RamNode logo
    Sign UpLogin
    Back to Cloud VPS Documentation

    Initial Server Setup for Debian 13

    Everything you need to go from a fresh Debian 13 (Trixie) instance to a production-ready web server

    This guide walks you through every essential step after launching a fresh Debian 13 (Trixie) Cloud VPS — from system updates and user creation through installing a complete LEMP or LAMP web server stack. Debian is known for its rock-solid stability, minimal footprint, and extensive package repositories. Like Ubuntu, it uses apt for package management and supports UFW for firewall management. Where dedicated documentation already exists for a topic, we link directly to it so you can dive deeper without duplicated information.

    What You'll Set Up

    System updates and package management
    Non-root sudo user with SSH key access
    UFW firewall and SSH hardening
    Swap space and automatic security updates
    LEMP stack (Nginx + MariaDB + PHP)
    LAMP stack (Apache + MariaDB + PHP)

    Prerequisites

    • • A RamNode Cloud VPS running Debian 13 (Trixie)
    • • Root SSH access to the server (see SSH Keys)
    • • A domain name pointed at your server's IP (optional, but required for SSL)

    1. System Updates

    After your first SSH login, update the package index and upgrade all installed packages to their latest versions:

    Update and upgrade packages
    apt update && apt upgrade -y

    Debian minimal images may not include common utilities. Install essential tools:

    Install essential utilities
    apt install curl wget gnupg2 software-properties-common apt-transport-https ca-certificates lsb-release -y

    If a kernel update was installed, reboot to load it:

    Reboot if needed
    reboot

    2. Hostname & Timezone

    Setting a proper hostname and timezone is important for logging, scheduled tasks, and SSL certificates. We have a dedicated guide covering both topics in detail:

    Setting Hostname and Timezone →

    Configure hostnames (simple or FQDN), update /etc/hosts, set the timezone with timedatectl, and enable NTP synchronization.

    Quick reference:

    Set hostname and timezone
    # Set the hostname
hostnamectl set-hostname your-server.example.com

# Set timezone to UTC (recommended for servers)
timedatectl set-timezone UTC

# Verify
hostnamectl
timedatectl

    3. Create a Sudo User

    Running everything as root is a security risk. Create a regular user with sudo privileges. Note that Debian does not install sudo by default on minimal images — install it first:

    Install sudo and create user
    # Install sudo if not present
apt install sudo -y

# Create a new user (replace 'deploy' with your preferred username)
adduser deploy

# Add the user to the sudo group
usermod -aG sudo deploy

    Copy your SSH key to the new user so you can log in without a password:

    Copy SSH keys to new user
    # As root, copy the authorized_keys file
rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy

    Test the new user before proceeding — open a new terminal and connect:

    Test SSH as the new user
    ssh deploy@YOUR_SERVER_IP

    ⚠️ Important: Do not close your root session until you've confirmed the new user can log in and run sudo commands successfully.

    4. SSH Hardening

    Once your sudo user is working, harden SSH by disabling root login and password authentication:

    Edit SSH configuration
    sudo nano /etc/ssh/sshd_config

    Find and update these settings:

    /etc/ssh/sshd_config
    PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
    Restart SSH
    sudo systemctl restart ssh

    Related Documentation

    5. Firewall Setup (UFW)

    Debian does not ship with UFW pre-installed, but it's the simplest firewall frontend for iptables/nftables. Install it and allow only the ports you need:

    Install and configure UFW
    # Install UFW
sudo apt install ufw -y

# Allow SSH (always do this first!)
sudo ufw allow OpenSSH

# Allow HTTP and HTTPS for web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable the firewall
sudo ufw enable

# Verify status
sudo ufw status verbose
    UFW Basics — Full Guide →

    Rate limiting, application profiles, port ranges, subnet rules, logging, and more.

    ⚠️ Warning: Always allow SSH before enabling UFW. If you're using Security Groups in the Cloud Control Panel, note that UFW and Security Groups work independently — both must allow traffic for it to reach your server.

    6. Swap Space

    Adding swap space provides a safety net when your applications temporarily exceed available RAM. This is especially useful on smaller instances.

    Swap Partition — Full Guide →

    Detailed instructions for creating swap files, tuning swappiness, and sizing recommendations per VPS plan.

    Quick setup for a 2 GB swap file:

    Create a swap file
    # Create a 2G swap file
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# Make it permanent
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

# Verify
free -h

    7. Automatic Security Updates

    Keeping your server patched against known vulnerabilities is critical. Debian supports unattended-upgrades just like Ubuntu.

    Automatic Security Updates — Full Guide →

    Complete walkthrough for Ubuntu/Debian, RHEL/AlmaLinux/Rocky, openSUSE, and Arch Linux — including email notifications and automatic reboots.

    Quick-start for Debian 13:

    Enable unattended-upgrades
    sudo apt install unattended-upgrades apt-listchanges -y
sudo dpkg-reconfigure -plow unattended-upgrades

    8. LEMP Stack (Nginx + MariaDB + PHP)

    The LEMP stack uses Nginx as the web server, MariaDB as the database (the default DB on Debian), and PHP for server-side processing. It's the most popular stack for WordPress, Laravel, and other PHP applications.

    8a. Install Nginx

    Install Nginx
    sudo apt install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx

    Verify Nginx is running by visiting http://YOUR_SERVER_IP — you should see the default Nginx welcome page.

    8b. Install MariaDB

    Install MariaDB
    sudo apt install mariadb-server -y
sudo systemctl enable mariadb

    Run the security script to set a root password and remove insecure defaults:

    Secure MariaDB installation
    sudo mysql_secure_installation

    Recommended answers: set a strong root password, switch to unix_socket authentication (n if you want password auth), remove anonymous users (Y), disallow remote root login (Y), remove test database (Y), and reload privilege tables (Y).

    Database Deployment Guides

    For more advanced database setups, see our dedicated guides:

    8c. Install PHP

    Debian 13 ships with PHP 8.4 in its repositories. Install PHP-FPM and common extensions:

    Install PHP and common extensions
    sudo apt install php-fpm php-mysql php-cli php-curl php-gd php-mbstring php-xml php-zip -y

    Verify the PHP version and check that php-fpm is running:

    Verify PHP
    php -v
sudo systemctl status php8.4-fpm

    8d. Configure an Nginx Virtual Host

    Create a server block for your domain. Replace example.com with your actual domain:

    Create Nginx server block
    server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/html;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.4-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}
    Enable the site
    # Create the web root
sudo mkdir -p /var/www/example.com/html
sudo chown -R www-data:www-data /var/www/example.com

# Save the config above to:
sudo nano /etc/nginx/sites-available/example.com

# Enable it
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

# Test and reload
sudo nginx -t
sudo systemctl reload nginx

    8e. Test PHP Processing

    Create a test file
    echo '<?php phpinfo(); ?>' | sudo tee /var/www/example.com/html/info.php

    Visit http://example.com/info.php. If you see the PHP info page, your LEMP stack is working. Delete this file afterward — it exposes sensitive configuration details:

    Remove test file
    sudo rm /var/www/example.com/html/info.php

    9. LAMP Stack (Apache + MariaDB + PHP)

    The LAMP stack uses Apache instead of Nginx. Choose LAMP if your application relies on .htaccess files or Apache-specific modules. If you already installed Nginx in Step 8, skip this section — running both web servers on the same ports will cause conflicts.

    ⚠️ Choose one: Install either the LEMP stack (Step 8) or the LAMP stack (Step 9), not both. They serve the same purpose with different web servers.

    9a. Install Apache

    Install Apache
    sudo apt install apache2 -y
sudo systemctl enable apache2
sudo systemctl start apache2

    Verify Apache is running by visiting http://YOUR_SERVER_IP.

    9b. Install MariaDB

    The MariaDB installation is the same as in the LEMP stack above (Step 8b).

    Install and secure MariaDB
    sudo apt install mariadb-server -y
sudo systemctl enable mariadb
sudo mysql_secure_installation

    9c. Install PHP for Apache

    Apache uses libapache2-mod-php instead of php-fpm:

    Install PHP with Apache module
    sudo apt install php libapache2-mod-php php-mysql php-cli php-curl php-gd php-mbstring php-xml php-zip -y

    9d. Configure an Apache Virtual Host

    Apache virtual host
    <VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/html

    <Directory /var/www/example.com/html>
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
</VirtualHost>
    Enable the site
    # Create web root
sudo mkdir -p /var/www/example.com/html
sudo chown -R www-data:www-data /var/www/example.com

# Save the config above to:
sudo nano /etc/apache2/sites-available/example.com.conf

# Enable site and mod_rewrite
sudo a2ensite example.com.conf
sudo a2enmod rewrite
sudo a2dissite 000-default.conf

# Test and reload
sudo apache2ctl configtest
sudo systemctl reload apache2

    9e. Test PHP Processing

    Create and test
    echo '<?php phpinfo(); ?>' | sudo tee /var/www/example.com/html/info.php
# Visit http://example.com/info.php, then remove:
sudo rm /var/www/example.com/html/info.php

    10. SSL Certificates

    Once you have a domain pointed at your server and a web server running, add free SSL/TLS certificates from Let's Encrypt using Certbot. Our dedicated guide covers everything in detail:

    Let's Encrypt via Certbot — Full Guide →

    Install Certbot, obtain certificates for Nginx or Apache, configure auto-renewal, and troubleshoot common issues.

    Quick-start:

    Install Certbot and obtain SSL
    # For Nginx
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d example.com -d www.example.com

# For Apache
sudo apt install certbot python3-certbot-apache -y
sudo certbot --apache -d example.com -d www.example.com

# Verify auto-renewal
sudo certbot renew --dry-run

    Next Steps

    Your Debian 13 server is now secured, updated, and running a full web server stack. Here are some recommended next steps depending on what you plan to deploy:

    Deploy an Application

    → WordPress Deployment Guide→ Laravel Deployment Guide→ Ghost CMS Deployment Guide→ Browse All Deployment Guides

    Harden Security

    → Fail2Ban Guide→ CrowdSec Guide→ SSH 2FA Setup

    Use Docker Instead

    If you prefer containerized deployments over bare-metal stacks:

    → Docker Basics Guide→ Docker Compose Guide

    Monitor Your Server

    → Basic Resource Monitoring→ Uptime Kuma Guide→ Netdata Guide
    More Deployment GuidesView Cloud VPS Plans