Initial Tasks on a new openVZ container (virtual Server)

Normally openVZ Containers are cloned or prepared with pre-built images. So we need to update a few settings after deployment.

Localize Debian Mirrors

If your Debian mirrors are too far away, installing packages with apt-get will take a long time. Have a look at the Debian Mirror List and select mirrors that are located near your server and offer better throughput and ping.

Go to your sources.list file located at /etc/apt/ and update the servers.

deb http://ftp.us.debian.org/debian stable main contrib
deb http://ftp.debian.org/debian/ wheezy-updates main contrib
deb http://security.debian.org/ wheezy/updates main contrib

Comment out the unwanted servers and add your better, localized ones.

#deb http://ftp.us.debian.org/debian stable main contrib
deb http://ftp.at.debian.org/debian/ stable main contrib
#deb http://ftp.debian.org/debian/ wheezy-updates main contrib
deb http://ftp.at.debian.org/debian/ wheezy-updates main contrib
deb http://security.debian.org/ wheezy/updates main contrib

Add Backports Repository to Sources List

Sometimes the Debian Stable repository does not contain a package we need, but Debian Testing does, and the package has been backported to stable. So we need to add the Backports sources to our system.
Debian Backports are recompiled packages from testing (mostly) and unstable (in a few cases only, e.g. security updates) in a stable environment so that they will run without new libraries (whenever it is possible) on a Debian stable distribution.

Add Backports Sources to your sources.list file.

deb http://http.debian.net/debian wheezy-backports main

There are also localized Mirrors available.

deb http://http.debian.net/debian wheezy-backports main

With this updated sources.list, we can install backported packages too.

Locales and Timezone

The system should be told which timezone it is using.

dpkg-reconfigure tzdata

Get root and type dpkg-reconfigure locales and select the locale(s) you want to generate. At the end, you’ll be asked which one should be the default.

dpkg-reconfigure locales

Regenerate SSH Keys

On virtual servers and containers, SSH keys are often generated with too little entropy, or they are copied along when the image is cloned, both of which have security implications. It often turns out that the SSH keys of several servers are identical.
Generating new keys after doing some work on the server is always a good idea. At least do it during your initial setup. Do some work on the server in the meantime to collect some entropy, for example apt-get update && apt-get upgrade -y && apt-get install htop bmon vim.

Delete all old host keys (as root)

rm /etc/ssh/ssh_host_*

and generate new Keys

dpkg-reconfigure openssh-server

Finally, you need to update the ~/.ssh/known_hosts files on client computers, because they still hold the old host keys.
http://www.cyberciti.biz/faq/howto-regenerate-openssh-host-keys/

Create New User

Create a new user, set and create the home directory, and create SSH keys.

root@kopimi:~# useradd kopimi -d /home/kopimi/ -s /bin/bash
root@kopimi:~# mkdir /home/kopimi
root@kopimi:~# chown kopimi:kopimi /home/kopimi
root@kopimi:~# passwd kopimi
root@kopimi:~# su kopimi
kopimi@kopimi:/root$ cd
kopimi@kopimi:/home/kopimi$ 
kopimi@kopimi:/home/kopimi$ mkdir .ssh
kopimi@kopimi:/home/kopimi$ chmod 0700 .ssh
kopimi@kopimi:/home/kopimi$ cd .ssh
kopimi@kopimi:/home/kopimi/.ssh$ ssh-keygen -t rsa -b 4096

Set Up SSH With Public-Key Authentication

It's a good idea to set up public-key authentication and disable password authentication to stop all these bruteforce kiddies.

On the client side, copy the id_rsa.pub public key to the remote host.

cave@laptop:~$ cd .ssh
cave@laptop:~/.ssh$ ls
id_rsa    id_rsa.pub  known_hosts  known_hosts.old
cave@laptop:~/.ssh$ scp -p id_rsa.pub remoteuser@remotehost:/root/

Back up your client SSH keys; they are important now!

On the server we need to create an authorized_keys file.

root@kopimi:~# mkdir ~/.ssh
root@kopimi:~# chmod 700 ~/.ssh
root@kopimi:~# cat id_rsa.pub >> ~/.ssh/authorized_keys

Edit sshd_config

root@kopimi:~# cd /etc/ssh/  
root@kopimi:/etc/ssh# vi sshd_config

Set the following value:

AuthorizedKeysFile    %h/.ssh/authorized_keys

Restart ssh:

root@megafr1:/etc/ssh# /etc/init.d/ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

Log out and log in again. If it works without a password, disable password login completely:

PasswordAuthentication no

and restart ssh again.
https://www.howtoforge.com/set-up-ssh-with-public-key-authentication-debian-etch
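
Before relying on the PasswordAuthentication no line, it is worth checking that it is the value sshd will actually use: sshd keeps the first value it reads for a keyword, so a "yes" left over from the container template earlier in the file wins over a "no" added further down. The script below is an added example, not part of the original post; the function names sshd_effective and password_login_disabled and the sample config are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check a sshd_config file for
# the settings changed above. Function names are hypothetical. On a live
# host, `sshd -T` prints the values the daemon actually uses.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
# sshd keeps the FIRST value it reads for a keyword, so a later
# "PasswordAuthentication no" does nothing if an earlier line says "yes".
sshd_effective() {
    awk -F '[ \t=]+' -v want="$2" '
        { sub(/^[ \t]+/, "") }                  # drop leading indentation
        $0 == "" || /^#/ { next }               # skip blank lines and comments
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(want) { print $2; exit }   # first value wins
    ' "$1"
}

# Succeed only if neither password prompt path is enabled. Conservative:
# with UsePAM yes, ChallengeResponseAuthentication can still ask for the
# account password, so it has to be "no" as well. Unset means default "yes".
password_login_disabled() {
    pw=$(sshd_effective "$1" PasswordAuthentication)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication)
    [ "${pw:-yes}" = "no" ] && [ "${cr:-yes}" = "no" ]
}

# Constructed sample: the template's "yes" precedes the line appended later.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
AuthorizedKeysFile    %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF

if password_login_disabled "$sample"; then
    echo "password login is disabled"
else
    echo "password login still possible:" \
         "PasswordAuthentication=$(sshd_effective "$sample" PasswordAuthentication)"
fi
rm -f "$sample"
```

On the constructed sample the check reports that password login is still possible, because the earlier "yes" line takes effect; edit that line instead of appending a second one.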