How to setup your server with Debian (small)
It can be confusing for beginners though (eg: me)
So here it is, a guide for other Debian Linode users. Hope it'll help you in configuring your Linode:
I'll update it along as I add more services to my server, when I do I'll post in this thread to let you know.
cheers,
Harry
31 Replies
I tried out your little walkthrough but got stuck on the firehol install. Going step by step with Debian on my linode, I got to the part where you start the shell script. I got the following error:
```
(none):/downloads/firehol-1.191# ./firehol.sh start
ERROR: Command 'less' not found in the system path.
FireHOL requires this command for its operation.
Please install the required package and retry.
```
So, I installed less via apt-get install less, then retried the install:
```
(none):/downloads/firehol-1.191# ./firehol.sh start
ERROR: Command 'lsmod' not found in the system path.
FireHOL requires this command for its operation.
Please install the required package and retry.
```
At this point, there is no lsmod on my debian linode and I can't see where it exists in any apt-get package.
Any thoughts?
Thanks
Ron
```
IMPORTANT WARNING:
------------------
FireHOL cannot find your current kernel configuration.
Please, either compile your kernel with /proc/config,
or make sure there is a valid kernel config in:
/usr/src/linux/.config
Because of this, FireHOL will simply attempt to load
all kernel modules for the services used, without
being able to detect failures.
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall (167 rules):
WARNING : This might or might not affect the operation of your firewall.
WHAT : A runtime command failed to execute (returned error 255).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/modprobe ip_conntrack_ftp -q
OUTPUT :
modprobe: Can't open dependencies file /lib/modules/2.4.26-linode29-1um/modules.dep (No such file or directory)
OK
```
It hasn't changed much at all since the linode21 kernel, and `CONFIG_IP_NF_CONNTRACK` is enabled.
Modules are disabled inside the Linode kernels for security reasons. You can ignore that warning message, most likely.
-Chris
@You_Wish:
> sufehmi great info on your site thanks very helpful
You're welcome.
However please be advised that it's not ideal. My goal is to create a tutorial to set up a webhosting server (on Debian), however I'm still compiling some packages (instead of installing via apt-get).
This is a problem because every time there's a new release for that package (eg: security patch), then you'll have to recompile again.
(while updating Debian packages is as simple as apt-get update then apt-get upgrade)
FYI.
Thanks,
Harry
```
apt-get install make
apt-get install gcc
apt-get install libgcrypt-dev
```
You need those - the first 2 are logical, but the last one isn't that obvious :p
@Moose:
> Ok, found a little mistake :)
> apt-get install make
> apt-get install gcc
Sorry - now I've put those steps at the beginning of the guide.
> apt-get install libgcrypt-dev
Strange… I think if you have installed OpenSSL, then you shouldn't need to do that.
Anyway, I'm very busy at the moment, but I'll reinstall the server in a few weeks time. Then I'll use that opportunity to change as much of the install routine to use apt-get (instead of manual compile), get them in the right order, and add more stuff to that documentation.
I'll let you know when I do.
Thanks,
Harry
@Quik:
> It might also be a good idea to edit out the additional OpenSSH instance, and remind users that they can just connect directly to their Linode's console through the host. This saves a few minutes of time setting up and removes the need to keep checking for updates :)
Excellent idea !
It's just that I'm used to installing at least 2 instances of sshd, because I've had enough of being locked out from my own server
Well that's very true for a dedicated server, but as you said, we don't need it for a Linode server
Thanks,
Harry
I've taken your page, and combined it with other information I've found and tried, to begin creating a similar tutorial. I'm no fan of forks - perhaps we can combine at some point?
I'm using .deb packages wherever possible to simplify and shorten the setup.
The downside is that a config from my tutorial will be behind the "latest and greatest" as much as the official Debian packages are.
http://wiki.gednet.com/DebianServerSetup
It's not complete (no web/db/email services yet), but I'm making progress. Commenting is enabled, so everyone feel free to let me know if I've missed - or messed up - any items.
Cheers,
ged
@ged:
> Great work Harry.
> I've taken your page, and combined it with other information I've found and tried, to begin creating a similar tutorial. I'm no fan of forks - perhaps we can combine at some point?
I have no problem at all with that, in fact I'll be happy to.
> I'm using .deb packages wherever possible to simplify and shorten the setup.
> The downside is that a config from my tutorial will be behind the "latest and greatest" as much as the official Debian packages are.
After a few problems in the past, my primary concerns now are security, maintainability, and reliability; that's why I stick to Debian stable :
They're maintained by Debian's security team
Using Debian packages enable Webmin to pick them up automatically (I've tried getting Webmin to recognise manually-installed package - it's very time consuming at least)
Upgrading / updating is a snap
Some people may say you're lame for using Webmin - but my concern is to manage as many servers using as little time as possible (including time needed to learn each software packages)
> http://wiki.gednet.com/DebianServerSetup
> It's not complete (no web/db/email services yet), but I'm making progress. Commenting is enabled, so everyone feel free to let me know if I've missed - or messed up - any items.
Great stuff ged… finally I found some info on setting up Apache+SSL using Debian packages (still messes this one up) - thanks. Also some other very interesting information.
One question - why installing qmail from source ? (the link to qmail install tutorial)
I've tried it, and it's still painful even after using easy to follow guide such as qmailrocks.org; I ended up using postfix (it's a one-page config using webmin). My friend uses ezmlm-qmail and he installed the Debian package.
Let me know if I'm missing something obvious here.
cheers,
Harry
@sufehmi:
> I have no problem at all with that, in fact I'll be happy to.
Great!
@sufehmi:
> After a few problems in the past, my primary concerns now are security, maintainability, and reliability; that's why I stick to Debian stable
I agree. I've only made a couple of exceptions so far: webmin and phpMyAdmin are installed from source (easy though). And the Apache/MySQL/PHP-related packages come from's .deb repository which gets updates as well, but they're not official. http://dotdeb.org
I'd prefer the stable packages rather than dotdeb, if stable is debugged/secure enough. What do you think?
I'm nixing qmail, actually, though I haven't updated the tutorial. I'm looking at a Postfix solution instead. I have been reviewing a few different tutorials to try to find a Debian-stable solution, and I am leaning toward something like this onePHPMyWebHosting
@sufehmi:
> Some people may say you're lame for using Webmin - but my concern is to manage as many servers using as little time as possible (including time needed to learn each software packages)
Well, whatever.
:? Hey, I'm open to other ideas.:)
Update:
I've been searching around for a good virtual mail howto that is simple to set up. No dice. The one I mentioned above is fairly complicated, and none of the howtos I saw using Postfix+Courier+MySQL talked about how to use the system once it's in place. Go figure.
So I'm on the fence between qmail+vmailmgr and Postfix+etc. Vmailmgr has a command-line interface which would work well for me, but it's not part of the Debian distribution.
@ged:
> @sufehmi:
> > I have no problem at all with that, in fact I'll be happy to.
>
> Great!
I just finished installing a plain Debian server at home. I'll use it to make my guide better, also utilising information in yours.
I just updated my guide to reflect this, also have started to incorporate some bits and pieces from your guide.
> @sufehmi:
> > After a few problems in the past, my primary concerns now are security, maintainability, and reliability; that's why I stick to Debian stable
>
> I agree. I've only made a couple of exceptions so far: webmin and phpMyAdmin are installed from source (easy though). And the Apache/MySQL/PHP-related packages come from's .deb repository which gets updates as well, but they're not official. http://dotdeb.org
> I'd prefer the stable packages rather than dotdeb, if stable is debugged/secure enough. What do you think?
Agree, I'd prefer that as well.
> I'm nixing qmail, actually, though I haven't updated the tutorial. I'm looking at a Postfix solution instead. I have been reviewing a few different tutorials to try to find a Debian-stable solution, and I am leaning toward something like this onePHPMyWebHosting
Thanks for the info, I'll use it when installing Postfix in this test server.
> Update:
> I've been searching around for a good virtual mail howto that is simple to set up. No dice. The one I mentioned above is fairly complicated, and none of the howtos I saw using Postfix+Courier+MySQL talked about how to use the system once it's in place. Go figure.
I noticed that too…. well, it seems that our guide will be filling a lot of holes once finished.
> So I'm on the fence between qmail+vmailmgr and Postfix+etc. Vmailmgr has a command-line interface which would work well for me, but it's not part of the Debian distribution.
Fortunately, we have quite supportive Postfix community in Indonesia - so fingers crossed, I'll be able to set it up for virtual mail.
I'll keep you posted.
cheers,
Harry
In any case, I'm glad to let someone else piece through the Postfix virtual mail puzzle - it gives me a headache.
Since there seem to be so many manual changes that need to be made to support it, perhaps we can put together something like this tutorial for qmail on Debian, but for Postfix:
http://www.qmailrocks.org/install_db.htm
They make the process simpler by scripting many of the manual changes.
Let me know what you think.
ged
@ged:
> What I'm hoping to generate is a secure virtual mailhosting setup with IMAP support, where the domain & mailuser can be configured via mySQL. (Kind of like using the mysql-include module for Apache.) Add a domain and mail users to the DB, restart the appropriate services (if necessary), and voila. That's my hope anyway.
> Since there seem to be so many manual changes that need to be made to support it, perhaps we can put together something like this tutorial for qmail on Debian, but for Postfix
Hi Ged,
Sorry, been busy with life & office in the past few weeks - anyway, looks like someone has beat us to it :
http://www.workaround.org/articles/ispmail/
I'm gonna give it a try as soon as possible, then I'll let you know.
cheers,
Harry
A bit extra information on how to avoid logcheck from sending huge report to you (hint: specify entries that can be safely ignored)
Firehol config updated- example to blacklist IP addresses (useful in case of DoS/DDoS), avoiding dhclient from filling logs with junk
Information to setup postfix ala ISPs (database-based virtual domain, anti-virus/spam, webmail, etc)
cheers,
Harry
@caker:
> Modules are disabled inside the Linode kernels for security reasons. You can ignore that warning message, most likely.
> -Chris
Ok, I'm ignoring it – but Firehol does say specifically: "FireHOL requires this command for its operation".
And in
(just above
That hasn't happened!
How do we know if Firehol is working or not?
@SunZoomSpark:
> How do we know if Firehol is working or not?
Try accessing the ports of the server which has been blocked by Firehol, see if it's REALLY blocked.
btw; wow, an ancient thread
`sudo firehol status` will produce the output of `/sbin/iptables -nxvL | /usr/bin/pager`.
Cliff
> ERROR: Command 'lsmod' not found in the system path.
> FireHOL requires this command for its operation.
> Please install the required package and retry.
> Note that you need an operational 'which' command
> for FireHOL to find all the external programs it
> needs. Check it yourself. Run:
> which lsmod
Output from /sbin/iptables -nxvL is
```
Chain INPUT (policy ACCEPT 77661 packets, 45148429 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 60343 packets, 7237447 bytes)
pkts bytes target prot opt in out source destination
```
I don't think firehol is working yet.
You are right – firehol did not create a firewall (iptables).
To resolve this you can either hack on firehol (so it doesn't require lsmod as a dependency) or you can install /bin/lsmod.
Debian:
```
apt-get install module-init-tools
```
Even though we can't use kernel modules on a Linode, having that package installed causes no harm.
Another thing you might want to do to appease firehol's environment checks, is this (as root):
```
mkdir /usr/src/linux-fake
ln -s /usr/src/linux-fake /usr/src/linux
zcat /proc/config.gz > /usr/src/linux/.config
```
That will kill the warning message firehol exudes when it can't find the non-existent kconfig file.
Cliff
@c1i77:
> … you can install /bin/lsmod
So that is what I did and all I had to do!
I haven't looked at iptables closely yet, but output from /sbin/iptables -nxvL | wc -l is 223 lines.
Attempted connections to rejected ports get closed immediately, so I guess firehol is now set up.
Thanks++
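As an added example (not part of any post in this thread, and not FireHOL's own code): a shell helper that reads `/sbin/iptables -nxvL` output and reports whether a ruleset is actually loaded, which separates the empty listing posted above from a working firewall more reliably than counting lines. The function names and the second sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. On a real host (as root): /sbin/iptables -nxvL | firewall_loaded
# Reads `iptables -nxvL` text on stdin, prints "chain policy rule-count" lines.
summarise_chains() {
    awk '
        /^Chain / {
            if (chain != "") printf "%s %s %d\n", chain, policy, rules
            chain = $2; rules = 0
            # Built-in chains show "(policy X ...)"; user chains "(N references)".
            policy = ($3 == "(policy") ? $4 : "-"
            next
        }
        /^[ \t]*pkts[ \t]+bytes/ { next }   # column header
        NF > 0 { rules++ }                  # any other non-blank line is a rule
        END { if (chain != "") printf "%s %s %d\n", chain, policy, rules }
    '
}

# Succeeds only if some chain holds rules or a built-in policy is not ACCEPT.
firewall_loaded() {
    summarise_chains | awk '
        $3 > 0 || ($2 != "ACCEPT" && $2 != "-") { loaded = 1 }
        END { exit !loaded }
    '
}
empty_sample() {    # the listing posted in this thread
cat <<'EOF'
Chain INPUT (policy ACCEPT 77661 packets, 45148429 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 60343 packets, 7237447 bytes)
pkts bytes target prot opt in out source destination
EOF
}
loaded_sample() {   # constructed for illustration, not taken from the thread
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 720 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
340 20400 in_world all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain in_world (1 references)
pkts bytes target prot opt in out source destination
5 300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
EOF
}
for s in empty_sample loaded_sample; do
    if $s | firewall_loaded; then echo "$s: ruleset loaded"; else echo "$s: no rules"; fi
done
```

A non-empty ruleset only shows that rules were installed; probing a port that should be rejected, as suggested earlier in the thread, remains the end-to-end check.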
Thanks
@purana:
> It would appear the wiki pages mentioned throughout this thread all no longer work, anyone know where they moved to?
> Thanks
thank you for bumping a 4 year old thread. No, most likely not.
@purana:
> It would appear the wiki pages mentioned throughout this thread all no longer work, anyone know where they moved to?
> Thanks
Purana, might I suggest:
It's a good tutorial for the initial setup, there are also howto's for other apps afterward, good luck.
@ged:
> I've taken your page, and combined it with other information I've found and tried, to begin creating a similar tutorial. I'm no fan of forks - perhaps we can combine at some point?
.
Check out howtoforge.com instead, much better tutorials..