This guide will show you how to install a complete Debian Etch server. The initial install is specifically for people hosted with linode.com but the other parts of this guide are suitable for everyone.

To create/edit a file, you can use either nano or vi. Remember to SAVE the file after you create or edit it.

Basic Installation

After your account is setup with linode.com, login to the member’s area with your username and password. Navigate to the option marked as Distro Wizard. The distribution page should be displayed.

To keep things simple, you will create one root partition and one swap partition.

First select the distribution you want to install – Debian. This is marked as Debian 4.0 [168 MB min.size].

Next, enter the disk image size. This is the size of the root partition. To keep things simple, you calculate it as the total disk space – 1024 [the size you want to assign to the swap partition]. The total disk space is displayed on the right hand side of the window. From my server, it reads as:

You currently have a total storage quota of 15,360 MB, with 0 used, and 15,360 available..

The size of the root partition in my case is 15360 – 1024 = 14336 MB.

Next, enter the size of the swap partition, in my case 1024 MB.

Feel free to adjust these values according to your preferences.

Finally, set a root password for the server. Be sure to set a strong password (something which you remember easily but is not obvious to others).

The screen should look similar to this.

Click Create Profile. The system installation will now be in progress.

Navigate to the Dashboard page to monitor it.

Wait till the status of all the assigned jobs are set to Success.

Now click Boot to boot your newly installed server. Wait for the result of the boot action to change to Success.

Your system is now installed and ready for further action.

To get the details of your server’s IP and DNS, navigate to the option marked as Remote Access. Use these details to set up your name server information. The good and free DNS hosting servers that I recommend are zoneedit.com and xname.org.

Once the domain name resolves properly, you have to set the Reverse DNS. Reverse DNS indicates that your IP belongs to your domain name. Many mail servers will not accept mail from your domain if the Reverse DNS is not set properly.

From the Dashboard, navigate to the option named Utilities. From the Utilities page, select the option marked as Reverse DNS Manager. The Reverse DNS page is then displayed.

Enter your domain name [without the www - for example technichristian.info] and click Lookup.

The result will be displayed with the option to set the hostname to your server’s IP.

Click Yes to set the Reverse DNS.

Wait for a couple of hours for the Reverse DNS entry to propagate. Then navigate to the Reverse DNS checker, enter your server’s IP and then click Lookup. The result should indicate that the Reverse DNS is set properly.

Along with setting the Reverse DNS, set your domain’s SPF record using the SPF wizard. Many mail servers will reject your mail if your domain does not have a proper SPF record.

This completes the basic setup. From this point on, all other installations shown in this article can be performed by everyone.

Setting the Hostname

The first task is to set the proper hostname of the server.

To do this, SSH into your server and as root, execute the following commands:

echo domain.com > /etc/hostname
/bin/hostname -F /etc/hostname

Replace domain.com with your domain name.

Installing APF Firewall

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations.

First, get the latest APF package by executing the following commands:

cd /usr/src
wget http://www.r-fx.ca/downloads/apf-current.tar.gz

Next, verify the md5sum of the file by executing the command:

md5sum apf-current.tar.gz

The md5sum should be 92b5b6cd0a9f4070eac323f377b85259.

If the md5sum does not match, then delete the file by executing the command: rm apf-current.tar.gz and then download the file again.

Once the md5sum is OK, extract the files by executing the command:

tar -xvzf apf-current.tar.gz

Navigate to the directory apf-0.9.6-3 and install APF, by executing the following commands:

cd apf-0.9.6-3
sh install.sh

Next install the configuration files by executing the following commands:

cd /etc/apf
mv conf.apf conf.apf.old
wget http://technichristian.net/DEBIAN-ETCH-SERVER/conf.apf
chmod 640 conf.apf
cd /usr/src

Find out your server’s external interface by executing the command: ifconfig -a. The interface that contains your server’s main IP is the external interface.

If your server’s external interface is NOT eth0, then edit /etc/apf/conf.apf.

Find the lines:

IFACE_IN=”eth0″
IFACE_OUT=”eth0″

and change them accordingly.

Sometimes, the external interface might appear as: inet0:0. In this case, set the interface as inet0 in the lines above.

Start APF by executing the command: apf -s

Execute the command: apf -l and view the output.

If the output is any thing other than:

Chain INPUT (policy ACCEPT 12 packets, 859 bytes)
num pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 9 packets, 882 bytes)
num pkts bytes target prot opt in out source destination

you know your firewall is started and working.

My configuration has only the following ports open:

• port 21 – FTP
• port 22 – SSH
• Port 25 – SMTP
• port 80 – HTTP
• port 110 – POP3
• port 143 – IMAP
• Port 443 – HTTPS
• port 993 – IMAPS
• port 995 – POP3S

If you want to open out other ports (or close down open ports), then find the line (in /etc/apf/conf.apf) that reads: IG_TCP_CPORTS=”22,80,25,443,143,110,995,993,21″ and change the port numbers accordingly.

Restart APF by executing the command: apf -f && apf -s

Installing Lighttpd

Lighttpd is the perfect alternative to Apache. As the name suggests, it is very light on resources and runs like a champ.

The version in Debian Etch repository is a very old version [1.4.13]. The current version at this time of writing is 1.4.20. You are going to build lighttpd from source.

SSH into your server and as root, perform the following:

First, update your apt sources and then update your existing installation. To do this, execute the command: apt-get update && apt-get upgrade.

Next, install the build tools. To do this, execute the command:

apt-get install gcc build-essential autoconf automake patch bison flex

Next, install all the needed libraries and tools by executing the command:

apt-get install bzip2 mysql-server mysql-client libmysqlclient15-dev libfam-dev fam libfam0 liblua5.1-0 liblua5.1-0-dev lua5.1 libmemcache-dev libmemcache0 memcached libgdbm-dev libgdbm3 pkg-config libssl-dev libpcre3 libpcre3-dev libxml2-dev libbz2-dev libxml2 xml-core libxml2-utils libsqlite3-0 libsqlite3-dev sqlite

(All on ONE line)

MySQL will also be installed.

During the installation of MySQL, you have to set a password for the root MySQL user. Also for the choice: Support MySQL connections from hosts running Debian “sarge” or older, select No.

Portmap will also be installed. For the question: Should portmap be bound to the loopback address? answer Yes. Portmap should listen on the local system only.

Next, get the lighttpd source files. Execute the commands:

cd /usr/src
wget http://www.lighttpd.net/download/lighttpd-1.4.21.tar.bz2

to get the file.

Verify the md5sum of the file. To do this, execute the command:

md5sum lighttpd-1.4.21.tar.bz2.

The md5 sum should be: 49eeba63c931fa82120711adc7182731. If the md5sum is not as shown, then delete the file, by executing the command: rm lighttpd-1.4.21.tar.bz2 and then download the file again.

Once the md5sum matches, extract the file by executing the command: tar -xvjf lighttpd-1.4.21.tar.bz2.

Navigate into the extracted directory:cd lighttpd-1.4.21

Configure the build by executing the command:

./configure --prefix=/usr --sysconfdir=/etc --with-mysql --with-openssl --with-pcre --with-bzip2 --with-fam --with-gdbm --with-memcache --with-lua=lua5.1 --with-webdav-props --with-webdav-locks

(All on ONE line)

Next, make and install the files by executing the command: make && make install.

Lighttpd is now installed.

Installing PHP

Lighttpd uses the fastcgi version of PHP. Install PHP and all the associated modules by executing the command:

cd /usr/src

apt-get install php5-cgi php5-curl php5-dev php5-gd php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-mysql php5-pspell php5-sqlite3 php5-suhosin php5-xsl php5-xcache

(All on ONE line).

For the question Trust new CA certificates, answer Yes.

For the question Continue installing libc-client without Maildir support, answer Yes.

For the question Configure php.ini for json, answer Yes.

For the question Configure php.ini for memcache, answer Yes.

PHP is now installed along with a PHP accelerator and cache (xcache).

Getting Lighttpd Ready to Run

Replace the existing php.ini with the modified php.ini, by executing the commands:

cd /etc/php5/cgi/
mv php.ini php.ini.old
wget http://technichristian.net/DEBIAN-ETCH-SERVER/php.ini

Create the directory from where files are served. The directory to use is /var/www/htdocs. Execute the following commands to create it:

mkdir -p /var/www/htdocs
chown -R www-data:www-data /var/www/htdocs

Create the lighttpd log directory, by executing the commands:

mkdir -p /var/log/lighttpd
touch /var/log/lighttpd/access.log
touch /var/log/lighttpd/error.log
chown -R www-data:www-data /var/log/lighttpd/

Create the lighttpd cache directory, by executing the following commands:

mkdir -p /var/cache/lighttpd/compress
chown -R www-data:www-data /var/cache/lighttpd/

Finally, create the lighttpd runtime directory, by executing the following commands:

mkdir -p /var/run/lighttpd/
chown -R www-data:www-data /var/run/lighttpd/

Get the lighttpd configuration file and place it in /etc by executing the commands:

cd /etc
wget http://technichristian.net/DEBIAN-ETCH-SERVER/lighttpd.conf

Start lighttpd by executing the command:

lighttpd -f /etc/lighttpd.conf

There should be no errors.

Executing ps -e | grep lighttpd should show the process number of the lighttpd process.

Executing ps -e | grep php-cgi should show the process numbers of the php5-cgi processes.

Navigate to /var/www/htdocs and download the test php file, by executing the following commands:

cd /var/www/htdocs
wget http://technichristian.net/DEBIAN-ETCH-SERVER/info.phpq
mv info.phpq info.php
cd /usr/src

Open your web browser and navigate to http://domain.com/info.php (replace domain.com with your domain name) and you will see the php information in all its glory.

This indicates that both your lighttpd and php installs are working fine.

You should see the eaccelerator section in the output, indicating that your eaccelerator installation is working fine.

You should also see a suhosin section in the output, indicating that your PHP is hardened.

Next, setup lighttpd for HTTPS (Secure HTTP) operation.

Lighttpd can only serve either ssl or non-ssl at one time. To get over this, run two lighttpd daemons – one to server on port 80 [Non-SSL (which we have done earlier)] and the other to serve on port 443 (SSL).

Make a copy of the lighttpd binary and call it lighttpd-ssl by executing the following command:

cd /usr/src
cp /usr/sbin/lighttpd /usr/sbin/lighttpd-ssl

Next, create the SSL and cache directories to store the SSL key and the cache information, by executing the following commands:

mkdir -p /var/www/ssl/cache
chown -R www-data:www-data /var/www/ssl

Next, create the SSL self signed certificate by executing the following commands:

cd /var/www/ssl
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
chown www-data:www-data server.pem
chmod 600 server.pem

Here is an example of what you should enter as certificate information:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Dallas
Locality Name (eg, city) []:Texas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:technichristian.info
Organizational Unit Name (eg, section) []:Internet Division
Common Name (eg, YOUR name) []:technichristian.info
Email Address []:admin@technichristian.info

Finally get the lighttpd-ssl.conf file and save it in /etc by executing the following commands:

cd /etc
wget http://technichristian.net/DEBIAN-ETCH-SERVER/lighttpd-ssl.conf

Start up lighttpd-ssl by executing the command:

lighttpd-ssl -f /etc/lighttpd-ssl.conf

There should be no errors.

Executing ps -e | grep lighttpd-ssl should show the process number of the lighttpd-ssl process.

Open your web browser and navigate to https://domain.com/info.php (replace domain.com with your domain name) and you will see the php information in all its glory.

You will see a certificate warning from your browser. This is because your SSL certificate is NOT verified by any certification authority such as Verisign or Geotrust for instance. Accept the certificate and continue. Your browsing is not less secure than if you paid for a verified certificate. You should pay and get a verified certificate if you are a commercial entity.

Now remove the info.php file by executing the command:rm info.php in your /var/www/htdocs directory. Having it there is a security risk as anyone can access its output through a web browser and see all your PHP information.

If you ever need to kill lighttpd, you can execute the following:

To kill lighttpd

killall lighttpd php-cgi

To kill lighttpd-ssl

killall lighttpd-ssl php-cgi

To kill both lighttpd and lighttpd-ssl

killall lighttpd lighttpd-ssl php-cgi

Installing Postfix and Courier

Postfix and Courier will take care of your mail server needs. The following section will show you how to install Postfix with SMTP-AUTH and TLS.

To install, Posfix, execute the following command:

apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail

Note: Substitute your actual domain name for domain.com in the questions below.

Select Internet Site for the question General type of configuration?

Enter the admin address (for e.g. admin@domain.com or webmaster@domain.com) for the question Where should mail for root go? [You will create this account later]

Enter domain.com for the question Mail name?

Enter domain.com, localhost, localhost.localdomain for the question Other destinations to accept mail for?

Answer No for the question Force synchronous updates on mail queue?

Next, execute the command dpkg-reconfigure postfix to reconfigure postfix.

Answer the questions as above.

Enter 127.0.0.0/8 for the question Local Networks?

Answer Yes for the question Use Procmail for local delivery?

Enter 0 for the question Mailbox size limit?

Enter + for the question Local address extension character?

Select all for the question Internet protocols to use?

Next, execute the following commands to configure postfix and TLS.

postconf -e ‘smtpd_sasl_local_domain =’
postconf -e ‘smtpd_sasl_auth_enable = yes’
postconf -e ‘smtpd_sasl_security_options = noanonymous’
postconf -e ‘broken_sasl_auth_clients = yes’
postconf -e ‘smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination’
postconf -e ‘inet_interfaces = all’
echo ‘pwcheck_method: saslauthd’ >> /etc/postfix/sasl/smtpd.conf
echo ‘mech_list: plain login’ >> /etc/postfix/sasl/smtpd.conf
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
postconf -e ‘smtpd_tls_auth_only = no’
postconf -e ‘smtp_use_tls = yes’
postconf -e ‘smtpd_use_tls = yes’
postconf -e ‘smtp_tls_note_starttls_offer = yes’
postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’
postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’
postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’
postconf -e ‘smtpd_tls_loglevel = 1′
postconf -e ‘smtpd_tls_received_header = yes’
postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
postconf -e ‘tls_random_source = dev:/dev/urandom’
postconf -e ‘mailbox_command =’

As postfix runs chrooted, you need to make a few changes for authentication through saslauthd to function properly.

First, create the saslauthd directory. To do this, execute the command:

mkdir -p /var/spool/postfix/var/run/saslauthd

Next, edit /etc/default/saslauthd.

Find the line that reads START=no and change it to START=yes.

Next, find the line that reads OPTIONS=”-c” and change it to OPTIONS=”-c -m /var/spool/postfix/var/run/saslauthd -r”

Start saslauthd by executing the command: /etc/init.d/saslauthd start

Edit /etc/postfix/main.cf

Find the line that reads smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) and change it to smtpd_banner = $myhostname ESMTP

No one needs to know which mailer and which OS we are using.

Find the line that reads #delay_warning_time = 4h and uncomment it (remove the ‘#’ from it). Postfix will notify you in case it cannot deliver a mail even after 4 hours.

Add the following lines:

#Users mail will be delivered to Maildir directory in their home folder
home_mailbox = Maildir/

#The max size of a message is 31457280 bytes – i.e. 30 MB
message_size_limit = 31457280

#A helo from the receiving mail server is required
#else the connection will be dropped.
smtpd_helo_required = yes

#All incoming messages will be checked for spam
# with zen.spamhaus.org and if spam, rejected.
smtpd_client_restrictions = permit_mynetworks, \
reject_rbl_client zen.spamhaus.org, permit

#Protect against DOS attacks
disable_vrfy_command = yes
smtpd_error_sleep_time = 0s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_timeout = 30s
smtpd_delay_reject = no

Next, install Courier. This is the imap/pop3 server.

Execute the following command:

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-ssl courier-pop courier-pop-ssl gamin libgamin0 libglib2.0-0 ispell wamerican-huge

(All on ONE line).

Answer No for the question Create directories for web-based administration?

Click OK for the notice SSL certificate required.

Courier is now installed.

In the command above, ispell along with the American English dictionary is installed. British English users should install wbritish-huge instead of wamerican-huge.

Next, install postgrey. Postgrey is a greylisting daemon for postfix.

In name, as well as operation, greylisting is related to whitelisting and blacklisting. What happens is that each time a given mailbox receives an email from an unknown contact (ip), that mail is rejected with a “try again later”-message (This happens at the SMTP layer and is transparent to the end user). This, in the short run, means that all mail gets delayed at least until the sender tries again – but this is where spam loses out! Most spam is not sent out using RFC compliant MTAs; the spamming software will not try again later. [More information here.]

Execute the following commands to install it:

cd /usr/src
apt-get install postgrey

Postgrey should now be installed and running. Execute the command: netstat -anp | grep 60000 to verify that postgrey is running.

The output should look similar to:

tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN 22665/postgrey.pid

Edit /etc/postfix/main.cf

Find the line that reads:

smtpd_client_restrictions = permit_mynetworks, \
reject_rbl_client zen.spamhaus.org, permit

and change it to:

smtpd_client_restrictions = permit_mynetworks, check_policy_service inet:127.0.0.1:60000, \
reject_rbl_client zen.spamhaus.org, permit

Postgrey comes with a set of whitelisted servers. These are listed in /etc/postgrey/whitelist_clients. Postgrey automatically whitelists a server, after it has made 5 successful email deliveries to your email addresses.

Edit /etc/postgrey/whitelist_clients if you want to add or delete whitelisted servers.

Next, set up a filter to block all unwanted attachment extensions.

Execute the following commands:

cd /etc/postfix
wget http://technichristian.net/DEBIAN-ETCH-SERVER/mime_header_checks.regexp
cd /usr/src

The two lines in the file will reject all emails containing attachments with the specified extensions.

Note: I do NOT block zip files on my server. If you do NOT want to block zip files, then remove ‘|zip’ from the first line.

The full list of extensions to block is here.

Next, configure Postfix to verify SPF information when receiving email.

A SPF record indicates that a specified server is allowed to send email for a specified domain or specified multiple domains.

First, install the Mail::SPF package, by executing the commands:

cd /usr/src
perl -MCPAN -e shell

Answer no for the question Are you ready for manual configuration? [yes]

At the cpan prompt enter: install Mail::SPF

Answer yes to install all dependencies.

The final lines of a successful build should be:

Installing /usr/local/bin/spfquery
Writing /usr/local/lib/perl/5.8.8/auto/Mail/SPF/.packlist
/usr/bin/make install — OK

Exit the cpan shell with the command:exit.

Note: If the build fails and drops you back to the cpan shell prompt, enter exit to return to the bash prompt, then restart the cpan shell and the build..

Execute: wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz. This is the package that integrates with postfix and verifies the SPF header.

Check the md5sum with the command: md5sum postfix-policyd-spf-perl-2.005.tar.gz.

The md5sum should be: 1408e41325e798c3f89f2d2403e20921 for the present version (2.005). If the md5sum does not match, then delete the file by executing the command: rm postfix-policyd-spf-perl-2.005.tar.gz and download the file again.

Once the md5sum matches, install the package with the commands:

tar -xvzf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /usr/lib/postfix/policyd-spf-perl
cd /usr/src
echo “policy unix – n n – - spawn user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl” >> /etc/postfix/master.cf

Edit /etc/postfix/main.cf. Find the line that reads:

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

and change it to:

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination, check_policy_service unix:private/policy

Finally, edit /etc/aliases

and verify that the following three aliases are present:

root: admin@domain.com
postmaster: admin@domain.com
abuse: admin@domain.com

Add them if they are not present. Substitute the email address you entered when configuring postfix (Where should mail for root go?)

Rebuild the aliases database by executing the command: newaliases.

Restart postfix by executing the command: /etc/init.d/postfix restart.

The output of the command: ps -e should indicate that the processes: courierlogger, authdaemond, couriertcpd, postgrey, master, pickup and qmgr are running.

Create the user you entered when configuring postfix (Where should mail for root go?) – For e.g. user admin

Execute the command: useradd -d /home/admin -g users -m -s /bin/false admin to create the user.

(Remember to change ‘admin’ to the desired username in the command above).

Next, set a password for the newly created user by executing the command: passwd admin

(Again remember to change ‘admin’ to the desired username in the command above).

The new user’s mail directory will be created AFTER the first email is received. Send an email to [newuser@domain.com] (substitute your actual email address).

Wait a few minutes and then check the mail log by executing the command: tail /var/log/mail.log.

The output should have a line similar to the following:

Nov 16 11:44:37 li6-24 postfix/local[23178]: B48391D48A: to=, relay=local, delay=0.48, delays=0.43/0.02/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)

This indicates that the mail directory is created successfully and the mail delivered to it.

The output should also have a line similar to the following:

Nov 23 01:40:34 host postfix/policy-spf[24947]: : Policy action=PREPEND Received-SPF: pass (gmail.com … _spf.google.com: 72.14.202.183 is authorized to use ‘xxx@gmail.com’ in ‘mfrom’ identity (mechanism ‘ip4:72.14.192.0/18′ matched)) receiver=technichristian.net; identity=mfrom; envelope-from=”xxx@gmail.com”; helo=ro-out-1112.google.com; client-ip=72.14.202.183

This indicates that Postfix verifies SPF records before accepting the email.

Written by Michael R.M. David

Debian 4.0 Server Guide - Part 1, 9.8 out of 10 based on 6 ratings