamic.zoneedit.com
login=username
password='password'
host1.example.com
*.host1.example.com
Jetty
- See the Jetty standalone installation page for instructions on setting up Jetty under Debian.