[[PageOutline]]

= Installing Extras =

== Syn Cookies ==

 * Enable syncookies:
 {{{
 echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 }}}
 * Preserve syncookies on reboot:
 {{{
 echo 'net.ipv4.tcp_syncookies=1' >> /etc/sysctl.conf
 }}}

== Install and configure mandatory packages ==

 * Log in as root and install the following packages (if you plan to install postfix, replace esmtp-run with postfix):
 {{{
 # aptitude install ssh ntp less emacs21-nox cron-apt iproute mailx esmtp-run locales lsof psmisc screen
 }}}
 * Configure locales to use en_US.UTF-8 (run dpkg-reconfigure locales if necessary).
 * If you installed esmtp-run, edit /etc/esmtprc and configure it to send email via our bulk.mayfirst.org server (which relays all mail from our IP range):
 {{{
 hostname=bulk.mayfirst.org
 }}}
 * Configure cron-apt:
 {{{
 echo 'MAILON="upgrade"' >> /etc/cron-apt/config
 }}}
 * Upload the [wiki:mfpl_admin_public_ssh_keys mayfirst public keys] to:
 {{{
 /root/.ssh/authorized_keys
 }}}
 * Configure ssh to only accept connections with auth keys (unless this is a server that should be accessible by members). Edit /etc/ssh/sshd_config and uncomment/change these lines:
 {{{
 PasswordAuthentication no
 ChallengeResponseAuthentication no
 }}}
 * Reload ssh:
 {{{
 # /etc/init.d/ssh reload
 }}}

== Fix Bash ==

 * Overwrite /root/.bashrc with:
 {{{
 # ~/.bashrc: executed by bash(1) for non-login shells.

 export PS1='$? \h:\w\$ '
 umask 022

 # You may uncomment the following lines if you want `ls' to be colorized:
 # export LS_OPTIONS='--color=auto'
 # eval "`dircolors`"
 # alias ls='ls $LS_OPTIONS'
 # alias ll='ls $LS_OPTIONS -l'
 # alias l='ls $LS_OPTIONS -lA'
 #
 # Some more alias to avoid making mistakes:
 alias rm='rm -i'
 alias cp='cp -i'
 alias mv='mv -i'
 }}}
 * Modify the following lines in /etc/skel/.bashrc:
 {{{
     PS1='$? ${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
     ;;
 *)
     PS1='$? ${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
 }}}
 * Add a .ssh directory and empty authorized_keys file in /etc/skel:
 {{{
 mkdir /etc/skel/.ssh
 touch /etc/skel/.ssh/authorized_keys
 }}}

== Serial console login (not for DomU's, only dom0's!) ==

If you did not use the serial console installer, then perform the following:

 * Edit the /etc/inittab file. Uncomment and modify:
 {{{
 T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100
 }}}
 * Refresh:
 {{{
 $ sudo init q
 }}}
 * Add the following lines after the timeout line in `/boot/grub/menu.lst`:
 {{{
 serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
 terminal --timeout=10 serial console
 }}}
 * Extend the kopt line in the Start Default Options section. You should already have a line such as:
 {{{
 # kopt=root=/dev/mapper/vg_servername0-root ro
 }}}
 Add to it, so that your final line says:
 {{{
 # kopt=root=/dev/mapper/vg_servername0-root ro console=ttyS0,115200n8
 }}}
 * Refresh grub's config file:
 {{{
 # update-grub
 }}}

== Encrypted File system ==

 * Install programs:
 {{{
 $ sudo aptitude install dmsetup cryptsetup
 }}}
 * Create an encrypted file system for members:
   * Create the encrypted filesystem (be sure to substitute whichever device you are using):
   {{{
   $ cryptsetup luksFormat /dev/sda5
   }}}
   You will be prompted for a password. Put the password in the resource db!
   * Add to crypttab:
   {{{
   echo crypt_members /dev/sda5 none luks >> /etc/crypttab
   }}}
   * Start it:
   {{{
   /etc/init.d/cryptdisks start
   }}}
   * Create a file system on the partition:
   {{{
   $ mkfs -t ext3 /dev/mapper/crypt_members
   }}}
   * Add to fstab:
   {{{
   echo /dev/mapper/crypt_members /home/members ext3 defaults 0 2 >> /etc/fstab
   }}}
   * Mount:
   {{{
   mount /home/members
   }}}

== Add Nagios logging ==

Optionally, you may want to log in to `chun.mayfirst.org` and edit the `/etc/nagios2/conf.d/servers_mfpl.cfg` file to add this server for monitoring.

== Add munin logging ==

You may also want to install munin-node and then add the server to the munin nodes managed by the Tachanka collective.
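
A check for the "uncomment/change these lines" ssh step above, added here as an example and not part of the original page: it reports the value sshd would actually use for the two keywords, since a line left commented out or placed after an earlier "yes" has no effect. The function names, the sample files and the "yes" defaults are assumptions of this example.

```shell
#!/bin/sh
# Added example: constructed audit helper, not part of the original page.

# effective_sshd_value FILE KEYWORD DEFAULT
# Prints the value sshd would take from the global section of FILE: the
# first uncommented occurrence wins, keywords are case-insensitive, and
# DEFAULT is printed when the keyword is unset. Match blocks are not
# evaluated; parsing stops at the first one.
effective_sshd_value() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        { sub(/^[ \t]+/, "") }                  # strip leading blanks
        /^#/ || /^$/ { next }                    # comments, empty lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept "Keyword=value"
            n = split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "match") exit   # global section ends
            if (tolower(f[1]) == want && n >= 2) { val = f[2]; exit }
        }
        END { print val }
    ' "$1"
}

# audit_sshd_keyonly FILE: returns 0 only if both settings are "no".
# Assumption: both keywords default to "yes" when unset.
audit_sshd_keyonly() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(effective_sshd_value "$1" "$kw" yes)
        if [ "$v" = "no" ]; then echo "ok:   $kw $v"
        else echo "FAIL: $kw is effectively '$v'"; rc=1
        fi
    done
    return "$rc"
}

# Constructed samples. "bad" keeps the stock commented-out line and sets
# "yes" before a later "no" that never takes effect.
sample_dir=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication no' 'passwordauthentication yes' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication=no' \
    > "$sample_dir/bad"
printf '%s\n' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$sample_dir/good"
audit_sshd_keyonly "$sample_dir/bad"  || echo "bad sample rejected"
audit_sshd_keyonly "$sample_dir/good" && echo "good sample accepted"
```

On a live host, run `audit_sshd_keyonly /etc/ssh/sshd_config` before reloading ssh; `sshd -T` prints the configuration the daemon resolves, including defaults.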