Debian Server Setup Guide

Download and install Debian ISO (DVD)

  • Configure networking during installation using the provided IPv4.
  • Use nameserver: 1.1.1.1 or 1.0.0.1.

Check internet connection first

Just ping google.com and see the results

The internet does indeed work

You're good to go and can skip the next section 🫠

Internet is fucked up

Danger

Setting the sysctl keys below to 1 disables IPv6 at the kernel interface level, so the system will not accept or process IPv6 packets and services. If the internet (ping) doesn't work, it's better to set the gateway manually.

Proceed to disable IPv6

sudo tee /etc/sysctl.d/99-disable-ipv6.conf > /dev/null <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
sudo sysctl --system
ip -6 addr show

Add new user

Create new user

sudo adduser username
sudo usermod -aG sudo username   # add the user to a group; sudo is assumed here

SSH setup

On VPS

sudo apt install -y openssh-server
sudo systemctl status ssh
Edit SSH config:

sudo nano /etc/ssh/sshd_config
port 4822
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
PermitRootLogin no

On client:

ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-copy-id username@server_ip

Restart ssh (on VPS)

Restart SSH:

sudo systemctl restart ssh

Correct .nanorc

Make your personal modifications to the nanorc file

nano ~/.nanorc

Correct the .bashrc

Make your personal modifications to the bashrc file

nano ~/.bashrc
Put the Debian orange theme inside (arbitrary)
PS1="\[$(tput setaf 196)\]\u\[$(tput setaf 202)\]@\[$(tput setaf 208)\]\h \[$(tput setaf 231)\]\w \[$(tput sgr0)\]$ "

fastfetch

Warning

fastfetch will NOT work right away; you must install fastfetch first

Last adjustments

sudo tee /etc/resolv.conf > /dev/null <<EOF
nameserver 1.1.1.1
nameserver 1.0.0.1
EOF

sudo apt install fastfetch              # Essential
sudo apt install qemu-guest-agent       # For the host status on kyun.host dashboard
sudo systemctl start qemu-guest-agent   # Start and enable the service
sudo systemctl enable qemu-guest-agent

Setting up iptables

By default iptables rules are stored in RAM and are deleted on poweroff. To make them persistent there are some things to set up, mainly a script that runs automatically at boot and restores the iptables rules

Create a directory to store the iptables configs

mkdir /etc/iptables

Save the current configs

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Create a restoration script

nano /etc/network/if-pre-up.d/iptables

Add the following lines to the script

#!/bin/sh
/sbin/iptables-restore < /etc/iptables/rules.v4
/sbin/ip6tables-restore < /etc/iptables/rules.v6

Make the script executable

chmod +x /etc/network/if-pre-up.d/iptables

Saving iptables configs

From now on the configurations must be stored inside the two files

/etc/iptables/rules.v4
/etc/iptables/rules.v6

So to save the iptables config use the following commands

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Blocking SMTP ports

VPS providers generally don't allow SMTP traffic, so to make sure it stays that way we block the SMTP ports in INPUT, OUTPUT and in the Docker networks

To block the SMTP traffic in INPUT and OUTPUT with iptables

# INPUT chain
iptables -A INPUT -p tcp --dport 25 -j REJECT
iptables -A INPUT -p tcp --dport 587 -j REJECT
iptables -A INPUT -p tcp --dport 465 -j REJECT
# OUTPUT chain
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
iptables -A OUTPUT -p tcp --dport 587 -j REJECT
iptables -A OUTPUT -p tcp --dport 465 -j REJECT

And to block SMTP connections in the Docker networks we use the DOCKER-USER chain

# -I inserts at the top of the chain; a rule appended (-A) after a catch-all RETURN in DOCKER-USER would never match
iptables -I DOCKER-USER -p tcp --dport 25 -j REJECT
iptables -I DOCKER-USER -p tcp --dport 465 -j REJECT
iptables -I DOCKER-USER -p tcp --dport 587 -j REJECT

And update the saved configuration permanently with

iptables-save > /etc/iptables/rules.v4

Now, if IPv6 is enabled, close the ports on ip6tables too:

# INPUT chain
ip6tables -A INPUT -p tcp --dport 25 -j REJECT
ip6tables -A INPUT -p tcp --dport 587 -j REJECT
ip6tables -A INPUT -p tcp --dport 465 -j REJECT
# OUTPUT chain
ip6tables -A OUTPUT -p tcp --dport 25 -j REJECT
ip6tables -A OUTPUT -p tcp --dport 587 -j REJECT
ip6tables -A OUTPUT -p tcp --dport 465 -j REJECT
# DOCKER-USER chain (-I so the rules sit before any catch-all RETURN)
ip6tables -I DOCKER-USER -p tcp --dport 25 -j REJECT
ip6tables -I DOCKER-USER -p tcp --dport 465 -j REJECT
ip6tables -I DOCKER-USER -p tcp --dport 587 -j REJECT

And update the saved configuration permanently with

ip6tables-save > /etc/iptables/rules.v6
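
To check that the saved rules really block SMTP, here is an added example (not part of the original guide) that audits iptables-save output for the three chains and three ports used above. It also flags a block that sits after a catch-all RETURN/ACCEPT, where it is never evaluated. The function name check_smtp_block and the sample ruleset are made up for this illustration.

```sh
#!/bin/sh
# Reads iptables-save output on stdin and prints "<chain> <port> <state>",
# where state is ok, shadowed (placed after a catch-all rule) or missing.
# Returns 0 only if every pair is ok. Simplification: a block rule with
# extra matches (-s, -i, ...) is still counted as a full block.
check_smtp_block() {
    awk -v chains="INPUT OUTPUT DOCKER-USER" -v ports="25 465 587" '
    $1 == "-A" {
        chain = $2
        # An unconditional RETURN/ACCEPT ends the chain for every packet,
        # so anything appended after it is never evaluated.
        if (NF == 4 && $3 == "-j" && ($4 == "RETURN" || $4 == "ACCEPT")) {
            closed[chain] = 1
            next
        }
        tcp = 0; port = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        key = chain " " port
        if (tcp && (target == "REJECT" || target == "DROP") && !(key in state))
            state[key] = (chain in closed) ? "shadowed" : "ok"
    }
    END {
        bad = 0; nc = split(chains, c, " "); np = split(ports, p, " ")
        for (i = 1; i <= nc; i++) for (j = 1; j <= np; j++) {
            key = c[i] " " p[j]
            s = (key in state) ? state[key] : "missing"
            if (s != "ok") bad = 1
            print key, s
        }
        exit bad
    }'
}

# Constructed sample, not from a real host: OUTPUT lacks 465 and the only
# DOCKER-USER block was appended after a catch-all RETURN.
SAMPLE_RULES='*filter
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 587 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 465 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 587 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
-A DOCKER-USER -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
printf '%s\n' "$SAMPLE_RULES" | check_smtp_block || echo "SMTP block incomplete"
```

On the server, feed it the saved files instead of the sample: check_smtp_block < /etc/iptables/rules.v4 (and the same for rules.v6).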

A config file with a backup of all pangolin will hopefully be attached to this guide