Among the initial settings to be made after installing Debian, we will configure the following items.
- Restricting users who can su
- Edit Debian repository mirror settings
- Make locate command available
- Locale settings
- Configure time zone settings
- Update system packages
1. Limit the users who can su
In Debian, the default configuration allows any user to run the "su" command and become root by entering the root password.
When a server has multiple users, an attacker who learns the login information of any one of them can use the su command to try to obtain root privileges after gaining unauthorized access.
Therefore, restrict the users who can execute the su command as much as possible: here, only users who belong to the wheel group are authorized to execute su.
1.1 Adding users to the wheel group
Create a wheel group with the following command:
# groupadd wheel
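Run the usermod command to add a user to the wheel group. For example, let's say the user you want to add is example. Note that the -g option makes wheel the user's primary group; to keep the existing primary group and add wheel as a supplementary group, use the -aG options instead.
# usermod -g wheel example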
Verify that it has been added to the wheel group using the id command.
# id example
uid=1000(testuser01) gid=1001(wheel) groups=1001(wheel)
1.2 Edit the su command configuration file
The configuration file for the su command is /etc/pam.d/su.
# vi /etc/pam.d/su
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
#auth required pam_wheel.so
Uncomment ↓
auth required pam_wheel.so
Now only members of the wheel group, such as the example user, can use the "su -" command to switch to root privileges.
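The following check is an added example, not part of the original guide: run on copies of the files, it verifies that the pam_wheel.so line is active and lists the accounts it admits. The function names and sample accounts are hypothetical, and it assumes the default group (no group= option on the pam_wheel.so line).

```shell
#!/bin/sh
# Added example: audit the su restriction from section 1 on copies of the files.

# Exit 0 if an active "auth required pam_wheel.so" line (without "deny") exists.
su_wheel_enforced() {
    awk '
        /^[ \t]*#/ { next }                    # commented-out lines do not count
        $1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" {
            ok = 1
            for (i = 4; i <= NF; i++) if ($i == "deny") ok = 0  # deny inverts the test
            if (ok) found = 1
        }
        END { exit !found }
    ' "$1"
}

# Print the accounts pam_wheel accepts: supplementary members of wheel plus
# accounts whose primary group is wheel (what "usermod -g wheel" produces).
wheel_members() {
    gid=$(awk -F: '$1 == "wheel" { print $3 }' "$1")
    [ -n "$gid" ] || return 1                  # no wheel group defined
    {
        awk -F: '$1 == "wheel" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) print m[i] }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u | paste -sd ' ' -
}

# Constructed sample data (hypothetical accounts, not from a real system).
make_sample() {
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        '#auth required pam_wheel.so' > "$1/su.before"
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'auth required pam_wheel.so' > "$1/su.after"
    printf '%s\n' 'root:x:0:' 'users:x:100:' 'wheel:x:1001:admin2' > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'example:x:1000:1001::/home/example:/bin/bash' \
        'admin2:x:1002:100::/home/admin2:/bin/bash' \
        'guest:x:1003:100::/home/guest:/bin/bash' > "$1/passwd"
}

tmp=$(mktemp -d)
make_sample "$tmp"
for f in su.before su.after; do
    if su_wheel_enforced "$tmp/$f"; then echo "$f: su limited to wheel"
    else echo "$f: any user may attempt su"; fi
done
echo "wheel members: $(wheel_members "$tmp/group" "$tmp/passwd")"
rm -rf "$tmp"
```

On a live system, pass /etc/pam.d/su, /etc/group and /etc/passwd as the arguments.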
2. Editing Debian repository mirror settings
The repository mirror configuration file is /etc/apt/sources.list. Make a copy of it, then edit it.
# cd /etc/apt/
# cp sources.list sources.list_back
# vi /etc/apt/sources.list
The file contents are as follows:
deb http://ftp.jp.debian.org/debian/ buster main
deb-src http://ftp.jp.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
# buster-updates, previously known as 'volatile'
deb http://ftp.jp.debian.org/debian/ buster-updates main
deb-src http://ftp.jp.debian.org/debian/ buster-updates main
# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.
The top entry is the media we used during the installation. Since it is no longer used, I have commented it out.
If the server is used in Japan, choose a mirror with jp in its host name.
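As an added example (not part of the original guide), the script below checks a sources.list for the two points that matter after this edit: the installation-media entry is no longer active, and the security repository still is. The function names, finding labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an APT sources.list such as the one shown in section 2.

# Print "type uri suite" for each active entry. Comments are dropped, and so is
# any bracketed block (entry options, or the disc label of a cdrom: entry).
active_sources() {
    sed -e 's/#.*$//' -e 's/\[[^]]*]//' "$1" |
        awk '$1 == "deb" || $1 == "deb-src" { print $1, $2, $3 }'
}

# Print one finding per line; print nothing when both checks pass.
audit_sources() {
    active_sources "$1" | awk '
        $2 ~ /^cdrom:/ { cdrom = 1 }                 # install media still enabled
        $1 == "deb" && $2 ~ /\/\/security\.debian\.org\// { sec = 1 }
        END {
            if (cdrom) print "cdrom-entry-active"
            if (!sec)  print "no-security-repository"
        }'
}

# Constructed sample files, modelled on the listing above.
make_sources() {
    printf '%s\n' \
        '# deb cdrom:[Debian GNU/Linux 10 netinst]/ buster main' \
        'deb http://ftp.jp.debian.org/debian/ buster main' \
        'deb http://security.debian.org/debian-security buster/updates main' \
        > "$1/sources.good"
    printf '%s\n' \
        'deb cdrom:[Debian GNU/Linux 10 netinst]/ buster main' \
        'deb http://ftp.jp.debian.org/debian/ buster main' \
        '#deb http://security.debian.org/debian-security buster/updates main' \
        > "$1/sources.bad"
}

tmp=$(mktemp -d)
make_sources "$tmp"
for f in sources.good sources.bad; do
    findings=$(audit_sources "$tmp/$f")
    echo "$f: ${findings:-ok}"
done
rm -rf "$tmp"
```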
3. Make the locate command available
The find command can be used to search for a specific file on the entire Linux system, but the options for find are somewhat confusing.
The locate command lists every file whose path contains the specified name.
Although it requires you to create a database of file and folder names in advance, it has the advantage of fast file search and ease of use. In this section, we will enable the "locate" command to be used.
3.1 Install the locate package
# apt install -y locate
# dpkg -l | grep locate
ii locate 4.6.0+git+20190209-2 amd64 maintain and query an index of a directory tree
3.2 Create a database
# updatedb
3.3 Run the locate command.
As an example, we will search for all files named "sshd".
# locate sshd
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/systemd/system/sshd.service
/run/sshd
/run/sshd.pid
/usr/sbin/sshd
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sshd.8.gz
/usr/share/openssh/sshd_config
/usr/share/openssh/sshd_config.md5sum
/usr/share/vim/vim81/syntax/sshdconfig.vim
/var/lib/systemd/deb-systemd-helper-enabled/sshd.service
/var/lib/ucf/cache/:etc:ssh:sshd_config
A list of filenames containing sshd is now displayed.
4. Locale settings
This is the language setting for your Linux system. If you selected Japanese as the locale when you installed Debian, you are already in a Japanese environment and do not need to change it.
If your environment is set to an English locale and you prefer the Japanese locale, change it as described below.
4.1 Check the current locale.
Check the locale set in the system. To check the locale, use the "localectl status" command.
# localectl status
System Locale: LANG=C.UTF-8
VC Keymap: n/a
X11 Layout: jp
X11 Model: pc105
In the above case, "C.UTF-8" is the locale, which means it is the C locale (POSIX locale).
4.2 Change to Japanese locale
In Debian, you can check the list of locales with the command "localectl list-locales". Let's run it to see the locales available on the system.
# localectl list-locales
C.UTF-8
ja_JP.utf8
Two locales are now displayed. The displayed result "ja_JP.utf8" is the locale for Japanese, so we will set the "ja_JP.utf8" locale.
To set the locale, use the "localectl set-locale" command. Execute it as follows:
# localectl set-locale LANG=ja_JP.utf8
Confirm the change.
# localectl status
System Locale: LANG=ja_JP.utf8
VC Keymap: n/a
X11 Layout: jp
X11 Model: pc105
We have confirmed that the "ja_JP.utf8" locale has been set as shown above.
5. Setting the time zone
In most cases, the time zone of Debian 10 is set at the time of installation, but if the Japanese time zone "JST" is not specified, you can change it with the "timedatectl" command.
5.1 Display the current time zone
To check the time zone set on the server, run the "timedatectl status" command.
# timedatectl status
Local time: 金 2019-11-01 15:49:16 JST
Universal time: 金 2019-11-01 06:49:16 UTC
RTC time: 金 2019-11-01 06:49:17
Time zone: Asia/Tokyo (JST, +0900)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
The time zone is set to "Asia/Tokyo (JST)" as shown above.
5.2 Change time zone to Japan
If the time zone is not set to "Asia/Tokyo (JST)", you can use the command "timedatectl set-timezone" to change the time zone.
# timedatectl set-timezone Asia/Tokyo
Confirm the change.
# timedatectl status
Local time: 金 2019-11-01 15:50:23 JST
Universal time: 金 2019-11-01 06:50:23 UTC
RTC time: 金 2019-11-01 06:50:23
Time zone: Asia/Tokyo (JST, +0900)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
6. Update the system packages
A Debian system installed from the media may contain outdated packages. Debian also uses "apt" to update all packages.
If you do not want to update the packages yet, but just want to check whether updates are available, run the "apt update" command. It refreshes the package lists and reports whether any packages can be upgraded, without installing anything. Run it as follows:
# apt update
hit:1 http://deb.debian.org/debian buster InRelease
hit:2 http://deb.debian.org/debian buster-updates InRelease
hit:3 http://security.debian.org/debian-security buster/updates InRelease
Loading package list... Done
Create the dependency tree.
Reading status information... Done
All packages are up to date.
To update the packages, run the "apt upgrade" command.
# apt upgrade -y
Loading package list... Done
Create the dependency tree.
Reading status information... Done
An upgrade package is detected... Done
Upgrades: 0, new installs: 0, removals: 0, pending: 0.
No update was done this time because there were no packages to update.