The "regular" distro installation process with Hetzner is a pain in the ass. They have a limited number of KVM devices so you have to open a support ticket requesting one. The options are "ASAP" and by appointment. In my experience, "ASAP" has been anywhere from 10 minutes to an hour and "by appointment" starts the next day. When they attach the KVM, you get an email with a URL, username, and password. After opening the URL, you'll see which device they've given you. One is modern and can be used perfectly fine in a browser. The other I've had is archaic and can only be interacted with through a Java applet that crashed on both my Arch installation and in an Ubuntu 20.04 VM. I was unimpressed.

If you want to install a custom operating system aside from their two-click deployments, option one is to upload an ISO through the KVM. This has no progress or status indicator until the upload is finished; at which point there will be a small notification in the window that disappears after a short period of time. It's very easy to miss. Option two is providing credentials for a SAMBA server containing the image you'd like installed. Both of these options are terribly slow.

Thankfully, they have a much simpler way to set things up.

Note: if you're used to working with systems from other providers, this may not be the same process. Read carefully.

The Rescue System

Hetzner's Rescue System is the simplest way I've found to get Debian set up; as part of that system, they provide a script called installimage which automates almost everything, including software RAID.

To activate it, go to [https:robot.your-server.de The Robot], click Server, expand the one you're setting up, click the Rescue tab, and activate the rescue system for your architecture (likely 64-bit). ''Take note of the generated password at the bottom.'' Go to the Reset tab, select the power button, send the signal, wait a few seconds, select the power button again, and send the signal again. When your server finishes booting, you'll be able to connect to the rescue system.

SSH into the root account and enter the generated password. ''Don't lose it. It will be needed later.'' You should now see something like this.


  Welcome to the Hetzner Rescue System.

  This Rescue System is based on Debian 10 (buster) with a custom
  kernel. You can install software as in a normal system.

  To install a new operating system from one of our prebuilt
  images, run 'installimage' and follow the instructions.

  More information at https://docs.hetzner.com/


Rescue System up since 2021-01-23 05:18 +01:00

Hardware data:

   CPU1: AMD Ryzen 7 3700X 8-Core Processor (Cores 16)
   Memory:  64258 MB
   Disk /dev/nvme0n1: 1024 GB (=> 953 GiB) 
   Disk /dev/nvme1n1: 1024 GB (=> 953 GiB) 
   Total capacity 1907 GiB with 2 Disks

Network data:
   eth0  LINK: yes
         MAC:  a8:a1:59:3b:18:4a
         IPv6: 2a01:4f9:3a:1f11::2/64
         Intel(R) Gigabit Ethernet Network Driver

root@rescue ~ #

From here, you should just be able to run installimage. A menu will appear in your terminal asking what distro you want; for this guide, choose Debian then go with the latest minimal version. Read the info screen, press OK, take a look at the configuration file. If you have 2 or more disks, I recommend leaving software RAID enabled and leaving it at RAID 1.

RAID IS NOT A BACKUP! It simply ensures that, should one drive fail, the server will continue running. You should be taking your own, automated backups. When a drive fails, contact Hetzner support, have them replace it as soon as possible, then rebuild your array.

Set your hostname according to what's on the main Debian page and work out your partitions. The defaults are perfectly suitable but, if you want a different setup, this is the place to make that change.

The IMAGE line is what determines the OS that will be installed. By default, it's set to what you entered at the initial screen, the minimal version of the latest Debian release.

Glance over the file once or twice more to ensure everything is satisfactory. If it is, hit F2, press Enter, hit F10, and confirm the changes. All that's left is to watch everything get set up!

After it's complete, type reboot, press Enter, wait a couple minutes then SSH back in with the same password.

You may see an error about the remote host's identification having been modified. This is expected. Simply remove the offending line from ~/.ssh/known_hosts.

The Actual System

  • install sudo

  • add users

    • adduser user

  • add user to sudo group

    • usermod -aG sudo user

  • copy ssh keys and rc file

  • disable xforwarding

  • disable password login

  • disable root login

  • restart sshd

  • remove root password

    • passwd -d root

  • review SSH logs to ensure no one brute-forced a session during setup


Rebuilding a RAID array