
My Linux Server Config

Essential tools and configurations I use on my Debian servers

Server Essentials

SSH with Key Authentication

To secure your server, configure SSH to allow only key-based authentication and disable password logins. Also, create a non-root user for SSH access and disable root login:

  1. Create a new user and add it to the sudo group:

    sudo adduser user
    sudo usermod -aG sudo user

    Replace user with your preferred username.

  2. Add your public key to the new user:

    • Copy your public key from your PC to the server for the new user:
      ssh-copy-id user@your_server_ip
    • Or manually append your public key to /home/user/.ssh/authorized_keys.
  3. Edit the SSH daemon configuration:

    • Open the SSH config file:
      sudo nvim /etc/ssh/sshd_config
    • Set or update these lines:
      PubkeyAuthentication yes
      PasswordAuthentication no
      PermitRootLogin no
      ChallengeResponseAuthentication no
      UsePAM no
  4. Restart SSH service:

    sudo systemctl restart ssh

Note:

  • Before closing your root session, open a new terminal and test logging in as the new user.
  • Disabling password authentication and root login increases security by preventing brute-force and privilege escalation attacks.
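
An added check, not part of the original post: Debian's stock sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, and sshd keeps the first value it reads for each keyword, so a drop-in file can silently override the lines edited in step 3. The script below compares the effective settings printed by sshd -T with those five values; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check the settings sshd will
# really use. On the server:  sudo sshd -t && sudo sshd -T | audit_sshd

# Values from step 3, lowercase as `sshd -T` prints them.
# Assumption: a current OpenSSH, which reports ChallengeResponseAuthentication
# under its newer name kbdinteractiveauthentication.
EXPECTED='pubkeyauthentication=yes passwordauthentication=no permitrootlogin=no kbdinteractiveauthentication=no usepam=no'

# Reads `sshd -T` output on stdin, prints one line per problem and
# returns 0 only when every expected keyword has the expected value.
audit_sshd() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        ($1 in want) { seen[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) { print "MISSING " k; bad = 1 }
                else if (seen[k] != want[k]) {
                    print "MISMATCH " k ": got " seen[k] ", want " want[k]; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: what `sshd -T` reports when a drop-in under
# /etc/ssh/sshd_config.d/ sets PasswordAuthentication yes ahead of the
# edited main file.
sample_overridden() {
    cat <<'EOF'
port 22
usepam no
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
EOF
}

sample_overridden | audit_sshd || echo "effective config differs: fix it before restarting ssh"
```
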

Important:
Keep your SSH private key secure. If you lose your key, you will lose access to the server. Always keep a backup in a safe place, such as another device you own or a secure storage location.

File Sharing with SMB

For network file sharing between Linux and other systems, I use Samba. Check my detailed Samba configuration guide for implementation details.

Security Monitoring

  • fail2ban: Essential for protecting against brute-force attacks by monitoring log files and banning suspicious IP addresses.
  1. Install fail2ban:

    sudo apt update
    sudo apt install fail2ban
  2. Basic configuration:

    • Copy the default config to create a local override:
      sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    • Edit /etc/fail2ban/jail.local to adjust settings (e.g., bantime, findtime, maxretry).
  3. Enable and start the service:

    sudo systemctl enable --now fail2ban
  4. Check status:

    sudo fail2ban-client status
    sudo fail2ban-client status sshd

fail2ban will now monitor for suspicious activity and ban offending IPs automatically. For more advanced configuration, refer to the official documentation or add custom jails as needed.

Docker Containers

I run several services in Docker containers for easy management:

  • Homepage: A simple dashboard for my services
  • VSCode Server: Cloud-based VS Code instance for remote development
  • Immich: Self-hosted photo and video backup solution
  • Calibre: E-book management and server
  • FreshRSS: RSS feed aggregator
  • Vikunja: Personal wiki and note-taking app
  • Nextcloud: Self-hosted cloud storage and collaboration platform
  • Paperless: Document management system
  • Portainer: Web UI for Docker management
  • Uptime Kuma: Service monitoring and uptime checker
  • Grafana: Metrics visualization platform (works with Prometheus)
  • Beszel: Simple, lightweight server monitoring

Note:
For home server monitoring, I now use Beszel instead of Uptime Kuma or Grafana. In the past, I used those tools, but found Beszel provides simple, lightweight status checks and metrics that are sufficient for most personal setups.

Securing Docker with userns-remap (Optional)

For enhanced security, you can enable Docker’s user namespace remapping feature (userns-remap). This isolates container processes from the host by mapping container users to non-root users on the host.

How to enable userns-remap:

  1. Edit or create the Docker daemon config:

    sudo mkdir -p /etc/docker
    sudo nvim /etc/docker/daemon.json

    Add:

    {
      "userns-remap": "default"
    }
  2. Restart Docker:

    sudo systemctl restart docker

Docker will now run containers with remapped user IDs, reducing the risk of privilege escalation from containers to the host.

Important:
Enabling userns-remap will make all your existing Docker images and containers inaccessible. They will not be deleted, but Docker will not see them under the new user namespace. You can revert the change to regain access, or migrate images/containers as needed.

This is optional, but highly recommended for internet-exposed servers. Some images may require adjustments to work with userns-remap.

User Namespace Known Limitations:

  • The following Docker features are incompatible with user namespaces:
    • Sharing PID or NET namespaces with the host (--pid=host or --network=host)
    • External volume/storage drivers that do not support user mappings
    • Using --privileged mode without also specifying --userns=host

Disabling Namespace Remapping for a Container:

If user namespaces are enabled on the daemon, all containers use them by default. To disable user namespaces for a specific container (e.g., for privileged containers), add the --userns=host flag to your docker run or docker create command:

    docker run --userns=host ...

Note: The container filesystem will still be owned by the remapped user (e.g., 231072), which may cause issues for programs expecting root ownership (like sudo or setuid binaries).
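
Where a number like 231072 comes from, as an added example that is not part of the original post: with "userns-remap": "default" Docker uses a user named dockremap and takes its ID range from /etc/subuid and /etc/subgid, then keeps images and containers in a directory named after the start of that range, which is why the existing ones drop out of view. The helper names, the sample file contents and the default /var/lib/docker data root are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): which host ID does a container
# ID become under "userns-remap": "default"?
# Assumption: the remap user is dockremap and its range is stored as
# name:first_host_id:count (only the first dockremap line is used).

# host_id CONTAINER_ID [FILE] -> prints the host ID; fails when the ID is
# outside the delegated range. FILE is /etc/subuid or /etc/subgid.
host_id() {
    awk -F: -v cid="$1" '
        $1 == "dockremap" {
            found = 1
            if (cid + 0 >= 0 && cid + 0 < $3 + 0) { print $2 + cid; ok = 1 }
            exit
        }
        END {
            if (!found)   print "no dockremap entry" | "cat 1>&2"
            else if (!ok) print "container ID " cid " is not mapped" | "cat 1>&2"
            exit !ok
        }' "${2:-/etc/subuid}"
}

# data_root [SUBUID_FILE] [SUBGID_FILE] -> directory Docker stores images and
# containers in once remapping is on (assumes the default /var/lib/docker).
data_root() {
    uid=$(host_id 0 "${1:-/etc/subuid}") || return 1
    gid=$(host_id 0 "${2:-/etc/subgid}") || return 1
    echo "/var/lib/docker/$uid.$gid"
}

# Constructed sample standing in for /etc/subuid and /etc/subgid.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf 'user:100000:65536\ndockremap:231072:65536\n' > "$SAMPLE"

echo "container root (0) -> host UID $(host_id 0 "$SAMPLE")"
echo "container UID 1000 -> host UID $(host_id 1000 "$SAMPLE")"
host_id 70000 "$SAMPLE" || echo "UID 70000 has no host mapping"
echo "image store        -> $(data_root "$SAMPLE" "$SAMPLE")"
```

On a real host, call host_id and data_root without file arguments to read /etc/subuid and /etc/subgid directly.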

You can also check:
Docker Rootless Mode (docs.docker.com)
Running Docker in rootless mode is another way to improve security, especially in multi-user environments.

Laptop Server Specifics

Disabling Display on Boot

For headless laptop servers, I disable the display during boot:

  1. Install required package:

    sudo apt install vbetool
  2. Turn display off:

    sudo vbetool dpms off
  3. To turn back on:

    sudo vbetool dpms on

To turn the screen off automatically after boot, I use root's crontab (sudo crontab -e):

    @reboot sleep 60 && /usr/sbin/vbetool dpms off

Preventing Sleep When Lid Closed

To keep the server running when the lid is closed:

  1. Edit the login manager configuration:

    sudo nano /etc/systemd/logind.conf
  2. Change:

    #HandleLidSwitch=suspend

    To:

    HandleLidSwitch=ignore
  3. Restart the service:

    sudo systemctl restart systemd-logind

Boot Optimization

Skipping GRUB Menu

To speed up boot time by skipping the GRUB menu:

  1. Edit GRUB configuration:

    sudo vim /etc/default/grub
  2. Modify these lines:

    GRUB_TIMEOUT=0
    GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
  3. Update GRUB:

    sudo update-grub

Oracle Cloud Free Tier Tips

To prevent Oracle from reclaiming your ARM instances due to inactivity:

Use NeverIdle - a simple tool that keeps your instance active by periodically utilizing resources.
I usually run this with screen to keep NeverIdle running in the background.

    # Example installation
    wget https://github.com/layou233/NeverIdle/releases/latest/download/NeverIdle-linux-arm64 -O NeverIdle
    chmod +x NeverIdle
    ./NeverIdle -c 2h -m 2 -n 4h

This configuration:

  • Uses 2 CPU cores every 2 hours (-c 2h -m 2)
  • Performs network activity every 4 hours (-n 4h)

Power Optimization with powertop & AutoASPM

To reduce power consumption, I use powertop and the AutoASPM script to automatically tune power settings.

Powertop

    sudo apt update
    sudo apt install powertop

This command applies recommended power-saving settings:

    sudo powertop --auto-tune

To run this automatically at startup, add it to root’s crontab:

    sudo crontab -e

Add this line at the end:

    @reboot /usr/sbin/powertop --auto-tune

AutoASPM

This is a script that enables PCIe ASPM (Active State Power Management) for better power savings.
See: AutoASPM GitHub

Install and run AutoASPM:

    git clone https://github.com/notthebee/AutoASPM.git
    cd AutoASPM
    sudo python3 autoaspm.py

Note: Always test power-saving settings for stability, especially on servers. Some devices may not support all ASPM states.