Introduction
This document provides basic installation and configuration instructions for setting up a Debian GNU/Linux 4.0 (Etch) system. You should already have a basic understanding of Linux and TCP/IP networking.
A lot of information can be found on the official Debian website http://www.debian.org/.
Installing and setting up the system can consume quite some time when you're doing this for the first time. Make sure you have some free time to spare...
Test configuration:
- Intel Pentium 4 3.4 GHz
- 1 GiB RAM
- 250 GiB SATA disk
- 3com 3c905 10/100 NIC
Downloading the ISO image
Debian can be downloaded in many different shapes and sizes. You will find download links and mirrors on the official Debian web site. This document is based on the Debian businesscard image version 4.0r6.
At 33 MiB it's rather small. After the base system is installed any additional packages will be downloaded from an official FTP mirror server.
Back-up
Partitioning the hard disk drive and formatting partitions will most likely result in loss of data. You are responsible for creating good back-ups of all important data on any disk drives that are in the system you're about to install a new operating system to. Always make back-ups of important files!!
Installation
Booting
Burn the ISO image you downloaded earlier onto a CD using an application like Alcohol 120%, Nero or PowerISO. Insert the disk into the computer you want to install Debian on and make sure booting from CD is enabled in the BIOS of your computer. With some computers you will have to press a key to choose the boot device.
When the computer boots the installer will load and you will be shown a boot prompt. Just hit <Enter> to boot with the 2.6 kernel.
Choose language
First step of the installation program is language selection. This documentation is based on English, but you can install in a different language if you want to. Select the language you prefer and press <Enter>.
Then you can select your location. The location is used for things like time zone and FTP mirror selection.
Select a keyboard layout
Configure the keyboard to suit your needs. If you don't know what to choose try the default option by pressing <Enter>.
Once you have selected your keyboard layout, the installer will detect hardware and install the appropriate drivers.
Configure the network
By default the installer will attempt to use DHCP to configure your network settings and ask you for a desired hostname.
However, if you want to set an IP address manually, you can press <Tab> twice to Go Back. Then choose Configure network manually.
Choose a mirror of the Debian archive
Here you can set up the apt installer system. We will be needing the suggested "network mirror" in order to install all the software we want to use. Select an FTP mirror near your location. If you want or need to use a proxy server you can set it up right away. I won't be using one myself.
Partition disks
It's very important that you partition your hard disk correctly. Partitions usually aren't changed once the system is up and running. What partition information is displayed in the partitioner depends on how you have used the hard disk before. If the disk is new (empty) you will see only FREE SPACE. If you want to make a multi boot system with Windows and Debian remember to install Windows first.
You can have the installer erase the entire disk and partition it automatically or you can choose to edit the partition table manually. I'll go ahead and choose manual. If there are any partitions already present on the disk you could delete them here. Of course you shouldn't delete the Windows partition when you are doing a multi boot setup. Deleting a partition will remove any data on that partition! The swap partition should be two times the size of the RAM you have in your computer, with a maximum of 2 GiB, which should be more than enough swap space.
To partition empty space on the hard disk select the Free Space with the <up> and <down> arrow keys. Press <Enter> and Create a new partition. My test PC has 1 GiB of RAM so I want my swap partition to be 2 GiB. Enter the correct value for your setup at the Size prompt. Choose Primary and Beginning to create the partition where the free space starts (fastest part of the hard disk drive). Next we must change the file system usage. Choose Use as from the menu and select swap area. Then choose Done setting up the partition to finish setting up the swap space.
The second partition Debian needs is a root partition. Select Free Space again, press <Enter> and choose Create a new partition from the menu. You can normally use all remaining space as suggested by the installer. This is also a Primary partition. The root partition will be used for applications, documents, help files, etc. Make sure you set the Bootable flag to on. Press Done setting up the partition again to finish setting up your root partition. To save the changes made to the partition table select Finish partitioning and write changes to disk from the menu. Select yes<Enter> to confirm.
Set up users and passwords
After the partitions are formatted you will need to set up a root password and create a new normal user account. Just follow the instructions up to the point where it will start copying files to the hard disk. This will take some time, hang in there.
Once the base system is installed the program will test the FTP mirror we configured earlier. This shouldn't give you any trouble so long as you have configured the network properly.
Configuring popularity-contest
The version of Etch I downloaded offers a way to send package usage information to the devs every week. I will go with the default option for now...
Software selection
The lazy way to get started is to choose from the predefined collections of software suggested by the installer. But installing manually is a lot more fun! Remove all check marks with the space bar and hit Continue.
Install the GRUB boot loader on a hard disk
You should install the GRUB boot loader into the Master Boot Record (MBR) of the hard disk as suggested. This is the best option in almost all situations. If you already have Windows installed on another partition on the same system, you will be asked what you want to do with the other operating system(s).
Finish the installation
Be sure to remove any CD and/or floppy disks from their drives before rebooting. Then select Continue to reboot.
Important directories
Below is an overview of the most important directories you'll find in the root partition of your Debian system.
| /etc | Application and system settings |
| /home | User home directories and website data |
| /var | Log files, email, databases, etc. |
| /usr | Applications installed by users |
| /boot | The kernel image |
| /dev | Devices like floppy drive, CD-ROM drive, etc. |
| /root | Root user's home directory |
| /mnt | Used for mounting devices |
| /lib | (Shared) program libraries |
| /bin and /sbin | (Links to) executables |
| /tmp | Temporary files, contents are deleted when system boots |
Useful commands
Here's a list of commands you might need sooner or later.
| whoami | Shows the name of the user that is currently logged into the system |
| w | Show who is doing what from where |
| finger <username> | Shows user info |
| reboot | Reboot computer; you can also use <Ctrl> + <Alt> + <Del> |
| halt | Shut down your computer |
| su | Switch user; use "su -" to switch to root user |
| top | Show summary of running processes and memory usage |
| ps aux | Show a list of all processes; use |grep [string] to show only entries that contain "string" |
| kill <process id> | Kill process with specified id |
| killall -9 <name> | Kills all processes with specified "name" |
| mount <device> <target> | Mount a filesystem |
| mount -a | Mount everything in /etc/fstab |
| ls | Lists directory contents; use "ls -al" to see file details and hidden files |
| cd <directory> | Change working directory to "directory"; use <Tab> to complete directory- and file names |
| pwd | Print current Working Directory |
| wc <filename> | Counts number of newlines, words, and bytes in specified file |
| cat <filename> | Show contents of the file specified |
| more <filename> | Show contents of the file specified, page by page (for viewing plain text files) |
| cp <source> <target> | Copy specified file(s); use "cp -R <directory>" to copy entire directory |
| mv <source> <target> | Move specified file(s); mv moves an entire directory without any extra option |
| rm <filename> | Deletes "filename"; use "rm -R <directory>" to delete entire directory and its contents |
| rm `find . | grep <filename>` | Deletes all files with the name "filename" in the current directory and all directories below |
| scp -pr <file/dir> <user>@<ipaddr>:/<directory> | Copies files or directories via SSH |
| dpkg -i <filename> | Install a .deb file |
| tar -xvf foo.tar | Unpack a .tar file |
| gzip -dv foo.gz | Unpack a .gz file |
| tar -xzvf foo.tar.gz | Unpack a .tar.gz file |
| tar -xjvf foo.tar.bz2 | Unpack a .tar.bz2 file |
| bzip2 -d <filename> | Unpack a .bz2 file |
| tar -czvf archive.tar.gz files | Pack files into archive.tar.gz |
| find / -name 'string*.*' | Search for files beginning with "string" |
| find / |grep string | Search for files containing "string" |
| find . -type f -exec chmod a-x {} \; | Removes any execute permissions from all files in the current directory and its subdirectories |
| find . -type f -exec touch -c -d "+1 hour" -r {} {} \; | Adds one hour to every file's modification and access time |
| find . -type f -mtime +14 -exec rm -v {} \; | Deletes all files in the current directory older than 14 days |
| which <program> | Shows the location of specified program |
| whereis <program> | Shows the directory or directories the specified program uses |
| date | Show or set system date and time |
| cal | Show calendar; use "ncal" for different lay-out |
| check and read your email | |
| <command> --help | Shows short description and parameters for "command" |
| man <command> | Shows manual for "command" |
| cfdisk | Shows information for partitions on your hard disk(s) and allows you to modify them; similar to fdisk under DOS |
| df | Shows file system information and free space |
| du -h --max-depth=1 | Shows directory sizes |
| ifconfig | Shows TCP/IP settings; similar to Windows NT/2k/XP ipconfig |
| ifconfig eth0 down | Takes down the network interface eth0 |
| ifconfig eth0 up <ip address> | Takes up eth0 with given IP address |
| route add default gw <gateway> metric 1 | Adds a network route to the routing table |
| dmesg | Prints kernel log |
| uname -a | Prints system info |
| lsof | Lists open files |
| lsof -Pni | Lists open sockets |
| traceroute <hostname/IP> | Show network route to given host; to troubleshoot network problems |
| whois <domain/IP> | Shows whois information about given domain name or IP address |
| ftp <server> | Connects to given FTP server |
| wget <URL> | Downloads the file at given URL to the current directory |
| wget -N -x -nH --cut-dirs=1 -r -l inf ftp://user:pass@host/dir | Downloads everything in <dir> to the current local directory |
| postqueue -p | Shows the postfix mail queue |
| postsuper -d <messageid> | Removes the message from the mail queue |
| somecommand >/dev/null 2>&1 | Suppress output by sending it to trash |
Basic customization
APT package management system
APT stands for Advanced Package Tool. APT will get the packages you want to install from a configured location. You can check the installation sources if you want.
vi /etc/apt/sources.list
Press the <d> key twice to delete a line. Press <i> to insert text and <Esc> to move around the file again. If you make a mistake you can quit vi by typing ":q!" without the quotes. Once you have the desired result you can save and quit with ":wq".
APT allows you to easily install software and updates as they become available. You might want to edit the sources to include packages from the contrib and non-free repositories. Also I prefer to use the FTP protocol over HTTP for downloading the sometimes large files.
Your sources.list file should look something like this, where XX is the country code for your nearest mirror.
deb ftp://ftp.XX.debian.org/debian/ etch main contrib non-free
deb-src ftp://ftp.XX.debian.org/debian/ etch main contrib non-free
deb http://security.debian.org/ etch/updates main contrib non-free
deb-src http://security.debian.org/ etch/updates main contrib non-free
Run these two commands to check for updates:
apt-get update
apt-get upgrade
If you get a message "The following packages have been kept back" when you upgrade, you should run a dist upgrade:
apt-get dist-upgrade
APT lets you install client applications and server software. Software installed with apt-get will automatically be updated with the apt-get upgrade command as updates become available.
Below is a list with the most important commands and options.
| apt-setup | Configure APT-sources |
| apt-cache search <name> | Look for package "name" in list of all available packages |
| apt-get install <name> | Installs package "name"; use --reinstall to reinstall a package |
| apt-get remove <name> | Remove package "name" |
| apt-get autoclean | Remove unused .deb files |
| apt-get clean | Remove all .deb files |
| aptitude purge <name> | Remove package "name" and its config files |
Midnight Commander
The first application I always install on a Debian Linux machine is Midnight Commander (MC). MC is a file manager that also includes a great text editor (mcedit), FTP connectivity and a lot more. You can install MC using the apt-get command.
apt-get install mc zip unzip bzip2
This will install mc, mcedit, zip, unzip and bzip2. The ZIP tools are used within MC to browse through compressed files. You can start MC by typing "mc" at the prompt. Press <F9> to open the menu. If you want you can change MC preferences under the "options" menu.
Personally I always change "Pause after run" to "Always" under the "Configure" menu. At "Layout" I'll turn off "menuBar visible", "hIntbar visible" and "Xterm window title". At "Confirmation" there is "confirm Exit" to turn off.
Also, since Debian Sarge, MC has two additional files in /usr/bin called "mcedit-debian" and "mcview-debian" which I have deleted. I do this because I really like the auto complete you get by pressing tab. And I've never had any trouble without these two files...
Remote management with SSH
Secure SHell can be used to open an encrypted telnet connection to your Debian server from any computer and any platform. The SSH server is no longer installed by default. You can use the apt-get tool to install it. You don't really need to do any configuration.
apt-get install ssh
In order to connect to the server with SSH2 you will need an SSH2 client. A very good SSH client is PuTTY (freeware). If you want, get PuTTY from the official website: http://www.chiark.greenend.org.uk/~sgtatham/putty/. Another program you can download from that website is "pscp" (PuTTY Secure Copy). You can use pscp to copy files between two different hosts (Windows and Linux) using the SSH protocol. Although I usually prefer an FTP client, pscp is still a very useful tool. PuTTY is easy to use but documentation can be found on its homepage should you need it.
If you want to be able to scroll back up and read previous output you can increase the Lines of scrollback.

Font preference is rather personal but you should check out Consolas. I prefer it on 11 points in size for easy reading.

Make sure you select the UTF-8 character set. In Debian Etch and newer UTF-8 is the default charset.

To save these settings go back to Session. Enter the Host name or IP address. Type a name you like (I called it "Yu" in the screenshot below). Then click Save. Now you can click Open or just double click the new entry you created.

User profiles
If you work from the console very often, you might want to change your bash profile somewhat. To change settings for a single user edit ~/.bashrc or ~/.bash_profile. To modify settings for all users edit /etc/profile to your liking.
mcedit ~/.bashrc
This file can contain various user settings. For example, if you want to turn off the power save feature of your monitor you can add this line to the file:
setterm -blank
To turn on Num Lock after rebooting:
setleds +num
You can also map aliases to certain commands. For instance, if you use "ls -al" a lot you can map "l" to this command:
alias ls='ls --color=auto -a'
alias l='ls --color=auto -al'
alias ds='du -h --max-depth=1'
alias mail='mail -a "Reply-To: <your e-mail address>"'
You'll have to log out and back in again to apply the changes.
Furthermore you can run commands after logging out. For example if you want to clear the screen after logging out:
mcedit ~/.bash_logout
Add these lines:
# When leaving the console clear the screen to increase privacy
if [ "$SHLVL" = 1 ]; then
    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
User quotas
If you are going to allow other people to use disk space on your server you may want to set a maximum amount of disk space one person may use.
apt-get install quota quotatool
Next the system has to be told what file systems are going to be controlled by the quota system.
mcedit /etc/fstab
Add two parameters to the file system that is mounted as / like this:
# /etc/fstab: static file system information.
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/sda3 / ext3 errors=remount-ro,usrquota,grpquota 0 1
/dev/sda2 none swap sw 0 0
Once that's done we have to remount the filesystem and create the quota files. Best way to do that is a simple reboot.
reboot
To assign a certain quota to a user you can use either the default edquota command or the quotatool we just installed. This sets a 100MB limit for username.
quotatool -u <username> -b -l 102400 -v /
You can view the current status for all users with the repquota command. This works only for the root user.
Other users can use the quota command. Omit the username to show quota for the user that runs the command. If you allow users shell access you can put this command in the /etc/profile file so that they get to see their quota when they log on. Using the -q switch will only show information when they are over quota.
repquota -as
quota -q <username>
Installing client applications
Basic tools
apt-get install iptraf host whois lsof
The colorful IP Traffic Monitor shows active TCP/IP connections from and to your computer. The host command is used to lookup an IP address or hostname, whois shows contact information for a domain name and lsof shows opened files and network connections.
apt-get install less
The less application is a better "more" used to display text files. It will also allow you to navigate back and forth with the arrow keys when you use the man command, which is just so much better.
apt-get install multitail
MultiTail is similar to tail but adds the possibility to open multiple files at once. You can monitor several log files at the same time in the same terminal window. You can also merge files or monitor directories. And it lets you filter or color code phrases. See the website for more information and examples.
Webmin
Webmin is a web-based administration interface for most Unix and Linux distributions. Debian is also supported. Webmin allows you to change settings of most server applications, manage users and groups, change TCP/IP settings and lots more. Webmin can also be installed with apt-get, but I have found it easier to install manually from the .tar.gz file, because it includes all available modules.
Before you begin installing you must have the link to the Webmin .tar.gz file. You can look for this link on the official Webmin site (http://www.webmin.com/). To install webmin:
apt-get install libnet-ssleay-perl    # for secure connection, installs perl as well
cd /usr/share
wget <link to webmin-x.xxx.tar.gz>    # download Webmin installation package
tar -xzf webmin-x.xxx.tar.gz          # unpack archive
rm webmin-x.xxx.tar.gz                # delete archive
cd webmin-x.xxx
./setup.sh                            # run Webmin installation
During the installation you should use the default options for directory locations. You can use the username and password of your choice. Answer y to Use SSL and y to Start Webmin at boot time.
Once Webmin is fully installed you can open it by loading "https://<ipaddress>:10000/" in your browser.
I personally prefer the "Old Webmin theme" because it is very fast. You can change this setting in "Webmin" -> "Webmin Configuration" -> "Webmin Themes".
Screen
The Screen program is a terminal multiplexor used to run multiple "screens" on one console or SSH session. You can open a screen session, start a program, and detach from the session with the program still running. Screen is often used to run dedicated game servers or time consuming applications.
apt-get install screen
You can start using it by running the executable. Once inside a screen session press Ctrl+a followed by d to detach from it.
screen              # starts a new screen session
screen -list        # show screen sessions
screen -r <pid>     # re-opens screen session, use pid if more than 1 session is running
screen -d           # detach running screen sessions
Server applications
Postfix
Postfix is a fast and reliable SMTP mail server. Out of the four most used MTAs I think it's the most complete and easy to configure. It integrates nicely with SpamAssassin and ClamAV and supports MySQL connectivity.
The official website is filled with documentation and sample configurations.
apt-get install postfix
Read the instructions very carefully and choose the options that fit your situation or needs. If you'd like, have a look at the config file after the installer finishes. Remember to reload postfix if you made changes to the file.
mcedit /etc/postfix/main.cf
/etc/init.d/postfix reload
ProFTPd
One of the most popular FTP servers is ProFTPd. It's easy to configure and well documented.
apt-get install proftpd
Installation is very straightforward. I will be running the server in standalone mode. You should do some configuration however.
mcedit /etc/proftpd/proftpd.conf
Change the default ServerName to the name of your liking. After IdentLookups add:
UseReverseDNS off
TimesGMT off
AllowStoreRestart on
Most of the time you won't really need to log reverse DNS for every connection to your server. The TimesGMT off directive will make the FTP server show times in your local time zone. This is less confusing if the server is configured to the same time zone as most of its users. If you only use IPv4 you should turn off "UseIPv6".
Also make sure IdentLookups is set to off. If you don't set this most people will get an annoying delay when they are logging into your server.
If your server is behind a NAT device, for example when your server has IP address 192.168.0.1 and according to whatismyip.org your external IP address is different, make sure to add the following line, where x.x.x.x is the address you see at whatismyip.org. Note that you have to disable any proxy server to see your external IP address!
MasqueradeAddress x.x.x.x
Uncomment the DefaultRoot ~ setting to keep users inside their home directory. Uncomment PassivePorts and choose a range that you can open in your firewall/NAT to allow passive mode FTP. I use 21050-21059 for example. Change ListOptions to "-al" to have the FTP server list hidden files and directories, for example to see your .htaccess files in your FTP client.
Linux users on the system that have a valid shell can log onto the FTP server. So if you want to enable access for a new user just add the account to the Linux users.
useradd -d /var/www -g www-data -s /bin/bash <newname>
passwd <newname>
If you want Anonymous Access enabled you need to uncomment the Anonymous section. If you also want to enable an Anonymous incoming (upload) directory you have to uncomment the <Directory incoming> part in the <Anonymous ...> section of your proftpd.conf. Be very careful though with this option, since it's very unsafe...
When running a server with anonymous access you should set the maximum number of connections per client in the Anonymous section, with this line:
Save your settings and reload proftpd:
/etc/init.d/proftpd restart
If you have enabled an Anonymous incoming directory you need to create it and change ownership.
mkdir ~ftp/incoming
chown ftp:nogroup ~ftp/incoming
MySQL5
MySQL 5 is currently the default Candidate in Etch. It's very easy to install and you only need to check some minor configuration.
apt-get install mysql-server
You can find the MySQL config file here:
mcedit /etc/mysql/my.cnf
By default only localhost can open a connection to the database. Most people use SQL managers and tools from a workstation to manage their server. For a more flexible setup close port 3306 using a firewall, so that strangers can't access the MySQL server from the internet but you can. Search for "bind-address" and comment it out. Save your changes and restart MySQL.
/etc/init.d/mysql restart
Then to add a new user and change the root password (replace "yourname" and "newpass"):
mysql -u root mysql
mysql> UPDATE user SET Password=PASSWORD('newpass') WHERE user='root';
mysql> FLUSH PRIVILEGES;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'yourname'@'%' IDENTIFIED BY 'newpass' WITH GRANT OPTION;
mysql> QUIT;
Next time you want to use the MySQL console you must specify that you want to use a password with the -p option:
mysql -u root -p
Important note: When restoring your old mysql.user database/table from back-up, you need to make sure the new "debian-sys-maint" user doesn't get an old password. When this happens you will get an error "Failed" when (re)starting MySQL. In your log you will see something like "Access denied for user: 'debian-sys-maint@localhost' (Using password: YES)". MySQL will run this way but you should still fix the debian-sys-maint user account. Here's how...
Open the file /etc/mysql/debian.cnf and note (or copy) the password mentioned there. Execute these two queries from the MySQL console to set the correct password (replace "newpass"):
update mysql.user set Password=password('newpass') where User='debian-sys-maint';
flush privileges;
You should now be able to start MySQL without errors.
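Once bind-address is commented out as described earlier in this section, mysqld listens on every interface, so it is worth confirming which services are reachable from other hosts before relying on the firewall. The script below is an added example, not part of the original guide; it classifies listeners from "lsof -Pni" output and goes beyond MySQL to cover the other servers installed on this page. The sample lsof lines, the function names and the allow list of ports are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify listening sockets from "lsof -Pni" output.
# The lsof lines below are constructed, not captured from a real host.

# Reads lsof -Pni output on stdin and prints, sorted and de-duplicated:
#   <scope> <proto> <port> <command>
# scope: ALL   = wildcard bind (*, 0.0.0.0, [::]), reachable on every interface
#        LOCAL = loopback bind, only reachable from the machine itself
#        ADDR  = bound to one specific non-loopback address
classify_listeners() {
    awk '
        {
            p = 0
            # The SIZE column is empty for sockets on some lsof versions, so
            # locate the protocol field instead of counting columns.
            for (i = 1; i <= NF; i++)
                if ($i == "TCP" || $i == "UDP") { p = i; break }
            if (p == 0 || p == NF) next          # header or non-socket line
            proto = $p; name = $(p + 1); state = $(p + 2)
            if (name ~ /->/) next                # connected socket, not a listener
            if (proto == "TCP" && state != "(LISTEN)") next
            n = split(name, part, ":")
            port = part[n]
            addr = substr(name, 1, length(name) - length(port) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") scope = "ALL"
            else if (addr ~ /^127\./ || addr == "[::1]") scope = "LOCAL"
            else scope = "ADDR"
            print scope, proto, port, $1
        }
    ' | LC_ALL=C sort -u
}

# Reads classify_listeners output on stdin and prints "<proto>/<port> <command>"
# for every listener reachable from other hosts whose port is not in the
# space-separated allow list given as $1.
unexpected_public() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LOCAL" && !($3 in ok) { print $2 "/" $3, $4 }
    '
}

# Constructed sample: the servers from this guide after bind-address was
# commented out in my.cnf, with snmpd still bound to loopback.
sample_lsof() {
cat <<'EOF'
COMMAND   PID     USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     2301     root    3u  IPv6   5432       TCP *:22 (LISTEN)
sshd     2950     root    3u  IPv6   7011       TCP 192.168.0.1:22->192.168.0.50:51234 (ESTABLISHED)
master   2600     root   11u  IPv4   6100       TCP *:25 (LISTEN)
proftpd  2650  proftpd    0u  IPv4   6150       TCP *:21 (LISTEN)
mysqld   2450    mysql   10u  IPv4   6001       TCP *:3306 (LISTEN)
apache2  2800     root    3u  IPv4   6300       TCP *:80 (LISTEN)
apache2  2801 www-data    3u  IPv4   6300       TCP *:80 (LISTEN)
perl     2700     root    5u  IPv4   6400       TCP *:10000 (LISTEN)
perl     2700     root    6u  IPv4   6401       UDP *:10000
snmpd    2750     snmp    8u  IPv4   6200       UDP 127.0.0.1:161
EOF
}

echo "Listeners:"
sample_lsof | classify_listeners
echo "Reachable from other hosts but not on the allow list (21 22 25 80):"
sample_lsof | classify_listeners | unexpected_public "21 22 25 80"
```

On a live system, replace `sample_lsof` with `lsof -Pni` run as root; every port the second list reports needs either a firewall rule or a loopback bind.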
Apache2
Well known webserver. Installation doesn't require any user intervention. When the installation is complete you can open "http://<ipaddress>" in your browser to see if the server is running. The default website directory is /var/www/.
apt-get install apache2-mpm-prefork
I need the prefork variant because PHP5 won't work on a multi threaded Apache. When running just one website you don't need to do any configuration. Apache2 has its main config file at /etc/apache2/apache2.conf. You can add custom configs to the conf.d directory which will make it easier to upgrade to a new version later on.
To properly use host header names for multiple websites on one IP address you will have to do this once:
mcedit /etc/apache2/conf.d/default
Add these lines:
NameVirtualHost ip_address
LogLevel emerg
LogFormat "combined"
<Directory /home/*/web>
AllowOverride All
Options All -Indexes
</Directory>
<Directory /home/*/beta>
AllowOverride All
Options All -Indexes
</Directory>
Now reload Apache.
/etc/init.d/apache2 reload
PHP5
PHP is a programming language for the web. PHP5 has many new features compared to PHP4. There are several ways to install PHP. But since most of the servers I installed are used for shared hosting I use suPHP.
suPHP is used to run PHP scripts as the user that owns them. This causes more load on the server and is a little slower, but it has many advantages. For starters it will allow CMS applications to write to a user's web directory without the need for the user to fiddle with permissions. It will also set the correct owner on HTTP uploaded files (very common with CMS and image gallery tools). Files uploaded with the correct owner will be added to the user's quota and can be changed or deleted with an FTP client. Finally it should be slightly more secure.
apt-get install libapache2-mod-suphp php5-cgi php5-cli php5-gd php5-mysql
The cli package is a command-line interpreter you can use to test a script on the command-line, or schedule certain tasks by running the script from cron. The gd package is used for image manipulation and such.
Because I use the group www-data (GID 33) for my web user accounts and their files are in /home/<domain_name> I have to change suPHP's config a little.
mcedit /etc/suphp/suphp.conf
The docroot setting has to be /home and min_gid has to be 33. I've also set the umask to the Linux/ProFTPd default of 0022. Finally make sure the values for x-httpd-php and x-suphp-cgi are encapsulated in quotes, since that will be required in version 0.7.0 and higher of suPHP!
If you still get errors check out the log at /var/log/suphp/suphp.log
Note that suPHP doesn't support the use of php_flag, php_value or php_admin_value in .htaccess files or in your Apache configs. If you use them anyway you will get a nice 500 Internal Server Error.
If you want to make changes to the global settings you should create a new file in /etc/php5/conf.d which will be included automatically overwriting the defaults. This way your custom config won't be lost if you upgrade the software and default php.ini file. Here are some settings you should take a look at.
mcedit /etc/php5/conf.d/default.ini
File could look something like this:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Default customized settings ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Prevent usage of insecure functions
disable_functions = dl,set_time_limit,exec,shell_exec,system,passthru,popen,pclose,proc_open,proc_close,proc_get_status,proc_terminate,proc_nice,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,diskfreespace,disk_free_space,disk_total_space
; Allow users to upload bigger files
upload_max_filesize = 10M
; Don't set old (and deprecated) $HTTP_*_VARS for better performance
register_long_arrays = Off
; Set output buffer for better performance
output_buffering = 4096
; Disable $argc and $argv which aren't used by cgi
register_argc_argv = Off
; Don't automatically add slashes to all input data, instead use addslashes() for data you are saving to a database
magic_quotes_gpc = Off
; Don't hash variables into $_ENV, use getenv() instead
variables_order = "GPCS"
; Log all errors for more stable, predictable and secure code
error_reporting = E_ALL
; Cleaner code
allow_call_time_pass_reference = Off
; Don't allow <? ?> style tags for better portability
short_open_tag = Off
MySQL and GD modules should already be enabled automatically in separate .ini files in /etc/php5/conf.d/
Restart Apache whenever you make any changes:
/etc/init.d/apache2 restart
SNMP
SNMP stands for Simple Network Management Protocol. It can be used for various tasks, one of which is CPU, memory and network monitoring with a program like MRTG (see below).
apt-get install snmp snmpd
Now, look for "com2sec" in the config file "/etc/snmp/snmpd.conf". Make sure the "paranoid" and "readwrite" lines are commented out with "#" and the "readonly" line is not. If you are collecting data from another PC you will need to give it access by editing the "/etc/default/snmpd" file and removing the " 127.0.0.1" part from SNMPDOPTS. Save your changes and restart.
/etc/init.d/snmpd restart
If you need to secure the snmpd server by source IP address you can change the "default" portion of com2sec (in /etc/snmp/snmpd.conf) to an IP address or subnet. Or use the "agentaddress" configuration option (see "man snmpd.conf").
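The two settings edited above decide who can query the agent: the com2sec source and whether snmpd is still bound to 127.0.0.1. The script below is an added example, not part of the original guide, that reports both and combines them into one verdict; the function names and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: report who can query snmpd, based on the two files this
# section edits. Function names and sample file contents are constructed.

# audit_com2sec FILE
# One line per active com2sec entry: <verdict> <secname> <source> <community>
# OPEN = source is "default" (any address), RESTRICTED = address or subnet.
audit_com2sec() {
    awk '
        $1 ~ /^#/ { next }                  # commented out, so inactive
        $1 == "com2sec" && NF >= 4 {
            verdict = ($3 == "default") ? "OPEN" : "RESTRICTED"
            print verdict, $2, $3, $4
        }
    ' "$1"
}

# audit_snmpdopts FILE
# LOOPBACK while SNMPDOPTS still names 127.0.0.1, ALL_INTERFACES once the
# address has been removed as described above.
audit_snmpdopts() {
    if grep -E '^[[:space:]]*SNMPDOPTS=.*127\.0\.0\.1' "$1" >/dev/null; then
        echo LOOPBACK
    else
        echo ALL_INTERFACES
    fi
}

# snmp_exposure SNMPD_CONF DEFAULTS_FILE
# EXPOSED when the agent listens on all interfaces and at least one active
# com2sec entry accepts any source address; LIMITED otherwise.
snmp_exposure() {
    if [ "$(audit_snmpdopts "$2")" = ALL_INTERFACES ] &&
       audit_com2sec "$1" | grep '^OPEN ' >/dev/null; then
        echo EXPOSED
    else
        echo LIMITED
    fi
}

# --- constructed sample files --------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# snmpd.conf as this section leaves it: only "readonly" active, any source.
cat > "$SAMPLE_DIR/snmpd.any.conf" <<'EOF'
#       sec.name  source          community
#com2sec paranoid  default         public
com2sec readonly  default         public
#com2sec readwrite default         private
EOF

# Same file with "default" replaced by a subnet.
cat > "$SAMPLE_DIR/snmpd.subnet.conf" <<'EOF'
#com2sec paranoid  default         public
com2sec readonly  192.168.0.0/24  public
#com2sec readwrite default         private
EOF

# /etc/default/snmpd before and after removing " 127.0.0.1".
cat > "$SAMPLE_DIR/default.local" <<'EOF'
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
EOF
cat > "$SAMPLE_DIR/default.remote" <<'EOF'
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'
EOF

for conf in snmpd.any.conf snmpd.subnet.conf; do
    for defaults in default.local default.remote; do
        printf '%-18s %-15s %s\n' "$conf" "$defaults" \
            "$(snmp_exposure "$SAMPLE_DIR/$conf" "$SAMPLE_DIR/$defaults")"
    done
done
```

Only the combination of an any-source com2sec entry with SNMPDOPTS lacking 127.0.0.1 is reported as EXPOSED, which is the state to avoid when another PC collects the data.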
Test the new config with the snmpwalk command.
snmpwalk -Os -v 1 -c public localhost memory
snmpwalk -On -v 1 -c public <IPaddress> system
If all is installed correctly you will see some information. OID examples are:
| snmpwalk -Os -v 1 -c public <IP> 1.3.6.1.2.1.25.3.3.1.2.x | Windows XP CPU usage |
| snmpwalk -On -v 1 -c public localhost processor | Available processor properties |
| snmpwalk -On -v 1 -c public localhost host | Available host properties |
| snmpwalk -Os -v 1 -c public <IP> | All available properties |
MRTG (Multi Router Traffic Grapher)
MRTG can be used to generate graphs of all sorts of server performance data like CPU and network utilization, free memory and much more. There's extensive documentation at the official website. The MRTG settings are in /etc/mrtg.cfg. Before using it you will need to create the working directory (workdir) for MRTG, as it will not do this for you.
apt-get install mrtg
mkdir /var/www/mrtg
With the default configuration file MRTG doesn't really do anything. You will need to add configuration directives for the devices you want to monitor. There are many examples on the internet and there is a library on the MRTG homepage. But you can also generate a config for almost any kind of network device with the cfgmaker command. To add graphs for the network interfaces on your Debian server use:
cfgmaker localhost >> /etc/mrtg.cfg
Here are sample configs to graph Linux CPU and memory usage.
# CPU usage localhost
Target[localhost.cpu]: 1.3.6.1.4.1.2021.10.1.3.2&1.3.6.1.4.1.2021.10.1.3.2:public@127.0.0.1 * 100
Options[localhost.cpu]: gauge, integer, noi
MaxBytes[localhost.cpu]: 1000
YLegend[localhost.cpu]: Load average
ShortLegend[localhost.cpu]: %
LegendO[localhost.cpu]: load:
Title[localhost.cpu]: localhost -- Load average
PageTop[localhost.cpu]: <h1>localhost -- Load average</h1>
# Memory usage localhost
Target[localhost.mem]: 1.3.6.1.2.1.25.2.3.1.5.1&1.3.6.1.2.1.25.2.3.1.6.1:public@127.0.0.1
Options[localhost.mem]: gauge, integer
kilo[localhost.mem]: 1024
kMG[localhost.mem]: k,M,G,T,P
MaxBytes[localhost.mem]: 10485760
YLegend[localhost.mem]: Memory usage
ShortLegend[localhost.mem]: B
LegendI[localhost.mem]: total:
LegendO[localhost.mem]: used:
Title[localhost.mem]: localhost -- Memory usage
PageTop[localhost.mem]: <h1>localhost -- Memory usage</h1>
After you've added SNMP sources MRTG will start to collect data and generate pages and images in the specified directory. You can use the indexmaker command to create a summary page, containing graphs with the most recent data. Of course you can also make your own pages.
indexmaker /etc/mrtg.cfg > /var/www/mrtg/index.html
Go ahead and check it out by opening http://<ipaddress>/mrtg/index.html. Remember though that MRTG runs every 5 minutes, so it can take a little while for the graphs to be built.
MRTG has a ton of options you can play with. If you will be generating a lot of graphs you may want to know that you can use the underscore to specify a global value that is applied to all items. Use ^ to prefix a value to all items and $ to suffix. Here's an example of how you can use this:
Options[^]: growright,unknaszero,noinfo,nopercent,nobanner,nolegend,pngdate
PageTop[^]: <h1>
PageTop[$]: </h1>
Colours[_]: BLUE#99CCCC,RED#CC0000,DARK GREEN#006600,VIOLET#ff00ff
PageFoot[_]: <p> </p>
AddHead[_]: \n
  <style type="text/css">
  body {
    font-family: Verdana, Arial, Helvetica, sans-serif;
    font-size: 10pt;
  }
  </style>
If you want to query a Windows PC you'll most likely have to install and configure the SNMP service and also add a read-only community name "public" in the SNMP service settings. Here are a few sample configs to get graphs from a Windows computer:
# Windows PC network traffic
Target[mywindows.traf]: /<ipaddress>:public@<ipaddress>:
kilo[mywindows.traf]: 1024
SetEnv[mywindows.traf]: MRTG_INT_IP="<ipaddress>" MRTG_INT_DESCR="LAN"
MaxBytes[mywindows.traf]: 2883584
AbsMax[mywindows.traf]: 14417920
Title[mywindows.traf]: mywindows -- Network traffic
PageTop[mywindows.traf]: mywindows -- Network traffic
# CPU usage on Windows
Target[mywindows.cpu]: WaLK0.1.3.6.1.2.1.25.3.3.1.2&WaLK1.1.3.6.1.2.1.25.3.3.1.2:public@<ipaddress>
Options[mywindows.cpu]: gauge, integer
Unscaled[mywindows.cpu]: dwmy
MaxBytes[mywindows.cpu]: 100
YLegend[mywindows.cpu]: CPU load
ShortLegend[mywindows.cpu]: %
LegendI[mywindows.cpu]: core 1:
LegendO[mywindows.cpu]: core 2:
Title[mywindows.cpu]: mywindows -- CPU load
PageTop[mywindows.cpu]: mywindows -- CPU load
# Processes/Users Windows
Target[mywindows.procs]: 1.3.6.1.2.1.25.1.6.0&1.3.6.1.2.1.25.1.5.0:public@<ipaddress>
Options[mywindows.procs]: gauge, integer
MaxBytes[mywindows.procs]: 523444000
YLegend[mywindows.procs]: Processes/Users
ShortLegend[mywindows.procs]:
LegendI[mywindows.procs]: procs:
LegendO[mywindows.procs]: users:
Title[mywindows.procs]: mywindows -- Processes/Users
PageTop[mywindows.procs]: mywindows -- Processes/Users
After changing your MRTG config file you should manually run mrtg to see if your config file contains any errors:
mrtg /etc/mrtg.cfg
Network Time Protocol daemon
The ntpd application is used to synchronize local system time with very accurate servers on the internet. The daemon can also distribute this time to the rest of the computers on your local network.
apt-get install ntp rdate
You can configure it to use any time source you want by editing /etc/ntp.conf. There are extended lists of public NTP servers at support.ntp.org. There are also server pools you can use. As always restart the daemon after making changes.
To manually correct (large) time differences you can use the "rdate" tool.
rdate <ntp_server_address>
Samba Windows File Sharing
Samba can be used to connect to directories shared on networked Windows computers. The server allows you to share directories on your Linux computer so that Windows PCs can access them.
Client
apt-get install smbclient smbfs
The installer will ask for a workgroup/domain name first. If you don't know what to enter here, just use "WORKGROUP". The smbclient program is used to browse the shared directories on a Windows computer. Type ?<Enter> to see a list of available commands.
smbclient //<IPaddress>/<SharedFolder> -U <UserName>
You can also mount an smb shared folder, making it easy to work with the files and directories.
cd /mnt
mkdir <mountname>
mount -t smbfs -o username=<UserName> //<IPaddress>/<SharedFolder> /mnt/<mountname>
After providing a password you should be able to cd into the newly created directory and view/manipulate the files and directories in there. For a more permanent solution we'll have to add the connection to the /etc/fstab file. Add a new line like the one below.
//<IPaddress>/<SharedFolder> /mnt/<mountname> smbfs username=<Username>,password=<Password> 0 0
Server
apt-get install samba
At the end of the installation process you will see a list of Unix users that have been imported into the list of Samba users. If the installer has imported your account you will still have to set its password.
smbpasswd <myname>
Remember that new Unix users do not automatically get a Samba account! So if you need to add a new user that can use the file share on your Debian server you must add both the Unix user and the Samba user.
useradd -m -s /bin/bash -U <newuser>
smbpasswd -a <newuser>
Furthermore, in an attempt to make Samba as secure as possible, it will not allow anyone to write to their home directory. You will have to change this in the Samba config file.
mcedit /etc/samba/smb.conf
Search for [homes] and change the read only setting in this section to no. As always, reload Samba's configuration by restarting the daemon.
/etc/init.d/samba restart
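Back to the permanent client mount in /etc/fstab: that file is readable by every local user, so a password= option in it is visible to all of them. As an added example (not part of the original guide), this shell function moves the username and password of such entries into credentials files that only their owner can read; the function name, paths and sample values are constructed, and the credentials= mount option is described in man smbmount.

```shell
#!/bin/sh
# Added example: move inline smbfs passwords out of an fstab-style file.

# split_smb_credentials FSTAB CREDDIR
# Prints FSTAB to stdout; on active smbfs lines that carry password=, the
# username=/password= options are replaced by credentials=CREDDIR/<n>.cred
# and written to that file instead. Runs in a subshell so the umask change
# stays local. Rewritten lines come out single-space separated.
split_smb_credentials() (
    umask 077                          # new files 0600, new directory 0700
    mkdir -p "$2"
    awk -v dir="$2" '
        $1 !~ /^#/ && $3 == "smbfs" && index("," $4, ",password=") {
            n++; file = dir "/" n ".cred"; opts = ""
            cnt = split($4, o, ",")
            for (i = 1; i <= cnt; i++) {
                if (o[i] ~ /^(username|password)=/) print o[i] > file
                else opts = opts o[i] ","
            }
            close(file)
            $4 = opts "credentials=" file
        }
        { print }
    ' "$1"
)

# Constructed sample in the shape of the guide's fstab line.
work=$(mktemp -d)
cat > "$work/fstab" <<'EOF'
/dev/sda1 / ext3 defaults 0 1
//192.0.2.10/docs /mnt/docs smbfs username=alice,password=Constructed1,uid=1000 0 0
EOF

split_smb_credentials "$work/fstab" "$work/creds"
ls -l "$work/creds"
rm -rf "$work"
```

On a real system, review the printed result before replacing /etc/fstab with it, and keep the credentials directory owned by root.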
Cross-distribution package installation
This section describes how to install a Debian package from a distribution or branch other than the distribution the server is running. You can use this method to install a newer version of a specific package, or a package that is not yet in the stable branch. The examples are based on PHP5, but you can replace that with the package you need. The method described here is very tricky, so you should only use it if you have no other choice.
First thing we need to do is let the Apt system know we want to include packages from the testing distribution.
mcedit /etc/apt/sources.list
Add two lines to include the distribution you need, like unstable:
deb ftp://ftp.debian.org/debian/ unstable main contrib non-free
deb-src ftp://ftp.debian.org/debian/ unstable main contrib non-free
Now we have to download the lists with available packages; no software is installed at this point.
apt-get update
Having downloaded the lists with all available packages you can view package information with the apt-cache command.
apt-cache policy php5
apt-cache policy mysql-server
You can see the installed version of an application, the latest available version and a list of what version is in what distribution. You'll also see a number (100, 500, etc) in the Version Table which indicates the priority.
Packages in testing and unstable should normally have a lower priority than packages in stable. If you include more than one branch you must create a preferences file or all packages will come from testing when you install/upgrade! You should only pin a higher priority to the specific packages you need from the less stable branch. Also read man apt_preferences.
mcedit /etc/apt/preferences
Make it so it looks like this:
Package: php5
Pin: release a=unstable
Pin-Priority: 900

Package: *
Pin: release a=unstable
Pin-Priority: 200
Now have a look at this again:
apt-cache policy php5
apt-cache policy mysql-server
For more information on a package use:
apt-cache show -a php5
Use apt-show-versions for an overview of installed software (this tool isn't installed on Debian by default).
apt-get install apt-show-versions
apt-show-versions | fgrep /testing
As you will discover sooner or later this way of obtaining newer versions of software will work for some applications. But when an application depends on (newer versions of) other packages it won't allow you to install the package you want unless you get more from the less stable branch.
Dotdeb
So how then do you get new packages and not make a mess of your server? This is where backport repositories come in.
A very useful one is Dotdeb, which has very up-to-date versions of PHP and MySQL. These packages have been backported from testing or unstable to work with the stable distribution. To add this repository all you need to do is add these lines to your sources.list file:
deb http://packages.dotdeb.org/ stable all
deb-src http://packages.dotdeb.org/ stable all
Now do an update again. As discussed before you can view the new installation candidate with apt-cache.
apt-get update
apt-cache policy php5
apt-cache policy mysql-server
See http://www.dotdeb.org/ for more information and mirrors.
Backports.org
This is one of the largest backport repositories for Debian. If you are going to use this one you should pin the proper priorities for the packages you need.
Say you want to install a recent version of Mutt. Open /etc/apt/sources.list, and add this line at the bottom:
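deb http://www.backports.org/debian etch-backports main contrib non-free
Now import the GPG key and run an update. The key is fetched over plain HTTP, so verify its fingerprint against a trusted source before relying on it.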
wget -O - http://backports.org/debian/archive.key | apt-key add -
apt-get update
Next open /etc/apt/preferences, making a new file if it doesn't exist already. Add these lines:
Package: mutt
Pin: release a=etch-backports
Pin-Priority: 999

Package: *
Pin: release a=etch-backports
Pin-Priority: 200
Now run apt-get install mutt as usual.
An alternative to using /etc/apt/preferences is this:
apt-get -t etch-backports install mutt
See http://backports.org/ for more information and mirrors.
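Both preferences files shown so far (php5 from unstable, mutt from etch-backports) pair a high-priority pin for one package with a low-priority "Package: *" pin for the same release. This added example, which is not from the original guide and uses a constructed function name and sample file, reports releases where that catch-all stanza is missing; it takes 500, APT's default priority for versions outside the target release, as the threshold.

```shell
#!/bin/sh
# Added example: find releases in an APT preferences file that have a
# package-specific pin but no low-priority catch-all.

# uncapped_releases PREFS
# Prints every a=<release> that is pinned for a named package but lacks a
# "Package: *" stanza with Pin-Priority below 500 (APT's default priority
# for versions outside the target release, per apt_preferences(5)).
uncapped_releases() {
    awk '
        BEGIN { RS = ""; FS = "\n" }   # one blank-line-separated stanza per record
        {
            pkg = ""; rel = ""; prio = 0
            for (i = 1; i <= NF; i++) {
                line = $i
                if (sub(/^Package:[ \t]*/, "", line)) pkg = line
                else if (sub(/^Pin-Priority:[ \t]*/, "", line)) prio = line + 0
                else if (line ~ /^Pin:[ \t]*release/ && match(line, /a=[^, \t]+/))
                    rel = substr(line, RSTART + 2, RLENGTH - 2)
            }
            if (rel == "" || pkg == "") next
            if (pkg != "*") wanted[rel] = 1
            else if (prio < 500) capped[rel] = 1
        }
        END { for (r in wanted) if (!(r in capped)) print r }
    ' "$1" | sort
}

# Constructed sample: the guide's php5/unstable stanzas, plus a mutt pin
# for etch-backports whose catch-all stanza has been left out.
prefs=$(mktemp)
cat > "$prefs" <<'EOF'
Package: php5
Pin: release a=unstable
Pin-Priority: 900

Package: *
Pin: release a=unstable
Pin-Priority: 200

Package: mutt
Pin: release a=etch-backports
Pin-Priority: 999
EOF

uncapped_releases "$prefs"      # prints: etch-backports
rm -f "$prefs"
```

The stanzas must be separated by blank lines for both APT and this check to read them as separate records.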
Debian Volatile
Debian Volatile adds new versions of mainly spam filtering and virus scanning packages. If you use SpamAssassin, ClamAV, etc. you should seriously consider using Volatile. This is what you need to add to your sources.list:
deb ftp://ftp.nl.debian.org/debian-volatile/ etch/volatile main contrib non-free
deb-src ftp://ftp.nl.debian.org/debian-volatile/ etch/volatile main contrib non-free
Now see the magic:
apt-get update
apt-cache policy clamav
apt-cache policy spamassassin




