Initial Setup of Debian 10
Some useful commands for the initial setup of Debian 10
Verify Repository
Verify that the following entries are included in /etc/apt/sources.list
$ cat /etc/apt/sources.list
deb http://deb.debian.org/debian/ buster main
deb-src http://deb.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
# buster-updates, previously known as 'volatile'
deb http://deb.debian.org/debian/ buster-updates main
deb-src http://deb.debian.org/debian/ buster-updates main
Add users to Sudo Group
Log in as root to install sudo and add the user kwyong to the sudo group
$ apt install sudo
$ adduser kwyong sudo
Users have to log off and log on again for the sudo rights to be applied
Install open-vm-tools
$ sudo apt install open-vm-tools openssh-server -y
Static IP Address
Configuration of Static IP Address, Gateway & DNS Servers
$ sudo nano /etc/network/interfaces
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.222/24
gateway 192.168.1.1
dns-nameservers 1.1.1.1 8.8.8.8
Reboot the server for the new IP Address to be applied
$ reboot
Secure SSH Login
Generate a new SSH key on a Windows 10 machine with MobaXterm installed
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa): debian
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in debian.
Your public key has been saved in debian.pub.
The key fingerprint is:
SHA256:zjSeZm1ausekXayw6hIb17IltYlDcHnRHWvuTUvlNN0 kwyong@YONG-WIN10
The key's randomart image is:
+---[RSA 2048]----+
| ..o ... |
| . o . . .. o|
| o . o .E|
| . . o +.|
| . +So .. o .|
| o *=*+..o+ . |
| = *BB+o. o |
| o .oo== |
| oo.+o |
+----[SHA256]-----+
Verify the private key (debian) & public key (debian.pub) are created successfully
$ ls -l /home/mobaxterm/.ssh
total 19
-rw-r--r-- 1 kwyong UsersGrp 1766 Feb 2 21:32 debian
-rw-r--r-- 1 kwyong UsersGrp 399 Feb 2 21:32 debian.pub
drwxr-xr-x 1 kwyong UsersGrp 0 Jul 22 2019 hostkeys
-rw-r--r-- 1 kwyong UsersGrp 1766 Aug 6 2018 id_rsa
-rw-r--r-- 1 kwyong UsersGrp 381 Aug 9 2018 id_rsa.pub
-rw-r--r-- 1 kwyong UsersGrp 22485 Feb 2 17:18 known_hosts
Copy the public key to Debian with ssh-copy-id
$ ssh-copy-id -i /home/mobaxterm/.ssh/debian [email protected]
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
stty: standard input: Inappropriate ioctl for device
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
Log in to Debian and verify that /home/kwyong/.ssh/authorized_keys is created successfully
$ ls /home/kwyong/.ssh
authorized_keys
Login to Debian with Private Key from Windows 10
$ ssh -i /home/mobaxterm/.ssh/debian [email protected]
Enter passphrase for key '/home/mobaxterm/.ssh/debian':
Disable the Password Login in Debian and restart ssh
$ sudo nano /etc/ssh/sshd_config
PasswordAuthentication no
#Restart SSH
$ sudo systemctl restart sshd
Log in from a machine without the private key installed to verify that SSH password login has been disabled
[Administrator.LAB-AD01] ➤ ssh [email protected]
Permission denied (publickey)
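An added example, not part of the original post: a shell check that reads an sshd_config and reports whether password-style logins are really off. It covers two cases the single edit above can miss: sshd keeps the first value it reads for a keyword, and keyboard-interactive authentication through PAM can still prompt for a password. The function names, the sample file and the assumed defaults are illustrative.

```shell
#!/bin/sh
# Added example: check an sshd_config for settings that still allow password logins.
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.

# Print the global value of keyword $1 in file $2 (default $3); Match blocks are skipped.
sshd_value() {
    awk -v key="$1" -v val="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }                  # comments and blank lines
        tolower($1) == "match" { exit }                 # global section ends here
        tolower($1) == key { val = tolower($2); exit }  # first occurrence wins
        END { print val }
    ' "$2"
}

# Print findings for file $1; return 0 only if key-only login is enforced.
audit_sshd() {
    rc=0
    # Defaults are upstream OpenSSH behaviour when a keyword is absent (assumed
    # for the 7.9 release in buster; Debian's shipped file sets some explicitly).
    [ "$(sshd_value PasswordAuthentication "$1" yes)" = no ] ||
        { echo "FAIL PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_value ChallengeResponseAuthentication "$1" yes)" = no ] ||
        { echo "FAIL ChallengeResponseAuthentication is not 'no' (PAM may prompt for a password)"; rc=1; }
    [ "$(sshd_value PubkeyAuthentication "$1" yes)" = yes ] ||
        { echo "FAIL PubkeyAuthentication is not 'yes'; key login would break"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK key-only login is enforced"
    return "$rc"
}

# Constructed sample: "no" was appended at the end, but the earlier "yes" wins.
sample_config() {
    cat <<'EOF'
# constructed sshd_config fragment
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
EOF
}

if [ "$#" -gt 0 ]; then
    audit_sshd "$1"
else
    tmp=$(mktemp) && sample_config > "$tmp"
    audit_sshd "$tmp" || true
    rm -f "$tmp"
fi
```

Pass a path such as /etc/ssh/sshd_config as the first argument to check a real file; on the server itself, `sudo sshd -T` prints the configuration sshd actually resolved.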
Hostname
Change Hostname
$ sudo hostnamectl set-hostname debian10
Update /etc/hosts
$ sudo nano /etc/hosts
127.0.0.1 localhost
192.168.1.222 debian10.aventislab.com debian10
Timezone
List available timezones in /usr/share/zoneinfo
$ sudo ls /usr/share/zoneinfo
Change the timezone to Asia/Kuala_Lumpur
$ sudo timedatectl set-timezone Asia/Kuala_Lumpur
$ sudo timedatectl
Local time: Mon 2021-01-04 15:58:10 +08
Universal time: Mon 2021-01-04 07:58:10 UTC
RTC time: Mon 2021-01-04 07:58:11
Time zone: Asia/Kuala_Lumpur (+08, +0800)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
UFW Firewall
Install UFW Firewall
$ sudo apt install ufw
By default, UFW is set to deny all incoming connections and allow all outgoing connections
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
Allow inbound SSH, HTTP & HTTPS
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
Enable UFW
$ sudo ufw enable
Verify UFW is enabled
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Allow Specific Port Ranges
$ sudo ufw allow 6000:6007/tcp
$ sudo ufw allow 6000:6007/udp
Cockpit – WebUI for Server Management
Install and start cockpit
$ sudo apt install cockpit
# Start & Enable cockpit to start automatically when server is rebooted
$ sudo systemctl start cockpit
$ sudo systemctl enable cockpit.socket
Allow inbound TCP 9090
$ sudo ufw allow 9090/tcp
Login to cockpit via https://IP-ADDRESS:9090
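An added example, not from the original post: the rules above leave SSH and Cockpit reachable from any source address, and this shell filter reads plain `ufw status` output and lists the management ports allowed from Anywhere. The port list (22 and 9090) and the sample status text are assumptions constructed from the rules on this page.

```shell
#!/bin/sh
# Added example: list management ports that `ufw status` shows open to any source.
# MGMT_PORTS is an assumption: SSH (22) and Cockpit (9090) as set up on this page.
MGMT_PORTS="22 9090"

# Read plain `ufw status` text on stdin; print "port/proto family" per exposed rule.
exposed_mgmt_rules() {
    awk -v ports="$MGMT_PORTS" '
        BEGIN { n = split(ports, p, " ") }
        $1 !~ /^[0-9]/ { next }               # status line, header, separator, blanks
        {
            fam = "v4"; act = $2; src = $3
            if ($2 == "(v6)") { fam = "v6"; act = $3; src = $4 }
            if (act != "ALLOW" || src != "Anywhere") next
            split($1, a, "/"); proto = (a[2] == "" ? "any" : a[2])
            lo = a[1]; hi = a[1]              # single port, or lo:hi for a range
            if (split(a[1], r, ":") == 2) { lo = r[1]; hi = r[2] }
            for (i = 1; i <= n; i++)
                if (p[i] + 0 >= lo + 0 && p[i] + 0 <= hi + 0) print p[i] "/" proto, fam
        }
    '
}

# Constructed sample: what `ufw status` prints after the rules added on this page.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
6000:6007/tcp              ALLOW       Anywhere
9090/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
9090/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# "-" reads live output from stdin; otherwise run on the constructed sample.
if [ "${1:-}" = "-" ]; then exposed_mgmt_rules; else sample_status | exposed_mgmt_rules; fi
```

Pipe live output in with `sudo ufw status` and a `-` argument; a rule limited to a source network, such as `sudo ufw allow from 192.168.1.0/24 to any port 9090 proto tcp`, shows that network in the From column and is not listed.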
Replace the default self-signed SSL certificate
Refer to my previous post on how to Generate Wildcard SSL Certificate from Let’s Encrypt
Verify that cert.cer & cert.key are created successfully
PS C:\Users\kwyong\AppData\Local\Posh-ACME\acme-v02.api.letsencrypt.org\106285172\!.aventis.dev> ls
Directory: C:\Users\kwyong\AppData\Local\Posh-ACME\acme-v02.api.letsencrypt.org\106285172\!.aventis.dev
Mode    LastWriteTime        Length  Name
----    -------------        ------  ----
-a----  14/12/2020 2:44 PM   1838    cert.cer
-a----  14/12/2020 2:44 PM   1708    cert.key
Create a new file called AventisLab.cert with the content of cert.cer & cert.key
$ cat cert.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
$ cat cert.cer
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
$ nano AventisLab.cert
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Upload AventisLab.cert to Debian
$ scp AventisLab.cert kwyong@debian:/tmp
Copy AventisLab.cert to /etc/cockpit/ws-certs.d and restart cockpit
# Copy to /etc/cockpit/ws-certs.d (the uploaded file is /tmp/AventisLab.cert)
$ sudo cp /tmp/AventisLab.cert /etc/cockpit/ws-certs.d
# Restart Cockpit so that it loads the new certificate
$ sudo systemctl restart cockpit
Verify AventisLab.cert is used for cockpit now
$ sudo remotectl certificate
certificate: /etc/cockpit/ws-certs.d/AventisLab.cert
Log in to cockpit via https://FQDN:9090 to verify AventisLab.cert is used now