diff options
authorBryan Newbold <bnewbold@archive.org>2019-07-01 22:59:14 -0700
committerBryan Newbold <bnewbold@archive.org>2019-07-01 22:59:14 -0700
commit9d0b43c288854c9b46e705d58f8ef7acf7fdd629 (patch)
parente1b278e15a1b8e131405e4fc4813ae5aae129a15 (diff)
finish device setup
1 files changed, 48 insertions, 0 deletions
diff --git a/device_setup.md b/device_setup.md
index 8ccb9e3..00d5101 100644
--- a/device_setup.md
+++ b/device_setup.md
@@ -1,10 +1,14 @@
- Intel NUC
+- CPU: i5-5250U
+- RAM: 4 GByte
- 500 GByte SSD (overkill, but was what we had)
OS: Ubuntu 16.04 "xenial" (as per EOTK supported)
+## OS Install
Download an Ubuntu 16.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive.
Power on the Intel NUC with keyboard and monitor attached, hold F10 to get boot
@@ -37,9 +41,53 @@ Reboot, pull USB drive, login as eotk.
sudo apt install git
+ cd ~
+ git clone https://git.bnewbold.net/ia-onion-service
+ cd ia-onion-service
+ # you can cut this line out into a shell script or something instead of
+ # re-typing
sudo apt install build-essential cowsay manpages-dev apt-transport-https
curl git htop iftop iotop iputils-ping less molly-guard mtr-tiny netbase
net-tools openssh-server screen sudo tcpdump tree unattended-upgrades
util-linux vim-nox wget ntp fail2ban rkhunter debsums whois lynis
+ etckeeper
+ # whoops, that seemed to install postfix! don't want that!
+ sudo apt remove postfix
+Ok, some crude security lock-down...
+edit `/etc/ssh/sshd_config`:
+ # only these two of the keys
+ HostKey /etc/ssh/ssh_host_rsa_key
+ HostKey /etc/ssh/ssh_host_ed25519_key
+ PermitRootLogin no
+ # hard to disable until keys on the device
+ #PasswordAuthentication yes
+ X11Forwarding no
+ # disable sftp
+ #Subsystem ...
+Then `sudo service ssh restart`.
+For passwordless sudo:
+ sudo visudo
+ # on '%sudo' line, replace the last "ALL" with "NOPASSWD: ALL"
+Ok, ready for SSH login. Look up IP with `ip addr` and login with password as
+Change password with `passwd`. On laptop, run `ssh-copy-id` (and enter new
+passwd) to install your personal SSH key in `authorized_keys2`.
+TODO: should probably just disable password login entirely, and use root shell
+in person if we need to recover?
+Ok, now ready for service setup following `prototyping.md`.