1. Debian12
In this article, we will explain how to build a server with Debian, the distribution on which the user-friendly Linux distribution Ubuntu is based. The latest release is Debian 12 (codenamed "bookworm", released on June 10, 2023); its point release Debian 12.8 (released on November 9, 2024) adds bug fixes and security updates.
See below for Miscellaneous Bugfixes and Security Updates.
https://www.debian.org/News/2024/20241109
1.1 Debian12.8 Download Installation Image
Go to the official Debian website https://www.debian.org/ and download the file "debian-12.8.0-amd64-netinst".
Burn the iso image saved above as a boot disk to CD or USB using your favorite writing software.
1.2 Debian12.8 Install
The installation procedure after that is the same as for Debian 12.1, so we omit it. Please refer to the following page.
2. Initialization
2.1 Installing and configuring the vim editor
Debian has "nano" as the default editor. nano is somewhat difficult to use, and there are few environments where it is used, so we will show you how to change the editor to "vim".
Check the vim package
Debian comes with vim installed by default, but the package is called "vim-tiny", which is a less functional version. To check the installed vim packages, use the "dpkg" command. The "-l" option will display a list of packages.
Since the "dpkg" command on its own shows all packages installed on the system, we use the "grep" command to extract only those packages that contain the string "vim". Execute as follows:

    huong@debian:~$ dpkg -l | grep vim
    ii  vim-common  2:9.0.1378-2  all    Vi IMproved - Common files
    ii  vim-tiny    2:9.0.1378-2  amd64  Vi IMproved - enhanced vi editor - compact version

You can see that only the "vim-tiny" package is installed as shown above.
①Installing the vim package
The "-y" option to the apt install command is an option to automatically confirm the installation.

    $ su -
    Password:    ← Root user password created during the installation process of Debian12
    # apt install -y vim

After installation, check the vim package again with the dpkg command:

    # dpkg -l | grep vim
    ii  vim          2:9.0.1378-2  amd64  Vi IMproved - enhanced vi editor
    ii  vim-common   2:9.0.1378-2  all    Vi IMproved - Common files
    ii  vim-runtime  2:9.0.1378-2  all    Vi IMproved - Runtime files
    ii  vim-tiny     2:9.0.1378-2  amd64  Vi IMproved - enhanced vi editor - compact version

Vim is installed as shown above.
➁Change the editor used by default
Change the default editor from nano to the newly installed "vim". To change the default editor, run the command "update-alternatives --set editor".

    # update-alternatives --set editor /usr/bin/vim.basic
    update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode

If the output looks like the above, the editor has been changed.
➂Change vim settings
To allow all users, create a ".vimrc" file in "/root/".
To create a vim environment for each user, create a ".vimrc" file in the user's home directory.
This time, we will create a ".vimrc" file in the root user's home directory "/root/".

    # vi ~/.vimrc

    " Enables pasting and copying of text
    set clipboard+=autoselect
    " Use vim's own extensions (not compatible with vi)
    set nocompatible
    " Specify character code
    set encoding=utf-8
    " Specify file encoding
    set fileencodings=utf-8,iso-2022-jp,sjis,euc-jp
    " Specify the line feed code to be automatically recognized
    set fileformats=unix,dos
    " Obtain a backup
    set backup
    " Specify the directory from which to obtain backups
    set backupdir=~/backup
    " Number of generations to keep search history
    set history=50
    " Do not distinguish between upper and lower case letters when searching
    set ignorecase
    " Mixing capital letters in search terms makes the search case sensitive
    set smartcase
    " Highlight words matching your search term
    set hlsearch
    " Use incremental search (Starts searching for matching strings at any time while a search term is being entered)
    set incsearch
    " Display line numbers
    set number
    " Visualize line breaks ( $ ) and tabs ( ^I )
    set list
    " Highlight corresponding parentheses when entering parentheses
    set showmatch
    " No newlines at the end of files
    set binary noeol
    " Enable automatic indentation
    set autoindent
    " Color-coded display by syntax
    syntax on
    " change color of comment text in case of [ syntax on]
    highlight Comment ctermfg=LightCyan
    " Wrap lines by window width
    set wrap

Please comment out anything unnecessary in the above.
④Activation of vim configuration changes
Please log out of the system for the settings to take effect. When you log in to the system again, the above information will be reflected.
2.2 Network Settings
①Host Name Settings
This section describes how to change the hostname that was set during Debian installation, should you need to.
To set the hostname, use the command "hostnamectl set-hostname". Execute the command as follows. In this example, the hostname is set to "Lepard".

    # hostnamectl set-hostname Lepard

The result of the configuration can be confirmed by referring to the "/etc/hostname" file.
Refer to the "/etc/hostname" file with the "cat" command, and if the "Lepard" value is displayed as shown below, the host name confirmation is complete.

    # cat /etc/hostname
    Lepard

➁Set IP address to network interface
A fresh Debian 12 installation obtains its IP address dynamically (DHCP), so set a fixed IP address. Then restart the network interface (ens33 in this case).
The network interface name will vary depending on the environment in which the setup was performed.
The command to check the network information is "ip addr (or ip a)". Running this command will display the network interface name and IP address information.

    # ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:f9:86:e2 brd ff:ff:ff:ff:ff:ff
        altname enp2s1
        inet 192.168.11.27/24 brd 192.168.11.255 scope global dynamic ens33
           valid_lft 166581sec preferred_lft 166581sec
        inet6 fe80::20c:29ff:fef9:86e2/64 scope link
           valid_lft forever preferred_lft forever

The name displayed after the sequence number is the network interface name. Since "lo" is the local loopback interface, it is not usually used. In the above case, "ens33" is the network interface name.
➂Setting up a static IP address
Now that we know the network interface name, we will configure the network settings. This example uses the following parameters.
・IP address 192.168.11.83
・subnet mask 255.255.255.0(24Bit)
・default gateway 192.168.11.1
・DNS Server 192.168.11.1
IP addresses are configured by modifying the "/etc/network/interfaces" file.
Open the interfaces file with the vi command.

    # vi /etc/network/interfaces

The default values are as follows:

    # The primary network interface
    allow-hotplug ens33
    iface ens33 inet dhcp

Change as follows:

    # The primary network interface
    allow-hotplug ens33
    #iface ens33 inet dhcp           ← comment out
    # network interface settings
    iface ens33 inet static          ← add
    address 192.168.11.83            ← add
    netmask 255.255.255.0            ← add
    gateway 192.168.11.1             ← add
    dns-nameservers 192.168.11.1     ← add

④Enable static IP address

    # systemctl restart networking ifup@ens33

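A pre-flight check for the stanza above, as an added example that is not part of the original page: it reads the static settings back from an interfaces file and confirms that the gateway is a separate host in the same subnet as the address before networking is restarted. The function names and the sample file are constructed for illustration, and the dotted netmask form used in this section is assumed.

```sh
# Added example: sanity-check a static stanza before restarting networking.
# Function names are illustrative, not part of ifupdown.

# Convert a dotted-quad IPv4 string to an integer; fail on malformed input.
ip_to_int() (
    case $1 in *[!0-9.]*|*.) exit 1 ;; esac
    IFS=.; set -f; set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in ''|0?*|????*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# Print one option's value from the "iface <name> inet static" stanza.
stanza_value() (
    awk -v ifc="$2" -v key="$3" '
        $1 ~ /^(iface|auto|allow-|mapping|source)/ {
            in_stanza = ($1 == "iface" && $2 == ifc && $4 == "static"); next }
        in_stanza && $1 == key { print $2; exit }' "$1"
)

# Succeed only if all three values parse and the gateway is a different
# host inside the address's subnet.
check_static() (
    addr=$(stanza_value "$1" "$2" address)
    mask=$(stanza_value "$1" "$2" netmask)
    gw=$(stanza_value "$1" "$2" gateway)
    a=$(ip_to_int "$addr") && m=$(ip_to_int "$mask") && g=$(ip_to_int "$gw") ||
        { echo "invalid or missing address/netmask/gateway"; exit 1; }
    [ $(( $a & $m )) -eq $(( $g & $m )) ] && [ "$a" -ne "$g" ] ||
        { echo "gateway $gw is not a separate host in $addr/$mask"; exit 1; }
    echo "ok: $addr/$mask via $gw"
)

# Constructed sample: the edited file from this section, annotations removed.
conf=$(mktemp)
printf '%s\n' 'allow-hotplug ens33' '#iface ens33 inet dhcp' \
    'iface ens33 inet static' 'address 192.168.11.83' \
    'netmask 255.255.255.0' 'gateway 192.168.11.1' \
    'dns-nameservers 192.168.11.1' > "$conf"

check_static "$conf" ens33
```

On the server itself, run `check_static /etc/network/interfaces ens33` after editing and before the restart, which matters most when the session is over SSH.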
2.3 Set server time synchronization
We will configure "timesyncd", a service that automatically adjusts the server time.
①Configuration of timesyncd service
The timesyncd service is configured in the file "/etc/systemd/timesyncd.conf".
Before changing the file, make a backup copy of the original file.

    # cp -p /etc/systemd/timesyncd.conf /etc/systemd/timesyncd.conf.org

We will edit the configuration file.

    # vi /etc/systemd/timesyncd.conf

The default values are as follows:

    [Time]
    #NTP=
    #FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
    #RootDistanceMaxSec=5
    #PollIntervalMinSec=32
    #PollIntervalMaxSec=2048

Change this to a time server in Japan as follows:

    NTP=ntp.jst.mfeed.ad.jp
    FallbackNTP=ntp.nict.jp
    #RootDistanceMaxSec=5
    #PollIntervalMinSec=32
    #PollIntervalMaxSec=2048

➁Reflection of timesyncd service settings

    # systemctl restart systemd-timesyncd

If no error is printed, the service has restarted. Use the "timedatectl status" command to check the time synchronization. Execute as follows:

    # timedatectl status
                   Local time: Thu 2024-11-14 12:38:27 JST
               Universal time: Thu 2024-11-14 03:38:27 UTC
                     RTC time: Thu 2024-11-14 03:38:27
                    Time zone: Asia/Tokyo (JST, +0900)
    System clock synchronized: yes
                  NTP service: active
              RTC in local TZ: no

If "System clock synchronized: yes" is displayed, the time is synchronized.
2.4 Restrict users who can su
In Debian's default configuration, any user can switch to the root user with the "su" command.
If multiple users are created on the server and the login information of any one of them becomes known, the su command can be used to obtain root user privileges after unauthorized access is gained.
To limit this, su can be restricted so that only users who belong to the wheel group are authorized to execute it.
①Adding users to the wheel group
First, create a wheel group with the following command:

    # groupadd wheel

Run the usermod command to add a user to the wheel group. As an example, let us assume that the user to be added is "lan".

    # useradd lan
    # usermod -g wheel lan

Confirm that the user has been added to the wheel group using the id command.

    # id lan
    uid=1001(lan) gid=1001(wheel) groups=1001(wheel)

➁Edit configuration file for su command
The configuration file for the su command is /etc/pam.d/su. Uncomment the pam_wheel.so line (around line 15).

    # vi /etc/pam.d/su

    # Uncomment this to force users to be a member of group wheel
    # before they can use `su'. You can also add "group=foo"
    # to the end of this line if you want to use a group other
    # than the default "wheel" (but this may have side effect of
    # denying "root" user, unless she's a member of "foo" or explicitly
    # permitted earlier by e.g. "sufficient pam_rootok.so").
    # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
    auth required pam_wheel.so    ← Uncomment

The "lan" user can now transition to root privileges using the "su -" command.
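A check of the result of this section, as an added example that is not part of the original page: it reports whether a PAM su file has an active pam_wheel.so line and which accounts pass the group test. The function names and the sample files are constructed for illustration; because the page assigns the group with "usermod -g", the member list also has to include accounts whose primary group is wheel, which the group file alone does not show.

```sh
# Added example: audit the su restriction configured in this section.
# Function names are illustrative; paths are passed in so copies can be checked.

# Print "unrestricted" when no active pam_wheel.so line exists, otherwise
# "group=<name>", followed by " trust" if members skip the password prompt.
su_gate() (
    set -f    # no glob expansion while splitting the PAM line into words
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' "$1" | head -n 1)
    [ -n "$line" ] || { echo unrestricted; exit 0; }
    group=wheel trust=
    for word in $line; do
        case $word in
            group=*) group=${word#group=} ;;
            trust)   trust=' trust' ;;
        esac
    done
    echo "group=$group$trust"
)

# List accounts that pass the group test: supplementary members from the
# group file plus accounts whose primary GID is the group ("usermod -g").
group_members() (
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || exit 1
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
)

# Constructed sample files mirroring the state this section produces.
sample=$(mktemp -d)
printf '%s\n' '# auth       sufficient pam_wheel.so trust' \
              'auth       required   pam_wheel.so' > "$sample/su"
printf '%s\n' 'root:x:0:' 'wheel:x:1001:' > "$sample/group"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'lan:x:1001:1001::/home/lan:/bin/sh' > "$sample/passwd"

echo "su gate: $(su_gate "$sample/su")"
echo "allowed: $(group_members wheel "$sample/group" "$sample/passwd")"
```

On the server, run `su_gate /etc/pam.d/su` and `group_members wheel /etc/group /etc/passwd`; only locally defined accounts are covered.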
2.5 Debian Repository Mirror Settings Edit
The repository mirror configuration file is /etc/apt/sources.list. Make a backup copy before editing it.

    # cd /etc/apt/
    # cp sources.list sources.list_back
    # vi sources.list

The file contents are as follows:

    #deb cdrom:[Debian GNU/Linux 12.8.0 _Bookworm_ - Official amd64 NETINST with firmware 20241109-11:04]/ bookworm contrib main non-free-firmware

    deb http://ftp.jp.debian.org/debian/ bookworm main non-free-firmware
    deb-src http://ftp.jp.debian.org/debian/ bookworm main non-free-firmware

    deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
    deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware

    # bookworm-updates, to get updates before a point release is made;
    # see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
    deb http://ftp.jp.debian.org/debian/ bookworm-updates main non-free-firmware
    deb-src http://ftp.jp.debian.org/debian/ bookworm-updates main non-free-firmware

    # This system was installed using small removable media
    # (e.g. netinst, live or single CD). The matching "deb cdrom"
    # entries were disabled at the end of the installation process.
    # For information about how to configure apt package sources,
    # see the sources.list(5) manual.

The top one is the media used during installation. It is no longer used, so it is commented out.
Add Backports repository (add the following to the last line)

    deb http://deb.debian.org/debian/ bookworm-backports main non-free-firmware

Update source list

    # apt update

2.6 Make the locate command available
To search for a specific file on the entire Linux system, use the find command, but find is somewhat confusing in its options.
The locate command can extract all files with a specified filename.
Although a database of file and folder names must be created in advance, it has the advantage of being fast and easy to use. In this example, the "locate" command is used.
①Installing the locate package

    # apt install -y locate
    # dpkg -l | grep locate
    ii  locate  4.9.0-4  amd64  maintain and query an index of a directory tree

If the locate package name appears in the execution result as shown above, the installation has been verified.
➁Create database

    # updatedb

➂Executing the locate command
As an example, search for all files named "sshd".

    # locate sshd
    /etc/pam.d/sshd
    /etc/ssh/sshd_config
    /etc/systemd/system/sshd.service
    /run/sshd
    /run/sshd.pid
    /usr/sbin/sshd
    /usr/share/man/man5/sshd_config.5.gz
    /usr/share/man/man8/sshd.8.gz
    /usr/share/openssh/sshd_config
    /usr/share/openssh/sshd_config.md5sum
    /usr/share/vim/vim81/syntax/sshdconfig.vim
    /var/lib/systemd/deb-systemd-helper-enabled/sshd.service
    /var/lib/ucf/cache/:etc:ssh:sshd_config

A list of filenames containing sshd is now displayed.
2.7 Locale Settings
If you have selected Japanese as your locale when installing Debian, you are already in a Japanese environment and do not need to change it.
If your environment uses the English locale and you prefer the Japanese locale, change it as follows.
①Check current locale
Check the locale set in the system. Use the "localectl status" command to check the locale.
(Currently, LANG=en_US.UTF-8 is used for English.)

    # localectl status
    System Locale: LANG=en_US.UTF-8
                   LANGUAGE=en_US:en
        VC Keymap: (unset)
       X11 Layout: jp
        X11 Model: pc105

➁Change to Japanese locale
Set the locale with the dpkg-reconfigure command.

    # dpkg-reconfigure locales

Delete "*" from "en_US.UTF-8 UTF-8" and click OK.
Select "ja_JP.UTF-8" and click OK.
Check again:

    # localectl status
    System Locale: LANG=ja_JP.UTF-8
        VC Keymap: (unset)
       X11 Layout: jp
        X11 Model: pc105

We have confirmed that the "ja_JP.UTF-8" locale is set as shown above.
2.8 Time Zone Settings
In most cases, the time zone for Debian 12 is set during installation, but if the Japanese time zone "JST" is not specified, it can be changed with the "timedatectl" command.
①Display of current time zone
To check the time zone set on the server, run the "timedatectl status" command.

    # timedatectl status
                   Local time: Thu 2024-11-14 12:46:02 JST
               Universal time: Thu 2024-11-14 03:46:02 UTC
                     RTC time: Thu 2024-11-14 03:46:01
                    Time zone: Asia/Tokyo (JST, +0900)
    System clock synchronized: yes
                  NTP service: active
              RTC in local TZ: no

The time zone is set to "Asia/Tokyo (JST)" as shown above.
➁Change time zone to Japan
If it is not "Asia/Tokyo (JST)", you can change the time zone with the "timedatectl set-timezone" command.

    # timedatectl set-timezone Asia/Tokyo

2.9 Update system packages
Debian systems installed from the media may contain outdated packages. Debian also uses "apt" to update all packages.
To refresh the package lists and check whether any packages need updating, without installing anything, run the "apt update" command. The command is executed as follows:

    # apt update
    Hit:1 http://deb.debian.org/debian bookworm InRelease
    Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
    Get:3 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
    Get:4 http://security.debian.org/debian-security bookworm-security/main Sources [10.2 kB]
    Get:5 http://security.debian.org/debian-security bookworm-security/main amd64 Packages [21.8 kB]
    Get:6 http://security.debian.org/debian-security bookworm-security/main Translation-en [9,624 B]
    Fetched 142 kB in 0s (297 kB/s)
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    All packages are up to date.

In this case, all packages are already up to date, but if any of them need updating, run the "apt upgrade" command.

    # apt upgrade -y
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    Calculating upgrade... Done
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.