Servermanagement with Cockpit on Debian 10

Cockpit is an easy and simple remote management software for Linux servers. It is now included in Debian 10 Buster.
It runs on several Linux distributions, including Debian, Ubuntu, Fedora, CentOS, RHEL and Arch Linux.
With Cockpit, you can manage multiple Linux servers via your web browser. Here is an simple setup to get started with Cockpit.

Installation

Installation is very simple:

apt install cockpit

Now open https://YOUR_SERVER:9090 with your Browser.

You should now be able to log in with any system user. (Include root!)

Firewall

Cockpit uses firewalld to interact with the system’s firewall. But there is a litte bug in iptables Version 1.8.2.
You need to install Version 1.8.3 from debian backports first!

Edit ‘/etc/apt/sources.list’ add the following line:

deb http://deb.debian.org/debian buster-backports main

Now install the new iptables with:

apt update
apt-get -t buster-backports install "iptables"

Now install firewalld:

apt install firewalld

After the installation Cockpit Web GUI becomes unavailable because it is now blocked by the firewall.

You can add it by port:

firewall-cmd --zone=public --add-port=9090/tcp --permanent

Or with the service name:

firewall-cmd --zone=public --add-service=cockpit --permanent

After any changes, reload firewalld:

firewall-cmd --reload

You can see your settings with:

firewall-cmd --zone=public --list-all

Example output:

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Now open your Browser again. You can now manage your firewall with cockpit:

Note: If you want to manage the firewall on other servers (see next step) you have to install firewalld on this servers, too.

More Servers

Ensure that your user has ssh access to all machines and is in the sudoers group.

apt install sudo
adduser sebastian sudo

Install packages on other systems. You need to install the ‘cockpit-bridge’. All other packages are optional, but you need ‘cockpit-system’ to see the system status.

apt install cockpit-bridge cockpit-system cockpit-networkmanager cockpit-packagekit

Now add the machines to your primary cockpit server:

Here is an example for update your system via cockpit. ‘cockpit-packagekit’ is required for this feature:

Note: If you want to manage docker or virtual machines on one of the servers, you may want to install ‘cockpit-docker’ or ‘cockpit-machines’.

Disable root login

Cockpit allows the root user to login using his password, even when sshd is configured to not permit root login.

Edit ‘/etc/pam.d/cockpit’ and add the following line:

auth requisite pam_succeed_if.so uid >= 1000

Now only users can login into Cockpit.

Install from backports

We already installed the latest iptables from debain backports. Debian currently install Version 188 of cockpit but 218 is the latest release (at this time).

apt-get -t buster-backports install "cockpit"

Install Version 217 on your system. It is up to you, whether you want to use a stable release or the one from the backports.

(Screenshot of version 217)