Debian, new installation: Difference between revisions
Revision as of 05:01, 25 April 2017
ssh
- if "ssh-add -L" shows something, just use
ssh-copy-id <ip>
otherwise
- copy your ssh key (authorized_keys or dsa_name.public) to the server's ~/.ssh directory
ssh-copy-id -i <file> <server>
- ssh-server: /etc/ssh/sshd_config
- change the ssh port
- test the login with the key
- disable login without key (set PasswordAuthentication to no)
- ensure GSSAPI is disabled (GSSAPIAuthentication)
- disable the motd in /etc/pam.d/sshd by commenting out the line:
# session optional pam_motd.so
- restart ssh and relogin
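As an added example (not from the original page), a small POSIX shell checker that reads an sshd_config and confirms the settings from the steps above (no password login, GSSAPI off, port moved away from 22) before you restart sshd; the sample config and the port 5089 in it are constructed values.

```shell
#!/bin/sh
# Added example: verify sshd_config hardening before restarting sshd.
# Assumption: the file uses the plain "Keyword value" syntax; Match blocks are not
# evaluated separately here (a setting inside a Match block is taken at face value).

# effective_value FILE KEYWORD
# sshd honours the first occurrence of a keyword, so print the value of the first
# non-commented match (keywords are case-insensitive); print nothing if it is unset.
effective_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_hardening FILE
# Returns 0 when key-only login is enforced, GSSAPI is off and the port is not 22.
# An unset PasswordAuthentication counts as a failure: sshd defaults it to yes.
check_sshd_hardening() {
  cfg=$1
  rc=0
  [ "$(effective_value "$cfg" PasswordAuthentication)" = "no" ] ||
    { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
  [ "$(effective_value "$cfg" GSSAPIAuthentication)" = "no" ] ||
    { echo "FAIL: GSSAPIAuthentication is not 'no'"; rc=1; }
  port=$(effective_value "$cfg" Port)
  if [ -z "$port" ] || [ "$port" = "22" ]; then
    echo "FAIL: Port is unset or still 22"; rc=1
  fi
  return "$rc"
}

# demo: write a constructed sample config (hypothetical port) to a temp file and check it.
demo() {
  tmp=$(mktemp)
  printf '%s\n' '# constructed sample config' \
    'Port 5089' 'PasswordAuthentication no' 'GSSAPIAuthentication no' > "$tmp"
  check_sshd_hardening "$tmp" && echo "OK: $tmp passes"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Run as: sh check_sshd.sh /etc/ssh/sshd_config
# (then run "sshd -t" to syntax-check the file before restarting the service)
if [ -n "$1" ]; then check_sshd_hardening "$1"; else demo; fi
```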
copy auth file
Instead of copying your public key you can just copy your authorized_keys file from your .ssh dir. Something like:
scp .ssh/authorized_keys newserver:
ssh newserver
mkdir .ssh
chmod 700 .ssh
mv authorized_keys .ssh/
locale
dpkg-reconfigure locales
I use en_US.UTF-8 UTF-8 (as default use: none)
- relogin, otherwise you get warnings each time you use apt-get
if you still get weird warnings like
perl: warning: Setting locale failed
do the following
cd /etc
grep LC_ALL *
Perhaps you need to comment out entries in /etc/profile or some other sourced file
vim
Install
apt-get install vim gpm vim-doc exuberant-ctags
use the ~/.exrc from http://wiki.andreas-duffner.de/index.php/Vi#.7E.2F.exrc
.bashrc
Install
apt-get install bash-completion
~/.bashrc
# Source global definitions
if [ -f /etc/bash.bashrc ]; then
. /etc/bash.bashrc
fi
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# date/time for history
export HISTTIMEFORMAT='%F %T '
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# colors for ls
alias ls='ls --color=auto'
# colors for grep
alias grep='grep --color=auto'
# complete many things with tab (only if bash-completion is installed)
if [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
# use vim for some edit actions, for example crontab
export VISUAL=/usr/bin/vim
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
export PATH=$PATH:/home/<PATH-TO-YOUR-SCRIPTS>
Firewall ufw
https://wiki.archlinux.org/index.php/Ufw
- install it
apt-get install ufw
- disable IP6 if you want in /etc/default/ufw
IPV6=no
- disable pings in /etc/ufw/sysctl.conf:
net/ipv4/icmp_echo_ignore_all=1
- custom ssh port in /etc/ufw/applications.d/myssh (do not indent the lines below the [myssh] header; indented lines are read as a continuation of the previous entry)
[myssh]
title=MySsh
description=default ssh, different port
ports=5089/tcp
- allow ssh (rate-limited) before enabling the firewall, or you can lose your connection
ufw limit MySsh
- start it and enable it for system restarts:
ufw enable
- check the status
ufw status [verbose]
- log to custom location, edit /etc/rsyslog.d/20-ufw.conf
Alternatively use firehol; it is better, but does not work on all virtual machines if certain kernel files are missing:
Firewall firehol
- install
apt-get install firehol
- allow in /etc/default/firehol
START_FIREHOL=YES
- restore the get-iana script (there is no get-iana in the new firehol any more)
cd /usr/src
wget http://firehol.org/download/releases/1.297/firehol-1.297.tar.gz
tar -xzf firehol-1.297.tar.gz
cd firehol-1.297/
cp get-iana.sh /usr/sbin/get-iana
chmod +x /usr/sbin/get-iana
firehol.conf creation
Let firehol create the config for you and then edit it. Have a look at the example below to get an idea of what you will need. Create the config file like this (and then edit it!):
firehol helpme > /etc/firehol/firehol.conf
- edit /etc/firehol/firehol.conf
- add custom ssh above all interfaces
server_mySsh_ports="tcp/5000"
client_mySsh_ports="default"
- below use:
server mySsh accept
custom log file for firehol messages
- add under the custom servers:
FIREHOL_LOG_PREFIX="firehol: "
- create /etc/rsyslog.d/firehol.conf
:msg, contains, "firehol: " -/var/log/firehol.log
& ~
Important: the log prefix plus your interface names must be short (the iptables LOG prefix is limited to 29 characters), so rename your interfaces to something like ifWWW or ifCorp.
- restart firehol and rsyslog
firehol.conf example
sample for /etc/firehol/firehol.conf
#!/sbin/firehol
# custom ssh service on a non-standard port, defined above all interfaces
server_mySsh_ports="tcp/5000"
client_mySsh_ports="default"

# X.x.x.x, y.y.y.y/zz and n.n.n.n are placeholders for your own addresses
interface eth0 interface1 src not "${UNROUTABLE_IPS} X.x.x.x y.y.y.y/zz" dst n.n.n.n
    policy drop
    protection strong
    server ICMP accept
    server mySsh accept
    client all accept
Logfile rotation
Logfile rotation in /etc/logrotate.d/firehol
/var/log/firehol.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}
DNS
- Type A: Name -> IP
- Type PTR: IP -> Name
- Type MX: Mail-Server
Hostname
- /etc/hosts
- /etc/hostname
- /etc/mailname
/etc/hosts
127.0.0.1 localhost.localdomain localhost
x.x.x.x name name.domain.tld
/etc/hostname
full domain:
mypc.mydomain.com
/etc/mailname
full domain:
mypc.mydomain.com
In /etc/hosts you should have the short name too after x.x.x.x, next to the full name.
Misc
make sure "last" can work (it needs /var/log/wtmp to exist)
touch /var/log/wtmp
Non free firmware
edit /etc/apt/sources.list and add the word non-free to the line
deb http://ftp.de.debian.org/debian/ jessie main
so it looks like
deb http://ftp.de.debian.org/debian/ jessie main non-free
then install the firmware package
apt-get install firmware-linux-nonfree