Change to root
| Code Block |
|---|
su - |
Update
| Code Block |
|---|
apt-get -y update
apt-get -y upgrade |
Install Packages
| Code Block |
|---|
apt-get -y install wget sudo vim unzip gzip rsync sysstat cifs-utils nmap tcpdump tmux virt-what chrony smbclient ufw curl net-tools nload fontconfig ripgrep tmpreaper |
Update tmpreaper config
| Code Block |
|---|
sudo sed -i '/SHOWWARNING=true/d' /etc/tmpreaper.conf
sudo sed -i -e "s/^# TMPREAPER_TIME=7d/TMPREAPER_TIME=1d/" /etc/tmpreaper.conf |
Configure VIM
VIM detects the mouse, and copy pasting between two terminal windows is annoying because of this. Disable this as follows for root and jtel:
| Code Block |
|---|
cat << EOFF >> ~/.vimrc
set mouse-=a
EOFF
cp ~/.vimrc /home/jtel
chown jtel:jtel /home/jtel/.vimrc |
Configure Sudo for jtel User
The following command adds the jtel user to the sudo group:
| Code Block |
|---|
adduser jtel sudo |
Sometimes the command will not work. Try adding "sudo" to the beginning:
| Code Block |
|---|
sudo adduser jtel sudo |
Setup the Firewall
Until Debian 11.5
First of all, stop ufw logging to the default syslog destination (/var/log/messages).
| Code Block |
|---|
sed -i -e "s/^#\& stop/\& stop/" /etc/rsyslog.d/20-ufw.conf
systemctl restart rsyslog |
Debian 11.5 and later
| Info |
|---|
From Debian 11.5 onwards, the base configuration in /etc/rsyslog.d/20-ufw.conf is correct and logs to /var/log/ufw.log. No changes to the configuration file are needed. |
The following commands enable the firewall and allow ssh.
| Code Block |
|---|
ufw --force reset
ufw --force default deny incoming
ufw --force default allow outgoing
ufw allow ssh
ufw --force enable |
Setup chrony
The following commands install chrony and modify the basic chrony.conf file to remove usage of the default pool and any configured servers, and replace this with the 3 (very reliable) time servers from the German PTB.
| Code Block |
|---|
# Replace all existing servers
sed -i -e "s/^server /# server /" /etc/chrony/chrony.conf
# Replace pool setting
sed -i -e "s/^pool /# pool /" /etc/chrony/chrony.conf
# Add PTB Servers
cat << EOFF >> /etc/chrony/chrony.conf
# Servers to use
server ptbtime1.ptb.de iburst
server ptbtime2.ptb.de iburst
server ptbtime3.ptb.de iburst
EOFF
# Disable timesyncd daemon
systemctl disable systemd-timesyncd
# Enable Chrony
systemctl enable chrony
# Stop (just in case it was started), then start and get status
systemctl stop chrony
systemctl start chrony |
Check chrony
| Code Block |
|---|
systemctl status chrony
chronyc sources |
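To turn the manual check into a pass/fail test, the following added example (not part of the original page) parses `chronyc sources` output and confirms that only the three PTB servers are in use and that exactly one is selected. The function name and the sample output are constructed for illustration, and the check assumes chronyc prints the source names as configured.

```shell
# Constructed sample of `chronyc sources` output (not captured from a real host).
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ptbtime1.ptb.de               1   6   377    35   +112us[ +140us] +/-   11ms
^+ ptbtime2.ptb.de               1   6   377    36    -87us[  -59us] +/-   12ms
^? ptbtime3.ptb.de               0   7     0     -     +0ns[   +0ns] +/-    0ns'

# Reads `chronyc sources` output on stdin (hypothetical helper).
# Fails if a source other than the PTB servers is listed (for example a
# leftover pool entry) or if there is not exactly one selected source (^*).
# A source with reach 0 only produces a warning.
check_chrony_sources() {
    awk '
        # Source lines start with mode (^ = #) followed by state (* + - ? x ~).
        $1 ~ /^[=#^][*+?x~-]$/ {
            n++
            if ($2 !~ /^ptbtime[123]\.ptb\.de$/) {
                print "unexpected source: " $2
                bad = 1
            }
            if (substr($1, 2, 1) == "*") selected++
            if ($5 == "0") print "warning: " $2 " has reach 0 (no replies yet)"
        }
        END {
            if (n == 0) { print "no sources listed"; bad = 1 }
            if (selected != 1) { print "expected one selected source, found " selected + 0; bad = 1 }
            exit bad + 0
        }
    '
}

# Demo on the constructed sample; on a real host: chronyc sources | check_chrony_sources
printf '%s\n' "$SAMPLE_SOURCES" | check_chrony_sources
```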
...
Bash Settings
The following script does the following:
- Setup a warning when using git as root
...
The following command makes it (intentionally) more difficult to use git as the root user.
...
- (on root only)
- Allow for less on zipped files
| Code Block |
|---|
# root user
cat <<'EOFF' >> ~/.bashrc
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
alias git='printf "It looks like you are trying to run GIT as ROOT.\nFor jtel installations, GIT should always be run from the jtel user.\nIf you really want to run git as root, you will need to access it directly, using /usr/bin/git for example.\n"'
EOFF
source ~/.bashrc
# jtel user
cat <<'EOFF' >> /home/jtel/.bashrc
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
EOFF |
Enable sar
Debian 9
| Code Block |
|---|
# Enable stats
sed -i 's/ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat
systemctl enable sysstat
# Restart sysstat daemon
systemctl stop sysstat
systemctl start sysstat |
Debian 10+
| Code Block |
|---|
# Enable stats
sed -i 's/ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat
systemctl enable sysstat
# Restart sysstat daemon
systemctl stop sysstat
systemctl start sysstat |
Configure Cron - Debian 11
| Warning |
|---|
In early versions of Debian 11 Buster, a setting must be made in the configuration file /lib/systemd/system/anacron.timer and the daemon/service must be reloaded. Otherwise, the daily cron jobs will run at the default value, which is <07..23:30>. This problem has not been seen after Debian 11.4. |
Detect the Hypervisor
| Code Block |
|---|
virt-what |
VMWare
The tools are installed as follows:
| Code Block |
|---|
apt-get -y install open-vm-tools |
Hyper-V
The tools are installed as follows:
| Code Block |
|---|
apt-get -y install hyperv-daemons |
KVM
The tools are installed as follows:
| Code Block |
|---|
apt-get -y install qemu-guest-agent |
Other Hypervisors
Consult the manufacturer for further details.
Reboot
Reboot to load the new kernel if one was downloaded and make sure the guest tools are running OK.
Proxy Server
If a proxy server is used, the following commands will configure the proxy server for root and the jtel user.
The top 5 lines should be modified.
| Code Block |
|---|
PROXY_USERNAME=
PROXY_PASSWORD=
PROXY_SERVER=proxy.example.de
PROXY_PORT=3128
PROXY_EXCEPTIONS=.example.de,.local,10.
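# Build the proxy URL from the PROXY_* variables set above.
# Credentials, if set, are embedded in the URL and stored in plain text in .bashrc.
if [ -n "$PROXY_USERNAME" ] && [ -n "$PROXY_PASSWORD" ]
then
PROXY="http://$PROXY_USERNAME:$PROXY_PASSWORD@$PROXY_SERVER:$PROXY_PORT"
elif [ -n "$PROXY_USERNAME" ]
then
PROXY="http://$PROXY_USERNAME@$PROXY_SERVER:$PROXY_PORT"
else
PROXY="http://$PROXY_SERVER:$PROXY_PORT"
fi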
cat <<EOFF >> ~/.bashrc
export ALL_PROXY=$PROXY
export HTTP_PROXY=$PROXY
export HTTPS_PROXY=$PROXY
export FTP_PROXY=$PROXY
export RSYNC_PROXY=$PROXY
export http_proxy=$PROXY
export https_proxy=$PROXY
export ftp_proxy=$PROXY
export rsync_proxy=$PROXY
export NO_PROXY=$PROXY_EXCEPTIONS
EOFF
cat <<EOFF >> /home/jtel/.bashrc
export ALL_PROXY=$PROXY
export HTTP_PROXY=$PROXY
export HTTPS_PROXY=$PROXY
export FTP_PROXY=$PROXY
export RSYNC_PROXY=$PROXY
export http_proxy=$PROXY
export https_proxy=$PROXY
export ftp_proxy=$PROXY
export rsync_proxy=$PROXY
export NO_PROXY=$PROXY_EXCEPTIONS
EOFF
source ~/.bashrc |
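The proxy block above puts the user name and password straight into the URL, which breaks when they contain characters such as `@`, `:`, `/` or `#`, and it appends them to a `.bashrc` that is normally world-readable. The following added example (not part of the original page) percent-encodes the credentials and writes the exports to a separate file with mode 600; the function names and the target file are assumptions.

```shell
# Added example; all function names are hypothetical.

# Percent-encode every byte outside the RFC 3986 unreserved set.
# Runs in a subshell so LC_ALL=C (byte-wise matching) does not leak out.
urlencode() (
    LC_ALL=C
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest
        case $c in
            [a-zA-Z0-9.~_-]) out=$out$c ;;
            *) n=$(printf '%d' "'$c")
               out=$out$(printf '%%%02X' "$(( $n & 255 ))") ;;
        esac
    done
    printf '%s' "$out"
)

# $1 = user, $2 = password, $3 = server, $4 = port (same cases as the page's script)
build_proxy_url() {
    if [ -n "$1" ] && [ -n "$2" ]; then
        printf 'http://%s:%s@%s:%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
    elif [ -n "$1" ]; then
        printf 'http://%s@%s:%s' "$(urlencode "$1")" "$3" "$4"
    else
        printf 'http://%s:%s' "$3" "$4"
    fi
}

# $1 = target file, $2 = proxy URL, $3 = NO_PROXY list.
# The file is readable by its owner only; values are single-quoted so
# nothing in them is expanded when the file is sourced.
write_proxy_env() (
    umask 077
    for v in ALL_PROXY HTTP_PROXY HTTPS_PROXY FTP_PROXY RSYNC_PROXY \
             http_proxy https_proxy ftp_proxy rsync_proxy; do
        printf "export %s='%s'\n" "$v" "$2"
    done > "$1"
    printf "export NO_PROXY='%s'\n" "$3" >> "$1"
    chmod 600 "$1"
)

# Demo with constructed credentials.
build_proxy_url 'svc user' 'p@ss:w/rd #1' proxy.example.de 3128; echo
```

The generated file can then be sourced from `.bashrc` (for example `[ -r ~/.proxy_env ] && . ~/.proxy_env`, where `~/.proxy_env` is a hypothetical path), so the credentials never appear in `.bashrc` itself.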