Debian Wheezy Server Setup
This page describes my procedure for setting up a simple home server. This is mostly just relevant to me; if someone else finds it useful, so much the better.
Install
- Do a minimal Debian install, without any extra components.
Partition layout
- Split up your disk something like as follows. As of grub2 you can boot from an LVM volume, so there is no need for a separate /boot anymore. In my case, I have a 1TB disk allocated to an LVM volume group 'vgsystem', and a 2TB disk allocated to backups. You can adjust partition sizes as needed; by using LVM, you can easily increase partition sizes later, so leave some extra space in your volume group. I use EXT4 for all partitions.
Filesystem                       Size  Mount Point
/dev/mapper/vgsystem-lvroot      10G   /
/dev/mapper/vgsystem-lvhome      10G   /home
/dev/mapper/vgsystem-lvwww       5G    /var/www
/dev/mapper/vgsystem-lvwebapps   10G   /var/lib/tomcat7/webapps
/dev/mapper/vgsystem-lvpostgres  1G    /var/lib/postgresql
/dev/mapper/vgsystem-lvarchives  100G  /mnt/archives
/dev/mapper/vgsystem-lvmovies    300G  /mnt/movies
/dev/mapper/vgsystem-lvmusic     50G   /mnt/music
/dev/sdb1                        2T    /mnt/backup
/dev/mapper/vgsystem-lvswap      8G    swap
- Boot into the full Debian environment after you are done with the installer.
- Edit /etc/fstab to use UUIDs for partitions, and add mount options as desired. I use 'nodev,nosuid,noexec' for all the /mnt volumes, with an extra 'noatime' on /mnt/backup (since that disk will be spun down during the day).
- Once you have rebooted into the full Debian environment, go to aptitude and mark as many components as possible as 'optional' (use the 'M' key). When finished, install the following packages (these should be the only ones left as required):
anacron apache2 aptitude avahi-daemon bsd-mailx cups ddclient discover dmsetup fail2ban git gocryptfs hostname ifupdown init init-system-helpers linux-image-amd64 logcheck lsof lvm2 minidlna ncdu nftables nullmailer openssh-server postgresql python3-certbot-apache rsync smartmontools sntp sudo tomcat9 vim wget
Configure
SSH
- Edit /etc/ssh/sshd_config and change the following lines:
PasswordAuthentication no
PermitRootLogin no
MaxSessions 2
Protocol 2
# Recommendations from https://stribika.github.io/2015/01/04/secure-secure-shell.html
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
X11Forwarding no
PrintMotd no
TCPKeepAlive no
Tomcat
- Increase Tomcat's max heap size to 2GB. Edit /etc/default/tomcat7 and change the -Xmx value to 2048m:
JAVA_OPTS="-Djava.awt.headless=true -Xmx2048m -XX:+UseConcMarkSweepGC"
Nullmailer SMTP
My requirements for a mail server are quite simple: I use GMail for IMAP, and I just want to be able to send / receive mail for my @digitalcave.ca domain. Nullmailer handles this easily with just three files in /etc/nullmailer:
- adminaddr:
myaddress@example.com
- defaultdomain:
example.com
- remotes:
smtp.gmail.com smtp --port=587 --starttls --user=myusername@gmail.com --pass=secretpassword
Rsnapshot
- Change snapshot_root to /mnt/snapshots/
- Remove Hourly interval
- Add Monthly interval (3? months)
- Uncomment cmd_cp
- Change localhost destinations to jupiter/; add /var/www/, /boot/ to venus destinations.
- Add a backup source / destination for each backed up system
- Uncomment lines from /etc/cron.d/rsnapshot (optionally adjust times to do backups later in the day, say 5:00 - 6:00 AM, after remote backups finished).
- My current config (after removing comment lines) is:
config_version 1.2
snapshot_root /mnt/backup/snapshots/
cmd_cp /bin/cp
cmd_rm /bin/rm
cmd_rsync /usr/bin/rsync
cmd_logger /usr/bin/logger
interval daily 7
interval weekly 4
interval monthly 3
verbose 2
loglevel 3
logfile /var/log/rsnapshot.log
lockfile /var/run/rsnapshot.pid
backup /home/ jupiter/
backup /etc/ jupiter/
backup /usr/local/ jupiter/
backup /var/www/ jupiter/
backup /var/lib/tomcat7/webapps/ jupiter/
backup /var/lib/postgresql/backup/ jupiter/
backup /mnt/backup/behemoth/ behemoth/
backup /mnt/backup/defender/ defender/
backup /mnt/backup/nova/ nova/
backup /mnt/backup/toska/ toska/
Cups
- Change Listen localhost:631 to *:631; add the following lines to each of the location elements (/, /admin, /admin/conf):
Allow From 192.168.0.
Allow From 127.0.0.1
- Add a printer:
- Go to http://jupiter:631
- Add printer
- For the driver, use the PPD file Brother-HL-2040-hl1250.ppd
- For the name, enter 'HL-2040'; the location / description don't matter.
- In theory it should now appear under the printer browser on OS X. If not, you can manually add it as an IPP printer, hostname 'jupiter', queue 'printers/HL-2040'.
HDParm
- Add the following config to /etc/hdparm.conf:
/dev/sda {
spindown_time = 0
}
/dev/sdb {
spindown_time = 120
}
ddclient
- Change the config file /etc/ddclient.conf as follows:
protocol=zoneedit1
ssl=yes
use=web, web='http://dynamic.zoneedit.com/checkip.html', web-skip='IP Address'
server=dynamic.zoneedit.com
login=username
password='password'
example.com
*.example.com
minidlna
- Add the following media directories (change as needed)
media_dir=V,/mnt/movies
media_dir=A,/mnt/music
SMART Monitor
- Comment out the DEVICESCAN lines, and add the following lines in /etc/smartd.conf:
/dev/sda -a -s (S/../.././02|L/../../6/03) -m root -M exec /usr/share/smartmontools/smartd-runner
/dev/sdb -a -s (S/../.././02|L/../../6/03) -m root -M exec /usr/share/smartmontools/smartd-runner
- Uncomment the line start_smartd=yes in /etc/default/smartmontools.
- See this blog for additional details.
Logcheck
- Add the following lines to the files in /etc/logcheck/ignore.d.server/, one file per service, as follows:
- avahi-daemon:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid legacy unicast query packet.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Received response from host [0-9.]+ with invalid source port [0-9]+ on interface '[0-9a-zA-Z.]+'$
- postfix:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: hostname [^[:space:]]+ does not resolve to address [^[:space:]]+$
- smartd:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])?, offline data collection was (aborted|suspended) by an interrupting command from host \(auto:on\)$
SFTP Jails (for backups)
- Add a group 'sftpbackup'
addgroup sftpbackup
- Add the following lines to the end of /etc/ssh/sshd_config:
Match Group sftpbackup
ChrootDirectory /mnt/backup/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
This will cause all incoming connections for users in the sftpbackup group to use SFTP, and be chroot'd under /mnt/backup/
- Add the user(s) which you wish to use for backup to the sftpbackup group by modifying /etc/group:
sftpbackup:x:1008:user1,user2,user3
- Change the login shell for these users from /bin/bash to /bin/false by modifying /etc/passwd:
user1:x:1001:1001:,,,:/home/user1:/bin/false
...
- (Optionally) create an LVM volume mounted under /mnt/backup/ for them to back up to. Ensure that there is a user-writeable folder in there, called backup (or whatever you want; this is the path they need to write their SFTP files to). All folders from /mnt/backup/ and up must only be writable by root, or SFTP will not work.
SSH Jails (for rsync backups)
If your backup users need a real shell (e.g. for rsync to work), you can still use a chroot, just without the SFTP-only requirement. To do this, follow the instructions above, but with some changes:
- Remove the "ForceCommand" line from sshd_config
- For each user [user], do the following:
- Copy /bin/bash to /mnt/backup/[user]/bin
- Copy /usr/bin/rsync to /mnt/backup/[user]/usr/bin
- Run 'ldd /bin/bash' and 'ldd /usr/bin/rsync'; you will see a list of libraries which are linked to each program. Copy those libraries to the chroot. e.g.:
cd /mnt/backup/[user]
mkdir -p lib/x86_64-linux-gnu
cp /lib/x86_64-linux-gnu/libtinfo.so.5 lib/x86_64-linux-gnu/
- You can verify that it is working by trying to enter the chroot environment: 'chroot /mnt/backup/[user]'. You should be able to get to a bash prompt, and run 'rsync'.
EncFS for remote backups
This describes how to keep an encrypted volume on your drive. You can then back up the underlying encfs directory to an untrusted location.
- Install encfs (aptitude install encfs)
- Make a volume where the encrypted data will go (optional; it just needs to go somewhere)
- Create the encrypted volume:
encfs /path/to/encfs-root /path/to/encfs-mountpoint
Remember the passphrase.
- Create a wrapper script to allow encfs mounts in fstab (put the file at /usr/local/bin/encfs-backup):
#!/bin/sh
# Run as root, make the mount usable by other users (--public), and read
# the passphrase from a root-only file instead of prompting for it.
encfs --public --extpass="cat /etc/encfs/encfs_password" "$@"
- Create a file, readable / writable only by root, containing the encfs passphrase, at /etc/encfs/encfs_password.
- Add the encfs mount to /etc/fstab:
/usr/local/bin/encfs-wrapper#/path/to/encfs-root /path/to/encfs-mountpoint fuse rw,user,auto 0 2
You can then save anything you want to /path/to/encfs-mountpoint, and the corresponding encrypted files will show up in /path/to/encfs-root. You can then back up /path/to/encfs-root to any untrusted backup service you choose (cloud hosting, a semi-trusted friend with bilateral SSH chroots as described above, a desktop drive at work that the janitor may have access to, whatever). The data will be useless without the password.
Make sure that your password (better yet, passphrase) is strong but memorable. If it is randomly generated and your machine is destroyed, you may not remember the password when you go to recover your data.
Host Time Capsule volumes
- See my Time Capsule Debian page for details.