As of February 2026, the current stable release of Debian is Debian 13 “trixie” (latest point release: 13.3, January 2026). This guide focuses on installing a minimal, headless server edition using the netinst (network installation) image — the most efficient choice for servers.
This approach downloads only essential packages during setup and keeps the system lightweight, secure, and optimized for long-term server use (web servers, databases, containers, file servers, etc.).
1. Preparation
- Hardware requirements (minimal server):
- 64-bit CPU (amd64 recommended; arm64, riscv64, etc., also supported)
- ≥ 1 GB RAM (2–4 GB recommended for comfort)
- ≥ 10–20 GB disk space
- Internet connection (wired Ethernet strongly preferred during install)
- Download the netinst ISO Go to: https://www.debian.org/distrib/netinst Select the small installation image for your architecture (usually amd64): Example direct link pattern: https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-13.3.0-amd64-netinst.iso
- Create bootable media
- USB stick (≥ 1 GB): Use tools like Rufus (Windows), balenaEtcher, dd (Linux/macOS), or Fedora Media Writer.
- Verify the ISO checksum (SHA512SUMS file is on the same download page).
- BIOS/UEFI settings
- Enable UEFI mode if your system uses it (most modern servers do).
- Disable Secure Boot (or enroll Debian keys if you want to keep it).
- Set boot order to USB first.
2. Installation Process (Step-by-Step)
Boot from the USB. The Debian Installer (graphical or text-based) starts.
Select language, location, keyboard → Choose English (United States) or your preference. → Locale and keyboard layout.
Configure the network → Most servers use DHCP → auto-configures. → If static IP needed: enter manually (IP, netmask, gateway, DNS). Very important for netinst — installer downloads packages over the internet.
Set hostname → Example: myserver, web01, db-prod-01 → Avoid spaces/special characters.
Domain name (optional) → e.g., example.local or leave blank for simple setups.
Root password → Set a strong password for the root account. → (You can later disable direct root login and use sudo.)
Create a standard user account → Full name: e.g., “Admin User” → Username: e.g., admin or your name → Strong password → This user will be added to the sudo group automatically.
Disk partitioning For servers, choose one of these (recommended for simplicity and reliability):
Option Best for Notes Guided – use entire disk Most servers Creates / + small /boot + swap Guided – use entire disk and set up LVM Production servers needing snapshots Recommended – easier future resizing & backups Guided – use entire disk and set up encrypted LVM Security-sensitive servers Full disk encryption (LUKS) – passphrase required at boot Manual Advanced / custom layouts e.g., separate /var, /home, /tmp partitions → For most servers: Guided – use entire disk and set up LVM → Write changes to disk when prompted
Software selection (crucial for server) → Uncheck everything except:
- Debian desktop environment → do NOT select (no GUI needed)
- … GNOME / XFCE / etc. → skip
- SSH server → highly recommended (installs OpenSSH)
- standard system utilities → keep checked
→ This keeps the install minimal (~400–700 MB installed).
Package manager mirror → Choose a country → select a mirror (or use deb.debian.org for global anycast). → Proxy: usually none.
Participate in popularity contest? → No (privacy) or Yes (helps Debian).
GRUB boot loader → Yes, install to primary drive (/dev/sda or equivalent).
Finish installation → Reboot (remove USB).
3. First Boot & Basic Post-Installation Configuration
Log in as your standard user (or root).
Update the system immediately:
sudo apt update
sudo apt upgrade -y
sudo apt install sudo locales vim htop curl wget net-tools -y- Enable sudo for your user (if not already)
# As root or with temporary root access
usermod -aG sudo yourusername- Better locale (if needed)
sudo dpkg-reconfigure locales
# Select en_US.UTF-8 UTF-8 (or your language)
sudo locale-gen- Set timezone
sudo dpkg-reconfigure tzdata- Secure SSH (very important for servers)
Edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_configRecommended changes:
PermitRootLogin no # or prohibit-password
PasswordAuthentication no # after setting up keys
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30Then:
sudo systemctl restart ssh- Set up SSH key authentication (from your client machine)
# On your local computer
ssh-keygen -t ed25519
ssh-copy-id yourusername@server-ip- Firewall (use ufw – simple)
sudo apt install ufw -y
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status- Automatic security updates (strongly recommended)
sudo apt install unattended-upgrades apt-listchanges -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
# Answer Yes to automatic updates4. Recommended Next Steps for a Server
- Install fail2ban → brute-force protection sudo apt install fail2ban -y
- Set up NTP time sync (usually already active via systemd-timesyncd)
- Create swap file if RAM is low (e.g., 2–4 GB)
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# Make permanent
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab- Monitor logs: journalctl -u ssh, tail -f /var/log/auth.log
- Backup critical files: /etc, /home, databases
Debian servers are designed to run for 5+ years with minimal intervention — focus on security hardening, monitoring (prometheus/node-exporter, netdata), and regular apt update && apt upgrade.