Hardware:
- Intel NUC
- CPU: i5-5250U
- RAM: 4 GByte
- 500 GByte SSD (overkill, but was what we had)

OS: Ubuntu 16.04 "xenial" (as per EOTK supported)

## OS Install

Download an Ubuntu 16.04 server .iso file, verify the checksum, and `dd` it to a USB thumbdrive.
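The "verify the checksum" step, written out as an added example (not from these notes): the SHA256SUMS file is only worth something if its detached signature checks out, so the script checks the signature first and then the image against the matching SUMS entry. The file names `SHA256SUMS`, `SHA256SUMS.gpg` and the `.iso` name are placeholders for whatever you fetched from the Ubuntu release directory; the helper names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original notes: check a downloaded Ubuntu
# installer image against the release's SHA256SUMS file before dd-ing it.
# Assumed file names (placeholders): SHA256SUMS and SHA256SUMS.gpg, fetched
# from the same Ubuntu release directory as the .iso.

# verify_sums_signature SUMS SIG
# Checks the detached GPG signature on the SHA256SUMS file. Returns 0 only if
# gpg accepts it, which requires Ubuntu's image signing key to already be in
# your keyring (take its fingerprint from ubuntu.com, not from this script).
verify_sums_signature() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $1" >&2
        return 1
    fi
    gpg --verify "$2" "$1" >/dev/null 2>&1
}

# verify_iso SUMS ISO
# Looks up the entry for ISO's basename in SUMS (lines look like
# "<sha256> *ubuntu-16.04.6-server-amd64.iso") and compares it with the
# SHA-256 of the file on disk. Returns 0 on match, 1 on mismatch or when the
# image has no entry, so a stale or truncated SUMS file cannot pass silently.
verify_iso() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '($2 == n || $2 == ("*" n)) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Usage: sh verify-iso.sh SHA256SUMS SHA256SUMS.gpg ubuntu-16.04-server-amd64.iso
# Only dd the image to the USB stick once both checks pass.
if [ $# -eq 3 ]; then
    verify_sums_signature "$1" "$2" && verify_iso "$1" "$3" && echo "OK: $3 verified"
fi
```

`verify_iso` deliberately refuses an image that has no line in SUMS rather than treating it as "nothing to check", and the usage order (signature, then digest) is the one that matters: a SUMS file downloaded over the same channel as the image proves nothing on its own.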
Power on the Intel NUC with keyboard and monitor attached, hold F10 to get the boot
menu and select the USB drive (I didn't use UEFI).

Install as English/USA.

- Hostname: ia-onion1
- User: eotk
- Password: eotk-changeme

Did not encrypt homedir; want the device to come back up automatically after a
power fault.

Select unencrypted full LVM volume.

Select "install security upgrades automatically".

Install:
- standard system utilities
- OpenSSH server

Have grub overwrite the MBR.

Reboot, pull the USB drive, log in as eotk.

```sh
sudo apt update
sudo apt upgrade
sudo apt install git
cd ~
git clone https://git.bnewbold.net/ia-onion-service
cd ia-onion-service

# you can cut this line out into a shell script or something instead of
# re-typing
sudo apt install build-essential cowsay manpages-dev apt-transport-https \
    curl git htop iftop iotop iputils-ping less molly-guard mtr-tiny netbase \
    net-tools openssh-server screen sudo tcpdump tree unattended-upgrades \
    util-linux vim-nox wget ntp fail2ban rkhunter debsums whois lynis \
    etckeeper

# whoops, that seemed to install postfix! don't want that!
sudo apt remove postfix
```

Ok, some crude security lock-down...

Edit `/etc/ssh/sshd_config`:

```
# only these two of the keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
# hard to disable until keys on the device
#PasswordAuthentication yes
X11Forwarding no
# disable sftp
#Subsystem ...
```

Then `sudo service ssh restart`.

For passwordless sudo:

```sh
sudo visudo
# on the '%sudo' line, replace the last "ALL" with "NOPASSWD: ALL"
```

Ok, ready for SSH login. Look up the IP with `ip addr` and log in with the password as
`eotk`.

Change the password with `passwd`. On the laptop, run `ssh-copy-id` (and enter the new
password) to install your personal SSH key in `authorized_keys2`.

TODO: should probably just disable password login entirely, and use a root shell
in person if we need to recover?
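The `sshd_config` lock-down above and the TODO about password login, as an added example that is not part of these notes: a POSIX sh script that applies the same settings to a config file (pass `/etc/ssh/sshd_config`, or a copy for a dry run), comments out the sftp subsystem, and only switches `PasswordAuthentication` off once a non-empty `authorized_keys` file exists, which is the "hard to disable until keys on the device" caveat made mechanical. The helper names (`set_sshd_option`, `harden_sshd_config`, `sshd_option`, `check_sshd_config`) are this example's own; it assumes `awk` and `sed` are present.

```sh
#!/bin/sh
# Added example, not part of the original notes: apply the sshd lock-down to a
# config file and read the result back. Works on whatever path you pass, so it
# can be tried on a copy first. POSIX sh; helper names are this example's own.

# set_sshd_option FILE KEY VALUE
# Replaces the first "KEY ..." or "#KEY ..." line before any Match block with
# "KEY VALUE", drops later duplicates in the global section, and inserts the
# line before the first Match (or at the end) if KEY was never set.
# Lines inside Match blocks are left alone. Not for multi-valued keys such as
# HostKey, where two lines are intended.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"; tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)"; done = 0; in_match = 0 }
        in_match { print; next }
        tolower($1) == "match" { if (!done) { print k " " v; done = 1 }; in_match = 1; print; next }
        tolower($0) ~ re { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# disable_sftp FILE
# Comments out any "Subsystem sftp ..." line (the "#Subsystem" entry above).
disable_sftp() {
    file="$1"; tmp="$file.tmp.$$"
    sed '/^[[:space:]]*Subsystem[[:space:]][[:space:]]*sftp/s/^/#/' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option FILE KEY
# Prints the effective global value of KEY (first uncommented setting before
# any Match block), or nothing if it is unset and sshd's default applies.
sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE [AUTHORIZED_KEYS]
# Applies the settings from the notes. Password logins are switched off only
# once a non-empty authorized_keys file is in place; doing it earlier locks
# you out of the box.
harden_sshd_config() {
    file="$1"; keys="${2:-}"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" X11Forwarding no
    disable_sftp "$file"
    if [ -n "$keys" ] && [ -s "$keys" ]; then
        set_sshd_option "$file" PasswordAuthentication no
    else
        echo "no authorized_keys yet; leaving PasswordAuthentication unchanged" >&2
    fi
}

# check_sshd_config FILE
# Syntax-checks FILE with sshd -t before the service is restarted; a typo in
# sshd_config would otherwise cost you remote access. Needs root to load the
# host keys. Returns sshd's exit status.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found on this host; skipped syntax check" >&2
        return 0
    fi
}

# Usage (on the NUC, as root, after ssh-copy-id has run):
#   cp /etc/ssh/sshd_config /root/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config /home/eotk/.ssh/authorized_keys
#   check_sshd_config /etc/ssh/sshd_config && service ssh restart
```

Two points from the design: settings are only rewritten in the global section, because a `PasswordAuthentication` line that lands after a `Match` block applies to that block alone and the global default stays in force; and `check_sshd_config` (`sshd -t`) belongs between editing and `service ssh restart`, since a restart with a broken config is the one mistake that needs the keyboard and monitor plugged back in.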
Ok, now ready for service setup following `prototyping.md`.