The Perfect Server - Debian Lenny (Debian 5.0) [ISPConfig 2] - Page 3

4 Install The SSH Server

Debian Lenny does not install OpenSSH by default, therefore we do it now. Run

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian Lenny server and follow the remaining steps from this tutorial.


5 Install vim-nox (Optional)

I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Debian and Ubuntu; to fix this, we install vim-nox:

apt-get install vim-nox

(You don't have to do this if you use a different text editor such as joe or nano.)


6 Configure The Network

Because the Debian Lenny installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address (please note that I replace allow-hotplug eth0 with auto eth0; otherwise restarting the network doesn't work, and we'd have to reboot the whole system):

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts       localhost.localdomain   localhost     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

echo > /etc/hostname
/etc/init.d/ start

Afterwards, run

hostname -f

Both should show


7 Update Your Debian Installation


apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).


8 Install Some Software

Now we install a few packages that are needed later on. Run

apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential

(This command must go into one line!)


9 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, run

apt-get install quota

Edit /etc/fstab. Mine looks like this (I added ,usrquota,grpquota to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    errors=remount-ro,usrquota,grpquota 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hda        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

touch /quota.user /
chmod 600 /quota.*
mount -o remount /

quotacheck -avugm
quotaon -avug


10 BIND9 DNS Server


apt-get install bind9

to install BIND9.

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

vi /etc/default/bind9

# run resolvconf?

# startup options for the server
OPTIONS="-u bind -t /var/lib/named"

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when BIND gets updated in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to open /etc/rsyslog.d/bind-chroot.conf...

vi /etc/rsyslog.d/bind-chroot.conf

... and add the following line so that we can still get important messages logged to the system logs:

$AddUnixListenSocket /var/lib/named/dev/log

Restart the logging daemon:

/etc/init.d/rsyslog restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start

Share this page:

7 Comment(s)

Add comment


From: Anonymous

From Etch onward, it is recommended that users use aptitude instead of apt-get.  Aptitude has advanced dependency handling that can avoid some serious problems in unusual situations. 

From the official debian documentation

" The preferred program for package management from the command line is aptitude, which can perform the same package management functions as apt-get and has proven to be better at dependency resolution."

From: ree


plz edit /etc/init.d/bind9 startup script!! 

to do it follow :

nano /etc/init.d/bind9

then find the PIDFILE def. and edit to look lile that:


and restart bind9: 

/etc/init.d/bind9 restart


From: Yves

This is not necessary. The correct path inside the jail is /var/run/bind/run/

From: Yves

To use IPv6, i.e. listen-on-v6, you need to mount proc inside your chroot:

 mkdir /var/lib/named/proc

 mount -t proc proc /var/lib/named/proc

 Don't forget to create a mount that persists after next reboot, i.e. by adding it to /etc/fstab

From: ROk

In file /etc/network/interfaces DO NOT WRITE DNS adressess. ONLY /etc/resolv.conf

If you will need to specify your DNS servers manually in /etc/resolv.conf, which should look something like this:

search mydomain.example



Else this will be mistakes.

From: Nokao

Do you think that the DNS step is important even for who don't need a DNS server ?


I mean ... is it true that a DNS server only for local software is "a must have" ?

From: Dima

There is no need to manualy create aquota.user and files. They are created automatically by using command quotacheck with appropriate keys ( -c -u -g )