Server installation
This page has been moved to docs.fsfe.org with the rest of the sysadmin documentation.
This is a generic server installation guide.
Choose hostname and IP address
- Hostname:
- - For real (physical) servers, we use chemical element names, see:
SVN:/Technology/Systems/ServerList
SVN:/Technology/Systems/VServerList
- IP address: choose among the currently available addresses, see:
SVN:/Services/Misc/Network
- Update the DNS with the new server name and IP address
Install hardware
- Check BIOS settings
- Set up serial console or other monitoring hardware
Install OS and basic packages
- Install the latest release of Debian stable
- If the server is going to be a linux-vserver host, install a -vserver enabled kernel
- Select the 'unix server' group of packages in tasksel
- Install and configure basic system administration tools
- - aptitude install less locales ssh mc vim screen logcheck logcheck-database ntp deborphan psmisc wget rsync telnet lsof
- Configure screen: copy SVN:/Technology/Misc/screen/.screenrc to /root
- Set the default editor: vim (flame on!)
- update-alternatives --config editor
Kernel configuration
- Check that /etc/modules has all needed modules
Network configuration
- /etc/hostname: set hostname (then run '/bin/hostname -F /etc/hostname')
- /etc/resolv.conf: add nameservers
- /etc/hosts: add needed entries for known hosts
- /etc/hosts.allow and /etc/hosts.deny: set access rules
- /etc/init.d/firewall: if needed, add local firewall script and enable it for the desired runlevel(s).
A generic firewall script is available at SVN:/Technology/Services/Misc/Network/conf/firewall; copy it to /etc/init.d/firewall, adapt it for the server and then run
- update-rc.d firewall defaults
Configure ssh access
- /etc/ssh/sshd_config
- - To avoid automated attacks, consider switching to a non-standard port (and update user documentation accordingly: needed settings in ~/.ssh/config)
- (commenting it is not enough, as the default value is yes)
- (instead of all addresses):
ListenAddress ip.address.of.system
LogLevel VERBOSE
- On vserver guests, fix the "oom_adj vserver bug", in /etc/default/ssh
- SSHD_OOM_ADJUST=
- (empty string)
- Install authorised keys in /root/.ssh/authorized_keys
- Disable the root password in /etc/shadow
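As an added example (not part of the original guide), the following shell script audits an sshd_config for the Port, ListenAddress and LogLevel items listed above. It treats a commented-out directive as unset, so sshd's built-in default (port 22, all addresses, LogLevel INFO) is what gets reported. The function names, the sample files and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide: read-only audit of an
# sshd_config against the Port, ListenAddress and LogLevel items above.

# Print the value(s) sshd will use for KEYWORD in the global section of FILE.
# Comment lines are skipped, keywords match case-insensitively, and parsing
# stops at the first Match block. If nothing is set, DEFAULT is printed.
# Assumes the whitespace-separated "Keyword value" form.
effective() {  # usage: effective FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; found = 1 }
        END { if (!found) print def }' "$1"
}

# Print one line per finding; print nothing when the file matches the guide.
audit_sshd() {  # usage: audit_sshd FILE
    for port in $(effective "$1" Port 22); do
        if [ "$port" = 22 ]; then echo "Port: standard port 22 in use"; fi
    done
    for addr in $(effective "$1" ListenAddress 0.0.0.0); do
        case $addr in
            0.0.0.0|0.0.0.0:*|::|\[::\]*)
                echo "ListenAddress: listening on all addresses" ;;
        esac
    done
    # LogLevel may appear more than once; sshd uses the first value it reads.
    level=$(effective "$1" LogLevel INFO | head -n 1)
    [ "$level" = VERBOSE ] || echo "LogLevel: $level, expected VERBOSE"
}

# Constructed sample files; 192.0.2.10 is a documentation address.
tmp=$(mktemp -d)
printf '%s\n' '#Port 2222' '#ListenAddress 192.0.2.10' '#LogLevel VERBOSE' \
    > "$tmp/commented"
printf '%s\n' 'Port 2222' 'listenaddress 192.0.2.10' 'LogLevel VERBOSE' \
    'Match User backup' '    LogLevel INFO' > "$tmp/explicit"

echo "== directives only commented out =="; audit_sshd "$tmp/commented"
echo "== directives set explicitly ==";     audit_sshd "$tmp/explicit"
```

On a live system, `sshd -T` prints the effective configuration as the daemon itself resolves it and can be used to confirm the result.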
Configure logging
- rsyslog
- - If needed, set up remote logging
- Logrotate
- - Configure it to keep more than 1 week of logfiles, for selected logfiles (e.g. webserver, or other important services)
- Logcheck
- - /etc/logcheck/logcheck.conf: set recipient (SENDMAILTO)
- - /etc/cron.d/logcheck: set execution time (e.g. 0 8-22/2 * * *)
- Configure /etc/aliases
- redirect all system accounts (postmaster, etc...) to root
- redirect root to admin@fsfe.org
- Replace exim with postfix or other simpler smtp server
See SVN:/technology/Services/Misc/Mail/smtp_sendonly_howto.txt
Configure and complete package management
- Configure /etc/apt/sources.list, adding needed sources (e.g. backports, volatile...)
- Disable automatic install of recommended packages
echo 'APT::Install-Recommends "false";' >> /etc/apt/apt.conf
- Remove unneeded packages
- - aptitude purge nfs-common portmap
- - run aptitude in interactive mode and see if there are unneeded packages
- - run orphaner
- Install/update needed packages
- If this is a linux-vserver host, just set up ssh and no other services; create vserver guests instead (see the vserver docs)
Update internal documentation
- Add an entry in this wiki page for each service running on the server
- If the server is a physical one, add it to the hardware section of our documentation in git.
Notify interested people
- Announce the server availability on system-hackers@lists.fsfe.org, pointing to documentation
- Send the server name and IP address to the system administrators of the hosting facility, so that they can add it to the monitoring services; see the relevant contacts in: SVN:/Technology/emergency_contacts.txt