Debian 7 Setup on Hyper-V, But Also in General
These notes were written for a Hyper-V VM installation, but are generic enough to use as a general reference.
Installation
- English SysLang, Norwegian Kb Layout.
- Manual network settings for static IP.
- Set domain to localdomain, unless FQDN.
- Only SSH Server and Standard System Utilities.
- Post-Edit sources.list to remove CD and use INET.
Installing a Webserver (LAMP)
# apt-get install apache2 php5 mysql-server
# apt-get install phpmyadmin
# apt-get install php5-curl
# a2enmod rewrite; service apache2 reload
Securing Apache Headers
# nano /etc/apache2/conf.d/security
ServerTokens Prod
ServerSignature Off
TraceEnable Off
# service apache2 reload
Prepping a User For SFTP & Webfiles
# adduser thronic
# chown root.root /home/thronic (needed for SFTP).
# nano /etc/passwd (Set /bin/false as shell).
# cd ~thronic; mkdir public_www
# chown thronic.thronic public_www
Adding a Website
# cd /etc/apache2/sites-available/
# cp default thronic.com.conf
# nano thronic.com.conf
NOTES (Updated for Apache 2.4 and/or Debian 8 "Jessie"):
Site configuration sample: domain.com.conf, domain.com.ssl.conf
# a2ensite thronic.com; service apache2 reload
Everything else is pretty much ready by default.
Check this article for adding a commercial CA or this article for adding a Let's Encrypt CA.
Setting Up GMAIL For Outgoing Mail
# apt-get remove exim*; apt-get purge exim*
# apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules postfix-pcre postfix-mysql
# nano /etc/postfix/main.cf
Add to end of main.cf:
# USE GMAIL,ZOHO,etc SMTP
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
Put in /etc/postfix/smtp_header_checks:
/^From:.*/ REPLACE From: ServerName <[email protected]>
Put in /etc/postfix/sasl_passwd:
[smtp.gmail.com]:587 [email protected]:pass
Secure and activate authentication:
# chmod 400 /etc/postfix/sasl_passwd
# postmap /etc/postfix/sasl_passwd
# service postfix restart
Test:
# echo "This is a test mail from X" | mail -s "Test mail" [email protected] -a "FROM:[email protected]"
# echo "This is a test mail from X" | mail -s "Test mail" [email protected]
^ Both should work; the last one checks that relaying with the default sender is allowed.
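The relay block above uses smtp_use_tls = yes, the legacy form of smtp_tls_security_level = may, so Postfix falls back to cleartext if STARTTLS is not offered. This added example (not part of the original notes) classifies a main.cf so you can confirm TLS is mandatory before the SASL login is sent. The function names are made up for the example, and page_main_cf reproduces the page's settings as sample input.

```shell
#!/bin/sh
# Added example: how strictly does main.cf protect the relay login?

# postfix_param FILE NAME -> last value assigned to NAME (Postfix keeps the
# last assignment). Values continued over several lines are out of scope.
postfix_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# relay_tls_state FILE -> prints one of:
#   mandatory      mail (and AUTH) is only sent over TLS
#   opportunistic  TLS is tried, cleartext is the fallback
#   none           no client-side TLS configured
relay_tls_state() {
    level=$(postfix_param "$1" smtp_tls_security_level)
    if [ -z "$level" ]; then
        # Legacy switches only count when the level itself is unset.
        if [ "$(postfix_param "$1" smtp_enforce_tls)" = "yes" ]; then
            level=encrypt
        elif [ "$(postfix_param "$1" smtp_use_tls)" = "yes" ]; then
            level=may
        fi
    fi
    case $level in
        encrypt|dane-only|fingerprint|verify|secure) echo mandatory ;;
        may|dane) echo opportunistic ;;
        *) echo none ;;
    esac
}

# The relay settings from this page, reproduced as sample input.
page_main_cf() {
    cat <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
EOF
}

# Usage: relay_tls_state /etc/postfix/main.cf
```

Adding smtp_tls_security_level = encrypt to main.cf moves the result from opportunistic to mandatory.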
Secure File Transfer (OpenSSH SFTP)
# nano /etc/ssh/sshd_config
Replace:
Subsystem sftp /usr/lib/openssh/sftp-server
With:
Subsystem sftp internal-sftp
Add to end of file:
Match User thronic
ChrootDirectory /home/thronic
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
# service ssh restart
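sshd refuses the login if the ChrootDirectory or any parent directory is not owned by root or is writable by group or others, which is why /home/thronic was chowned to root earlier. This added example (not part of the original notes) checks that rule for every path component. The function names are made up for the example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: check the ownership rule sshd applies to ChrootDirectory.

# component_ok UID MODE -> 0 when a directory with this owner uid and octal
# mode (as printed by GNU `stat -c %a`) is root-owned and not writable by
# group or others.
component_ok() {
    [ "$1" = "0" ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot DIR -> walks DIR and every parent up to /, prints each
# component sshd would reject, returns 1 if any was found.
check_chroot() {
    p=$1
    bad=0
    case $p in
        /*) ;;
        *) echo "need an absolute path: $p"; return 2 ;;
    esac
    while :; do
        if ! meta=$(stat -c '%u %a' "$p" 2>/dev/null); then
            echo "cannot stat: $p"; bad=1
        elif ! component_ok "${meta% *}" "${meta#* }"; then
            echo "owner uid/mode '$meta' rejected: $p"; bad=1
        fi
        if [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return "$bad"
}

# Usage with the page's layout:
#   check_chroot /home/thronic
```

Only the chroot and its parents are checked; public_www inside it stays owned by the user so uploads work.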
Add net.ipv4.tcp_sack=0 to /etc/sysctl.conf and run
sysctl -p
(faster uploads)
Setting Up Pulseway Monitoring
# wget https://www.pulseway.com/download/pulseway_x64.deb
# dpkg -i pulseway_x64.deb
# cd /etc/pulseway
# cp config.xml.sample config.xml
# nano config.xml
NOTES:
Mainly fill in username, password and computer name.
Password will be automagically encrypted on startup.
# service pulseway start
Fail2Ban Brute Force Protection
# apt-get install fail2ban
# nano /etc/fail2ban/jail.conf (make it strict)
^ bantime = 86400
findtime = 3600
maxretry = 3
Setting Up CIFS for Backup To NAS/SAN
For Mounting a Local Network Share For Backups.
Put in chmod 700 init scripts for boot consistency.
# apt-get install cifs-utils
# mkdir /MountPoint
# mount -t cifs -o username=user,password=pass,uid=n,gid=n //Host/Share /MountPoint
Backup of web files.
tar zcfp /var/www/userdomain.me/weekly-backup/FILES.tar.gz -C / var/www/userdomain.me/web
Backup of database.
mysqldump --user=username --password=password DatabaseName | gzip > /var/www/userdomain.me/weekly-backup/DATABASE.sql.gz
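Passwords given as password=pass or --password=password are visible to any local user through the process list while the command runs. This added example (not part of the original notes) writes them to mode 600 files and uses those files for the mount and mysqldump commands above. The function names, the CIFS_USER, CIFS_PASS, DB_USER and DB_PASS variables and the /root/.backup directory are assumptions for the example.

```shell
#!/bin/sh
# Added example: keep backup passwords out of argv.

# write_secret FILE -> store stdin in FILE with mode 600. umask covers a
# newly created file, chmod tightens one that already existed.
write_secret() {
    ( umask 077 && cat > "$1" ) && chmod 600 "$1"
}

# make_backup_creds DIR -> writes DIR/cifs.cred (mount.cifs credentials
# format) and DIR/mysql.cnf (MySQL option file). The four variables are
# expected to be set by the caller, for example from an interactive prompt.
make_backup_creds() {
    write_secret "$1/cifs.cred" <<EOF
username=$CIFS_USER
password=$CIFS_PASS
EOF
    write_secret "$1/mysql.cnf" <<EOF
[client]
user=$DB_USER
password="$DB_PASS"
EOF
}

# The page's commands, rewritten to read the secrets from those files
# (/root/.backup is a hypothetical directory, create it with mode 700):
#
#   make_backup_creds /root/.backup
#   mount -t cifs -o credentials=/root/.backup/cifs.cred,uid=n,gid=n //Host/Share /MountPoint
#   mysqldump --defaults-extra-file=/root/.backup/mysql.cnf DatabaseName | gzip > /var/www/userdomain.me/weekly-backup/DATABASE.sql.gz
#
# --defaults-extra-file has to be the first option on the mysqldump line.
```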
Checking Hyper-V Support
~$ lsmod | grep hv
hv_utils 12986 0
hv_netvsc 18304 0
hv_storvsc 17423 2
hv_vmbus 32029 4 hid_hyperv,hv_storvsc,hv_netvsc,hv_utils
scsi_mod 162269 5 libata,sr_mod,sg,hv_storvsc,sd_mod
Hyper-V Notes
VM tested and working (mostly) fine with live Windows Server Backup (-allCritical -systemState). I say mostly because I've registered that both Linux and Windows based VMs can have a tendency to briefly lose their HDD connection - albeit in a non-critical way - when VSS is called upon. This is when testing over time on 2012R2 and Windows 10 systems. 2008 and older will not even support live backups, but pause (saved state) the VM briefly instead.
smartmontools
Not necessarily important on a VM, but nice to have notes here when installing on bare-metal. I'm setting check interval to 30min and automatic mail when SMART error is found:
# apt-get install smartmontools
# nano /etc/smartmontools/run.d/10mail
^ Edit the mail command to include -a "FROM:[email protected]" or whatever accepted relay is. Maybe you don't need it, but I did when using Zoho as a mail relayer instead of gmail.
# nano /etc/default/smartmontools
^ start_smartd=yes
smartd_opts="--interval=1800"
# nano /etc/smartd.conf
^ DEVICESCAN -d removable -n standby -m [email protected] -M test -M exec /usr/share/smartmontools/smartd-runner
^ Remove '-M test' after using it to test if mails can get through. It's just for testing SMART mail error send.
# service smartd stop/start to test etc.