==== Debian 12 (Bookworm) Remote Admin Host on a Raspberry Pi 4 ====
The purpose of this setup is to provide a low-power remote administration and access device that can also be used for monitoring via Zabbix.
* Install Raspbian first and update the EEPROM to the latest version
* Download the xz-compressed image for Debian 12 from [[https://raspi.debian.net/tested-images/|https://raspi.debian.net/tested-images/]]
* Decompress and write the image to a microSD card
xzcat 20231109_raspi_4_bookworm.img.xz | dd of=/dev/sdX bs=64k oflag=dsync status=progress
* Boot and log in as root with no password, then set the root password; if you have no HDMI connection and need to set up headless, read on below...
passwd
== Headless Setup/Login ==
* Mount RASPIROOT on a Linux distro, open a terminal and navigate to its systemd folder. For me this is /run/media/username/RASPIROOT/lib/systemd/system
* Enable the SSH server by creating a symbolic link: ln -s ../ssh.service ./multi-user.target.wants/ssh.service
* Enable root login with SSH keys: vim .../RASPIROOT/etc/ssh/sshd_config
and uncomment or set PermitRootLogin prohibit-password
* Create a private/public key pair to allow root login to the Pi without a password (BTW, there is no root password, so SSH login without this isn't possible on first boot). When running ssh-keygen, give the key pair a name unique to the Pi you're configuring: ssh-keygen
Now go to your local SSH folder: cd ~/.ssh
and append the public key to the authorized_keys file of the Pi's root account: cat rpi_key_ed25519.pub >> .../RASPIROOT/root/.ssh/authorized_keys
* Boot the Pi with a network cable connected, then scan your network for the new IP. Once found, log in using the SSH key, for example: ssh -i ~/.ssh/rpi_key_ed25519 root@192.168.1.37
* Once logged in via SSH, change the root password: passwd
* Update and reboot
apt update && apt upgrade && reboot
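The offline headless preparation above (enable sshd, key-only root login, install the public key) as one script with a check you can run before unmounting the card. This is an added example, not part of the original page; it assumes the image root is mounted at the path given as the first argument and takes the public key file as the second.

```shell
#!/bin/sh
# Added example (not from the original page): offline headless prep of a mounted RASPIROOT.
# Assumptions: $1 is the mounted image root (e.g. /run/media/username/RASPIROOT),
# $2 is the public key to install (e.g. ~/.ssh/rpi_key_ed25519.pub).
set -eu

prep_raspiroot() {
    root="$1"
    pubkey="$2"
    sshd_cfg="$root/etc/ssh/sshd_config"

    # 1. Enable sshd at boot: the same symlink "systemctl enable ssh" would create.
    mkdir -p "$root/lib/systemd/system/multi-user.target.wants"
    ln -sfn ../ssh.service "$root/lib/systemd/system/multi-user.target.wants/ssh.service"

    # 2. Key-only root login. Debian ships the directive commented out
    #    (#PermitRootLogin prohibit-password); rewrite it whether or not it is
    #    commented, and append it if the file has no such line at all.
    if grep -Eq '^[#[:space:]]*PermitRootLogin' "$sshd_cfg"; then
        sed -i -E 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin prohibit-password/' "$sshd_cfg"
    else
        printf 'PermitRootLogin prohibit-password\n' >> "$sshd_cfg"
    fi

    # 3. Install the public key with the modes sshd's StrictModes expects;
    #    with looser modes the key is ignored and the first login fails.
    mkdir -p -m 700 "$root/root/.ssh"
    cat "$pubkey" >> "$root/root/.ssh/authorized_keys"
    chmod 600 "$root/root/.ssh/authorized_keys"
}

# Returns 0 only when all three changes are in place; run it before unmounting.
check_raspiroot() {
    root="$1"
    [ "$(readlink "$root/lib/systemd/system/multi-user.target.wants/ssh.service")" = ../ssh.service ] &&
    [ "$(grep -c '^PermitRootLogin ' "$root/etc/ssh/sshd_config")" -eq 1 ] &&
    grep -q '^PermitRootLogin prohibit-password$' "$root/etc/ssh/sshd_config" &&
    [ -s "$root/root/.ssh/authorized_keys" ] &&
    [ "$(stat -c %a "$root/root/.ssh/authorized_keys")" = 600 ]
}

# Usage: sh prep_raspiroot.sh /run/media/username/RASPIROOT ~/.ssh/rpi_key_ed25519.pub
if [ "$#" -eq 2 ]; then
    prep_raspiroot "$1" "$2"
    check_raspiroot "$1" && echo "RASPIROOT prepared; unmount it and boot the Pi"
fi
```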
==== Base Install & Initial Config ====
Install some utilities
apt install vim wget vlan sudo tmux locales
Set your hostname
vim /etc/hostname
Edit hosts
vim /etc/hosts
and add
127.0.1.1 yourHostName
Set your timezone
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
Set your locale
dpkg-reconfigure locales
Set swappiness (to reduce SD card writes)
vim /etc/sysctl.conf
Add
vm.swappiness=1
Set the /tmp folder to run in RAM (https://wiki.archlinux.org/title/tmpfs)
vim /etc/fstab
Add
tmpfs /tmp tmpfs mode=1777,nosuid,nodev,size=512M 0 0
== IP Address and VLAN ==
vim /etc/network/interfaces.d/eth0
On each interface you want to configure (change eth0 to wlan0 or another interface as needed), use one of the following:
DHCP with no VLAN is the default, so nothing needs to be added.
Static IP on VLAN 222:
auto eth0
iface eth0 inet manual

auto eth0.222
iface eth0.222 inet static
    address 10.10.10.1/24
    vlan-raw-device eth0
    gateway 10.10.10.254
    dns-nameservers 10.10.0.2
DHCP on VLAN 222:
auto eth0
iface eth0 inet manual

auto eth0.222
iface eth0.222 inet dhcp
    vlan-raw-device eth0
Restart the network (the last command only if VLAN 222 is used):
ifdown eth0 && ifup eth0 && ifup eth0.222
== Disable world-readable permissions when creating users ==
vim /etc/adduser.conf
Set
DIR_MODE=0700
== Create sudo user ==
adduser bobberson && adduser bobberson sudo && exit
Log in as the sudo user to continue
== Install GUI (if planning on using it via VNC) ==
sudo apt install firefox-esr xserver-xorg remmina tigervnc-viewer network-manager-openvpn network-manager-ssh network-manager-config-connectivity-debian network-manager-gnome gnome-keyring seahorse keepassx lightdm xfce4 xfce4-goodies synaptic
Append --no-install-recommends to that command if you want to keep the number of installed packages to a minimum.
Reboot
sudo reboot
==== Firewall ====
[[https://wiki.debian.org/nftables#Use_firewalld]] \\
Without a ruleset, all inbound traffic is permitted by default.
sudo systemctl enable nftables.service
sudo vim /etc/nftables.conf
Add the following firewall config:
flush ruleset
table inet firewall {
    chain inbound_ipv4 {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        # However, it also lets probes discover this host is alive.
        # This sample accepts them within a certain rate limit:
        #
        # icmp type echo-request limit rate 5/second accept
    }
    chain inbound_ipv6 {
        # accept neighbour discovery otherwise connectivity breaks
        #
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # accepting ping (icmpv6-echo-request) for diagnostic purposes.
        # However, it also lets probes discover this host is alive.
        # This sample accepts them within a certain rate limit:
        #
        # icmpv6 type echo-request limit rate 5/second accept
    }
    chain inbound {
        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Allow loopback traffic.
        iifname lo accept
        # Jump to chain according to layer 3 protocol using a verdict map
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
        # Allow SSH on TCP/22, Tang on TCP/7500 and the VNC server on TCP/5908
        # for IPv4 and IPv6.
        tcp dport { 22, 7500, 5908 } accept
        # Uncomment to enable logging of denied inbound traffic
        # log prefix "[nftables] Inbound Denied: " counter drop
    }
    chain forward {
        # Drop everything (assumes this device is not a router)
        type filter hook forward priority 0; policy drop;
    }
    # no need to define output chain, default policy is accept if undefined.
}
Reload and enable service
sudo systemctl restart nftables.service
Check the rules by
sudo nft list ruleset
==== Fail2ban ====
https://blog.cyberfront.org/index.php/2021/10/27/debian-fail2ban/ \\
https://github.com/fail2ban/fail2ban/discussions/3575
Install fail2ban
sudo apt install fail2ban && sudo systemctl enable fail2ban
Configure Jail
sudo vim /etc/fail2ban/jail.d/defaults-debian.conf
Set the following:
[DEFAULT]
banaction = nftables
banaction_allports = nftables-multiport
[sshd]
backend=systemd
enabled = true
Check status to make sure it's working (then afterward try to get yourself banned!)
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
==== Encryption of Home Dirs ====
Enable encryption of /home/user directories ([[https://wiki.archlinux.org/title/User:Lukeus_Maximus|https://wiki.archlinux.org/title/User:Lukeus_Maximus]])
Note: as long as the user is logged in, their encrypted data is mounted and any root user can access it (as with other filesystem encryption schemes).
Note: if there are any files (hidden or not) in the user's home dir, gocryptfs won't be able to mount there.
sudo apt-get install gocryptfs rsync lsof fuse libpam-mount
Create a folder for the user's encrypted data. When gocryptfs prompts for a password, use the same password the user logs in with so that automount will work.
sudo mkdir /home/bobberson.cipher
sudo chown bobberson:bobberson /home/bobberson.cipher
sudo gocryptfs -init /home/bobberson.cipher
sudo chmod 700 /home/bobberson.cipher
Record your master key and name it username@hostname.gocryptfs.masterkey
Temporarily allow root to login via SSH
sudo vim /etc/ssh/sshd_config
Add the line
PermitRootLogin yes
Restart sshd and logout
sudo systemctl restart sshd
exit
Login as root (or a different sudo user from the user you're encrypting the home dir for). The user whose homedir is being encrypted must be completely logged off the system. Check by running
w
As root and with bobberson completely logged out
mv /home/bobberson /home/bobberson.old
mkdir -m 700 /home/bobberson
chown bobberson:bobberson /home/bobberson
chown -R bobberson:bobberson /home/bobberson.cipher
Mount the encrypted archive and copy the data from the old home directory (be sure to use the trailing / on the source directory, otherwise it will copy the directory itself and not the contents)
gocryptfs /home/bobberson.cipher /home/bobberson
rsync -av /home/bobberson.old/ /home/bobberson
fusermount -u /home/bobberson
chown -R bobberson:bobberson
sudo chmod 700 /home/bobberson.cipher
Setup automount on login
vim /etc/fuse.conf
Uncomment
user_allow_other
Configure PAM
vim /etc/security/pam_mount.conf.xml
Add a new XML tag just before the end of the file (be sure to change the user to your username)
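As an added example of that volume entry (not text from the original page), assuming the user bobberson, gocryptfs installed at /usr/bin/gocryptfs, and the /home/USER.cipher to /home/USER layout used above; it goes before the closing </pam_mount> tag:

```xml
<!-- Added example, not from the original page. Assumes user bobberson,
     gocryptfs at /usr/bin/gocryptfs, and cipher dir /home/USER.cipher mounted on /home/USER.
     nodev,nosuid harden the mount; allow_other needs user_allow_other in /etc/fuse.conf (set above). -->
<volume user="bobberson" fstype="fuse"
        path="/usr/bin/gocryptfs#/home/%(USER).cipher"
        mountpoint="/home/%(USER)"
        options="nodev,nosuid,quiet,allow_other" />
```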
Create /etc/pam.d/homedirs as follows (though I need to double check the following creation of files; I don't know if they're necessary)
vim /etc/pam.d/homedirs
Add
#%PAM-1.0
auth optional pam_mount.so
password optional pam_mount.so
session required pam_mkhomedir.so
session optional pam_mount.so
vim /etc/pam.d/system-local-login
Add
#%PAM-1.0
auth include login
auth include homedirs
account include login
account include homedirs
password include login
password include homedirs
session include login
session include homedirs
Copy to /etc/pam.d/system-remote-login
cp /etc/pam.d/system-local-login /etc/pam.d/system-remote-login
Logout as root and login as your sudo user
Check your home dir; it should have all the files of the original directory. Make a test file and folder; they should show up with encrypted file and folder names in your cipher dir.
If everything looks good disable root access via ssh
sudo vim /etc/ssh/sshd_config
Set
PermitRootLogin no
Restart sshd
sudo systemctl restart sshd
Delete the bobberson.old folder
rm -rf /home/bobberson.old
==== VNC Server ====
https://wiki.archlinux.org/title/TigerVNC \\
We will need to modify some default paths since we are encrypting the home directory; pay attention to the addition of .cipher to the paths.
== Install Packages ==
sudo apt install tigervnc-standalone-server dbus-x11
sudo cp /usr/lib/systemd/system/tigervncserver@.service /etc/systemd/system/tigervncserver@.service
Edit path for default VNC folder
Note: this change is needed because your home dir is encrypted and the systemd service can't read it until you log in, so the .vnc folder needs to live in your .cipher folder, unencrypted, for the service to start. Otherwise you'll need to log in via SSH, restart the service, and stay logged in over SSH while VNC is in use.
sudo vim /etc/tigervnc/vncserver-config-defaults
Uncomment and set the VNC user dir as follows
$vncUserDir = "$ENV{HOME}.cipher/.vnc";
Add user to user config
sudo vim /etc/tigervnc/vncserver.users
Add
:8=bobberson
Start the VNC server once to set the password; don't set a read-only password
vncserver
Set the default config for your user
vim /home/bobberson.cipher/.vnc/config
Add
session=xfce
geometry=1600x900
localhost
alwaysshared
Reload, enable and restart service
sudo systemctl daemon-reload
sudo systemctl enable tigervncserver@:8
sudo systemctl restart tigervncserver@:8
https://unix.stackexchange.com/questions/43398/is-it-possible-to-keep-a-vnc-server-alive-after-log-out \\
If you want to be able to log out of xfce via VNC and have the tigervncserver restart automatically do this:
sudo systemctl edit tigervncserver@:8
Add
[Service]
Restart=on-success
RestartSec=10
and...
sudo systemctl daemon-reload
sudo systemctl enable tigervncserver@:8
sudo systemctl restart tigervncserver@:8
On a remote computer on the same subnet, forward local port 5908 to the server over SSH: open a console and type
ssh -L 5908:127.0.0.1:5908 -C -N -l bobberson vnc.server.ip.address
Then open your VNC viewer and connect to localhost:5908, or in a console type
vncviewer localhost:5908
==== Mosh ====
Because it's the pits using SSH over a high latency connection...
Install
sudo apt install mosh
Add firewall ports (since this is a small server for a select few we are only going to open 5 ports)
sudo vim /etc/firewall/enable.sh
Add
iptables -A INPUT -p udp --dport 60000:60005 -m state --state NEW -j ACCEPT
Restart firewall
sudo systemctl restart firewall
To connect just use mosh instead of ssh
mosh remoteuser@remotecomputer
==== Tang ====
https://semanticlab.net/sysadmin/encryption/Network-bound-disk-encryption-in-ubuntu-20.04/ \\
Use this if you're using NBDE for any of your RHEL/CentOS/Rocky installs.
Install packages
sudo apt install tang jose
Edit default port Tang listens on
sudo systemctl edit tangd.socket
Add the following for port 7500
[Unit]
Description=Tang Server socket
[Socket]
ListenStream=7500
Accept=true
[Install]
WantedBy=sockets.target
Edit your firewall and add port 7500 if you haven't already
Enable and start the service
sudo systemctl daemon-reload
sudo systemctl enable tangd.socket
sudo systemctl start tangd.socket
==== Zabbix ====
https://www.zabbix.com/documentation/5.0/manual/installation/install \\
Go to https://www.zabbix.com/download_sources#50LTS -> choose 5.0 LTS -> copy link and
wget https://cdn.zabbix.com/zabbix/sources/stable/5.0/zabbix-5.0.14.tar.gz
tar xvfz zabbix-5.0.14.tar.gz
Create user and group
sudo addgroup --system --quiet zabbix
sudo adduser --quiet --system --disabled-login --ingroup zabbix --home /var/lib/zabbix --no-create-home zabbix
Install required packages for source
sudo apt install libmariadb-dev libxml2-dev libsnmp-dev libevent-dev libopenipmi-dev libcurl4-nss-dev libpcre++-dev gcc make
Configure
cd zabbix-5.0.14
./configure --enable-server --enable-agent --with-mysql --enable-ipv6 --with-net-snmp --with-libcurl --with-libxml2 --with-openipmi
sudo make install
Install required packages for runtime
sudo apt install apache2 php7.4-common php7.4-xml php7.4-mysql mariadb-server php-php-gettext php-gd php-bcmath php-xml php-mbstring php-ldap libapache2-mod-php
Edit php.ini
sudo vim /etc/php/7.4/apache2/php.ini
I needed to set the following
post_max_size = 16M
max_execution_time = 300
max_input_time = 300
date.timezone = America/Los_Angeles
Enable and start services
sudo systemctl enable mariadb && sudo systemctl restart mariadb
sudo systemctl enable apache2 && sudo systemctl restart apache2
Secure mysql
sudo mysql_secure_installation
Create database
sudo mysql -uroot -p
create database zabbix character set utf8 collate utf8_bin;
create user zabbix@localhost identified by 'password';
grant all privileges on zabbix.* to zabbix@localhost;
quit;
Import mysql schema
cd database/mysql
sudo mysql -uzabbix -p zabbix < schema.sql
sudo mysql -uzabbix -p zabbix < images.sql
sudo mysql -uzabbix -p zabbix < data.sql
Add password to zabbix_server.conf
sudo vim /usr/local/etc/zabbix_server.conf
Set your database password
DBpassword=yourpassword
Copy init.d scripts
sudo cp misc/init.d/debian/* /etc/init.d
sudo reboot
Add firewall port for active checks (tcp 10051)
sudo vim /etc/firewall/enable.sh
Add
#TCP port for Zabbix active checks
iptables -A INPUT -p tcp --dport 10051 -m state --state NEW -j ACCEPT
Restart firewall
sudo systemctl restart firewall
== Setup Web Server ==
sudo mkdir /var/www/html/zabbix
cd ui
sudo cp -a . /var/www/html/zabbix
Launch Firefox and go to http://localhost/zabbix to start the setup. After you create the PHP file it has you download, delete the .example file in the same dir. Even though you can't go past Finish, reloading http://localhost/zabbix should take you to the login; the username is Admin and the password is zabbix (note: user and pass are both case sensitive). Note: use the IP of your computer for the server hostname, otherwise services might not work.
==== AppArmor ====
https://wiki.debian.org/AppArmor/HowToUse \\
Because you want to try to do your best, or at least the best you can do with the tools and time available to you; SELinux doesn't appear to be in this kernel... or I didn't give it enough effort.
Install utils
sudo apt install apparmor-utils apparmor-profiles apparmor-profiles-extra