Version 12 (modified by Daniel Kahn Gillmor, 14 years ago) (diff)


Installing Extras

Syn Cookies

  • Enable syncookies:
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  • Preserve syncookies on reboot:
    echo 'net.ipv4.tcp_syncookies=1' >> /etc/sysctl.conf

Install and configure mandatory packages

  • Login as root and install the following packages (if you plan to install postfix, replace esmtp-run with postfix)
    # aptitude install ssh ntp less emacs21-nox cron-apt iproute mailx esmtp-run locales lsof psmisc screen
  • Configure locales to use en_US.UTF-8 (run dpkg-reconfigure locales if necessary)
  • If you installed esmtp-run, edit /etc/esmtprc, configure to send email via our server (which relays all mail from our IP range):
  • Configure cron-apt:
    echo 'MAILON="upgrade"' >> /etc/cron-apt/config
  • Upload the mayfirst public keys to:
  • Configure ssh to only accept connections with auth keys (unless this is a server that should be accessible by members). Edit /etc/ssh/sshd_config and uncomment/change these lines:
    PasswordAuthentication no
    ChallengeResponseAuthentication no
  • Reload ssh:
    # /etc/init.d/ssh reload

Fix Bash

  • Overwrite /root/.bashrc with:
    # ~/.bashrc: executed by bash(1) for non-login shells.
    export PS1='$? \h:\w\$ '
    umask 022
    # You may uncomment the following lines if you want `ls' to be colorized:
    # export LS_OPTIONS='--color=auto'
    # eval "`dircolors`"
    # alias ls='ls $LS_OPTIONS'
    # alias ll='ls $LS_OPTIONS -l'
    # alias l='ls $LS_OPTIONS -lA'
    # Some more alias to avoid making mistakes:
    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'
  • Modify the following lines in /etc/skel/.bashrc
    PS1='$? ${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
    PS1='$? ${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
  • Add a .ssh directory and empty authorized_keys file in /etc/skel:
    mkdir /etc/skel/.ssh
    touch /etc/skel/.ssh/authorized_keys

smartmontools (not for domU's)

  • Install smartmontools
    aptitude install smartmontools 
  • Configure smartmontools
    • Edit /etc/default/smartmontools, uncomment:
    • Edit /etc/smart.conf
      • Comment out:
        # DEVICESCAN -m root -M exec /usr/share/smartmontools/smartd-runner 
      • Add lines for the given disks. Run lshw to determine if the disks are ata and require the -d. For example:
        /dev/sda -a -d ata -s (S/../.././01|L/../../6/02) 
        /dev/sdb -a -d ata -s (S/../.././03|L/../../6/04) 
  • restart the daemon:
    /etc/init.d/smartmontools restart

Serial console login (not for domU's)

If you did not use the serial console installer, then perform the following:

  • Edit the /etc/inittab file. Uncomment and modify:
    T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100
  • Refresh:
    $ sudo init q
  • Add the following lines after the timeout line in /boot/grub/menu.1st
    serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
    terminal --timeout=10 serial console
  • Add the following lines to the Start Default Options. You should already have a line such as:
    # kopt=root=/dev/mapper/vg_servername0-root ro
    add to it, so that your final line says:
    # kopt=root=/dev/mapper/vg_servername0-root ro console=ttyS0,115200n8
  • Refresh grub's config file:
    # update-grub

Encrypted File system

  • Install programs:
    $ sudo aptitude install dmsetup cryptsetup
  • Create an encrypted file system for members:
    • Create the encrypted filesystem (be sure to switch to use which ever device you are using):
      $ cryptsetup luksFormat /dev/sda5
      You will be prompted for a password. Put password in resource db!
    • Add to crypttab
      echo crypt_members /dev/sda5 none luks >> /etc/crypttab
    • Start it
      /etc/init.d/cryptdisks start
    • Create a file system on the partition:
      $ mkfs -t ext3 /dev/mapper/crypt_members
    • Add to fstab:
      echo /dev/mapper/crypt_members /home/members ext3 defaults 0 2 >> /etc/fstab
    • Mount
      mount /home/members

Add Nagios logging

Optionally, you may want to login to and edit the /etc/nagios2/conf.d/servers_mfpl.cfg file to add this server for monitoring.

Add munin logging

You may also want to install munin-node and then add the server to the munin nodes managed by the Tachanka collective.