From 9d0b43c288854c9b46e705d58f8ef7acf7fdd629 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Mon, 1 Jul 2019 22:59:14 -0700 Subject: finish device setup --- device_setup.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/device_setup.md b/device_setup.md index 8ccb9e3..00d5101 100644 --- a/device_setup.md +++ b/device_setup.md @@ -1,10 +1,14 @@ Hardware: - Intel NUC +- CPU: i5-5250U +- RAM: 4 GByte - 500 GByte SSD (overkill, but was what we had) OS: Ubuntu 16.04 "xenial" (as per EOTK supported) +## OS Install + Download an Ubuntu 16.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive. Power on the Intel NUC with keyboard and monitor attached, hold F10 to get boot 
@@ -37,9 +41,53 @@ Reboot, pull USB drive, login as eotk. sudo apt install git + cd ~ + git clone https://git.bnewbold.net/ia-onion-service + cd ia-onion-service + + # you can cut this line out into a shell script or something instead of + # re-typing sudo apt install build-essential cowsay manpages-dev apt-transport-https curl git htop iftop iotop iputils-ping less molly-guard mtr-tiny netbase net-tools openssh-server screen sudo tcpdump tree unattended-upgrades util-linux vim-nox wget ntp fail2ban rkhunter debsums whois lynis + etckeeper + + # whoops, that seemed to install postfix! don't want that! + sudo apt remove postfix + +Ok, some crude security lock-down... + +edit `/etc/ssh/sshd_config`: + + # only these two of the keys + HostKey /etc/ssh/ssh_host_rsa_key + HostKey /etc/ssh/ssh_host_ed25519_key + + PermitRootLogin no + + # hard to disable until keys on the device + #PasswordAuthentication yes + + X11Forwarding no + + # disable sftp + #Subsystem ... + +Then `sudo service ssh restart`. + +For passwordless sudo: + + sudo visudo + # on '%sudo' line, replace the last "ALL" with "NOPASSWD: ALL" + +Ok, ready for SSH login. Look up IP with `ip addr` and login with password as +`eotk`. + +Change password with `passwd`. On laptop, run `ssh-copy-id` (and enter new +passwd) to install your personal SSH key in `authorized_keys2`. +TODO: should probably just disable password login entirely, and use root shell +in person if we need to recover? +Ok, now ready for service setup following `prototyping.md`. -- cgit v1.2.3
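Review bot: the sshd_config block in this hunk leaves password authentication enabled (the commented `#PasswordAuthentication yes` keeps sshd's default of yes) while the `visudo` step grants the `%sudo` group `NOPASSWD: ALL`, so until the TODO at the end is done a guessed or reused `eotk` password is a full root compromise over the network, with fail2ban as the only barrier; suggest turning the TODO into an explicit step right after `ssh-copy-id` succeeds: set `PasswordAuthentication no`, run `sudo service ssh restart`, and confirm a key-based login still works before closing the session. Two smaller points in the same hunk: `ssh-copy-id` installs the key into `~/.ssh/authorized_keys`, not `authorized_keys2`, so that sentence should be corrected; and the `# disable sftp` / `#Subsystem ...` lines only disable sftp if the stock `Subsystem sftp` line is actually commented out, which the hunk does not show, so it is worth writing out the exact line being commented.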
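Review bot: in the first hunk (`@@ -1,10 +1,14 @@`) the OS Install paragraph has a typo, `verify checksup` should read `verify checksum`; since verifying the downloaded image is the one step in this section that protects against a tampered installer, it would also help to state which checksum list and signature are being checked rather than leaving it at "verify".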