Debian, new installation: Difference between revisions
Revision as of 20:31, 4 March 2020
ssh
copy ssh key from Linux
- if "ssh-add -L" shows something, just use
ssh-copy-id <ip>
otherwise
- copy the ssh key (authorized_keys or dsa_name.public) to the server's ~/.ssh directory
ssh-copy-id -i <file> <server>
copy ssh key from Windows
scp id_rsa.pub user@server:.ssh/
ssh user@server
cd .ssh
cat id_rsa.pub >> authorized_keys
exit
ssh user@server
after the copy
- ssh-server: /etc/ssh/sshd_config
- change the ssh port
- test the login with the key
- disable login without key (PasswordAuthentication)
- ensure GSSAPI is disabled
- remove the motd in /etc/pam.d/sshd by commenting out the pam_motd line
# session optional pam_motd.so
- restart ssh and relogin
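Added example, not from the original page: a small POSIX shell check for the three sshd_config items above (port changed, PasswordAuthentication off, GSSAPI off). The helper names and the two sample configs are constructed for this example.

```shell
# Added example, not from the original page: check an sshd_config text for the
# hardening items listed above (port changed, password login off, GSSAPI off).
# Helper names are made up here; the two sample configs are constructed.

# Print the effective value of one directive from sshd_config text on stdin.
# Like sshd, take the first uncommented match and ignore Match blocks.
sshd_setting() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }          # conditional blocks do not set the global value
        tolower($1) == key && val == "" { val = $2 }
        END { if (val != "") print val }
    '
}

# Print one "WEAK: ..." line per unmet item; exit status 0 only if all items are met.
audit_sshd_config() {
    cfg="$1"; findings=0
    port=$(printf '%s\n' "$cfg" | sshd_setting Port)
    pw=$(printf '%s\n' "$cfg" | sshd_setting PasswordAuthentication)
    gss=$(printf '%s\n' "$cfg" | sshd_setting GSSAPIAuthentication)
    # Unset directives mean the OpenSSH defaults apply: Port 22,
    # PasswordAuthentication yes, GSSAPIAuthentication no.
    if [ "${port:-22}" = "22" ]; then
        echo "WEAK: Port is still 22"; findings=$((findings + 1))
    fi
    if [ "${pw:-yes}" = "yes" ]; then
        echo "WEAK: PasswordAuthentication is enabled"; findings=$((findings + 1))
    fi
    if [ "${gss:-no}" = "yes" ]; then
        echo "WEAK: GSSAPIAuthentication is enabled"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: Debian defaults before the steps above were applied.
SAMPLE_BEFORE='# Package generated configuration file
#Port 22
#PasswordAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no'

# Constructed sample: after changing the port and disabling password/GSSAPI login.
SAMPLE_AFTER='Port 5089
PasswordAuthentication no
GSSAPIAuthentication no
UsePAM yes'
```

On a real host, feed the output of `sshd -T` (the effective configuration, lowercase keys) into audit_sshd_config instead of the sample text.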
copy auth file
Instead of copying your public key you can just copy your authorized_keys file from your .ssh dir. Something like:
scp .ssh/authorized_keys newserver:
ssh newserver
mkdir .ssh
chmod 700 .ssh
mv authorized_keys .ssh/
locale
dpkg-reconfigure locales
I select en_US.UTF-8 UTF-8 (as default locale: none)
- relogin, otherwise you get warnings each time you use apt-get
if you still get weird warnings like
perl: warning: Setting locale failed
do the following
cd /etc
grep LC_ALL *
You may need to comment out LC_ALL entries in /etc/profile or some other sourced file
vim
Install
apt-get install vim gpm vim-doc exuberant-ctags
use the ~/.exrc from http://wiki.andreas-duffner.de/index.php/Vi#.7E.2F.exrc
.bashrc
Install
apt-get install bash-completion
~/.bashrc
# Source global definitions
if [ -f /etc/bash.bashrc ]; then
    . /etc/bash.bashrc
fi

# If not running interactively, don't do anything
case $- in
    *i*) ;;
    *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# date/time for history
export HISTTIMEFORMAT='%F %T '

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# colors for ls
alias ls='ls --color=auto'

# colors for grep
alias grep='grep --color=auto'

# complete many things with tab
. /etc/bash_completion

# use vim for some edit actions, for example crontab
export VISUAL=/usr/bin/vim

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

export PATH=$PATH:/home/<PATH-TO-YOUR-SCRIPTS>
Firewall ufw
https://wiki.archlinux.org/index.php/Ufw
Check the info about firehol below before you use this!
- install it
apt-get install ufw
- disable IPv6 if you want, in /etc/default/ufw
IPV6=no
- disable pings in /etc/ufw/sysctl.conf:
net/ipv4/icmp_echo_ignore_all=1
- custom ssh port in /etc/ufw/applications.d/myssh (do not indent the lines below the section header; indented lines are read as a continuation of the preceding value)
[myssh]
title=MySsh
description=default ssh, different port
ports=5089/tcp
- allow ssh (rate-limited) before enabling the firewall, or you can lose your connection
ufw limit MySsh
- start it and enable it for system restarts:
ufw enable
- check the status
ufw status [verbose]
- log to custom location, edit /etc/rsyslog.d/20-ufw.conf
Alternatively use firehol; it is better, but it does not work on all virtual machines if certain kernel files are missing:
Firewall firehol
- install
apt-get install firehol
- allow in /etc/default/firehol
START_FIREHOL=YES
- correct the get-iana script (there is no get-iana anymore in the new firehol)
cd /usr/src
wget http://firehol.org/download/releases/1.297/firehol-1.297.tar.gz
tar -xzf firehol-1.297.tar.gz
cd firehol-1.297/
cp get-iana.sh /usr/sbin/get-iana
chmod +x /usr/sbin/get-iana
firehol.conf creation
Let firehol create the config for you and then edit it. Have a look at the following example to get an idea of what you will need. Create the config file like this (and then edit it!):
firehol helpme > /etc/firehol/firehol.conf
- edit /etc/firehol/firehol.conf
- add custom ssh above all interfaces
server_mySsh_ports="tcp/5000"
client_mySsh_ports="default"
- below use:
server mySsh accept
custom file for firehol messages
- add under the custom servers:
FIREHOL_LOG_PREFIX="firehol: "
- create /etc/rsyslog.d/firehol.conf
:msg, contains, "firehol: " -/var/log/firehol.log
& ~
Important: your interface names + the above constant must be short, so rename your interfaces to something like ifWWW or ifCorp.
- restart firehol and rsyslog
firehol.conf example
sample for /etc/firehol/firehol.conf
#!/sbin/firehol

server_mySsh_ports="tcp/5000"
client_mySsh_ports="default"

interface eth0 interface1 src not "${UNROUTABLE_IPS} X.x.x.x y.y.y.y/zz" dst n.n.n.n
    policy drop
    protection strong
    server ICMP accept
    server mySsh accept
    client all accept
Logfile rotation
Logfile rotation in /etc/logrotate.d/firehol
/var/log/firehol.log {
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        invoke-rc.d rsyslog reload > /dev/null
    endscript
}
DNS
- Type A: Name -> IP
- Type PTR: IP -> Name
- Type MX: Mail-Server
Hostname
- /etc/hosts
- /etc/hostname
- /etc/mailname
/etc/hosts
127.0.0.1 localhost.localdomain localhost
x.x.x.x name name.domain.tld
/etc/hostname
full domain:
mypc.mydomain.com
/etc/mailname
full domain
You should also put the short name after x.x.x.x
Misc
make sure the last command can work (the wtmp file must exist)
touch /var/log/wtmp
Non free firmware
edit /etc/apt/sources.list and add to
deb http://ftp.de.debian.org/debian/ jessie main
the word non-free, so it looks like
deb http://ftp.de.debian.org/debian/ jessie main non-free
then use it
apt-get install firmware-linux-nonfree