Building the Server Manual
Contabo
Picked an OS (Debian 13).
Made a root password (56&8*5Aj).
sudo
Become root:
su -
Install sudo so other admins can help you if needed.
apt install openssh-client
ssh-keygen # accept all the defaults
ssh-copy-id root@<ip>
apt update
apt upgrade -y
apt install sudo
User Setup
Add the admin for the machine. Be sure to have our standard admin so they can help you get in if you get stuck.
adduser <username>
usermod -aG sudo <username>
grep sudo /etc/group # shows you the user
Also set up the SSH access you need to get into the system. For example, make sure the backup system can ssh in as root via a key:
ssh-copy-id root@IP
Once you have the backup admin and the root SSH access set up, and have tested at least one backup admin and root, edit /etc/ssh/sshd_config so you have:
PermitRootLogin prohibit-password
#PermitRootLogin yes
This means that you can log in as root with an SSH key but not with a password. The second line is a comment and is ignored. We leave it in so that, if we need to give another machine root access, we can switch the comment between the two lines and then switch it back once the machine has the access it needs.
Sign on Message & Server Name
Change /etc/motd (message of the day) to include the name of the server and any appropriate message such as:
You are signed into qrorder.owls.plus
Run nano /etc/hostname and change the name of the server.
Then run nano /etc/hosts and add the server name to the end of the names, such as:
86.48.28.228 vmi1019627.contaboserver.net vmi1019627 apps
Notice that we leave the Contabo names and just add ours. The result of these two changes is that on the CLI apps will show up, but on a ping the full Contabo name will show up. Hence, we can keep track of both.
Restart the system to make it stick:
shutdown -r now
Initial Software
In 2025 Contabo is offering Debian 13. You should choose that.
For those of you maintaining systems:
Debian 13 (codename Trixie) has a five-year support life cycle, ending its full support on August 9, 2028, and its Long Term Support (LTS) on June 30, 2030. Debian 13 was released on August 9, 2025.
Debian 12 (Bookworm) does not have a fixed “end of life” date but instead follows a lifecycle with different phases of support, including regular support for approximately three years and Long Term Support (LTS) for an additional two years. Specifically, Debian 12’s full support ends around June 2026, with its Long Term Support (LTS) ending on June 30, 2028.
Debian 11 “Bullseye” officially entered its Long Term Support (LTS) phase in August 2024 and is scheduled to reach its full end-of-life on August 31, 2026. While the main Debian security support for it ended in August 2024, the LTS team provides security updates for a limited set of architectures (i386, amd64, armhf, and arm64) until this date. After August 31, 2026, no further updates will be provided, so it is highly recommended to upgrade to a supported release, such as Debian 12 “Bookworm,” before then.
Upgrading in Debian works well. You can get the instructions from AI.
Purchase the machine and set it up for the root user. Then ssh in and build the machine as follows.
You should be root, but if not become root with:
su -
Make sure the system is up-to-date:
apt update
apt upgrade
It is possible to use the -y switch with upgrade if you want to answer the default yes for all upgrades.
Install sudo so other admins can help you:
apt install sudo
Note, if it is already installed and is up-to-date, you will be told.
Check resolv.conf
See if /etc/resolv.conf is a symlink or a real file. Contabo sometimes has it as a symlink from /run/resolvconf/resolv.conf.
If so:
cd /etc
rm resolv.conf
nano resolv.conf
Enter the nameservers:
nameserver 8.8.8.8
nameserver 4.2.2.2
nameserver 8.8.4.4
Then look for the immutable bit:
lsattr /etc/resolv.conf
You probably will see:
--------------e------- resolv.conf
The fact that we do not see i means the immutable bit is off. Change with:
sudo chattr +i /etc/resolv.conf
Run lsattr again and you will see:
----i---------e------- resolv.conf
which means the immutable bit is on.
If you ever have to turn the immutable bit off, use -i instead of +i.
Check if it is working with:
apt update
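The resolv.conf steps above as a script that is safe to run more than once. This is an added example, not part of the original manual; the function names and the --apply switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: the resolv.conf steps above as a re-runnable script.

# resolv_kind PATH: print "symlink", "file" or "missing".
resolv_kind() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo file
    else echo missing
    fi
}

# has_immutable: read one line of lsattr output on stdin; succeed if the flags
# column (first field only, not the path) contains "i".
has_immutable() {
    read -r flags _path || return 1
    case $flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# pin_resolv PATH: replace a symlink with a real file, then set the immutable bit.
pin_resolv() {
    f=$1
    case $(resolv_kind "$f") in
        file)
            if lsattr "$f" | has_immutable; then
                echo "$f is already immutable"; return 0
            fi ;;
        *)
            rm -f "$f"    # removes the symlink itself, not its target
            printf 'nameserver %s\n' 8.8.8.8 4.2.2.2 8.8.4.4 > "$f" ;;
    esac
    chattr +i "$f" && lsattr "$f" | has_immutable
}

# Run as root: sh pin_resolv.sh --apply
if [ "${1:-}" = "--apply" ]; then
    pin_resolv /etc/resolv.conf
fi
```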
User Setup
Add the admin for the machine. Be sure to have backup admins so they can help you get in if you get stuck. In other words, you should have other people you totally trust who can jump into your machine from another location and unlock it in case you lock yourself out. And, yes, it happens. Note, Contabo also has a back door for you, for which they sent you credentials. So if you have no friends, you can count on that, but that would be a very sad situation to have no friends. The best friend you can have is Jesus, but He doesn’t do server house calls.
adduser <username>
usermod -aG sudo <username>
grep sudo /etc/group # shows you the user
Setup Your Client Machine
Prevent root sign-in via password and limit password sign-in to your backup admins.
Edit the /etc/ssh/sshd_config so you have:
First:
PermitRootLogin prohibit-password
#PermitRootLogin yes
This means that you can log in as root with an SSH key but not with a password. The second line is a comment and is ignored. We leave it in so that, if we need to give another machine root access, we can switch the comment between the two lines and then switch it back once the machine has the access it needs.
Second:
Add these lines to the bottom and change the backup users to your own.
# To disable tunneled clear text passwords, change to "no" here!
PasswordAuthentication no
PermitEmptyPasswords no
#### OWLS ### set up backup users
Match User tim
    PasswordAuthentication yes
Match User jeremy
    PasswordAuthentication yes
Match User madman
    PasswordAuthentication yes
Be sure to run the following after changing the sshd_config file:
systemctl restart sshd.service
This makes sure that the changes you made to /etc/ssh/sshd_config take effect and that root password sign-in is shut down, so robots can’t hit at the root user.
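One way to confirm the settings above before restarting, using sshd's own test modes (sshd -t for syntax, sshd -T -C user=NAME for the effective values after Match rules). This is an added example, not part of the original manual; the function names and the script name check_sshd.sh are assumptions.

```sh
#!/bin/sh
# Added example: confirm what sshd will actually enforce before restarting it.

# expect_setting KEY VALUE...: read `sshd -T` output on stdin; succeed only if
# KEY is reported with one of the accepted VALUEs.
expect_setting() {
    key=$1; shift
    got=$(awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
    for want in "$@"; do
        if [ "$got" = "$want" ]; then return 0; fi
    done
    echo "FAIL: $key is '${got:-unset}', expected one of: $*" >&2
    return 1
}

# check_user USER VALUE: effective PasswordAuthentication after Match rules.
check_user() {
    sshd -T -C "user=$1" | expect_setting passwordauthentication "$2"
}

# audit_sshd BACKUP_USER...: the layout this page describes.
audit_sshd() {
    sshd -t || return 1    # syntax check of /etc/ssh/sshd_config
    # sshd -T may report prohibit-password under its older alias.
    sshd -T -C user=root |
        expect_setting permitrootlogin prohibit-password without-password || return 1
    check_user root no || return 1
    for u in "$@"; do check_user "$u" yes || return 1; done
    echo "sshd_config OK"
}

# Run as root, e.g.: sh check_sshd.sh tim jeremy madman
# Restarts sshd only when every check passes.
if [ "$#" -gt 0 ]; then
    audit_sshd "$@" && systemctl restart sshd.service
fi
```

sshd uses the first value it reads for each keyword in the global section, so an earlier PasswordAuthentication line, or one in a file pulled in by an Include directive, takes precedence over lines added at the bottom. The check on root reports that case as a failure.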
Firewall
Work through csf_firewall
Server Software
Work through Apache2
Encryption
You can start on LetsEncryptCertificationSiteConfFiles to get the software set up, OR you can do it when you are ready to setup certificates.
crontab
Set up the root crontab with sudo crontab -e and add these lines:
# m h dom mon dow command
1 1 1 * * certbot renew
47 1 1 * * systemctl restart apache2
1 1 15 * * certbot renew
47 1 15 * * systemctl restart apache2
The backup system is working on adding apt updates to the crontab.
Common Software
Install other commonly used software:
apt install rsync
apt install locate
updatedb # creates database for locate
You need to run updatedb after installing new software or lots of changes in your files.