.. include:: global.rst

============================
Building the Server Manual
============================

.. _Extra Info:

Contabo
=======

* Picked an OS (Debian 13)
* Made a root password (56&8*5Aj)

.. _Sudo:

sudo
====

Become root::

    su -

Install sudo so other admins can help you if needed. First, from your own machine, make an ssh key and copy it to the server:

.. code-block:: console

    apt install openssh-client
    ssh-keygen      # accept all the defaults
    ssh-copy-id root@

Then, on the server:

.. code-block:: console

    apt update
    apt upgrade -y
    apt install sudo

.. _UserSetup:

User Setup
==========

Add the admin for the machine. Be sure to have our standard admin so they can help you get in if you get stuck.

.. code-block:: console

    adduser
    usermod -aG sudo
    grep sudo /etc/group    # shows you the user

Also set up the ssh access you need to get into the system. For example, make sure the backup system can ssh in as root via a key:

.. code-block:: console

    ssh-copy-id root@IP

Once you have the backup admin and the root ssh access set up, and have tested at least one backup admin and root, edit ``/etc/ssh/sshd_config`` so you have:

.. code-block:: ini

    PermitRootLogin prohibit-password
    #PermitRootLogin yes

This means that you can log into root with an ssh key but not with a password. The second line is a comment and is ignored, but we leave it in so that if we ever need to allow another machine root access we can just switch the comment between the two lines, and then switch it back after the machine has the access it needs.

.. _SignOnMessageServerName:

Sign on Message & Server Name
=============================

* Change ``/etc/motd`` (message of the day) to include the name of the server and any appropriate message, such as:

  .. code-block:: text

      You are signed into qrorder.owls.plus

* ``nano /etc/hostname`` and change the name of the server.
* ``nano /etc/hosts`` and add the server name to the end of the names, such as:

  .. code-block:: text

      86.48.28.228 vmi1019627.contaboserver.net vmi1019627 apps

Notice that we leave the Contabo names and just add ours.
The result of these two changes is that on the CLI ``apps`` will show up, but on a ping the full Contabo name will show up. Hence, we can keep track of both.

Restart the system to make it stick:

.. code-block:: console

    shutdown -r now

.. _Server.VM.External:

Initial Software
================

In 2025 Contabo is offering Debian 13. You should choose that.

For those of you maintaining systems:

Debian 13 (codename Trixie) has a five-year support life cycle, ending its full support on August 9, 2028, and its Long Term Support (LTS) on June 30, 2030. Debian 13 was released on August 9, 2025.

Debian 12 (Bookworm) does not have a fixed "end of life" date but instead follows a lifecycle with different phases of support, including regular support for approximately three years and Long Term Support (LTS) for an additional two years. Specifically, Debian 12's full support ends around June 2026, with its Long Term Support (LTS) ending on June 30, 2028.

Debian 11 "Bullseye" officially entered its Long Term Support (LTS) phase in August 2024 and is scheduled to reach its full end-of-life on August 31, 2026. While the main Debian security support for it ended in August 2024, the LTS team provides security updates for a limited set of architectures (i386, amd64, armhf, and arm64) until this date. After August 31, 2026, no further updates will be provided, so it is **highly recommended to upgrade** to a supported release, such as Debian 12 "Bookworm", before then.

Upgrading in Debian works well. You can get the instructions from AI.

* Purchase the machine and set it up for the root user. Then ssh in and build the machine as follows.
* You should be root, but if not, become root with:

  .. code-block:: console

      su -

Make sure the system is up to date:

.. code-block:: console

    apt update
    apt upgrade

It is possible to use the ``-y`` switch with ``upgrade`` if you want to answer the default yes for all upgrades.

.. _sudo_installed:

.. index:: triple: sudo; install; errors

Install sudo so other admins can help you:

.. code-block:: console

    apt install sudo

Note, if it is already installed and up to date, you will be told.

.. _CheckResolvConf:

Check resolv.conf
=================

See if ``/etc/resolv.conf`` is a symlink or a real file. Contabo sometimes has it as a symlink to ``/run/resolvconf/resolv.conf``. If so:

.. code-block:: console

    cd /etc
    rm resolv.conf
    nano resolv.conf

Enter the nameservers:

.. code-block:: console

    nameserver 8.8.8.8
    nameserver 4.2.2.2
    nameserver 8.8.4.4

Then look for the immutable bit:

.. code-block:: console

    lsattr /etc/resolv.conf

You probably will see:

.. code-block:: console

    --------------e------- resolv.conf

The fact that we do not see ``i`` means the immutable bit is off. Change it with:

.. code-block:: console

    sudo chattr +i /etc/resolv.conf

Run ``lsattr`` again and you will see:

.. code-block:: console

    ----i---------e------- resolv.conf

which means the immutable bit is on. If you ever have to turn the immutable bit off, use ``-i`` instead of ``+i``.

Check that it is working with:

.. code-block:: console

    apt update

.. _UserSetup:

User Setup
==========

Add the admin for the machine. Be sure to have a backup admin so they can help you get in if you get stuck. In other words, you should have other people you totally trust who can jump into your machine from another location and unlock it in case you lock yourself out. And, yes, it happens.

Note, Contabo also has a back door for you, for which they sent you credentials. So if you have no friends, you can count on that, but that would be a very sad situation to have no friends. The best friend you can have is Jesus, but He doesn't do server house calls.

.. code-block:: console

    adduser
    usermod -aG sudo
    grep sudo /etc/group    # shows you the user

Setup Your Client Machine
=========================

Prevent root sign-in via password and keep password sign-in for your backup admins. Edit ``/etc/ssh/sshd_config`` so you have:

.. rubric:: first

.. code-block:: console

    PermitRootLogin prohibit-password
    #PermitRootLogin yes

This means that you can log into root with an ssh key but not with a password. The second line is a comment and is ignored, but we leave it in so that if we ever need to allow another machine root access we can just switch the comment between the two lines, and then switch it back after the machine has the access it needs.

.. rubric:: second

Add these lines to the bottom and change the backup users to your own.

.. code-block:: console

    # To disable tunneled clear text passwords, change to "no" here!
    PasswordAuthentication no
    PermitEmptyPasswords no

    #### OWLS ### set up backup users
    Match User tim
    PasswordAuthentication yes
    Match User jeremy
    PasswordAuthentication yes
    Match User madman
    PasswordAuthentication yes

.. rubric:: Be sure to run the following after changing the sshd_config file:

.. code-block:: console

    systemctl restart sshd.service

This makes sure that the changes you made to ``/etc/ssh/sshd_config`` take effect and that root password sign-in is shut down, so bots can't hammer the root user.

Firewall
========

* Work through :ref:`csf_firewall`

Server Software
===============

* Work through :ref:`Apache2`

Encryption
==========

You can start on :ref:`LetsEncryptCertificationSiteConfFiles` to get the software set up, **OR** you can do it when you are ready to set up certificates.

.. _Crontab:

crontab
=======

* Set up root's crontab with ``sudo crontab -e`` and add these lines:

  .. code-block:: text

      # m  h dom mon dow command
      1    1 1   *   *   certbot renew
      47   1 1   *   *   systemctl restart apache2
      1    1 15  *   *   certbot renew
      47   1 15  *   *   systemctl restart apache2

The backup system is working on adding apt updates to the crontab.

.. _CommonSoftware:

Common Software
===============

* Install other commonly used software:

  .. code-block:: console

      apt install rsync
      apt install locate
      updatedb    # creates the database for locate

You need to run ``updatedb`` after installing new software or after making many changes to your files.
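The two ``sshd_config`` edits in this manual (``PermitRootLogin`` in User Setup, and the ``PasswordAuthentication`` / ``Match User`` block in Setup Your Client Machine) are easy to get subtly wrong, because sshd uses the first uncommented value of a directive and treats everything after a ``Match`` line as conditional. The script below is an added example, not part of the original manual: it checks a config file against that policy before you restart sshd, and assumes only the POSIX ``sh`` and ``awk`` of a standard Debian install, with the file path passed as its argument.

```shell
#!/bin/sh
# Added example: check an sshd_config file against the policy in this
# manual before restarting sshd. Assumes POSIX sh and awk (Debian default).
# sshd rules that matter here:
#   - the FIRST uncommented value of a directive wins, so the commented
#     "#PermitRootLogin yes" line is harmless only while it stays commented;
#   - everything after a "Match" line applies only to that Match, so new
#     global directives must go ABOVE the "Match User ..." block.

# Print the effective global value of a directive (empty if not set).
sshd_global_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blanks
        tolower($1) == "match"   { exit }             # global section ends here
        tolower($1) == key       { print $2; exit }   # first occurrence wins
    ' "$1"
}

# List users whose "Match User" block re-enables password logins.
sshd_password_users() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { user = (tolower($2) == "user") ? $3 : ""; next }
        user != "" && tolower($1) == "passwordauthentication" && tolower($2) == "yes" { print user }
    ' "$1"
}

# Return 0 when the file enforces: root by key only, no global password
# or empty-password logins. Reports the first failing directive otherwise.
sshd_check_policy() {
    f=$1
    [ "$(sshd_global_value "$f" PermitRootLogin)" = "prohibit-password" ] \
        || { echo "PermitRootLogin is not prohibit-password" >&2; return 1; }
    [ "$(sshd_global_value "$f" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not no" >&2; return 1; }
    [ "$(sshd_global_value "$f" PermitEmptyPasswords)" = "no" ] \
        || { echo "PermitEmptyPasswords is not no" >&2; return 1; }
    echo "policy ok; password logins allowed only for: $(sshd_password_users "$f" | tr '\n' ' ')"
}

# On the server, run the policy check and sshd's own syntax check (sshd -t)
# before restarting, so a bad file never takes down your only way in:
#   sshd_check_policy /etc/ssh/sshd_config && sshd -t && systemctl restart sshd.service
```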