Debian, new installation: Difference between revisions

From Andreida
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
== ssh ==
== ssh ==

=== copy ssh key from Linux ===
* if "ssh-add -L" shows something, just use
* if "ssh-add -L" shows something, just use
ssh-copy-id <ip>
ssh-copy-id <ip>
Line 6: Line 8:
* copy ssh-key (authorized_keys or dsa_name.public) to the servers ~/.ssh directory
* copy ssh-key (authorized_keys or dsa_name.public) to the servers ~/.ssh directory
ssh-copy-id -i <file> <server>
ssh-copy-id -i <file> <server>

=== copy ssh key from Windows ===

scp id_rsa.pub user@server:.ssh/
ssh user@server
cd .ssh
cat id_rsa.pub >> authorized_keys
exit
ssh user@server

=== after the copy ===


* ssh-server: /etc/ssh/sshd_config
* ssh-server: /etc/ssh/sshd_config
Line 32: Line 45:
* relogin or get warnings each time you use apt-get
* relogin or get warnings each time you use apt-get


if you still get weird warning like
if you still get weird warnings like
perl: warning: Setting locale failed
perl: warning: Setting locale failed


Line 107: Line 120:
== Firewall ufw ==
== Firewall ufw ==
https://wiki.archlinux.org/index.php/Ufw
https://wiki.archlinux.org/index.php/Ufw


Check the info about firehol below before you use this!



* install it
* install it
Line 204: Line 221:
== DNS ==
== DNS ==
* Type A: Name -> IP
* Type A: Name -> IP
* Type PTR: IP -> Name (PTR is set for the machine, not for the domain, so check the settings for the machine)
* Type PTR: IP -> Name
* Type MX: Mail-Server
* Type MX: Mail-Server



{| class="wikitable"
|+ Example
|-
! Hostname !! Type !! Address
|-
| @ || MX (Mail) || mail.example.com
|-
| mail || A (Address) || 41.42.43.44
|-
| 41.42.43.44 || PTR (reverse DNS) || mail.example.com
|}


== Hostname ==
== Hostname ==

Latest revision as of 13:56, 21 November 2020

ssh

copy ssh key from Linux

  • if "ssh-add -L" shows something, just use
ssh-copy-id <ip>

otherwise

  • copy ssh-key (authorized_keys or dsa_name.public) to the servers ~/.ssh directory
ssh-copy-id -i <file> <server>

copy ssh key from Windows

scp id_rsa.pub user@server:.ssh/
ssh user@server
cd .ssh
cat id_rsa.pub >> authorized_keys
exit
ssh user@server

after the copy

  • ssh-server: /etc/ssh/sshd_config
    • change the ssh port
    • test the login with the key
    • disable login without key (PasswordAuthentication)
    • ensure GSSAPI is disabled
  • remove motd in /etc/pam.d/sshd
# session    optional     pam_motd.so
  • restart ssh and relogin

copy auth file

Instead of copying your public key you can just copy your authorized_keys file from your .ssh dir. Something like:

scp .ssh/authorized_keys newserver:
ssh newserver
mkdir .ssh
chmod 700 .ssh
mv authorized_keys .ssh/

locale

dpkg-reconfigure locales

I use en_US.UTF-8 UTF-8-8 (as default use: none)

  • relogin or get warnings each time you use apt-get

if you still get weird warnings like

perl: warning: Setting locale failed

do the following

cd /etc
grep LC_ALL *

Perhaps you need to comment entries in /etc/profile or some other sourced file

vim

Install

apt-get install vim gpm vim-doc exuberant-ctags

use the ~/.exrc from http://wiki.andreas-duffner.de/index.php/Vi#.7E.2F.exrc

.bashrc

Install

apt-get install bash-completion

~/.bashrc


# Source global definitions
if [ -f /etc/bash.bashrc ]; then
        . /etc/bash.bashrc
fi

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# date/time for history
export HISTTIMEFORMAT='%F %T '

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# colors for ls
alias ls='ls --color=auto'

# colors for grep
alias grep='grep --color=auto'


# complete many things with tab
. /etc/bash_completion

# use vim for some edit actions, for example crontab
export VISUAL=/usr/bin/vim

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

export PATH=$PATH:/home/<PATH-TO-YOUR-SCRIPTS>

Firewall ufw

https://wiki.archlinux.org/index.php/Ufw


Check the info about firehol below before you use this!


  • install it
apt-get install ufw
  • disable IP6 if you want in /etc/default/ufw
IPV6=no
  • disable pings in /etc/ufw/sysctl.conf:
net/ipv4/icmp_echo_ignore_all=1
  • custom ssh port in /etc/ufw/applications.d/myssh (do not indent the lower lines, interact with the title)
[myssh]
title=MySsh
description=default ssh, different port
ports=5089/tcp
  • allow ssh with protected connection or you can loose your connection
ufw limit MySsh
  • start it and enable it for system restarts:
ufw enable
  • check the status
ufw status [verbose]
  • log to custom location, edit /etc/rsyslog.d/20-ufw.conf

or use instead firehol, it is better, but not working with all virtual machines if you don't have certain kernel files:

Firewall firehol

  • install
apt-get install firehol
  • allow in /etc/default/firehol
START_FIREHOL=YES
  • correct the get-iana script (there is no more get-iana in the new firehol
cd /usr/src 
wget http://firehol.org/download/releases/1.297/firehol-1.297.tar.gz
tar -xzf firehol-1.297.tar.gz
cd firehol-1.297/
cp get-iana.sh /usr/sbin/get-iana
chmod +x /usr/sbin/get-iana

firehol.conf creation

Let firehol create the config for you and edit it. Have a look at the following example to get an idea what you will need. Create the conf file so: (and then edit it !)

firehol helpme > /etc/firehol/firehol.conf


  • edit /etc/firehol/firehol.conf
  • add custom ssh above all interfaces
server_mySsh_ports="tcp/5000"
client_mySsh_ports="default"
  • below use:
server mySsh accept

custom file for firehol messags

  • add under the custom servers:
FIREHOL_LOG_PREFIX="firehol: "
  • create /etc/rsyslog.d/firehol.conf
:msg, contains, "firehol: " -/var/log/firehol.log
& ~

Important: your interface names + the above constant must be short, so rename your interfaces to something like ifWWW or ifCorp.

  • restart firehol and rsyslog

firehol.conf example

sample for /etc/firehol/firehol.conf

#!/sbin/firehol
interface eth0 interface1 src not "${UNROUTABLE_IPS} X.x.x.x y.y.y.y/zz" dst n.n.n.n
server_mySsh_ports="tcp/5000"
client_mySsh_ports="default"
policy drop
protection strong
server ICMP accept
server mySsh accept
client all accept

Logfile rotation

Logfile rotation in /etc/logrotate.d/firehol

/var/log/firehol.log
{
   rotate 7
   daily
   missingok
   notifempty
   delaycompress
   compress
   postrotate
   invoke-rc.d rsyslog reload > /dev/null
   endscript
}

DNS

  • Type A: Name -> IP
  • Type PTR: IP -> Name (PTR is set for the machine, not for the domain, so check the settings for the machine)
  • Type MX: Mail-Server


Example
Hostname Type Address
@ MX (Mail) mail.example.com
mail A (Address) 41.42.43.44
41.42.43.44 PTR (reverse DNS) mail.example.com

Hostname

  • /etc/hosts
  • /etc/hostname
  • /etc/mailname

/etc/hosts

127.0.0.1 localhost.localdomain localhost
x.x.x.x   name     name.domain.tld

/etc/hostname

full domain:

mypc.mydomain.com

/etc/mailname

full domain

You should have the short name too behind x.x.x.x

Misc

make sure last can work

touch /var/log/wtmp


Non free firmware

edit /etc/apt/sources.list and add to

 deb http://ftp.de.debian.org/debian/ jessie main 

the word non-free, so it looks like

deb http://ftp.de.debian.org/debian/ jessie main non-free

then use it

 apt-get install firmware-linux-nonfree