Packages (Buster)

From Hexwiki
Revision as of 18:28, 21 January 2021 by Vekseid (→ntpsec-ntpdate)

This document covers package management itself, in addition to documenting some smaller packages that I use.

Apt

I tend to use aptitude rather than apt-get, personally, and I always turn off 'auto-resolve dependencies' and 'install recommended packages automatically'.

  • apt-get install aptitude aptitude-doc-en apt-transport-https lsb-release ca-certificates curl

Your mileage may vary, but I try to know something about every component going into my system.

  • /etc/apt/sources.list
deb http://deb.debian.org/debian/ buster main
deb-src http://deb.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian/ buster-updates main
deb-src http://deb.debian.org/debian/ buster-updates main
deb http://ftp.us.debian.org/debian/ buster-backports main
deb-src http://ftp.us.debian.org/debian/ buster-backports main

If running PHP, you may want to go for the package maintainer's repo. Run:

curl -sSL -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
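
A key placed in /etc/apt/trusted.gpg.d/ is accepted for every configured repository, not only the one it came with; storing it elsewhere and naming it in the entry's signed-by option limits it to that repository. The check below is an added example, not part of the original page: it lists third-party entries that lack signed-by. It treats debian.org hosts as first-party (an assumption), and the sample input and the keyring path are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): flag third-party APT sources
# that are not tied to their own keyring with signed-by.

# Assumption: hosts under debian.org are the only first-party archives.
OFFICIAL_RE='^https?://([a-z0-9.-]+[.])?debian[.]org/'

# Reads one-line-style source entries on stdin; prints the URI of each active
# deb/deb-src entry that is third-party and has no signed-by option, which
# means its key has to sit in the global trust store.
unscoped_third_party() {
    awk -v official="$OFFICIAL_RE" '
        $1 != "deb" && $1 != "deb-src" { next }
        {
            opts = ""; uri = $2
            if ($2 ~ /^\[/) {          # deb [opt=val ...] uri suite component
                i = 2
                while (i < NF && $i !~ /\]$/) { opts = opts " " $i; i++ }
                opts = opts " " $i
                uri = $(i + 1)
            }
            if (uri !~ official && opts !~ /signed-by=/) print uri
        }'
}

# Constructed sample: entries in the style used on this page, plus a scoped
# variant. The keyring path /usr/share/keyrings/php-sury.gpg is hypothetical.
sample_sources() {
    cat <<'EOF'
deb http://deb.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb https://packages.sury.org/php/ buster main
deb [signed-by=/usr/share/keyrings/php-sury.gpg] https://packages.sury.org/php/ buster main
EOF
}

# On a real host:
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | unscoped_third_party
```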

It is generally a good idea to find your closest mirror. Sometimes your host even provides one, and using it will certainly make them happier.

To save time, I automatically run apt-get update hourly, through cron:

  • /etc/cron.hourly/apt-get-update
#!/bin/sh
#/etc/cron.hourly/apt-get-update
# Much simpler than the cron-apt package.
/usr/bin/apt-get update
/usr/bin/apt-get -dy upgrade

Run:

chmod 0750 /etc/cron.hourly/apt-get-update

This automatically checks for updates, and downloads them, but it does not apply them.
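
Because the hourly job only downloads, something still has to tell you when a security fix is waiting to be applied. This added example (not from the original page) filters simulated-upgrade output for candidates that come from the security archive. It assumes the archive label Debian-Security that `apt-get -s upgrade` prints on Buster; the sample lines and version numbers are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): list downloaded-but-unapplied
# upgrades whose candidate version comes from the security archive.

# Reads `apt-get -s upgrade` output on stdin and prints one line per match:
#   <package> <installed> -> <candidate>
# Assumption: the security archive shows up with the label "Debian-Security".
pending_security() {
    awk '
        $1 == "Inst" && /Debian-Security:/ {
            if ($3 ~ /^\[/) {          # upgrade: Inst pkg [old] (new origin ...
                old = substr($3, 2, length($3) - 2)
                new = substr($4, 2)
            } else {                   # new install: Inst pkg (new origin ...
                old = "none"
                new = substr($3, 2)
            }
            print $2, old, "->", new
        }'
}

# Constructed sample of simulated-upgrade output (versions are invented).
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Inst base-files [10.3+deb10u7] (10.3+deb10u8 Debian:10.8/stable [amd64])
Inst sudo [1.8.27-1+deb10u2] (1.8.27-1+deb10u3 Debian-Security:10/stable [amd64])
Conf base-files (10.3+deb10u8 Debian:10.8/stable [amd64])
Conf sudo (1.8.27-1+deb10u3 Debian-Security:10/stable [amd64])
EOF
}

# On a real host:
#   LC_ALL=C apt-get -s upgrade | pending_security
```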

Package Additions

  • conntrack sysstat iotop lm-sensors sash libpam-tmpdir zip unzip libdigest-whirlpool-perl acct nmap cgdb sudo
    • You may want to devote some time to learning what acct and sysstat can do for you.
  • Development: apt-get install fakeroot debhelper build-essential

Package Removal

Debian has some defaults that you probably do not need on a server:

  • Careful purge: task-ssh-server (be sure not to lose your actual ssh server).
  • Basic Purge: task-english console-setup-linux isc-dhcp-client isc-dhcp-common laptop-detect libx11-data libxau6 libxdmcp6 portmap tasksel xauth xkb-data
  • The culturally insensitive may also purge: console-setup console-terminus kbd keyboard-configuration
    • /etc/console-setup may need to be removed manually

ntpsec-ntpdate

Significantly more lightweight than ntp, easier to configure and one less server to run. If you have a number of machines at a site, you may want to run one server and have the others pull off of it. Beyond this, though,

You will need to create the config:

  • /etc/ntpsec/ntp.conf
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
tos minclock 4 minsane 3
# Specify one or more NTP servers.
# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
# I switched to Google's servers, as ntpdate tends to pick one and fails hard if there's an issue rather than trying a different server.
server time1.google.com iburst
server time2.google.com iburst
server time3.google.com iburst
server time4.google.com iburst
#server time.cloudflare.com
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
# Note that Google implements leap smearing. Don't combine leap-smearing and non-leap-smearing servers.
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict default kod nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

  • /etc/cron.hourly/ntpdate
#!/bin/sh
#/etc/cron.hourly/ntpdate
#ntpdate autorun
# -4 forces ipv4, -6 forces ipv6. 
if [ -f /usr/sbin/ntpdate-debian ]; then
   /usr/sbin/ntpdate-debian -4B >/dev/null
fi

Run:

chmod 0750 /etc/cron.hourly/ntpdate
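
The note in the config above about not combining leap-smearing and non-leap-smearing servers is easy to break when a commented-out source is re-enabled later. This added example (not from the original page) reports whether the active server and pool lines mix the two kinds. It assumes that only Google's timeN.google.com hosts smear and treats every other source as non-smearing; the sample input is constructed from the server lines above.

```shell
#!/bin/sh
# Added example (not from the original page): detect an ntp.conf that mixes
# leap-smearing and non-smearing time sources.

# Assumption: only Google's timeN.google.com hosts smear; every other active
# source is treated as non-smearing. Extend the pattern for other providers.
SMEAR_RE='^time[0-9]*[.]google[.]com$'

# Reads ntp.conf on stdin; prints smeared, unsmeared, mixed or none.
smear_status() {
    awk -v smear="$SMEAR_RE" '
        $1 == "server" || $1 == "pool" {     # commented lines start with "#"
            if ($2 ~ smear) s++; else p++
        }
        END {
            if (s && p)  print "mixed"
            else if (s)  print "smeared"
            else if (p)  print "unsmeared"
            else         print "none"
        }'
}

# Constructed sample taken from the server lines of the config above.
sample_conf() {
    cat <<'EOF'
server time1.google.com iburst
server time2.google.com iburst
#server time.cloudflare.com
#pool 0.debian.pool.ntp.org iburst
EOF
}

# On a real host:
#   smear_status < /etc/ntpsec/ntp.conf
```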

Random silly packages

  • fortunes (and friends), cowsay, filters
    • Is good to greet visitors with a talking cow. Reminds you how seriously you should take your job.
  • bsdgames, nethack-console, slashem
    • One of these decades I will get around to ascending...