==== BASIC SETUP ====

**1. Document machine info**

Go to the specific [[homelab_assets|page for the machine]] (create it from the [[new_machine_template|new machine template]] if it doesn't exist) and edit the machine name (as defined during initial OS install), IP address (even if it will be changed later) and, in parentheses, “(DHCP/Static)”. Also document the [[polynesian_gods_goddesses|admin username]]/password and the OS and version. For each step that follows, add it to the documentation.

All of the above helps to ensure that a) if something goes amiss later, you won’t have to totally reinstall the OS to recover and b) if the question arises “was _____ done?” there won’t be any doubts.

**2. Log in to server and run system updates**

<code bash>
ssh root@[server_ip]
apt update && apt upgrade -y
</code>

**3.1. Change server hostname (Armbian)**

<code bash>
armbian-config
</code>
  * Select “Personal”
  * Select “Hostname”
  * Enter the new hostname
  * Exit armbian-config
  * Log out (and back in)

**3.2. Change server hostname (Debian)**

From a terminal window (Ctrl+Alt+T):
<code bash>
sudo hostname [new hostname]
exit
</code>
Note: “hostname” changes only the running hostname; to keep the new name after a reboot, also update /etc/hostname and /etc/hosts (or use “hostnamectl set-hostname [new hostname]”).

Reestablish the SSH connection:
<code bash>
ssh root@[ip_address]
</code>

**4.1. Give server a static IP address (Armbian)**

<code bash>
armbian-config
</code>
  * Select “Network” then “IP”
  * Find the line for the Ethernet adapter (should be “eth0” or start with “en”) and press Enter
  * Select “Static”
  * On the next dialog, change the IP address to the desired IP
  * Edit Netmask and Gateway
  * Update the documentation with the new static IP

**4.2. Give server a static IP address (Debian)**

From a terminal window (Ctrl+Alt+T):
<code bash>
sudo hostname [new hostname]
exit
</code>
Reestablish the SSH connection:
<code bash>
ssh root@[ip_address]
</code>

**5. Enable automatic updates**

<code bash>
apt install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
</code>
Answer [yes] when asked whether to automatically download and install stable updates.

**6. Install micro (text editor)**

<code bash>
apt install -y micro
</code>
**7. Create limited user and give sudo privileges**

<code bash>
adduser [username]
usermod -aG sudo [username]
</code>
You should, at this point, switch to the user account you just created...
<code bash>
su [username]
</code>

**8. Change SSH port & disable IPv6**

<code bash>
ssh [username]@[server_ip]
sudo micro /etc/ssh/sshd_config
</code>
  * Uncomment the line that says “Port 22” and change 22 to a random 4-digit port number. Document it.
  * Uncomment the “AddressFamily” line and change “any” to “inet” (disables IPv6)
  * Save and exit
<code bash>
sudo systemctl restart sshd
</code>

**9. Download and set up .aliases**

<code bash>
wget github.com/don-ferris/bash-aliases/raw/main/.aliases
echo 'source ~/.aliases' >> ~/.bashrc && cat ~/.bashrc
source ~/.bashrc && alias
</code>
Review the aliases.

==== SECURE SSH ====

**1. Create public/private key pair**

On the server:
<code bash>
mkdir ~/.ssh && chmod 700 ~/.ssh
logout
</code>
On the workstation (Enter to accept the default location; skip passphrase):
<code bash>
ssh-keygen -t rsa -b 4096   # -t rsa: make the key RSA regardless of the OpenSSH default key type
cd ~/.ssh && ssh-copy-id [username]@[server_ip] -p [new ssh port]
</code>

**2. Disable root login** (Hackers can try forever to brute force a root login and they’ll FAIL every time)

<code bash>
sudo micro /etc/passwd
</code>
Find and go to the root user line (should be the first line) and change “/bin/bash” (at the end of the line) to “/usr/sbin/nologin” (the path of nologin on Debian-based systems). Save and exit.
<code bash>
sudo micro /etc/ssh/sshd_config
</code>
  * Find the “PermitRootLogin” line and change “yes” to “no”. Technically, we’ve already covered this by changing root’s shell to /usr/sbin/nologin, but we’re going to do this anyway - because why not?! Note that while we have now disabled root login, it doesn’t affect our ability to switch to and use the root account once we’re logged in via SSH.
  * Uncomment the lines “MaxAuthTries” and “MaxSessions”
**3. Disable password logins (RSA keys only)**

Find the “PasswordAuthentication” line, uncomment it, and change “yes” to “no”. Save and exit.
<code bash>
sudo systemctl restart sshd
</code>
Test before logging out - verify that everything works properly by opening a new terminal window (on the workstation) and trying to log in to the server:
<code bash>
ssh [username]@[server_ip] -p [port]
</code>
If there are problems, troubleshoot and fix while you’re still logged in (in the other terminal window).

**4. Fail2ban - Lock out IPs after multiple failed connection attempts**

<code bash>
sudo apt install -y fail2ban
sudo bash -c 'echo "[sshd]" > /etc/fail2ban/jail.d/00-sshd.conf'
sudo bash -c 'echo "ignoreip = 10.10.10.x" >> /etc/fail2ban/jail.d/00-sshd.conf'
sudo bash -c 'echo "port = [custom SSH port]" >> /etc/fail2ban/jail.d/00-sshd.conf'
sudo bash -c 'echo "findtime = 1m" >> /etc/fail2ban/jail.d/00-sshd.conf'
sudo bash -c 'echo "maxretry = 5" >> /etc/fail2ban/jail.d/00-sshd.conf'
sudo bash -c 'echo "bantime = 10m" >> /etc/fail2ban/jail.d/00-sshd.conf'
systemctl enable fail2ban
sudo systemctl start fail2ban
systemctl status fail2ban
</code>
The “[sshd]” header on the first line tells fail2ban which jail the settings belong to; fail2ban refuses a jail file that has no section header. “ignoreip” is the address (your workstation) that must never be banned, and “port” must be the custom SSH port from step 8 above, otherwise the jail watches the wrong port. You will be asked to authenticate 4 times when running “systemctl enable fail2ban” without sudo.

Check jail status (any time)...
<code bash>
sudo fail2ban-client status sshd
</code>

==== CHECK PORTS & ENABLE/CONFIGURE FIREWALL ====

**1. Review open ports**

<code bash>
sudo ss -tulpn
</code>
Look over the listed ports. You’ll see 0.0.0.0:[custom SSH port #] (the one you set up above). Google for information on any open ports that you don’t recognize.

**2. Install and enable UFW firewall**

<code bash>
sudo apt install -y ufw
</code>
Open the port for SSH logins (do this before “ufw enable”, or you will lock yourself out):
<code bash>
sudo ufw allow [custom SSH port #]
sudo ufw enable
sudo ufw status
</code>
Review the output, then switch to a different/new terminal window and confirm the ability to log in.
**3. Disable ping**

<code bash>
sudo bash -c 'echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf'
sudo bash -c 'echo "net.ipv6.icmp.echo_ignore_all=1" >> /etc/sysctl.conf'
</code>
Apply the changes:
<code bash>
sudo sysctl -p
</code>
Test by trying to ping the server from your workstation.

==== INSTALL DOCKER AND DOCKER-COMPOSE ====

(Also installs Python3)

**1. Install Docker and docker-compose**

<code bash>
sudo apt install -y docker.io && sudo docker version
sudo apt install -y docker-compose && sudo docker-compose version
</code>

**2. Update AppArmor**

<code bash>
sudo apt install -y apparmor
</code>

**3. Run system update**

<code bash>
sudo apt update && sudo apt upgrade -y
</code>

**4. Run Docker commands without sudo**

<code bash>
sudo groupadd docker
sudo usermod -aG docker $USER
</code>
The docker.io package normally creates the docker group already, so “group 'docker' already exists” from groupadd is harmless. Members of the docker group can get root on the host through the Docker socket, so add only the admin user.

**5. Relogin**

<code bash>
sudo su $USER
</code>

**6. Test Docker (and no-sudo)**

<code bash>
docker run hello-world
</code>
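An added check for the SECURE SSH section above (example code, not from the original page): it audits the custom port, AddressFamily, PermitRootLogin, PasswordAuthentication, MaxAuthTries/MaxSessions and root's nologin shell against the effective sshd configuration rather than the file you edited. It assumes you save the output of “sudo sshd -T” to a file and pass that file and /etc/passwd as arguments; the file and function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: check the SECURE SSH steps
# against the EFFECTIVE sshd configuration (`sshd -T`), so a setting that was
# edited but not saved, or saved but not reloaded, shows up as a FAIL.
# Usage on the server:
#   sudo sshd -T > /tmp/sshd-effective.txt
#   ./audit_sshd.sh /tmp/sshd-effective.txt /etc/passwd

# sshd_opt FILE KEY : value of KEY in `sshd -T` output (keys are printed lowercase)
sshd_opt() {
    awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd SSHD_T_OUTPUT PASSWD_FILE
# Prints one PASS/FAIL line per check; returns the number of FAILs (0 = all good).
audit_sshd() {
    cfg=$1; pw=$2; fails=0
    verdict() {    # verdict OK(1|0) DESCRIPTION
        if [ "$1" -eq 1 ]; then echo "PASS: $2"; else echo "FAIL: $2"; fails=$((fails + 1)); fi
    }
    expect() {     # expect KEY WANTED DESCRIPTION : effective value must equal WANTED
        got=$(sshd_opt "$cfg" "$1"); ok=0
        if [ "$got" = "$2" ]; then ok=1; fi
        verdict "$ok" "$3 ($1=${got:-unset})"
    }
    port=$(sshd_opt "$cfg" port); ok=0
    if [ -n "$port" ] && [ "$port" != 22 ]; then ok=1; fi
    verdict "$ok" "SSH moved off port 22 (port=${port:-unset})"
    expect addressfamily inet "IPv6 listener disabled"
    expect permitrootlogin no "root login over SSH disabled"
    expect passwordauthentication no "password logins disabled (keys only)"
    tries=$(sshd_opt "$cfg" maxauthtries); ok=0
    if [ -n "$tries" ] && [ "$tries" -le 6 ] 2>/dev/null; then ok=1; fi
    verdict "$ok" "MaxAuthTries at or below the OpenSSH default of 6 (${tries:-unset})"
    sess=$(sshd_opt "$cfg" maxsessions); ok=0
    if [ -n "$sess" ] && [ "$sess" -le 10 ] 2>/dev/null; then ok=1; fi
    verdict "$ok" "MaxSessions at or below the OpenSSH default of 10 (${sess:-unset})"
    shell=$(awk -F: '$1 == "root" { print $7 }' "$pw"); ok=0
    case "$shell" in */nologin|/bin/false) ok=1 ;; esac
    verdict "$ok" "root shell is nologin (${shell:-unset})"
    return "$fails"
}

# Run directly with the two files as arguments (sourcing the file only defines the functions).
if [ "$#" -eq 2 ]; then audit_sshd "$1" "$2"; fi
```

Run it from the second terminal window before you close the first one, so a FAIL can still be fixed while you are logged in.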
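An added helper for the “Review open ports” step in the CHECK PORTS section (example code, not from the original page): it reads saved “ss -tulpn” output and lists every socket bound to all interfaces whose port is not on your allow-list, so after the custom SSH port is allowed anything else printed is a port to look up. It assumes the ss output was saved to a file; the function name is the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: turn the "review open ports" step
# into a repeatable check. Reads saved `ss -tulpn` output and lists every socket
# bound to ALL interfaces (0.0.0.0, *, [::], ::) whose port is not on the allow-list;
# listeners bound only to loopback or a single LAN address are skipped.
# Usage on the server:
#   sudo ss -tulpn > /tmp/ss.txt
#   ./exposed_listeners.sh /tmp/ss.txt [custom SSH port #]

# exposed_listeners SS_OUTPUT_FILE ALLOWED_PORT...
# Prints "proto port process" per unexpected listener; returns 1 if any were found, else 0.
exposed_listeners() {
    file=$1; shift
    allowed=" $* "     # padded so " 22 " cannot match inside " 2222 "
    found=0
    while read -r netid state recvq sendq laddr peer proc; do
        case "$netid" in tcp|udp) ;; *) continue ;; esac      # skip the header line
        port=${laddr##*:}                                      # "0.0.0.0:7342" -> 7342
        addr=${laddr%:*}                                       # "0.0.0.0:7342" -> 0.0.0.0
        case "$addr" in 0.0.0.0|"*"|"[::]"|::) ;; *) continue ;; esac
        case "$allowed" in *" $port "*) continue ;; esac
        # process name from users:(("name",pid=N,fd=M)); "unknown" if ss showed none
        name=$(printf '%s' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        echo "$netid $port ${name:-unknown}"
        found=1
    done < "$file"
    return "$found"
}

# Run directly: first argument is the saved ss output, the rest are allowed ports.
if [ "$#" -ge 2 ]; then exposed_listeners "$@"; fi
```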