In the spirit of Thomas Limoncelli's Time Management for System Administrators, this is my checklist for setting up a new Debian system. I have added a few notes to the original list to justify their existence and to provide some background information.

Whilst you should avoid performing repetitive interactive configuration and defer to the multitude of tools designed for this task, constructing and sharing a checklist can still be an instructive step. It can also be useful in situations where a machine has already been partly configured for you.

Software

/etc/apt/sources.list
- Choose a sensible primary mirror
- Ensure use of release codenames (eg. "lenny") instead of synonyms
- Confirm security mirror is enabled
- Remove references to contrib and non-free

Disable installation of Recommends:

echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/90recommends

Ensure we are up to date security-wise:
```
apt-get update && apt-get dist-upgrade
```
Setup and configure locales first to avoid annoying Perl warnings. Don't choose All locales; you almost certainly don't want that.
```
apt-get install locales
dpkg-reconfigure -plow locales
```

Install some essential utilities:

apt-get install vim-nox ntp openssh-server screen most tree bzip2 unzip moreutils dnsutils htop pwgen telnet manpages manpages-dev vrms acl gawk strace curl tcpdump

Users

Before we create any real users, we configure PAM to reject weak passwords. Custom banned passwords can be added to the dictionary by editing /usr/share/dict/cracklib and running update-cracklib.
```
apt-get install libpam-cracklib
sed -i -e 's|^password|# \0|' /etc/pam.d/common-password
echo 'password required    pam_cracklib.so retry=3 minlen=6 difok=3' >> /etc/pam.d/common-password
echo 'password required    pam_unix.so use_authtok nullok md5' >> /etc/pam.d/common-password
```
(Edit: Please read this response from Steve Langasek regarding this modification on squeeze and Ubuntu 8.10)

Configure sudo. I prefer to create a new group instead of re-using adm as that is already used by logfiles.

addgroup rootusers
adduser myuser
adduser myuser rootusers
apt-get install sudo
echo 'User_Alias ROOTUSERS  = %rootusers' >> /etc/sudoers
echo 'ROOTUSERS, root     ALL=(ALL) ALL' >> /etc/sudoers

Mail relay

Email remains the primary method to asynchronously inform the system adminstrator that their attention is required.

It is assumed that the machine will not handle your day-to-day email (or indeed accept any external mail) but will instead simply forward it elsewhere. We also assume a preference for Exim, but the configuration for Postfix is almost identical.

First, install the mail packages:

apt-get install exim4-daemon-light bsd-mailx
dpkg-reconfigure exim4-config

During the Exim configuration, choose Internet site and follow all the defaults, ensuring that you only listen on 127.0.0.1 and you are not relaying mail for any other domains.
If you did not do so during the debconf-based configuration, you can configure forwarding to another email address so we don't have to continually poll this machine for issues:
```
echo 'root: you@example.com' >> /etc/aliases
newaliases
```

Finally, we test mail delivery:

echo "Test 1 from $(hostname)" | mail root -s "Test 1 from $(hostname)"

The d-i manual has some further advice on this, including the use of "smarthosts".

Miscellaneous

Stop Emacs creating backup files everywhere:

mkdir -p /etc/emacs/site-start.d
echo '(setq backup-inhibited t)' > /etc/emacs/site-start.d/10no-backup.el

Configure Munin:

apt-get install munin-node
echo 'allow ^123\.123\.123\.123$' >> /etc/munin/munin-node.conf
/etc/init.d/munin-node restart

For baroque network configurations, you can generate the regular expression line with this script.

Configure molly-guard, a tool for preventing accidental shutdowns. As molly-guard cannot detect shutdowns initiated within a combination of GNU screen and SSH, we configure it to always query the hostname:
```
apt-get install molly-guard
echo "ALWAYS_QUERY_HOSTNAME=true" >> /etc/molly-guard/rc
```

Monitor disk S.M.A.R.T. attributes:

apt-get install hddtemp smartmontools
sed -i 's|^#start_smartd=yes|start_smartd=yes|' /etc/default/smartmontools
/etc/init.d/smartmontools start

Setup backups - I'm quite partial to backupninja because it automates most of the tedious SSH configuration. I adjust the time of the backup to when I'm likely to be around to fix issues and cut down on email noise by not reporting successful backups:
```
apt-get install backupninja hwinfo debconf-utils rdiff-backup
sed -i -e 's|^when = everyday at 01:00|when = everyday at 9:30|' /etc/backupninja.conf
sed -i -e 's|^reportsuccess = yes|reportsuccess = no|' /etc/backupninja.conf
ninjahelper
```
Filesystems
- In /etc/fstab, check noatime is enabled on all filesystems, and acl where needed.
- Use tune2fs to adjust how much of the disk is reserved for the superuser - the default of 5% is excessive for large volumes.
Reboot. You should be prompted by molly-guard before your computer restarts.

Great inspiration! Added to my own sysadmin notes.

Kai

why not using the group "sudo", which is already there in the default /etc/sudoers ?

%sudo ALL=NOPASSWD: ALL

David Paleino

No reason, except my own blindness. I wonder; is that a lenny-ism? I don't see its introduction in the changelog.

— lamby

checklists are nice, but having a Fully Automated Installation is better. Check fai: http://www.i....

You can also use cfengine or puppet to ensure that all computers are set the way they must be.

Natxo Asenjo

Please re-read the second paragraph. Further comments that simply refer to such tools will not be shown.

Instead of configuring locales, I suggest using locales-all. Install once, purge locales, and no longer any problems of having some user wanting another locale generated.

Bernhard R. Link

Thanks. pusling pointed this out to me last night - another package I was not aware of.

New Debian/Linux user... the "Confirm security mirror is enabled"
- security mirror is enabled by default in lenny, but
- does squeeze have a security mirror?

Cae

Yes, see http://secure-testing-master.debian.net/. I would confirm whether it's being actively maintained so far away from a release before relying on it.

Why dont you use aptitude? iirc debian oficially only support dist-upgrades with aptitude, so there should be some reason to use it.

Pete

Habit combined with some problems I have with aptitude. Your assertion regarding support for dist-upgrade is false.

This is awesome, I also issue these commands on new servers I setup:

echo "alias screen='TERM=screen screen'" >> /etc/bash.bashrc
echo "username ALL=NOPASSWD:ALL" >> /etc/sudoers

echo "set softtabstop=4" >> /etc/vim/vimrc
echo "set shiftwidth=4" >> /etc/vim/vimrc
echo "set tabstop=4" >> /etc/vim/vimrc
echo "set expandtab" >> /etc/vim/vimrc
echo "set noai" >> /etc/vim/vimrc
echo "ForwardAgent yes" >> /etc/ssh/ssh_config

The vim stuff is for sane tabbing, and screen alias is to get rid of that weird barking thing when I press delete.

Albert Lash

Hm. I fear modifying the system-wide vim and bash configurations is a bit anti-social.

lamby

Checklist for configuring a Debian system

Software

Users

Mail relay

Miscellaneous

Seven comments

Reply