aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--device_setup.md48
1 files changed, 48 insertions, 0 deletions
diff --git a/device_setup.md b/device_setup.md
index 8ccb9e3..00d5101 100644
--- a/device_setup.md
+++ b/device_setup.md
@@ -1,10 +1,14 @@
Hardware:
- Intel NUC
+- CPU: i5-5250U
+- RAM: 4 GByte
- 500 GByte SSD (overkill, but was what we had)
OS: Ubuntu 16.04 "xenial" (as per EOTK supported)
+## OS Install
+
Download an Ubuntu 16.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive.
Power on the Intel NUC with keyboard and monitor attached, hold F10 to get boot
@@ -37,9 +41,53 @@ Reboot, pull USB drive, login as eotk.
sudo apt install git
+ cd ~
+ git clone https://git.bnewbold.net/ia-onion-service
+ cd ia-onion-service
+
+ # you can cut this line out into a shell script or something instead of
+ # re-typing
sudo apt install build-essential cowsay manpages-dev apt-transport-https
curl git htop iftop iotop iputils-ping less molly-guard mtr-tiny netbase
net-tools openssh-server screen sudo tcpdump tree unattended-upgrades
util-linux vim-nox wget ntp fail2ban rkhunter debsums whois lynis
+ etckeeper
+
+ # whoops, that seemed to install postfix! don't want that!
+ sudo apt remove postfix
+
+Ok, some crude security lock-down...
+
+edit `/etc/ssh/sshd_config`:
+
+ # only these two of the keys
+ HostKey /etc/ssh/ssh_host_rsa_key
+ HostKey /etc/ssh/ssh_host_ed25519_key
+
+ PermitRootLogin no
+
+ # hard to disable until keys on the device
+ #PasswordAuthentication yes
+
+ X11Forwarding no
+
+ # disable sftp
+ #Subsystem ...
+
+Then `sudo service ssh restart`.
+
+For passwordless sudo:
+
+ sudo visudo
+ # on '%sudo' line, replace the last "ALL" with "NOPASSWD: ALL"
+
+Ok, ready for SSH login. Look up IP with `ip addr` and login with password as
+`eotk`.
+
+Change password with `passwd`. On laptop, run `ssh-copy-id` (and enter new
+passwd) to install your personal SSH key in `authorized_keys2`.
+TODO: should probably just disable password login entirely, and use root shell
+in person if we need to recover?
+Ok, now ready for service setup following `prototyping.md`.