This is the checklist I follow when I create a new Linux Debian Server.
The goal is a safe shared hosting environment where every user can ssh to the server but no user can see the content of another user's home folder.

Setup language

You need to set up the language if you get error messages like this one:

Run the following two commands to solve the issue:

File Permissions

Files should be restricted to the owner only. This must be the case for newly created files. Thus we set an umask that works both locally and over SSH. We also ensure the home folder for the current user, as well as future ones, has those strict permissions.

  1. In the file /etc/login.defs
    do: umask 077
  2. In the file /etc/profile
    do: umask 077
  3. In the file /etc/pam.d/common-session
    do: session optional pam_umask.so umask=077
    (you might just need to append " umask=077" at the end of an existing pam_umask.so line)
  4. In the file /etc/adduser.conf
    do: DIR_MODE=0700
  5. run: chmod -R 700 /home/CURRENTUSER

Login security, root login security and sudoers

You should not be able to log in as root using password. Instead we use key authentication for root.

  • Paste your public key into /root/.ssh/authorized_keys
  • Try to log in using your key to make sure this works.
  • Modify /etc/sudoers to give your own account full sudo rights. My file looks like this somewhere in the middle:

    That is a kinda crude way to do it. On Ubuntu the standard way to do it is to add the user to the admin group:

IP configuration

  1. Make the changes to /etc/network/interfaces
  2. /etc/init.d/networking restart

Configure mounts and limit disk IO

Please start with reading my guide on how to add storage devices.

If you have loads of RAM available and want to limit disk IO you can tell the kernel to avoid swapping processes out of physical memory for as long as possible:

Add/Remove new users

To add a new user use the command: adduser [username]
Note that this command (adduser) is recommended over the lower-level command useradd.

To remove a user use the command: userdel -fr [username]
The -fr part makes sure the home folder and other files are deleted.
Without it you will have to delete the files with another command.

To list the current users: cat /etc/passwd | cut -d: -f1
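The following script is an added example and not part of the original checklist. It ties the "files restricted to the owner" policy from the File Permissions section to the user listing above: it lists the regular accounts from a passwd file (the awk equivalent of cut -d: -f1 with a UID filter), checks that each of their home folders is mode 0700 so no user can read another user's files, and shows what umask 077 does to newly created files. File paths are parameters so it can be run against a constructed passwd file; on the server you would pass /etc/passwd. The UID >= 1000 cut-off for regular accounts is an assumption (the Debian adduser default).

```shell
#!/bin/sh
# Added example, not from the original checklist: audit per-user home isolation.

# Print login names of regular (non-system) accounts from passwd file $1.
# Assumption: regular accounts have UID >= 1000 (Debian adduser default).
list_regular_users() {
  awk -F: '$3 >= 1000 && $1 != "nobody" {print $1}' "$1"
}

# For each regular user in passwd file $1, print "<user> <home> <mode>" when
# the home folder is not mode 0700, or "<user> <home> missing" when it does
# not exist. Prints nothing when every home folder is locked down.
audit_user_homes() {
  awk -F: '$3 >= 1000 && $1 != "nobody" {print $1, $6}' "$1" |
  while read -r user home; do
    if [ ! -d "$home" ]; then
      printf '%s %s missing\n' "$user" "$home"
      continue
    fi
    mode=$(stat -c '%a' "$home")
    [ "$mode" = "700" ] || printf '%s %s %s\n' "$user" "$home" "$mode"
  done
}

# Show what umask 077 does to a new file and a new directory created under $1:
# prints "<file mode> <dir mode>", which is "600 700" under that umask.
# The umask is set in a subshell so the caller's umask is left untouched.
umask_demo() {
  (
    umask 077
    : > "$1/umask_demo.txt"
    mkdir "$1/umask_demo.d"
  )
  printf '%s %s\n' "$(stat -c '%a' "$1/umask_demo.txt")" "$(stat -c '%a' "$1/umask_demo.d")"
}
```

Run audit_user_homes /etc/passwd after step 5 of the File Permissions section; any line it prints is a home folder that other users on the box can still browse. stat -c is GNU coreutils syntax, which is what Debian ships.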

Install webserver packages

We install:

  • Apache using mod_ruid2 for security reasons and mod macro
  • PHP and some must-have extensions
  • Postfix

Configure PHP

Change the following values in /etc/php5/apache2/php.ini
To increase some limits

  • upload_max_filesize = 50M
  • post_max_size = 50M
  • max_execution_time = 300
  • memory_limit = 256M
  • max_input_vars = 5000

Configure MySQL

We want MySQL to use utf8 by default instead of latin1. Find your MySQL configuration file (on most Linux/BSD systems it's /etc/mysql/my.cnf) and make sure it has the following statements under the relevant headers. None of these settings should be set by default, so just paste them directly under the corresponding header:

Also make sure you only accept connections from localhost. This is good for security and is the default in Ubuntu 11.10:

If you scan your computer from the outside using nmap you will notice that port 3306 is actually closed from the outside world. With this setting there is no reason to add firewall rules for it.
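The script below is an added example, not part of the original checklist. It audits the two exposure settings this checklist relies on: the root SSH login policy from the login security section (root only with a key, never with a password) and MySQL listening on localhost only. Both functions take a config file path so they can run against a constructed copy; on the server you would pass /etc/ssh/sshd_config and /etc/mysql/my.cnf. Each prints one finding per line, prints nothing when the policy is met, and returns 1 on any finding. Assumptions: sshd_config has no Match blocks, the MySQL setting lives under the [mysqld] header, and an absent PermitRootLogin is treated as "yes" (the conservative reading for OpenSSH of the Debian 6/7 era).

```shell
#!/bin/sh
# Added example, not from the original checklist: audit root SSH login and
# the MySQL bind address.

# Effective value of an sshd_config keyword $2 in file $1: last uncommented
# occurrence wins, lower-cased; prints the default $3 when the keyword is absent.
sshd_value() {
  awk -v key="$2" -v def="$3" '
    tolower($1) == key { v = $2 }
    END { if (v == "") v = def; print tolower(v) }' "$1"
}

# Root may log in with a key only: PermitRootLogin must be without-password
# (older name) or prohibit-password, and public key auth must stay enabled.
audit_sshd_root_login() {
  rc=0
  case "$(sshd_value "$1" permitrootlogin yes)" in
    without-password|prohibit-password) ;;
    yes) echo "PermitRootLogin yes: root can log in with a password"; rc=1 ;;
    no)  echo "PermitRootLogin no: root cannot log in at all, the key login above will not work"; rc=1 ;;
    *)   echo "PermitRootLogin has an unrecognised value"; rc=1 ;;
  esac
  if [ "$(sshd_value "$1" pubkeyauthentication yes)" = "no" ]; then
    echo "PubkeyAuthentication no: keys in /root/.ssh/authorized_keys are ignored"; rc=1
  fi
  return "$rc"
}

# Effective bind-address from the [mysqld] section of my.cnf $1 (last
# occurrence wins, commented lines ignored); prints nothing when unset,
# which means mysqld listens on every interface.
mysqld_bind_address() {
  awk -F= '
    /^[ \t]*\[/ { sec = $0; gsub(/[][ \t]/, "", sec); next }
    sec == "mysqld" && $1 ~ /^[ \t]*bind-address[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v) }
    END { print v }' "$1"
}

# MySQL must only accept connections from localhost.
audit_mysqld_bind() {
  addr=$(mysqld_bind_address "$1")
  case "$addr" in
    127.0.0.1|localhost|::1) return 0 ;;
    "") echo "bind-address unset: mysqld listens on every interface (port 3306 reachable from outside)"; return 1 ;;
    *)  echo "bind-address $addr: mysqld is reachable from the network"; return 1 ;;
  esac
}
```

These checks read the files rather than the running daemons, so run them after the restart steps; the nmap scan from outside mentioned above is the end-to-end confirmation that the MySQL setting actually took effect.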

Restart MySQL and make sure it's working:

TODO: query cache size etc.

Configure Apache2

Do you get this message?

We just need to tell Apache what the name of the server is. The name of my server is "berit", so I add "ServerName berit" to /etc/apache2/httpd.conf:

Configure PHPMyAdmin

Open the file /etc/phpmyadmin/

You may want to hide some system databases from the web interface. To do that you would add a row like this to the middle of the file:

Add these rows to the end of the file to force SSL and increase the max rows per page:

If you want to be able to autologin as root (dangerous but handy on local installations):

Setting up Backups

I have written a separate guide on how to set up backups for your Linux server.