path: root/device_setup.md
blob: 00d510122ab34aa79d54a54cda835a04fdc883a0 (plain)

Hardware:
- Intel NUC
- CPU: i5-5250U
- RAM: 4 GByte
- 500 GByte SSD (overkill, but was what we had)

OS: Ubuntu 16.04 "xenial" (the release supported by EOTK)

## OS Install

Download an Ubuntu 16.04 server .iso file, verify its checksum, and `dd` it to a USB thumbdrive.

Power on the Intel NUC with keyboard and monitor attached, hold F10 to get the boot
menu and select the USB drive (I didn't use UEFI).

Install as English/USA.

Hostname: ia-onion1

User: eotk
Password: eotk-changeme

Did not encrypt homedir; want device to come back up automatically after a
power fault.

Select unencrypted full LVM volume.

Select "install security upgrades automatically".

Install:
- standard system utilities
- OpenSSH server

Have GRUB overwrite the MBR.

Reboot, pull the USB drive, log in as `eotk`.

    sudo apt update
    sudo apt upgrade

    sudo apt install git

    cd ~
    git clone https://git.bnewbold.net/ia-onion-service
    cd ia-onion-service

    # you can cut this command out into a shell script or something instead of
    # re-typing it (the trailing backslashes continue the line)
    sudo apt install build-essential cowsay manpages-dev apt-transport-https \
        curl git htop iftop iotop iputils-ping less molly-guard mtr-tiny netbase \
        net-tools openssh-server screen sudo tcpdump tree unattended-upgrades \
        util-linux vim-nox wget ntp fail2ban rkhunter debsums whois lynis \
        etckeeper

    # whoops, that seemed to install postfix! don't want that!
    sudo apt remove postfix

Ok, some crude security lock-down...

edit `/etc/ssh/sshd_config`:

    # keep only these two host keys (comment out the other HostKey lines)
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key

    PermitRootLogin no

    # hard to disable until SSH keys are on the device
    #PasswordAuthentication yes

    X11Forwarding no

    # disable sftp by commenting out the Subsystem line
    #Subsystem ...

Then `sudo service ssh restart`.
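As an added example (not part of these notes), a small POSIX shell check that audits an `sshd_config` against the lock-down above: the two allowed host keys, `PermitRootLogin no`, `X11Forwarding no`, the sftp subsystem commented out, and a warning while password login is still enabled. The sample config and the temp file path are constructed for the example.

```shell
#!/bin/sh
# Added check script, not from the original notes. Audits an sshd_config
# against the lock-down described above. Sample config content below is
# constructed for this example and is not a copy of the device's file.

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
#PasswordAuthentication yes
X11Forwarding no
#Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# check_sshd_config FILE: print one line per failed check, return the failure count.
check_sshd_config() {
    cfg="$1"
    fails=0
    # Drop comments and blank lines so commented-out directives are not counted as active.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$cfg")

    # Directives that must be present with exactly this value.
    for want in "PermitRootLogin no" "X11Forwarding no"; do
        echo "$active" | grep -qix "[[:space:]]*$want[[:space:]]*" \
            || { echo "FAIL: missing '$want'"; fails=$((fails + 1)); }
    done

    # Only the RSA and ed25519 host keys may be configured; count any other HostKey line.
    bad_keys=$(echo "$active" | grep -i '^[[:space:]]*HostKey' \
        | grep -vicE 'ssh_host_(rsa|ed25519)_key[[:space:]]*$') || true
    [ "$bad_keys" -eq 0 ] || { echo "FAIL: $bad_keys unexpected HostKey line(s)"; fails=$((fails + 1)); }

    # The sftp subsystem should be commented out.
    echo "$active" | grep -qi '^[[:space:]]*Subsystem[[:space:]]*sftp' \
        && { echo "FAIL: sftp subsystem still enabled"; fails=$((fails + 1)); }

    # Password login stays enabled until keys are on the device: flag it, do not fail.
    echo "$active" | grep -qix '[[:space:]]*PasswordAuthentication[[:space:]]*no' \
        || echo "WARN: PasswordAuthentication is not 'no' (OpenSSH default is yes)"

    return "$fails"
}

# Run against the constructed sample. On the device, point it at
# /etc/ssh/sshd_config and also run `sudo sshd -t` before restarting ssh.
check_sshd_config "$HARDENED_CFG" && echo "sample config passes all checks"
```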

For passwordless sudo:

    sudo visudo
    # on '%sudo' line, replace the last "ALL" with "NOPASSWD: ALL"

Ok, ready for SSH login. Look up the IP with `ip addr` and log in with the password as
`eotk`.

Change password with `passwd`. On laptop, run `ssh-copy-id` (and enter new
passwd) to install your personal SSH key in `authorized_keys2`.

TODO: should probably just disable password login entirely, and use root shell
in person if we need to recover?

Ok, now ready for service setup following `prototyping.md`.