Debian Wheezy Server Setup
This page describes my procedure for setting up a simple home server, to host web pages, backups, media, documents, a printer, etc. Currently this is running on an old Core 2 Duo desktop, although these instructions are almost completely platform agnostic. This is mostly just relevant to me; using this guide, I can re-create my server OS / application setup in an hour or two. If someone else finds it useful, so much the better.
Install
- Do a minimal Debian install, without any extra components; only the needed components will be installed later. Once you are done, go into aptitude and mark as many packages as possible as automatically installed (the 'M' key), so that aptitude removes anything nothing else depends on. When finished, the only packages still marked as manually installed should be something along the lines of:
acpi acpi-support-base aptitude linux-image-amd64 lvm2 man-db vim
Partition layout
- Split up your disk roughly as follows. As of grub2 you can boot from an LVM volume, so there is no need for a separate /boot anymore. In my case, I have a 1TB disk allocated to an LVM volume group 'vgsystem', and a 2TB disk allocated to backups. You can adjust partition sizes as needed; by using LVM you can easily grow a volume later, so leave some free space in the volume group. I use ext4 for all partitions.
Filesystem                       Size   Mount Point
/dev/mapper/vgsystem-lvroot      10G    /
/dev/mapper/vgsystem-lvhome      10G    /home
/dev/mapper/vgsystem-lvwww       5G     /var/www
/dev/mapper/vgsystem-lvwebapps   10G    /var/lib/tomcat7/webapps
/dev/mapper/vgsystem-lvpostgres  1G     /var/lib/postgresql
/dev/mapper/vgsystem-lvarchives  100G   /mnt/archives
/dev/mapper/vgsystem-lvmovies    300G   /mnt/movies
/dev/mapper/vgsystem-lvmusic     50G    /mnt/music
/dev/sdb1                        2T     /mnt/backup
/dev/mapper/vgsystem-lvswap      8G     swap
- Boot into the full Debian environment after you are done with the installer.
- Edit /etc/fstab to use UUIDs for partitions (blkid prints them), and add mount options as desired. I use 'nodev,nosuid,noexec' for all the /mnt volumes, since they only ever hold data, with an extra 'noatime' on /mnt/backup (since that disk will be spun down during the day and should not be woken up just to record access times).
- Once you have rebooted into the full Debian environment, install the following packages:
acpi acpi-support-base apache2 aptitude cups ddclient fail2ban git iotop linux-image-amd64 logcheck lsof lvm2 man-db mediatomb nethogs ntpdate openjdk-7-jdk openssh-server postfix postgresql rsnapshot samba screen smartmontools sudo tomcat7 vim wakeonlan zip
Configure
SSH
- Edit /etc/ssh/sshd_config and set the following (sshd also accepts the 'Keyword = value' spelling, but keyword and value separated by whitespace is the usual form):
PasswordAuthentication no
PermitRootLogin no
Before restarting sshd, run 'sshd -t' to syntax-check the file, and make sure your own public key is already in ~/.ssh/authorized_keys, or the next login attempt will lock you out. Keep the existing session open until a fresh key-based login has been confirmed.
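As an added example (not part of the original page), here is a shell check for the two settings above. It honours three sshd_config rules that are easy to trip over: keywords are case-insensitive and may be written 'Key value' or 'Key = value'; when a keyword appears twice the first value wins; and anything below a Match line applies only to matching connections, never globally (which matters for the Match Group block used for the SFTP jails further down this page). The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit sshd_config for the two hardening settings above.
# Assumes only POSIX sh, awk and tr; the sample configs below are constructed.
set -eu

# sshd_global_value CONFIG KEYWORD: print the value sshd would use globally
# for KEYWORD (empty if unset, in which case sshd's compiled-in default applies).
sshd_global_value() {
    cfg=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*$/ { next }                      # and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)      # "Key = value" -> "Key value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
        }
        key == "match" { exit }                  # below here is conditional, not global
        key == want { print f[2]; exit }         # first occurrence wins
    ' "$cfg"
}

# sshd_hardened CONFIG: 0 if password and root logins are both off globally.
sshd_hardened() {
    pa=$(sshd_global_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    pr=$(sshd_global_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$pa" = no ] && [ "$pr" = no ]
}

# Constructed sample configs (not real files from this page).
SSHD_SAMPLE_DIR=$(mktemp -d)
SSHD_GOOD=$SSHD_SAMPLE_DIR/sshd_config.good
SSHD_BAD=$SSHD_SAMPLE_DIR/sshd_config.bad

cat > "$SSHD_GOOD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication = no     # the "=" form is accepted by sshd
Match Group sftpbackup
    ChrootDirectory /mnt/backup/%u
    ForceCommand internal-sftp
EOF

cat > "$SSHD_BAD" <<'EOF'
PasswordAuthentication yes
PasswordAuthentication no       # ignored: the first value wins
Match Address 192.168.0.0/24
    PermitRootLogin no          # conditional only; the global default stays
EOF

sshd_hardened "$SSHD_GOOD" && echo "good config: hardened"
sshd_hardened "$SSHD_BAD"  || echo "bad config: NOT hardened"
```

On a live server, compare the result with what sshd itself reports: 'sshd -T | grep -i -e passwordauthentication -e permitrootlogin' prints the effective global values after all parsing rules have been applied.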
Tomcat
- Increase Tomcat's max heap size to 2GB. Edit /etc/default/tomcat7 and change the -Xmx option in JAVA_OPTS to -Xmx2048m:
JAVA_OPTS="-Djava.awt.headless=true -Xmx2048m -XX:+UseConcMarkSweepGC"
Postfix SMTP
My requirements for a mail server are quite simple: I use GMail for IMAP, I just want to be able to send / receive mail for my @digitalcave.ca domain. Postfix handles this easily:
- Create a file /etc/postfix/virtual with contents:
@example.com me
me me@gmail.com
someone someone@gmail.com
...
Of course replace @example.com with your own domain, and the other entries with the proper email addresses. The first line tells Postfix to deliver any address at @example.com that is not listed elsewhere in the file to 'me'; the following lines are the forwards for me@example.com, someone@example.com, etc.
Run postmap to create the compiled lookup table for this file:
postmap /etc/postfix/virtual
- Add the following lines to the end of main.cf:
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
virtual_alias_maps = hash:/etc/postfix/virtual
Note that reject_unknown_helo_hostname refuses mail from any client whose HELO name does not resolve in DNS; that stops a lot of spam, but it also rejects legitimate senders with broken DNS, so watch /var/log/mail.log for a while after enabling it. The catch-all line in the virtual map also means that every spam message sent to a made-up address at your domain gets forwarded on to GMail.
- Check and reload the Postfix config:
postfix check
/etc/init.d/postfix reload
Samba
- Create media user with command:
adduser --disabled-password --gecos "Media,,,,," media
- Create folder /etc/samba/private, with permissions root:root 700
- In /etc/samba/smb.conf, do the following:
- Disable home directory sharing
- Disable printing
- User-level security (security = user)
- Disable passwd program / chat / sync
- Password DB backend is tdbsam with a DB location of /etc/samba/private/passdb.tdb
- Add Archives share
- Add Documents share
- Add Music share
- Add Movies share
- Add Pictures share
- Add Web share
- All shares should be 'read only = no', and 'valid users = media'; for example:
[Archives]
path = /mnt/archives
read only = no
valid users = media
- Make sure the directories behind each share are owned by (or at least writable by) the media user, since Samba accesses them with that user's Unix permissions; 'valid users' controls who may connect, not what the filesystem allows.
- Note that it is recommended to rename the Debian smb.conf file to smb.conf.master, make changes to it, and then 'compile' a stripped-down copy using
testparm -s /etc/samba/smb.conf.master > /etc/samba/smb.conf
- My current config (as produced by testparm) is:
[global]
server string = %h server
obey pam restrictions = Yes
passdb backend = tdbsam:/etc/samba/private/passdb.tdb
pam password change = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
hide files = lost+found
[Archives]
path = /mnt/archives
valid users = media
read only = No
[Movies]
path = /mnt/movies
valid users = media
read only = No
[Music]
path = /mnt/music
valid users = media
read only = No
- Once the config file is set up, set the Samba password for the media user:
smbpasswd -a media
Rsnapshot
- Change snapshot_root to /mnt/backup/snapshots/ (on the backup disk)
- Remove the hourly interval
- Add a monthly interval (3 months)
- Uncomment cmd_cp
- Change localhost destinations to jupiter/; add /var/www/, /boot/ to venus destinations.
- Add a backup source / destination for each backed up system
- Uncomment lines from /etc/cron.d/rsnapshot (optionally adjust times to do backups later in the day, say 5:00 - 6:00 AM, after remote backups finished).
- My current config (after removing comment lines) is below. Note that the fields in rsnapshot.conf must be separated by tabs, not spaces (the spacing shown here is for display only), and that 'rsnapshot configtest' will tell you whether the file is well-formed before the first cron run:
config_version 1.2
snapshot_root /mnt/backup/snapshots/
cmd_cp /bin/cp
cmd_rm /bin/rm
cmd_rsync /usr/bin/rsync
cmd_logger /usr/bin/logger
interval daily 7
interval weekly 4
interval monthly 3
verbose 2
loglevel 3
logfile /var/log/rsnapshot.log
lockfile /var/run/rsnapshot.pid
backup /home/ jupiter/
backup /etc/ jupiter/
backup /usr/local/ jupiter/
backup /var/www/ jupiter/
backup /var/lib/tomcat7/webapps/ jupiter/
backup /var/lib/postgresql/backup/ jupiter/
backup /mnt/backup/behemoth/ behemoth/
backup /mnt/backup/defender/ defender/
backup /mnt/backup/nova/ nova/
backup /mnt/backup/toska/ toska/
Cups
- Change 'Listen localhost:631' to 'Listen *:631', then add the following lines to each of the Location elements (/, /admin, /admin/conf) so that only the LAN and the server itself can reach the daemon:
Allow From 192.168.0.
Allow From 127.0.0.1
Once CUPS listens on all interfaces, these Allow lines are the only thing keeping it private, so make sure port 631 is not reachable from outside the LAN (e.g. through a port forward on the router).
- Add printer
- Go to http://jupiter:631
- Add printer
- For driver use PPD file Brother-HL-2040-hl1250.ppd
- For the name, enter 'HL-2040'; the location / description don't matter.
- In theory it should now appear under the printer browser on OS X. If not, you can manually add it as an IPP printer, hostname 'jupiter', queue 'printers/HL-2040'.
HDParm
- Add the following config to /etc/hdparm.conf (spindown_time is in units of 5 seconds, so 120 means 10 minutes; if your disk names can move between reboots, use the stable /dev/disk/by-id/... path instead of /dev/sdX):
/dev/sda {
spindown_time = 0
}
/dev/sdb {
spindown_time = 120
}
NTPDate
- Add the following script as /etc/cron.hourly/ntpdate (it must be executable, so chmod 755 it; note that run-parts ignores file names containing a dot):
#!/bin/sh
/usr/sbin/ntpdate-debian -s
ddclient
- Change the config file /etc/ddclient.conf as follows (it contains the account password, so keep it owned by root with mode 600):
protocol=zoneedit1
ssl=yes
use=web, web='http://dynamic.zoneedit.com/checkip.html', web-skip='IP Address'
server=dynamic.zoneedit.com
login=username
password='password'
example.com
*.example.com
MediaTomb
- Copy the configuration file to /etc/mediatomb/config.xml
- Make a symlink /Movies to /mnt/movies
SMART Monitor
- Comment out the DEVICESCAN lines, and add the following lines in /etc/smartd.conf:
/dev/sda -a -s (S/../.././02|L/../../6/03) -m root -M exec /usr/share/smartmontools/smartd-runner
/dev/sdb -a -s (S/../.././02|L/../../6/03) -m root -M exec /usr/share/smartmontools/smartd-runner
- Uncomment the line
start_smartd=yes
in /etc/default/smartmontools.
- See this blog for additional details.
Logcheck
- Add the following rules to files in /etc/logcheck/ignore.d.server/, one file per service (each line is an extended regular expression that logcheck matches against whole log lines; anything not matched by some rule gets mailed to you):
avahi-daemon:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid legacy unicast query packet.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Received response from host [0-9.]+ with invalid source port [0-9]+ on interface '[0-9a-zA-Z.]+'$
postfix:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: hostname [^[:space:]]+ does not resolve to address [^[:space:]]+$
smartd:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])?, offline data collection was (aborted|suspended) by an interrupting command from host \(auto:on\)$
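Logcheck applies each ignore file as a list of extended regular expressions and reports every log line that no rule matches, so the way to check a new rule is to run it against real lines before waiting for the next report. The following shell snippet is an added example, not part of the original page: it writes the four rules above and a handful of constructed syslog lines (host name 'jupiter', PIDs and addresses made up) to a scratch directory, then prints what logcheck would still report.

```shell
#!/bin/sh
# Added example: dry-run logcheck ignore rules against sample log lines.
# Assumes grep -E with the \w extension (GNU grep, as on Debian); the log
# lines below are constructed for the demonstration.
set -eu

# logcheck_unmatched RULES LOG: print lines of LOG that no rule in RULES
# matches (what logcheck would mail). Returns 0 unless grep itself fails,
# e.g. on a malformed regex (grep exit status 2).
logcheck_unmatched() {
    grep -E -v -f "$1" "$2" && rc=0 || rc=$?
    [ "$rc" -le 1 ]
}

LOGCHECK_DEMO=$(mktemp -d)
LOGCHECK_RULES=$LOGCHECK_DEMO/ignore.d.server
LOGCHECK_LOG=$LOGCHECK_DEMO/syslog.sample

# The ignore rules from this page, concatenated as logcheck does.
cat > "$LOGCHECK_RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid legacy unicast query packet.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Received response from host [0-9.]+ with invalid source port [0-9]+ on interface '[0-9a-zA-Z.]+'$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: hostname [^[:space:]]+ does not resolve to address [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])?, offline data collection was (aborted|suspended) by an interrupting command from host \(auto:on\)$
EOF

# Constructed syslog lines: four that the rules should silence, two that
# must still be reported (a brute-force attempt and a real SMART warning).
cat > "$LOGCHECK_LOG" <<'EOF'
Jan  5 02:17:03 jupiter avahi-daemon[1234]: Invalid legacy unicast query packet.
Jan 15 02:17:09 jupiter avahi-daemon[1234]: Received response from host 192.168.0.23 with invalid source port 32768 on interface 'eth0'
Jan  5 02:18:44 jupiter postfix/smtpd[2345]: warning: hostname mail.example.net does not resolve to address 203.0.113.7
Jan  5 03:00:12 jupiter smartd[999]: Device: /dev/sda [SAT], offline data collection was aborted by an interrupting command from host (auto:on)
Jan  5 02:19:01 jupiter sshd[3456]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
Jan  5 03:05:00 jupiter smartd[999]: Device: /dev/sdb [SAT], 1 Currently unreadable (pending) sectors
EOF

logcheck_unmatched "$LOGCHECK_RULES" "$LOGCHECK_LOG"
```

Point the function at the real files ('cat /etc/logcheck/ignore.d.server/*' for the rules, /var/log/syslog for the log) to see exactly what the next report will contain; a rule that silences more than you intended shows up as a line that disappears from the output when it should not.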
SFTP Jails (for backups)
- Add a group 'sftpbackup'
addgroup sftpbackup
- Add the following lines to the end of /etc/ssh/sshd_config (they must come last: everything after a Match line applies only to the matching connections):
Match Group sftpbackup
    ChrootDirectory /mnt/backup/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
This will cause all incoming connections for users in the sftpbackup group to be forced to SFTP, with no port or X11 forwarding, chroot'd into /mnt/backup/<username>.
- Add the user(s) which you wish to use for backup to the sftpbackup group, either with 'adduser user1 sftpbackup' or by editing /etc/group:
sftpbackup:x:1008:user1,user2,user3
- Change the login shell for these users from /bin/bash to /bin/false ('usermod -s /bin/false user1', or edit /etc/passwd):
user1:x:1001:1001:,,,:/home/user1:/bin/false
...
- (Optionally) create an LVM volume mounted at /mnt/backup/ for them to back up to. Ensure that there is a user-writeable folder in there, called backup (or whatever you want; this will be the path they need to write their SFTP files to). The chroot directory itself and every directory above it (/mnt/backup/user1, /mnt/backup, /mnt, /) must be owned by root and not writable by group or others, or sshd will refuse the connection.
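sshd's ownership rule is the usual reason an SFTP chroot "does not work", and the failure is only a terse message in auth.log, so it is worth checking the whole path before handing out accounts. The script below is an added example, not from the original page: it walks from the ChrootDirectory up to the root and reports every directory that is not root-owned or is group/other writable. The STOP and UID arguments are assumptions added so the walk can be demonstrated on a constructed scratch tree as an unprivileged user; on the server you would call 'chroot_chain_ok /mnt/backup/user1' and let them default to / and uid 0.

```shell
#!/bin/sh
# Added example: check sshd's ChrootDirectory ownership/permission rule.
# Assumes POSIX ls (output parsed with LC_ALL=C). The scratch tree below is
# constructed; STOP and UID exist only so it can run as a normal user.
set -eu

# chroot_dir_ok DIR [UID]: 0 if DIR is a directory owned by UID (default 0)
# and not writable by group or others; otherwise print why and return 1.
chroot_dir_ok() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    set -- $(LC_ALL=C ls -ldn "$dir")     # $1 = mode string, $3 = numeric owner
    mode=$1; owner=$3
    [ "$owner" = "$want_uid" ] || { echo "$dir: owned by uid $owner, want $want_uid"; return 1; }
    case $mode in
        ?????w*|????????w*) echo "$dir: group/other writable ($mode)"; return 1 ;;
    esac
    return 0
}

# chroot_chain_ok DIR [STOP] [UID]: apply chroot_dir_ok to DIR and every
# parent up to and including STOP (/ by default). Reports every offender
# rather than stopping at the first, so one run shows all the fixes needed.
chroot_chain_ok() {
    cur=$1; stop=${2:-/}; uid=${3:-0}; bad=0
    while :; do
        chroot_dir_ok "$cur" "$uid" || bad=1
        [ "$cur" = "$stop" ] && break
        [ "$cur" = / ] && break              # never walk above the filesystem root
        cur=$(dirname "$cur")
    done
    return $bad
}

# Constructed scratch tree standing in for /mnt/backup: user1 has the
# classic mistake (group-writable chroot directory), user2 is correct.
CHROOT_DEMO=$(mktemp -d)
mkdir -p "$CHROOT_DEMO/mnt/backup/user1/backup" "$CHROOT_DEMO/mnt/backup/user2/backup"
chmod 755 "$CHROOT_DEMO" "$CHROOT_DEMO/mnt" "$CHROOT_DEMO/mnt/backup" "$CHROOT_DEMO/mnt/backup/user2"
chmod 775 "$CHROOT_DEMO/mnt/backup/user1"
CHROOT_DEMO_UID=$(id -u)

chroot_chain_ok "$CHROOT_DEMO/mnt/backup/user1" "$CHROOT_DEMO" "$CHROOT_DEMO_UID" || echo "user1: sshd would refuse this chroot"
chroot_chain_ok "$CHROOT_DEMO/mnt/backup/user2" "$CHROOT_DEMO" "$CHROOT_DEMO_UID" && echo "user2: ok"
```

The user-writable 'backup' folder inside the chroot is deliberately not part of the walk: sshd only cares about the chroot directory and its ancestors, which is exactly why the writable area has to live one level down.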
SSH Jails (for rsync backups)
If your backup users need a real shell (e.g. for rsync to work), you can still use a chroot, just without the SFTP-only requirement. To do this, follow the instructions above, but with some changes:
- Remove the "ForceCommand" line from sshd_config
- Leave the users' login shell as /bin/bash rather than /bin/false (it is the shell that will run inside the chroot)
- For each user [user], do the following:
- Copy /bin/bash to /mnt/backup/[user]/bin
- Copy /usr/bin/rsync to /mnt/backup/[user]/usr/bin
- Run 'ldd /bin/bash' and 'ldd /usr/bin/rsync'; you will see a list of libraries which are linked to each program, including the dynamic loader (/lib64/ld-linux-x86-64.so.2 on amd64). Copy all of them to the same paths inside the chroot, e.g.:
cd /mnt/backup/[user]
mkdir -p lib/x86_64-linux-gnu
cp /lib/x86_64-linux-gnu/libtinfo.so.5 lib/x86_64-linux-gnu/
- You can verify that it is working by trying to enter the chroot environment as root: 'chroot /mnt/backup/[user]'. You should get a bash prompt, and be able to run 'rsync'. Remember that the copied binaries and libraries are not updated by apt, so repeat the copy after security updates to bash, rsync or libc.
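Doing the ldd-and-copy step by hand is error-prone (one missed library and the user gets "No such file or directory" for a binary that is plainly there), so here is the procedure as a script. It is an added example, not from the original page; it assumes a glibc-based Linux with ldd and a cp that understands -L, and the scratch directory it populates is constructed for the demonstration, with /bin/sh standing in for bash and rsync since those are not guaranteed to exist on the machine running it.

```shell
#!/bin/sh
# Added example: populate a chroot with programs and the libraries ldd
# reports for them, keeping the original paths. Assumes glibc's ldd and
# cp -L (coreutils). The scratch directory is constructed; on the server
# the target is /mnt/backup/<user>.
set -eu

# ldd_paths PROGRAM: print the absolute paths ldd lists for PROGRAM, one per
# line (shared libraries and the dynamic loader; the vDSO has no path and is
# skipped). Prints nothing for a static binary or when ldd is unavailable.
ldd_paths() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# install_into_chroot CHROOT PROGRAM...: copy each PROGRAM and everything
# ldd_paths reports into CHROOT at the same path, following symlinks so the
# chroot holds real files rather than links pointing outside it.
install_into_chroot() {
    root=$1; shift
    for prog in "$@"; do
        [ -x "$prog" ] || { echo "$prog: not an executable" >&2; return 1; }
        mkdir -p "$root$(dirname "$prog")"
        cp -L "$prog" "$root$prog"
        for lib in $(ldd_paths "$prog"); do
            [ -e "$root$lib" ] && continue       # shared with an earlier program
            mkdir -p "$root$(dirname "$lib")"
            cp -L "$lib" "$root$lib"
        done
    done
}

# chroot_missing CHROOT PROGRAM: list the program and dependencies that are
# not present under CHROOT; returns 0 only when nothing is missing. This is
# the check you can run without root, before trying "chroot CHROOT /bin/bash".
chroot_missing() {
    root=$1; prog=$2; missing=0
    [ -x "$root$prog" ] || { echo "$root$prog"; missing=1; }
    for lib in $(ldd_paths "$prog"); do
        [ -e "$root$lib" ] || { echo "$root$lib"; missing=1; }
    done
    return $missing
}

# Stand-alone demonstration with /bin/sh; on the server:
#   install_into_chroot /mnt/backup/user1 /bin/bash /usr/bin/rsync
CHROOT_SCRATCH=$(mktemp -d)
install_into_chroot "$CHROOT_SCRATCH" /bin/sh
chroot_missing "$CHROOT_SCRATCH" /bin/sh && echo "all dependencies of /bin/sh present under $CHROOT_SCRATCH"
```

Run chroot_missing again after each apt upgrade of bash, rsync or libc: a library whose soname changed will show up as missing, and one whose contents changed will not, which is why the install step is worth re-running wholesale rather than only when the check complains.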
EncFS for remote backups
This describes how to keep a directory encrypted with EncFS (a FUSE filesystem that encrypts file by file on top of an ordinary directory, rather than encrypting a whole partition). You can then back up the underlying encrypted directory to an untrusted destination.
- Install encfs (aptitude install encfs)
- Make a volume where the encrypted data will go (optional; it just needs to go somewhere)
- Create the encrypted volume (you will be prompted for a passphrase; remember it):
encfs /path/to/encfs-root /path/to/encfs-mountpoint
- Create a wrapper script to allow encfs mounts from fstab, at /usr/local/bin/encfs-wrapper (the name must match the one used in fstab below), and make it executable:
#!/bin/sh
exec encfs --public --extpass="cat /etc/encfs/encfs_password" "$@"
- Create a file, readable / writable only by root (mode 600), containing the encfs passphrase, at /etc/encfs/encfs_password.
- Add the encfs mount to /etc/fstab:
/usr/local/bin/encfs-wrapper#/path/to/encfs-root /path/to/encfs-mountpoint fuse rw,user,auto 0 2
You can then save anything you want to /path/to/encfs-mountpoint, and corresponding encrypted files will show up in /path/to/encfs-root. You can then back up /path/to/encfs-root to any untrusted backup service you choose (cloud hosting, a semi-trusted friend with bilateral SSH chroots as described above, a desktop drive at work that the janitor may have access to, whatever). Without the passphrase the contents are unreadable; file names are encrypted too, but file sizes, the directory layout and the timing of changes are still visible to whoever holds the backup. Note also that EncFS's 2014 security audit found weaknesses that matter most when an attacker can compare several versions of the ciphertext, which is exactly what a backup target sees over time, so treat it as protection against casual inspection rather than a strong guarantee.
Make sure that your password (better yet, passphrase) is strong but memorable. If it is randomly generated and your machine is destroyed, you may not remember the password when you go to recover your data; the copy in /etc/encfs/encfs_password lives on the very machine you are backing up, so it will not be there to help.
Host Time Capsule volumes
- See my Time Capsule Debian page for details.