Jump directly to main content

Initial Server Setup

This section assumes you have a fresh Debian install on a server (either physical or VPS)

It will cover installing the essentials for access, and basic security so you don't need to worry in the future. This section may seem a little daunting for a first-time linux user, but most of it is copy/paste, hopefully with enough description to understand what is being done.

This first section will be done on the physical PC, or on the VPS via their website, or SSH'd as root if that's the option given.


Perhaps silly, but login as your user with root priveleges or the root user if a user isn't currently setup.

For the first few steps it's written as if you're logged in as root, if you followed my install guide, this won't have a password, so we'll change user with the following command

sudo su -

Now just follow along with the remainder of the guide. If you wish not to change users you could also just add sudo in-front of the commands to run them as root that way.

Update the OS

Even with a fresh install of Debian from the latest ISO, there may be some updates you're missing, and it's a good idea to have these, especially in case they're security updates.

apt update && apt upgrade

Install essential packages

These are packages that are needed for accessing, and controlling the server

apt install sudo ssh -y

Some useful packages too

apt install vim htop wget curl tmux -y

Add a user, and give super user privilleges

This can be ignored if my guide was followed, or you already have a user setup. Some VPS just have root however, so I believe this should be included.

The reason for a new account instead of using root, basically comes down to security. If you want multiple people on the server too, it's best to have a unique account for each.

adduser $USERNAME$	
usermod -aG sudo $USERNAME$

*replace $USERNAME$ with the user you want to create, e.g. nathan

(Local server) Set static IP

If the server is a physical PC in your home you will need to set a static IP, otherwise your router could assign a different IP on reboot, and this would mess with port forwarding, and internal DNS.

If you're using a VPS, this step can be ignored.

Set static IP for local server

Secure ssh

Although this is optional, I recommend it, as SSH (secure shell) will likely be the primary means of access to the server. You don't want to be next to it whenever you've got a change to make.

Open the following file with your editor of choice, I use vim.

vim /etc/ssh/sshd_config

Within the editor you will need to search for PermitRootLogin and set it to no, this prevents ssh as root

Search for Port and set it to a different port than 22, a port over 1024 prevents basic nmap scans, and therefor a lot of bruteforcing, so let's go with 2020 as it's easy to remember

Below the Port line, add a new line and write Protocol 2 this enables ssh2, which is more secure than the standard ssh protocol.

(Optional) Comment/Add a # to the beginning of the passwordlogin line. This will prevent sshing to the server from any PC that doesn't have it's SSH key on the server already. I recommend only doing this if your sshkeys are on the server, or you're comfortable adding them.

systemctl reload sshd

This reloads the ssh daemon, and enables all the changes we've made

Setup UFW

UFW (Uncomplicated Firewall) is a simple to use firewall, that can be used to easily open/close ports on your server.

We'll install ufw, deny access inwards to all ports, but allow our server to access any ports outwards. We will then manually allow traffic to the SSH port we set, in this case 2020.

apt install ufw
ufw default deny incoming &&
ufw default allow outgoing &&
ufw allow 2020 &&
ufw enable

If there are any other ports that need to be opened in the future this can be done with:

ufw allow $PORT

Set hostname

Setting the name for a server is not an important step, but it's nice to have each server easily identifable.

Simply change the hostname within the two files below. Ensure they share the same name between files.

vim /etc/hosts


vim /etc/hostname

This next section is to be done via a terminal, or an SSH client e.g. PuTTY for Windows. This part of the guide is written for a Unix terminal.

SSH into the server

This is a two part section, and I recommend using this every time you SSH into a server from a new PC.

ssh $USER$@$HOST$ -p 2020

This will likely display a message asking to verify the key for the server. This is to prevent man-in-the-middle attacks, so I recommend verifying this whenever asked.

Verify SSH

To verify, you'll need to run the following command on the server.

ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub

Then if the key the server shows matches that on your PC's SSH prompt, type yes and hit enter from your PC.

SSH without a password

To be more secure, and to SSH faster we can setup an SSH key, and use that for user authentication.

Create an SSH key

We'll create an ed25519 ssh-key, as it's more secure, and performant than the default rsa.

ssh-keygen -t ed25519

Copy the SSH key onto the server

From the terminal there's a nifty command to copy ssh keys to a server.

ssh-copy-id -p 2020 -i ~/.ssh/id_ed25519 USER@HOST

Alternatively you can add the key to the server manually. This is recommended, especially when adding other users.

First on your PC you need to run the following, and take note of the output.

cat ~/.ssh/id_ed25519.pub

Then on the server, open the following file, and add the output to a new line.

vim /home/USER/.ssh/authorized_keys

SSH again

Now simply run the same ssh command as before, and you shouldn't get a password prompt.

ssh $USER$@$HOST$ -p 2020

(Optional) Fail2Ban

Fail2ban is used to periodically check server logs, and bans IPs that appear to be trying to brute-force into your server. It's only "required" for servers exposed to the internet.

apt install fail2ban -y
systemctl enable fail2ban

There's a lot of options for fail2ban, this just installs it. For a little more detail checkout Crownclouds fail2ban guide.

TODO:(Optional) Unattended Upgrades

Updates to a server typically want to be done by a human in case things go wrong, but smaller updates can be set to be done automatically.

apt install unattended-upgrades

The above downlads, and starts unattended-upgrades with some good defaults, but if you want a some more details check cyberciti'sunattended upgrades guide.

(Optional) Setup User preferences

These are a few things I personally like to have on a basic server. If you have your own preferences, dotfiles, or intend to use oh-my-zsh fell free to skip over this.

Vi mode bash

Warning this is a preference you may not want to use if you're a beginner, and/or don't use VIM (text editor), as it sets the terminal to work more like VIM

Open your .bashrc file in your editor of choice

vim ~/.bashrc

Add the following to the bottom of the file

set -o vi


Instead of typing out long commands you can alias them, and type a shorthand version. I've written an article about aliases that explains setting up, and aliases I use. Below are some essentials for those that don't want to jump to another article.

alias ll="ls -lhtr"
alias df="df -h"
alias ta="tmux attach || tmux new"
alias ipe="curl ifconfig.co"

Reads shouldn't write!

Another personal opinion, and change is to enable noatime, and nodiratime. Be careful with this change! And ignore if you followed my Debian install guide, as they're already enabled.

Basically without these, when a file is opened (read) on your filesystem, a write is invoked to update the time it was opened, which causes unwanted writes, and CPU cycles.

Open your fstab file

sudo vim /etc/fstab

And edit your mounted drive(s) to include these flags

UUID=<YOUR-UUID>    /    ext4    noatime,nodiratime    0 1

The above uses an example, make your EXISTING lines look kinda like the above. Essentially just adding noatime, nodiratime

Server maintance notes

Keep the server up-to date as much as possible

Only install things that you need. If this is a server for learning, half ignore this, but for production servers only install services, and make changes that are required.