Best Initial Server Setup with Debian 12 Bookworm – OrcaCore


Debian 12 Bookworm, released on July 10th, 2023, represents a significant step forward in the Debian lineage. It is packed with enhanced features and updated software compared to its predecessor, Debian 11, making it a robust choice for server environments. This tutorial is a guide to the initial server setup on Debian 12 Bookworm.

For those interested in upgrading from Debian 11, a detailed guide is available on the Orcacore website: Upgrade Debian 11 to Debian 12 from Command Line.

This guide walks you through essential steps to prepare your Debian 12 server for production use. You will learn how to update and upgrade your system, create a user with sudo privileges, configure the hostname, secure your SSH server, and establish a basic firewall using UFW.

Step 1 – How To Update and Upgrade Debian 12 Bookworm?

The first step is to ensure your system is up-to-date. Log in to your Debian 12 server via the terminal as root and execute the following commands:

apt update
apt upgrade -y

These commands refresh the package lists and upgrade all installed packages to their latest versions. The -y flag automatically confirms the upgrade, avoiding prompts.

Additionally, it’s advisable to perform a distribution upgrade to handle dependency changes and package removals:

apt dist-upgrade

Finally, remove any orphaned or unnecessary packages to keep your system clean:

apt autoremove

Step 2 – How To Create a Sudo User on Debian 12?

Logging in as the root user for everyday tasks is a security risk. Creating a non-root user with sudo privileges is crucial for secure server management.

Create a new user with the adduser command:

adduser orca

Replace orca with your desired username. The system will prompt you to set a password and provide user information.

Output
Adding user `orca' ...
Adding new group `orca' (1000) ...
Adding new user `orca' (1000) with group `orca (1000)' ...
Creating home directory `/home/orca' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for orca
Enter the new value, or press ENTER for the default
        Full Name []: orca
        Room Number []: 2
        Work Phone []: 4585
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
Adding new user `orca' to supplemental / extra groups `users' ...
Adding user `orca' to group `users' ...

Answer the prompts and confirm the information.

Next, add the user to the sudo group to grant administrative privileges:

usermod -aG sudo orca

Now you can switch to the newly created user:

su orca

Step 3 – How To Configure Debian 12 Bookworm Server Hostname?

A hostname identifies your server on a network, so give it a descriptive one.

Check the current hostname using hostnamectl:

sudo hostnamectl

The output will display various system information, including the static hostname.

To change the hostname, use the hostnamectl set-hostname command:

sudo hostnamectl set-hostname debian-bookworm

Replace debian-bookworm with your desired hostname.

Verify the change:

hostname

Output
debian-bookworm

Step 4 – How To Secure SSH Server on Debian 12 Bookworm?

Securing the SSH server is paramount for protecting your server from unauthorized access. Changing the default SSH port and disabling root login are crucial steps.

Open the SSH configuration file:

sudo vi /etc/ssh/sshd_config

Locate the Port line and change the port number to a non-standard port (e.g., 6571):

Include /etc/ssh/sshd_config.d/*.conf
Port 6571
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Find the PermitRootLogin line and set it to no:

# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Save and close the file. Restart the SSH service:

sudo systemctl restart ssh

If the SSH server is not installed, install it using:

sudo apt install openssh-server

Step 5 – How To Set up a UFW Firewall on Debian 12 Bookworm?

A firewall acts as a barrier between your server and the outside world, controlling network traffic. This step sets one up with UFW.

Install UFW:

sudo apt install ufw

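Enable UFW. Its default policy denies incoming connections, so keep your current SSH session open until the rule for the new SSH port is added: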

sudo ufw enable

Allow traffic on the new SSH port:

sudo ufw allow 6571/tcp

Reload the firewall:

sudo ufw reload

Check the firewall status:

sudo ufw status

Finally, reboot the server to apply the changes:

reboot
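
A lockout pre-flight for Steps 4 and 5, added here as an example (it is not part of the original tutorial): it reads the effective sshd settings and the UFW rules that have been added, and reports whether the SSH port is reachable and root login is off. The function names and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example. Inputs are the text of `sshd -T` (effective sshd settings,
# lowercase "keyword value" lines) and `ufw show added` (rules added so far,
# listed even while the firewall is still inactive).

# effective_value KEY: print the first value of KEY from an sshd -T dump on stdin.
effective_value() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# port_allowed PORT: succeed if stdin holds an allow/limit rule for PORT or PORT/tcp.
port_allowed() {
    grep -Eq "^ufw (allow|limit) ${1}(/tcp)?( |\$)"
}

# preflight SSHD_DUMP UFW_RULES: print "ok", or the reason the setup is unsafe.
preflight() {
    port=$(printf '%s\n' "$1" | effective_value port)
    root=$(printf '%s\n' "$1" | effective_value permitrootlogin)
    [ -n "$port" ] || { echo "no port in sshd dump"; return 1; }
    [ "$root" = "no" ] || { echo "permitrootlogin is '$root', expected 'no'"; return 1; }
    printf '%s\n' "$2" | port_allowed "$port" \
        || { echo "ufw has no allow rule for $port/tcp"; return 1; }
    echo "ok"
}

# Constructed sample inputs matching the values used in this tutorial.
SAMPLE_SSHD='port 6571
permitrootlogin no'
SAMPLE_UFW="Added user rules (see 'ufw status' for running firewall):
ufw allow 6571/tcp"

preflight "$SAMPLE_SSHD" "$SAMPLE_UFW"

# On a live server, as root, before restarting ssh or enabling ufw:
#   sshd -t && preflight "$(sshd -T)" "$(ufw show added)"
```

Because drop-in files under /etc/ssh/sshd_config.d/ are read before the rest of sshd_config, checking the effective values catches an override that editing the main file alone would miss.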

Alternative Solutions for Initial Server Setup

While the above steps provide a solid foundation, let’s explore two alternative approaches to enhancing your initial server setup.

1. Automating the Setup with Ansible

Ansible is an automation tool that allows you to define your desired server state in a playbook and apply it consistently across multiple servers. This eliminates manual configuration and ensures repeatability.

Explanation:

Instead of running individual commands on the server, you can create an Ansible playbook that automates tasks like updating packages, creating users, configuring SSH, and setting up the firewall. This approach is particularly useful for managing multiple servers or for ensuring consistent configurations across your infrastructure.

Code Example (Ansible Playbook – initial_setup.yml):

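---
- hosts: all
  become: true
  tasks:
    - name: Update apt cache
      apt:
        update_cache: yes
    - name: Upgrade packages
      apt:
        upgrade: dist
    # The ufw module needs the ufw package on the target host.
    - name: Install UFW
      apt:
        name: ufw
        state: present
    - name: Create sudo user
      user:
        name: orca
        groups: sudo
        append: yes
        password: "$6$rounds=656000$ZEWfFvK2W.e412412412412.13124/312412.31241234123412341234.dsafsdasf4123123" # Replace with a hashed password
    # Match the Port line whatever its current value, commented out or not.
    - name: Change SSH port
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*Port\s'
        line: 'Port 6571'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH
    # Debian ships "#PermitRootLogin prohibit-password", so match any value.
    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s'
        line: 'PermitRootLogin no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH
    # Add the rule before enabling the firewall so SSH is never cut off.
    - name: Allow SSH port
      ufw:
        rule: allow
        port: '6571'
        proto: tcp
    - name: Enable UFW
      ufw:
        state: enabled
    - name: Reload UFW
      ufw:
        state: reloaded

  # Handlers run at the end of the play. Once SSH restarts it listens on 6571,
  # so set ansible_port=6571 in the inventory for later runs.
  handlers:
    - name: Restart SSH
      service:
        name: ssh
        state: restarted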

To run this playbook:

  1. Install Ansible on your control machine.
  2. Configure your inventory file to include your Debian 12 server.
  3. Run the playbook: ansible-playbook initial_setup.yml

This Ansible playbook automates the entire initial server setup process, ensuring consistency and reducing the risk of errors. Remember to replace the password hash with a secure one generated using mkpasswd -m sha-512.

2. Using Cloud-Init for Automated Initialization

Cloud-Init is a widely used tool for automatically configuring cloud instances during their initial boot. While often associated with cloud environments, it can also be used to initialize bare-metal servers and virtual machines.

Explanation:

Cloud-Init allows you to provide a configuration file (usually in YAML format) that specifies the desired state of the server. This file can include commands to run, packages to install, users to create, and files to write. When the server boots for the first time, Cloud-Init reads the configuration file and automatically applies the settings.

Code Example (Cloud-Init Configuration – cloud-config.yml):

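#cloud-config
package_update: true
package_upgrade: true
# ufw must be installed before the runcmd entries below can use it.
packages:
  - ufw

users:
  - name: orca
    groups: sudo
    shell: /bin/bash
    passwd: "$6$rounds=656000$ZEWfFvK2W.e412412412412.13124/312412.31241234123412341234.dsafsdasf4123123" # Replace with a hashed password
    sudo: ['ALL=(ALL:ALL) NOPASSWD:ALL']
    # Password logins are disabled below, so SSH access needs a public key.
    ssh_authorized_keys:
      - "ssh-ed25519 REPLACE_WITH_YOUR_PUBLIC_KEY" # placeholder, not a real key

ssh_pwauth: no

write_files:
  # Written as a drop-in, which Debian's sshd_config reads through its
  # "Include /etc/ssh/sshd_config.d/*.conf" line. Writing sshd_config itself
  # would replace the whole file. The file name is an example.
  - path: /etc/ssh/sshd_config.d/10-hardening.conf
    content: |
      Port 6571
      PermitRootLogin no
      PasswordAuthentication no

runcmd:
  # Add the rule first, then enable without the interactive prompt.
  - ufw allow 6571/tcp
  - ufw --force enable
  - ufw reload
  - systemctl restart ssh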

To use this configuration:

  1. Ensure Cloud-Init is installed on your Debian 12 server (it’s often pre-installed on cloud images).
  2. Place the cloud-config.yml file in a location where Cloud-Init can access it (e.g., /var/lib/cloud/seed/nocloud-data). The specific location depends on the datasource configured.
  3. Reboot the server. Cloud-Init will automatically apply the configuration during the boot process.

Cloud-Init provides a powerful and flexible way to automate the initial setup of your Debian 12 server. It’s particularly useful for cloud environments but can also be adapted for bare-metal and virtualized deployments. Remember to replace the password hash with a secure one generated using mkpasswd -m sha-512.

Conclusion

This tutorial has covered the essential steps of the initial server setup on Debian 12 Bookworm. By following these steps, you can ensure that your server is secure, up-to-date, and ready for production use. Additionally, we explored alternative methods using Ansible and Cloud-Init for automating the setup process, providing scalable and consistent solutions. Remember to adapt these solutions to your specific environment and security requirements. Enjoy your optimized Debian 12 Bookworm server!
