wiki:install_debian_extras

Version 12 (modified by Daniel Kahn Gillmor, 12 years ago)

Installing Extras

Syn Cookies

  • Enable syncookies:
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    
  • Preserve syncookies on reboot:
    echo 'net.ipv4.tcp_syncookies=1' >> /etc/sysctl.conf
    

Install and configure mandatory packages

  • Log in as root and install the following packages (if you plan to install postfix, replace esmtp-run with postfix):
    # aptitude install ssh ntp less emacs21-nox cron-apt iproute mailx esmtp-run locales lsof psmisc screen
    
  • Configure locales to use en_US.UTF-8 (run dpkg-reconfigure locales if necessary)
  • If you installed esmtp-run, edit /etc/esmtprc and configure it to send email via our bulk.mayfirst.org server (which relays all mail from our IP range):
    hostname=bulk.mayfirst.org
    
  • Configure cron-apt:
    echo 'MAILON="upgrade"' >> /etc/cron-apt/config
    
  • Upload the mayfirst public keys to:
    /root/.ssh/authorized_keys
    
  • Configure ssh to accept only key-based authentication (unless this is a server that should be accessible by members). Edit /etc/ssh/sshd_config and uncomment/change these lines:
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    
  • Reload ssh:
    # /etc/init.d/ssh reload
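
One way to confirm the key-only ssh step above took effect before you log out. This is an added example, not part of the original page: the function names and the sample config are constructed for illustration, and it audits only the global section of the file.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config file
# for the two key-only settings above.

# Print the effective global value of keyword $1 in file $2.
# sshd keeps the first value it reads for a keyword and treats keywords
# case-insensitively; lines after a "Match" line are conditional, so this
# audit stops there. Assumption: an unset keyword defaults to "yes".
sshd_global_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "yes" }
        NF == 0 || $1 ~ /^#/ { next }        # skip blank and commented lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$2"
}

# Return 0 only if both password-style methods are disabled globally.
key_only_ssh() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(sshd_global_value "$kw" "$1")
        if [ "$v" != "no" ]; then
            echo "FAIL: $kw is '$v' in $1" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the commented-out line does not count, and the
# later "no" cannot override the earlier "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
EOF

if key_only_ssh "$sample"; then
    echo "key-only: OK"
else
    echo "key-only: NOT enforced"
fi
```

On a real server, call key_only_ssh /etc/ssh/sshd_config; running sshd -T as root prints the configuration the daemon actually resolved, including defaults.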
    

Fix Bash

  • Overwrite /root/.bashrc with:
    # ~/.bashrc: executed by bash(1) for non-login shells.
    
    export PS1='$? \h:\w\$ '
    umask 022
    
    # You may uncomment the following lines if you want `ls' to be colorized:
    # export LS_OPTIONS='--color=auto'
    # eval "`dircolors`"
    # alias ls='ls $LS_OPTIONS'
    # alias ll='ls $LS_OPTIONS -l'
    # alias l='ls $LS_OPTIONS -lA'
    #
    # Some more alias to avoid making mistakes:
    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'
    
  • Modify the following lines in /etc/skel/.bashrc:
    PS1='$? ${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
        ;;
    *)
    PS1='$? ${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
    
  • Add a .ssh directory and empty authorized_keys file in /etc/skel:
    mkdir /etc/skel/.ssh
    touch /etc/skel/.ssh/authorized_keys
    

smartmontools (not for domU's)

  • Install smartmontools:
    aptitude install smartmontools 
    
  • Configure smartmontools:
    • Edit /etc/default/smartmontools, uncomment:
      start_smartd=yes
      
    • Edit /etc/smartd.conf:
      • Comment out:
        # DEVICESCAN -m root -M exec /usr/share/smartmontools/smartd-runner 
        
      • Add lines for the given disks. Run lshw to determine whether the disks are ata and require the -d option. For example:
        /dev/sda -a -d ata -s (S/../.././01|L/../../6/02) 
        /dev/sdb -a -d ata -s (S/../.././03|L/../../6/04) 
        
  • Restart the daemon:
    /etc/init.d/smartmontools restart
    

Serial console login (not for domU's)

If you did not use the serial console installer, then perform the following:

  • Edit the /etc/inittab file. Uncomment and modify:
    T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100
    
  • Refresh:
    $ sudo init q
    
  • Add the following lines after the timeout line in /boot/grub/menu.lst:
    serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
    terminal --timeout=10 serial console
    
  • Add the following lines to the Start Default Options. You should already have a line such as:
    # kopt=root=/dev/mapper/vg_servername0-root ro
    
    Add to it, so that your final line says:
    # kopt=root=/dev/mapper/vg_servername0-root ro console=ttyS0,115200n8
    
  • Refresh grub's config file:
    # update-grub
    

Encrypted File system

  • Install programs:
    $ sudo aptitude install dmsetup cryptsetup
    
  • Create an encrypted file system for members:
    • Create the encrypted filesystem (be sure to substitute whichever device you are using):
      $ cryptsetup luksFormat /dev/sda5
      
      You will be prompted for a password. Put the password in the resource db!
    • Add to crypttab:
      echo crypt_members /dev/sda5 none luks >> /etc/crypttab
      
    • Start it:
      /etc/init.d/cryptdisks start
      
    • Create a file system on the partition:
      $ mkfs -t ext3 /dev/mapper/crypt_members
      
    • Add to fstab:
      echo /dev/mapper/crypt_members /home/members ext3 defaults 0 2 >> /etc/fstab
      
    • Mount:
      mount /home/members
      

Add Nagios logging

Optionally, you may want to log in to chun.mayfirst.org and edit the /etc/nagios2/conf.d/servers_mfpl.cfg file to add this server for monitoring.

Add munin logging

You may also want to install munin-node and then add the server to the munin nodes managed by the Tachanka collective.