| field | value | date |
|---|---|---|
| author | Bryan Newbold <bnewbold@archive.org> | 2019-07-01 22:59:14 -0700 |
| committer | Bryan Newbold <bnewbold@archive.org> | 2019-07-01 22:59:14 -0700 |
| commit | 9d0b43c288854c9b46e705d58f8ef7acf7fdd629 (patch) | |
| tree | aa38e57584d29d8bfb85d8ce18f21d92d774a91b | |
| parent | e1b278e15a1b8e131405e4fc4813ae5aae129a15 (diff) | |
| download | ia-onion-service-9d0b43c288854c9b46e705d58f8ef7acf7fdd629.tar.gz, ia-onion-service-9d0b43c288854c9b46e705d58f8ef7acf7fdd629.zip | |
finish device setup
-rw-r--r-- | device_setup.md | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/device_setup.md b/device_setup.md index 8ccb9e3..00d5101 100644 --- a/device_setup.md +++ b/device_setup.md @@ -1,10 +1,14 @@ Hardware: - Intel NUC +- CPU: i5-5250U +- RAM: 4 GByte - 500 GByte SSD (overkill, but was what we had) OS: Ubuntu 16.04 "xenial" (as per EOTK supported) +## OS Install + Download an Ubuntu 16.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive. Power on the Intel NUC with keyboard and monitor attached, hold F10 to get boot 
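Review bot: in the new "## OS Install" paragraph, "verify checksup" is a typo for "checksum", and a checksum alone is a weak check here: a hash fetched from the same place as the .iso only detects download corruption, not a swapped image. Suggest the step also verify the detached GPG signature that Ubuntu publishes over its SHA256SUMS file before the image is `dd`-ed, e.g. "Download an Ubuntu 16.04 server .iso file, verify its SHA256 checksum and the GPG signature on the checksum file, and `dd` it to a USB thumbdrive."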
@@ -37,9 +41,53 @@ Reboot, pull USB drive, login as eotk. sudo apt install git + cd ~ + git clone https://git.bnewbold.net/ia-onion-service + cd ia-onion-service + + # you can cut this line out into a shell script or something instead of + # re-typing sudo apt install build-essential cowsay manpages-dev apt-transport-https curl git htop iftop iotop iputils-ping less molly-guard mtr-tiny netbase net-tools openssh-server screen sudo tcpdump tree unattended-upgrades util-linux vim-nox wget ntp fail2ban rkhunter debsums whois lynis + etckeeper + + # whoops, that seemed to install postfix! don't want that! + sudo apt remove postfix + +Ok, some crude security lock-down... + +edit `/etc/ssh/sshd_config`: + + # only these two of the keys + HostKey /etc/ssh/ssh_host_rsa_key + HostKey /etc/ssh/ssh_host_ed25519_key + + PermitRootLogin no + + # hard to disable until keys on the device + #PasswordAuthentication yes + + X11Forwarding no + + # disable sftp + #Subsystem ... + +Then `sudo service ssh restart`. + +For passwordless sudo: + + sudo visudo + # on '%sudo' line, replace the last "ALL" with "NOPASSWD: ALL" + +Ok, ready for SSH login. Look up IP with `ip addr` and login with password as +`eotk`. + +Change password with `passwd`. On laptop, run `ssh-copy-id` (and enter new +passwd) to install your personal SSH key in `authorized_keys2`. +TODO: should probably just disable password login entirely, and use root shell +in person if we need to recover? +Ok, now ready for service setup following `prototyping.md`. |
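Review bot: the lock-down ordering in this hunk leaves a window where `PasswordAuthentication` is still on (the commented `#PasswordAuthentication yes` line and the closing TODO both say so) while `visudo` has already granted the `%sudo` group `NOPASSWD: ALL`, so until `ssh-copy-id` has run, a guessed `eotk` password gives an unprompted root-equivalent shell over SSH. Suggest reordering the steps: install the key with `ssh-copy-id` first (the doc already describes this), then set `PasswordAuthentication no` in `/etc/ssh/sshd_config` and `sudo service ssh restart`, and only then add the `NOPASSWD: ALL` sudoers change; that also resolves the TODO. Minor: `ssh-copy-id` appends to `~/.ssh/authorized_keys` by default, not `authorized_keys2`, so that reference should be corrected, and `fail2ban` is installed in the big `apt install` line but never configured, which is worth a sentence.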