Setting up Ubuntu Server or Debian


vi /etc/hostname # short name is fine
hostname HOSTNAME # idem
vi /etc/hosts # long name FOLLOWED BY short name

#older releases,
#systemctl status resolvconf
#systemctl stop resolvconf
#systemctl disable resolvconf

#17.10/artful and debian9/stretch,
systemctl status systemd-resolved
systemctl stop systemd-resolved
systemctl disable systemd-resolved

cd /etc/
ls -lhF resolv.conf*
mv resolv.conf resolv.conf.dist
cat > resolv.conf <<-EOF
search example.local
EOF
cat resolv.conf

Note: no symlink for resolv.conf

Ubuntu 17.10/artful

cp -pi /etc/netplan/01-netcfg.yaml /etc/netplan/01-netcfg.yaml.dist
vi /etc/netplan/01-netcfg.yaml

      dhcp4: no
      dhcp6: no
       - x.x.x.x/xx
      gateway4: x.x.x.x

dpkg -l | grep ifupdown #should be empty
dpkg -l | grep netscript #should be empty
#systemctl restart systemd-networkd.service
netplan generate
netplan apply
ping -c1

Note: this is YAML, indentation is important

Note: if you need to set up static routes e.g.,

   - to: x.x.x.x/xx
     via: x.x.x.x


Or simply disable netplan altogether. Switch to old school /etc/network/interfaces,

apt update
apt install ifupdown

and disable netplan with a kernel argument,


Debian 9/stretch

cp -pi /etc/network/interfaces /etc/network/interfaces.dist
vi /etc/network/interfaces

#   address x.x.x.x/xx
#   gateway x.x.x.x
#   dns-nameservers
#   dns-search example.local

#cd /etc/network/interfaces.d/
#cp 50-cloud-init.cfg 50-cloud-init.cfg.dist
#vi 50-cloud-init.cfg


Tweak the SSH daemon,

groupadd -g 11 wheel
usermod -a -G wheel root
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dist
sed -r '/^[[:space:]]*#/d; /^[[:space:]]*$/d' /etc/ssh/sshd_config.dist | tee /etc/ssh/sshd_config.dist.clean > /etc/ssh/sshd_config
vi /etc/ssh/sshd_config

#Port XXXX
AllowGroups wheel
PermitRootLogin without-password
StrictModes yes
PasswordAuthentication no
X11Forwarding no

#service ssh restart
systemctl restart ssh
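
An added check, not part of the original notes: sshd keeps the first value it reads for each keyword, so this script reports the effective global value of the directives set above. It assumes whitespace-separated "Keyword value" lines and no Include directives; the function names and the sample file are made up for this example,

```shell
# Added example, not from the original page. sshd keeps the first value it
# reads for a keyword, so an earlier weak line beats a later strict one.

# effective_value FILE KEYWORD -> first value set before any Match block
effective_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        { key = tolower($1) }                # keywords are case-insensitive
        key == "match" { exit }              # global section ends here
        key == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one line per check; exit status = failed checks
audit_sshd_config() {
    file=$1 failures=0
    # keyword=accepted values, taken from the page. prohibit-password is the
    # current spelling of the deprecated alias without-password.
    for check in \
        "AllowGroups=wheel" \
        "PermitRootLogin=without-password|prohibit-password" \
        "StrictModes=yes" \
        "PasswordAuthentication=no" \
        "X11Forwarding=no"
    do
        key=${check%%=*} allowed=${check#*=}
        got=$(effective_value "$file" "$key")
        case "|$allowed|" in
            *"|$got|"*) echo "ok   $key $got"; continue ;;
        esac
        echo "FAIL $key is '${got:-not set globally}' (want $allowed)"
        failures=$((failures + 1))
    done
    return "$failures"
}

# Constructed sample: the weak PasswordAuthentication line comes first and wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
AllowGroups wheel
PermitRootLogin without-password
StrictModes yes
PasswordAuthentication no
X11Forwarding no
EOF
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On a live host, run sshd -t before restarting the daemon so a syntax error does not lock you out; sshd -T prints the effective values.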

Put your SSH keys in place so you can connect as a user in the wheel group and possibly as root,

mkdir ~/.ssh/
chmod 700 ~/.ssh/
vi ~/.ssh/authorized_keys

(paste your pub key)

chmod 600 ~/.ssh/authorized_keys

(you should now be able to connect remotely)

And in case you also use this machine as an SSH client, it is easier to see which hosts you are dealing with when known_hosts entries are not hashed,

cp -pi /etc/ssh/ssh_config /etc/ssh/ssh_config.dist
vi /etc/ssh/ssh_config

        HashKnownHosts no
        GSSAPIAuthentication no

Clean up your package sources configuration,

cd /etc/apt/
mv sources.list sources.list.dist
sed '/^[[:space:]]*$/d; /^[[:space:]]*#/d' sources.list.dist > sources.list

for example (xenial),

deb xenial         main restricted universe multiverse
deb xenial-backports   main restricted universe multiverse
#deb xenial-proposed   main restricted universe multiverse
deb xenial-security    main restricted universe multiverse
deb xenial-updates     main restricted universe multiverse

or add missing repositories for Ubuntu,

sed '/^[[:space:]]*$/d; /^[[:space:]]*#/d; s/main$/main restricted universe/' \
    sources.list.dist > sources.list

or for Debian,

sed '/^[[:space:]]*$/d; /^[[:space:]]*#/d; s/main$/main contrib non-free/' \
    sources.list.dist > sources.list

Alternatively, you can build your own sources list with this helper:

Finally, in case you told the installer you are in the US while you are, say, in Russia,

mv -i /etc/apt/sources.list /etc/apt/sources.list.dist
sed "
" /etc/apt/sources.list.dist > /etc/apt/sources.list
tail /etc/apt/sources.list
unset country

In case you are using an APT/HTTP proxy,

#nmap -p 3142 x.x.x.x
vi /etc/apt/apt.conf.d/02proxy

Acquire::http { Proxy "http://x.x.x.x:3142"; };

Update/upgrade the system,

apt update
apt full-upgrade
apt autoremove
dpkg -l | grep ^rc
dpkg -l | grep ^rc | awk '{print $2}' | xargs -r dpkg --purge

Clean up the old kernels,

uname -r
dpkg -l | grep -E 'linux-(image|headers|extra)' | grep ^i
dpkg --purge ...

Enable / disable automatic updates,

apt install unattended-upgrades
#dpkg -l | grep  unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

or do it manually,

date | mailx -s `hostname` root
cd /etc/apt/apt.conf.d/
vi 50unattended-upgrades

Unattended-Upgrade::Mail "root";

vi 20auto-upgrades 

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Install a few more packages. Starting with packages that are not for Docker containers,

cd ~/
list=`sed '/^#/d' ubuntu.hw.lst`
export DEBIAN_FRONTEND=noninteractive
apt install `echo $list` # w.o double quote
rm -f ubuntu.hw.lst
unset list

and continuing with the list that is shared with some troubleshooting-enabled Docker containers,

list=`sed '/^#/d; /^$/d' ubuntu.server.lst`
export DEBIAN_FRONTEND=noninteractive
apt install `echo $list` # w.o double quote
rm -f ubuntu.server.lst
unset list

systemctl status postfix
systemctl stop postfix
systemctl disable postfix
systemctl get-default
systemctl set-default
update-alternatives --config editor
==> elvis-tiny

Eventually switch to Netfilter,

ufw disable

Unless this is a XEN guest, see Time Setup.

Tweak your environment

Setup GNU/Screen

Eventually install Docker

Eventually run an Apache or NGINX reverse-proxy.

Upgrading to new Ubuntu release

lsb_release -a
df -h
dpkg -l | grep ^rc
apt update
apt full-upgrade
apt autoremove
dpkg -l | grep ^rc

iptables -I INPUT -p tcp --dport 1022 -j ACCEPT

make sure grub is in place,


make sure there’s a few bytes left for the system to start fine,

df -h

and reboot,


Fixing the locales

Check the current setting,


(Re-)Generate the locale,

apt install language-pack-en-base
locale-gen en_US.UTF-8
update-locale en_US.UTF-8
dpkg-reconfigure locales
cat /etc/default/locale

LANGUAGE and LC_ALL are still missing. Add those the brutal way,

vi /etc/bash.bashrc

export LANGUAGE="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"

source /etc/bash.bashrc

NFS server ready

apt install rpcbind nfs-kernel-server
vi /etc/exports

/data           *(rw,async,no_subtree_check,no_root_squash)

exportfs -ra


showmount -e localhost
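
The export above gives every host (*) read-write access with no_root_squash, so root on any client acts as root on /data. An added check, not part of the original notes, that flags such entries in an exports file, including the case where a space before the parenthesis detaches the options from the host and applies them to everyone. The function name and the sample file are made up for this example,

```shell
# Added example, not from the original page: flag risky /etc/exports entries.
# Line continuations (trailing backslash) and quoted paths are not handled.

# audit_exports FILE -> prints "path client finding", one line per finding
audit_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1); sub(/\)$/, "", opts)
                }
                # "host (rw)": a detached option list applies to every host
                world = (client == "" || client == "*")
                if (client == "") client = "<detached-options>"
                tag = world ? "world-" : ""
                o = "," opts ","
                if (world && o ~ /,rw,/)
                    print $1, client, "world-writable"
                if (o ~ /,no_root_squash,/)
                    print $1, client, tag "root-unsquashed"
            }
        }
    ' "$1"
}

# Constructed sample: the page's export, a detached option list, a scoped export.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/data        *(rw,async,no_subtree_check,no_root_squash)
/srv/backup  192.0.2.5 (rw,sync)
/srv/pub     192.0.2.0/24(ro,sync,no_subtree_check)
EOF
audit_exports "$sample"
rm -f "$sample"
```

Replacing * with the client network (x.x.x.x/xx) and dropping no_root_squash where clients do not need root on the share clears both findings for /data.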


NFS client ready

install nfs client to mount nfs shares,

    apt install nfs-common

setup some mount point,

showmount -e x.x.x.x
cp -pi /etc/fstab /etc/fstab.dist
mkdir -p /data/
touch /data/NOT_MOUNTED
vi /etc/fstab

x.x.x.x:/data /data nfs auto 0 0
#x.x.x.x:/data /data nfs _netdev,rw 0 0

mount /data


Revert to the default set of packages


Revert to default installed pkgs,

dpkg --get-selections >output
dpkg --set-selections <output
apt-get dselect-upgrade