Notes on setting up Debian GNU/Linux

Since 1996 I've used Debian on all of my servers, workstations, and laptops. One of the nice things about it is that, unlike most other Linux and Unix distributions, it mostly provides sensible and security-conscious defaults.

I keep these notes about what tuning I find useful. This is not necessarily advice or a how-to guide. It would be inappropriate to create a rigorous checklist; if you have enough machines that you do installs more often than your desired configuration changes, then you should be automating the procedure, not creating a checklist for humans.

Mostly these apply to Debian 3.0; some notes are about testing.

Software RAID

Unless your machine is a laptop, you can afford to buy another disk and run a software RAID mirror. Hard disk failures are unlike most other component failures in that they cause data loss outright: when another part fails, the system may stop working, but it can generally be revived by replacing the bad part. If you lose a nonredundant disk, it’s off to the backups, and sorry about any data you changed in the meantime.

Debian can’t install out of the box to a RAID partition; I usually create a swap partition of a few GB, install to that, create the RAID, and then move data over.

Don’t forget to RAID your swap partition.

For RAID-5, mke2fs accepts a -R stride option equal to your chunksize, which will help performance.

ssh hardening

The default ephemeral server key size is 768 bits; this is probably not adequate, depending on your threat model, and any recent CPU can certainly afford much more. Set ServerKeyBits 2048 in /etc/ssh/sshd_config. (ServerKeyBits only affects protocol 1; protocol 2 negotiates its session keys with Diffie-Hellman instead.)

You’ll also need to upgrade the ssh host keys to at least 2048 bits from the default 1024. Because these are difficult to change later, consider making them larger.

- ssh 1: ssh-keygen -b 2048 -f /etc/ssh/ssh_host_key.new -N ''
  ... or don't bother; ssh 1 is disabled by default, and you should
  keep it that way unless you really need to allow access from
  legacy clients

- ssh 2: ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -b 2048 -N ''
         ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -b 2048 -N ''

I also like to set PermitRootLogin no; my security policy requires that root access depend on having both the root password and either console access or the login of a trusted administrator. (See below about locking down su(1).)
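As an added check (my example, not part of the original notes), a small sh script that reads sshd_config the way sshd does, first occurrence of a keyword wins and keywords are case-insensitive, and reports whether ServerKeyBits and PermitRootLogin match the settings above. It assumes the whitespace-separated "Keyword value" form and the defaults of the OpenSSH of that era (ServerKeyBits 768, PermitRootLogin yes).

```shell
#!/bin/sh
# Added example, not from the original notes: verify the sshd_config
# settings discussed above.  sshd uses the FIRST occurrence of a keyword,
# so a later "PermitRootLogin no" does not override an earlier "yes".

# Print the effective value of keyword $2 in config file $1 (empty if unset).
# Only the whitespace-separated "Keyword value" form is handled.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and blank lines
        tolower($1) == key { print $2; exit }  # first match wins
    ' "$1"
}

# Return 0 if file $1 meets the settings in these notes; otherwise print
# one line per finding and return 1.  Defaults assumed: 768 and yes.
check_sshd_config() {
    rc=0
    bits=$(sshd_setting "$1" ServerKeyBits)
    if [ "${bits:-768}" -lt 2048 ]; then
        echo "ServerKeyBits is ${bits:-768 (default)}; want >= 2048"
        rc=1
    fi
    root=$(sshd_setting "$1" PermitRootLogin)
    if [ "$(printf '%s' "${root:-yes}" | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PermitRootLogin is ${root:-yes (default)}; want no"
        rc=1
    fi
    return $rc
}
```

Run `check_sshd_config /etc/ssh/sshd_config` after editing; a non-zero exit means something is still at the old value.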

OpenSSL defaults

Set default_bits = 2048 in /etc/ssl/openssl.cnf.

UltraSPARC crypto performance

Debian 3.0’s OpenSSL libraries in libssl0.9.6 are built for a generic SPARC CPU, and do not take advantage of the v9 instructions that make crypto much, much faster. (Note that OpenSSL is used by several applications, notably OpenSSH as a general-purpose crypto library even for non-SSL uses.)

In testing, this problem is fixed; v9 libraries are installed in parallel and the appropriate version is chosen at runtime. You should install the updated libssl0.9.6, or rebuild it if it pulls in too many dependencies.

Service trimming

Unlike, say, Solaris, Debian doesn’t come with much enabled. But you can run less. inetd by default only runs discard, daytime, and time, services you probably don’t need; so consider not running inetd at all.

update-rc.d -f inetd remove
killall inetd

portmap should be removed similarly.

NTP

pool.ntp.org is a useful way to configure timeservers if you don’t have a local time infrastructure, or want to supplement it.

User configuration

I think dotfiles should not be provided for users. The simplest way to accomplish this is to negate /etc/skel entirely by creating an empty /etc/skel.null, and setting SKEL=/etc/skel.null in /etc/adduser.conf.

I also don’t see the point of creating a group for each user; USERGROUPS=no will turn this off. You’ll need to manually set your own account back into group 100.

It is useful to put yourself into the root and adm groups, notably so you can view logs.

Custom kernel

Through longstanding habit, I always build my own kernels. kernel-package has made this cleaner.

I like to avoid using modules on servers, again through longstanding habit. On workstations and laptops, with their constantly varying hardware configurations, modules can be useful; however, I still build any key hardware such as disk and network controllers statically into the kernel, and I do not use automatic module loading.

Mail

Choose a mailer; the default of Exim is not so bad, but I find qmail does what I need and is a lot less code. It is not for everyone; qmail is quite idiosyncratic and its author is difficult to work with. However, it is as solid as a rock.

If you install qmail, you’ll need to patch it to work with STARTTLS, and generate a certificate. I have a custom package with the STARTTLS patch applied, which I cannot distribute because of qmail’s strange license.

Package remove and addition

I find these packages undesirable:

I always add:

For laptops, in addition to whatever applications you want, cpudyn is useful.

devfs

devfs is to be replaced by udev, but that is still in the future. Meanwhile, I build kernels with devfs and install the devfsd package. If you’re not using kernel module autoloading, edit /etc/devfs/devfsd.conf to comment out the MODLOAD line.

/bin/sh

dash (formerly ash) is a minimalist implementation of the Bourne shell, about an order of magnitude smaller than bash. Besides its reduced memory footprint, it imposes discipline to use only portable Bourne constructs in scripts that start with #!/bin/sh.

apt-get install dash
dpkg-divert --add /bin/sh   # keep package upgrades from replacing the link
cd /bin
ln -sf ash sh               # ash is dash under its former name (see above)

Setuid lockdown

Use dpkg-statoverride to override package-provided setuid permissions in cases where they do not ask you at installation time whether files should be installed setuid.

In particular, I like to lock down /bin/su to mode 4750, so that only certain users can execute it; this limits exposure to any bug in su, and requires that two passwords be used to gain root. Be sure you’re in the root group. This is historically equivalent to the wheel group, which GNU su does not support because it "can help fascist system administrators hold unwarranted power over other users". You make the call.

/bin/mount and /bin/umount can be 755 unless you need to allow unprivileged users to mount removable media, which is usually not the case on servers. Alternatively, make them 4750 and owned by group users, or by a new group created for this purpose.

/usr/bin/procmail and /usr/bin/lockfile do not need to be setuid if you are using maildirs in $HOME.
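The lockdown above, as an added example (mine, not from the original notes): one function that lists every setuid/setgid file below a directory for review, and one that prints the dpkg-statoverride commands for the files named in this section. Owner and group are read from each file rather than assumed, only the mode changes, and the commands are printed, not run, so you can review them before executing them as root. The optional prefix argument exists only so the script can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added example, not from the original notes: audit setuid/setgid binaries
# and print the dpkg-statoverride commands that apply the lockdown above.
# Owner and group are read from each file; only the mode is changed.
# The path/mode list is the one these notes give.

# List every setuid or setgid regular file below $1 as "mode owner group path".
list_setid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} + 2>/dev/null
}

# Print (do not run) one dpkg-statoverride per listed file whose current
# mode differs from the desired one.  $1 is an optional prefix: empty on a
# real system, a scratch tree in tests; output paths never carry the prefix.
lockdown_commands() {
    prefix="${1:-}"
    while read -r path mode; do
        f="$prefix$path"
        if [ -f "$f" ]; then
            cur=$(stat -c '%a' "$f")
            if [ "$cur" != "$mode" ]; then
                owner=$(stat -c '%U' "$f")
                group=$(stat -c '%G' "$f")
                printf 'dpkg-statoverride --update --add %s %s %s %s\n' \
                    "$owner" "$group" "$mode" "$path"
            fi
        fi
    done <<'EOF'
/bin/su 4750
/bin/mount 755
/bin/umount 755
/usr/bin/procmail 755
/usr/bin/lockfile 755
EOF
}
```

Review `list_setid /` for anything not on the list, then pipe `lockdown_commands` into sh as root once you are satisfied; --update makes dpkg-statoverride change the mode immediately as well as record it.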

Extra pseudofilesystems

If your system has USB, add to /etc/fstab:

none    /proc/bus/usb   usbdevfs    defaults    0   0

If you are using kernel 2.6, add:

sys     /sys            sysfs       defaults    0   0

These will likely be available as the default in the release following Debian 3.0.

dnscache

I find it useful to have a local DNS cache, and I like Dan Bernstein’s dnscache for this.

apt-get install daemontools-installer
build-daemontools                 # builds and installs daemontools from source
apt-get install djbdns-installer
build-djbdns
dnscache-conf dnscache dnslog /var/dnscache   # service user, log user, service dir
cd /var/lib/svscan; ln -s ../../dnscache .    # hand the service to svscan
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "domain example.com"  >> /etc/resolv.conf   # or your domain
# keep pump (DHCP) from overwriting resolv.conf with the DHCP server's list
cat > /etc/pump.conf <<EOF
device eth0 {
    nodns
}
EOF

IDE tuning

If you have IDE devices, it may be possible to realize large performance gains by adjusting them with hdparm. Historically I’ve used scripts like this in /etc/rcS.d:

#!/bin/sh

for drive in /dev/hd?; do
    if hdparm -i "$drive" | grep -qw 'Model=IBM-IC25N020ATCS04-0,'; then
        hdparm -u1 -c1 -m16 -k1 -S6 "$drive"
    fi
done

Debian after 3.0 uses /etc/defaults/hdparm instead.

S.M.A.R.T.

Most modern disk drives, both IDE and SCSI, include prefailure diagnostics.

For Debian 3.0, install smartsuite. Be sure your drives are enabled for error reporting using smartctl -e.

For Debian after 3.0, use the successor package smartmontools. It enables reporting on all drives by default.

Logfile retention

If you have a document retention policy, consider that the system may by default keep logfiles around for longer than your policy allows. An example cleanup job for /etc/crontab:

# /etc/crontab entries must fit on one line; cron has no backslash continuation
0 0 * * * root /etc/init.d/sysklogd reload; find /var/log -type f ! -name dmesg -mtime +14 -print0 | xargs -r -0 rm

Passive FTP

These days passive FTP causes many fewer problems than old-style two-way FTP, but it is still not the default for many applications. Some places you might need to change settings:

/etc/wgetrc
/etc/lynx.cfg
/etc/Net/Config.pm
/etc/squid.conf

Serial consoles

For all servers, a getty on a serial line is useful; uncomment the T0 line in /etc/inittab. A laptop with a USB serial cable is much more compact than a keyboard and mouse, and more versatile.

If you are using a true serial console, you may need to set KLOGD="-c 3" in /etc/init.d/klogd to limit console logging to critical messages. At least on SPARC SU consoles, interrupts are disabled while writing messages, causing your system to appear to hang while it waits to write out notices at 9600 bps.

sysctl settings

Some generally useful settings in /etc/sysctl.conf:

net/ipv4/icmp_echo_ignore_broadcasts = 1
net/ipv4/tcp_ecn = 1
net/ipv4/tcp_syncookies = 1

Note that tcp_ecn causes problems when talking to machines behind broken firewalls.

Run sysctl -p to activate them.

Laptop setup

For laptops, disk access is the enemy of battery life.

Strip /etc/syslogd.conf to a minimum. Set SYSLOGD="-m 0" in /etc/init.d/sysklogd to turn off the periodic "-- MARK --" lines.

If using ext2 filesystems, consider noflushd. Mount ext3 filesystems with commit=600.

Network access control

Run netstat -tuan to be sure you’re not running anything you can live without.

Set up iptables, even if you are behind a firewall.

Filesystem tuning

ext2 filesystems are generally better off as journaled ext3 filesystems. You can convert them in-place using tune2fs -j.

With a 2.6 kernel, large directory access is dramatically improved with htrees; use tune2fs -O dir_index to enable them for newly created directories. You can hash existing directories by then unmounting (or remounting read-only) and running e2fsck -fD.

2.6 also includes the Orlov allocator; chattr +T /home is usually a good idea.

Consider using tmpfs.
