Monthly Archives: May 2012

Debian for vi users in Australia

Preamble

Just about every computer I run, from my servers to my Raspberry Pi, is running some form of Debian Linux. For every installation I do, I have to go through a series of post-installation steps to get the system working the way I want it to. As I do not perform installations on an everyday basis, every time I do one, I have to go look up the various Debian-specific re-configuration commands required. This time I am recording them, and hope that they may be of use to others.

Note that this does not just apply to vi users in Australia – make appropriate substitutions, and you can be an EMACS user in Denmark, if you so wish.

Get Up To Date!

sudo apt-get update
sudo apt-get upgrade

Configure Locale

sudo dpkg-reconfigure locales

I generally check en_AU.UTF-8, en_GB.UTF-8, en_US.UTF-8. On the following screen, I select en_AU.UTF-8 as the default locale.

For the Raspberry Pi, setting the default locale fixes the keymap problem. (The Pi defaults to the GB keyboard layout – Australia uses the US layout, so keys such as hash and dollar don’t do what is expected. And it’s been over 11 years since I used a British keyboard.)

See the locale page on the Debian Wiki for details of how to fine-tune locales.

Configure Default Editor

As far as I’m concerned, There is No Editor But vi. I use vim, which might not be installed, so installing it first might be a Good Move.

sudo apt-get install vim
sudo update-alternatives --config editor

What’s The Time?

ntpq -crv

Hopefully ntpd has been installed automatically, and is up and running. Using public NTP servers, the stratum entry in this list should be 3. If ntpq throws any errors, try again with sudo. If there is still an issue, ntpd might need to be installed. To check who your ntp peers are:

ntpq -cpe

Configure your timezone:

sudo dpkg-reconfigure tzdata

Enabling sshd (Raspberry Pi)

The Raspberry Pi comes with sshd disabled. To get it working:

sudo cp /boot/boot_enable_ssh.rc /boot/boot.rc

Don’t forget to edit /etc/ssh/sshd_config to set appropriate security options.

Installing Packages

This is my default package set:

apt-get install dns-browse bzip2 links lynx apache2 subversion php5 php5-cli \
    libapache2-mod-php5 mysql-server mysql-client libmysqlclient15-dev \
    automake autoconf make gcc g++ gdb bison flex libtool postfix \
    expat libexpat1-dev libssl-dev libxml2 libxml2-dev libapache2-svn \
    imagemagick libmagick++10 libmagick10 ghostscript patch unzip

Apache users may need to enable what I consider to be essential modules:

a2enmod rewrite
a2enmod ssl
a2enmod headers

And here are a few security essentials to pop at the bottom of /etc/apache2/apache2.conf:

# You'll want this for PCI/DSS compliance:
ServerSignature Off
ServerTokens Prod
TraceEnable off

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
RequestHeader unset Request-Range

# Don't let people see your subversion stuff.
# The dot is escaped so only paths containing a literal ".svn" component match.
<LocationMatch "/\.svn(/|$)">
Order allow,deny
Deny from all
</LocationMatch>
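
To confirm that the three hardening directives above are the ones in effect, the following check reports the effective value of each. It is an added example, not part of the original post. The function names and the sample file are constructed for illustration, and it assumes the file can be read as flat text, where the last uncommented occurrence wins and Include lines and VirtualHost scoping are not followed.

```shell
#!/bin/sh
# Added example: audit an Apache config for the three hardening directives
# listed above. Assumption: the file is treated as flat text (Include lines
# and <VirtualHost> scoping are not followed); the last occurrence wins.

# effective_value FILE NAME: print the value of the last uncommented
# "NAME value" line (directive names are case-insensitive); empty if absent.
effective_value() {
    awk -v want="$2" 'tolower($1) == tolower(want) { v = $2 } END { print v }' "$1"
}

# audit_apache FILE: print one line per directive that is missing or
# overridden, and return the number of failures (0 means all three are set).
audit_apache() {
    bad=0
    for pair in ServerSignature=off ServerTokens=prod TraceEnable=off; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$name" | tr '[:upper:]' '[:lower:]')
        if [ "$got" != "$want" ]; then
            echo "FAIL: $name is '${got:-unset}', want '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: ServerTokens is hardened and then overridden further
# down, and TraceEnable only appears inside a comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerSignature Off
ServerTokens Prod
# TraceEnable off
ServerTokens OS
EOF
audit_apache "$sample" || echo "$? directive(s) need attention"
rm -f "$sample"
```

Run it against a copy of /etc/apache2/apache2.conf with `audit_apache /path/to/copy`; an exit status of 0 means all three directives are set as listed.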

More Security Stuff

Recommended for PCI/DSS compliance, you’ll want this in /etc/sysctl.conf:

net.ipv4.tcp_timestamps = 0

And ditto for IPv6, if you have it configured. (I assume.)

You did check your /etc/ssh/sshd_config, didn’t you?

If you have an Internet-facing system, I will say just one word: iptables. And ip6tables, if you’re cool and appreciate just how good hexadecimal addresses look.