Initial Setup of Debian 10

< All Topics

Some of the useful commands to perform initial setup of Debian 10

Verify Repository

verify the following links are included in /etc/apt/sources.list

$ cat /etc/apt/sources.list
deb buster main
deb-src buster main

deb buster/updates main
deb-src buster/updates main

# buster-updates, previously known as 'volatile'
deb buster-updates main
deb-src buster-updates main

Add users to Sudo Group

Login as root to install sudo and add user called kwyong to sudo group

$ apt install sudo
$ adduser kwyong sudo

Users have to logoff and logon again for the sudo right to be applied

Install open-vm-tools

$ sudo apt install open-vm-tools openssh-server -y

Static IP Address

Configuration of Static IP Address, Gateway & DNS Servers

$ sudo nano /etc/network/interfaces
# The primary network interface
allow-hotplug eth0
iface eth0 inet static

Reboot the server for the new IP Address to be applied

$ reboot

Secure SSH Login

Generate a new SSH key from Windows 10 Machines with Maboxterm installed

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa): debian
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in debian.
Your public key has been saved in
The key fingerprint is:
SHA256:zjSeZm1ausekXayw6hIb17IltYlDcHnRHWvuTUvlNN0 [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|       ..o ...   |
|    . o . . ..  o|
|     o .    o  .E|
|      . .  o   +.|
|     . +So .. o .|
|    o *=*+..o+ . |
|     = *BB+o. o  |
|    o .oo==      |
|     oo.+o       |

Verify the private key (debian) & public key ( is created successfully

$ ls -l /home/mobaxterm/.ssh
total 19
-rw-r--r--    1 kwyong   UsersGrp      1766 Feb  2 21:32 debian
-rw-r--r--    1 kwyong   UsersGrp       399 Feb  2 21:32
drwxr-xr-x    1 kwyong   UsersGrp         0 Jul 22  2019 hostkeys
-rw-r--r--    1 kwyong   UsersGrp      1766 Aug  6  2018 id_rsa
-rw-r--r--    1 kwyong   UsersGrp       381 Aug  9  2018
-rw-r--r--    1 kwyong   UsersGrp     22485 Feb  2 17:18 known_hosts

Copy the public key to Debian with ssh-copy-id

$ ssh-copy-id -i /home/mobaxterm/.ssh/debian [email protected]

/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
stty: standard input: Inappropriate ioctl for device

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

Login to Debian and verify that /home/keyong/.ssh/authorized_keys is created successfully

$ ls /home/kwyong/.ssh

Login to Debian with Private Key from Windows 10

$ ssh -i /home/mobaxterm/.ssh/debian [email protected]
Enter passphrase for key '/home/mobaxterm/.ssh/debian':

Disable the Password Login in Debian and restart ssh

$ sudo nano /etc/ssh/sshd_config
    PasswordAuthentication no

#Restart SSH 
$ sudo systemctl restart sshd

Login from machines without the private key installed to verify SSH password login had been disabled

[Administrator.LAB-AD01] ➤ ssh [email protected]
Permission denied (publickey)


Change Hostname

$ sudo hostnamectl set-hostname debian10

Update /etc/hosts

$ sudo nano /etc/hosts       localhost debian10


List availble timezone in /usr/share/zoneinfo

$ sudo ls /usr/share/zoneinfo

Change the timezone to Asia/Kuala_Lumpur

$ sudo timedatectl set-timezone Asia/Kuala_Lumpur
$ sudo timedatectl
               Local time: Mon 2021-01-04 15:58:10 +08
           Universal time: Mon 2021-01-04 07:58:10 UTC
                 RTC time: Mon 2021-01-04 07:58:11
                Time zone: Asia/Kuala_Lumpur (+08, +0800)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

UFW Firewall

Install UFW Firewall

$ sudo apt install ufw 

By default, UFW is set to deny all incoming connections and allow all outgoing connections

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Allow inbound SSH, HTTP & HTTPS

$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https

Enable UFW

$ sudo ufw enable

Verify UFW is enable

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

Allow Specific Port Ranges

$ sudo ufw allow 6000:6007/tcp
$ sudo ufw allow 6000:6007/udp

Cockpit – WebUI for Server Management

Install and start cockpit

$ sudo apt install cockpit

# Start & Enable cockpit to start automatically when server is rebooted
$ sudo systemctl start cockpit
$ sudo systemctl enable cockpit.socket

Allow inbound TCP 9090

$ sudo ufw allow 9090/tcp

Login to cockpit via https://IP-ADDRESS:9090

Initial Setup Of Debian 10

Replace the default self-sign SSL Certification

Refer to my previous post on how to Generate Wildcard SSL Certificate from Let’s Encrypt

Verify that the cert.cer & cer.key are created successfully

PS C:\Users\kwyong\AppData\Local\Posh-ACME\\106285172\!> ls
    Directory: C:\Users\kwyong\AppData\Local\Posh-ACME\\106285172\!

Mode                LastWriteTime         Length Name                                             ----                -------------         ------ ----                                         
-a----       14/12/2020   2:44 PM           1838 cert.cer                                   
-a----       14/12/2020   2:44 PM           1708 cert.key                                         ```

Create a new file called AventisDev.cert with the content of cert.cer & cert.key

cat cert.key

cat cert.cer

nano AventisLab.cert


Upload the AventisDev.cert to Debian

$ scp AventisLab.cert [email protected]:/tmp

Copy the AventisDev.cert to /etc/cockpit/ws-certs.d and restart cockpit

# Copy to/etc/cockpit/ws-certs.d
$ cp /tmp/AventisDev.cert /etc/cockpit/ws-certs.d

# Restart Cockpit 
$ systemctl enable --now cockpit.socket

Verify AventisDev.cert is used for cockpit now

remotectl certificate
	certificate: /etc/cockpit/ws-certs.d/AventisLab.cert

Login to cockpit via https://FQDN:9090 to verify AventisDev.cert is used now

Next Install WordPress with LEMP on Debian 10
Table of Contents