==== Debian 11 (Bullseye) Remote Admin Host on a Raspberry Pi 4 ====

The purpose of this setup is to provide a low-power remote administration and access device which can also be used for monitoring via Zabbix.

  * Install Raspbian first and update the EEPROM to the latest version
  * Download the xz-compressed image for Debian 11 from [[https://raspi.debian.net/tested-images/|https://raspi.debian.net/tested-images/]]
  * Decompress and write the image to a microSD card (replace ''/dev/sdX'' with your card): ''xzcat 20210718_raspi_4_bullseye.img.xz | dd of=/dev/sdX bs=64k oflag=dsync status=progress''
  * Boot and log in as root with no password, then set the root password: ''passwd''
  * Update and reboot: ''apt update && apt upgrade && reboot''

==== Base Install & Initial Config ====

Install some basic utilities (XFCE and the rest of the GUI are installed later)
<code bash>
apt install vim wget vlan sudo tmux locales
</code>
Set your hostname
<code bash>
vim /etc/hostname
</code>
Edit hosts
<code bash>
vim /etc/hosts
</code>
and add
<code>
127.0.1.1 yourHostName
</code>
Set your timezone
<code bash>
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
</code>
Set your locale
<code bash>
dpkg-reconfigure locales
</code>
Set swappiness (to reduce SD card writes)
<code bash>
vim /etc/sysctl.conf
</code>
Add
<code>
vm.swappiness=1
</code>
Set the /tmp folder to run in RAM (https://wiki.archlinux.org/title/tmpfs)
<code bash>
sudo vim /etc/fstab
</code>
Add
<code>
tmpfs /tmp tmpfs mode=1777,nosuid,nodev,size=512M 0 0
</code>

== IP Address and VLAN ==
<code bash>
vim /etc/network/interfaces.d/eth0
</code>
On each interface that you want to configure (change eth0 to wlan0 or another interface), use one of the following.

DHCP with no VLAN is the default, so nothing needs to be added.

Static IP on VLAN 222
<code>
auto eth0
iface eth0 inet manual

auto eth0.222
iface eth0.222 inet static
    address 10.10.10.1/24
    vlan-raw-device eth0
    gateway 10.10.10.254
    dns-nameservers 10.10.0.2
</code>
DHCP on VLAN 222
<code>
auto eth0
iface eth0 inet manual

auto eth0.222
iface eth0.222 inet dhcp
    vlan-raw-device eth0
</code>
Restart the network (the last command only if VLAN 222 is used)
<code bash>
ifdown eth0 && ifup eth0 && ifup eth0.222
</code>

== Disable world-readable permissions when creating users ==
<code bash>
vim /etc/adduser.conf
</code>
Set
<code>
DIR_MODE=0750
</code>

== Create sudo user ==
<code bash>
adduser bobberson && adduser bobberson sudo && exit
</code>
Log in as the sudo user to continue.

== Install GUI ==
<code bash>
sudo apt install firefox-esr xserver-xorg remmina tigervnc-viewer network-manager-openvpn network-manager-ssh network-manager-config-connectivity-debian network-manager-gnome gnome-keyring seahorse keepassx lightdm xfce4 xfce4-goodies synaptic
</code>
Append ''--no-install-recommends'' if you want to keep the number of installed packages to a minimum.

Reboot
<code bash>
sudo reboot
</code>

==== Firewall ====
[[https://wiki.debian.org/DebianFirewall|https://wiki.debian.org/DebianFirewall]]

Without this, all traffic is permitted by default. Create a systemd service that loads the rules at boot
<code bash>
sudo vim /etc/systemd/system/firewall.service
</code>
Add the following
<code>
[Unit]
Description=Add Firewall Rules to iptables

[Service]
Type=oneshot
ExecStart=/etc/firewall/enable.sh
#ExecStart=/etc/firewall/enable6.sh #For IPV6

[Install]
WantedBy=multi-user.target
</code>
Create the firewall rules file
<code bash>
sudo mkdir /etc/firewall
sudo vim /etc/firewall/enable.sh
</code>
Add the following
<code bash>
#!/bin/sh
# A very basic IPtables / Netfilter script /etc/firewall/enable.sh

PATH='/sbin'

# Flush the tables to apply changes
iptables -F

# Default policy to drop 'everything' but our output to internet
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Allow established connections (the responses to our outgoing traffic)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local programs that use loopback (Unix sockets)
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

# Allow incoming SSH/SCP connections to this machine. To limit where they may
# come from, add -s 10.20.0.2 (or a network definition such as -s 10.20.0.0/22)
# to this rule.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
</code>
Reload and enable the service
<code bash>
sudo chmod 700 /etc/firewall/enable.sh
sudo systemctl daemon-reload
sudo systemctl enable firewall
sudo systemctl restart firewall
</code>
Check the rules with
<code bash>
sudo iptables -L
</code>

==== Fail2ban ====
Install fail2ban
<code bash>
sudo apt install fail2ban && sudo systemctl enable fail2ban && sudo systemctl restart fail2ban
</code>

==== Encryption of Home Dirs ====
Enable encryption of /home/user directories ([[https://wiki.archlinux.org/title/User:Lukeus_Maximus|https://wiki.archlinux.org/title/User:Lukeus_Maximus]]).

Note: as long as the user is logged in, their encrypted data is mounted and any root user can gain access to it (similar to other filesystem encryption schemes).

Note: if there are any files (hidden or not) in the user's home dir, gocryptfs won't be able to mount there.
<code bash>
sudo apt-get install gocryptfs rsync lsof fuse libpam-mount
</code>
Create a folder for the user's encrypted data. When prompted for a password by gocryptfs, use the same password that the user uses to log in so automount will work.
<code bash>
sudo mkdir /home/bobberson.cipher
sudo chown bobberson:bobberson /home/bobberson.cipher
sudo gocryptfs -init /home/bobberson.cipher
sudo chmod 700 /home/bobberson.cipher
</code>
Record your master key and name it ''username@hostname.gocryptfs.masterkey''.

Temporarily allow root to log in via SSH
<code bash>
sudo vim /etc/ssh/sshd_config
</code>
Add the line
<code>
PermitRootLogin yes
</code>
Restart sshd and log out
<code bash>
sudo systemctl restart sshd
exit
</code>
Log in as root (or as a different sudo user from the one whose home dir you're encrypting). The user whose home dir is being encrypted must be completely logged off the system.
Check by running
<code bash>
w
</code>
As root, and with bobberson completely logged out
<code bash>
mv /home/bobberson /home/bobberson.old
mkdir -m 700 /home/bobberson
chown bobberson:bobberson /home/bobberson
chown -R bobberson:bobberson /home/bobberson.cipher
</code>
Mount the encrypted archive and copy the data from the old home directory (be sure to use the trailing / on the source directory, otherwise rsync will copy the directory itself and not its contents)
<code bash>
gocryptfs /home/bobberson.cipher /home/bobberson
rsync -av /home/bobberson.old/ /home/bobberson
fusermount -u /home/bobberson
chown -R bobberson:bobberson /home/bobberson.cipher
chmod 700 /home/bobberson.cipher
</code>
Set up automount on login
<code bash>
vim /etc/fuse.conf
</code>
Uncomment
<code>
user_allow_other
</code>
Configure PAM
<code bash>
vim /etc/security/pam_mount.conf.xml
</code>
Add a new XML tag for your user just before the end of the file (be sure to change the user to your username).

Create /etc/pam.d/homedirs with the following (though I need to double check the following creation of files, I don't know if they're necessary)
<code bash>
vim /etc/pam.d/homedirs
</code>
Add
<code>
#%PAM-1.0
auth     optional pam_mount.so
password optional pam_mount.so
session  required pam_mkhomedir.so
session  optional pam_mount.so
</code>
<code bash>
vim /etc/pam.d/system-local-login
</code>
Add
<code>
#%PAM-1.0
auth     include login
auth     include homedirs
account  include login
account  include homedirs
password include login
password include homedirs
session  include login
session  include homedirs
</code>
Copy to /etc/pam.d/system-remote-login
<code bash>
cp /etc/pam.d/system-local-login /etc/pam.d/system-remote-login
</code>
Log out as root and log in as your sudo user. Check your home dir; it should have all the files of the original directory. Make a test file and folder; they should show up as encrypted file and folder names in your cipher dir.
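The migration steps above as a script, added here as an example (not from the page or the gocryptfs project): it refuses to run unless the user is fully logged out, the cipher dir is initialised and the new home is empty, which are the three failure modes the notes above call out. The user name and the /home/USER and /home/USER.cipher layout follow the page and are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: the home-dir migration above as a
# script, with the preconditions the page calls out checked before anything
# is moved. Layout follows the page: /home/USER is the plaintext mount point,
# /home/USER.cipher holds the gocryptfs data. Run as root: migrate_home bobberson

# dir_is_empty DIR: true only if DIR exists and holds nothing, hidden files
# included (gocryptfs will not mount onto a non-empty directory).
dir_is_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# migration_preflight USER: every precondition for migrate_home in one place.
migration_preflight() {
    user=$1
    if pgrep -u "$user" >/dev/null 2>&1; then
        echo "refusing: $user still has processes running (check with w)" >&2
        return 1
    fi
    if [ ! -f "/home/$user.cipher/gocryptfs.conf" ]; then
        echo "refusing: /home/$user.cipher is not an initialised gocryptfs dir" >&2
        return 1
    fi
    if [ ! -d "/home/$user" ]; then
        echo "refusing: /home/$user does not exist" >&2
        return 1
    fi
}

# migrate_home USER: move the old home aside, mount the cipher dir on a fresh
# home, copy the old contents in (note the trailing slash) and unmount again.
migrate_home() {
    user=$1
    migration_preflight "$user" || return 1
    mv "/home/$user" "/home/$user.old" || return 1
    mkdir -m 700 "/home/$user" || return 1
    chown "$user:$user" "/home/$user" || return 1
    dir_is_empty "/home/$user" || return 1
    gocryptfs "/home/$user.cipher" "/home/$user" || return 1
    rsync -av "/home/$user.old/" "/home/$user"
    status=$?
    fusermount -u "/home/$user"
    [ "$status" -eq 0 ] || return 1
    # Data written through the mount as root is root-owned in the cipher dir.
    chown -R "$user:$user" "/home/$user.cipher" || return 1
    chmod 700 "/home/$user.cipher"
}
```

The old home is kept as /home/USER.old so you can compare before deleting it in the next step.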
If everything looks good, disable root access via SSH
<code bash>
sudo vim /etc/ssh/sshd_config
</code>
Set
<code>
PermitRootLogin no
</code>
Restart sshd
<code bash>
sudo systemctl restart sshd
</code>
Delete the bobberson.old folder
<code bash>
rm -rf /home/bobberson.old
</code>

==== VNC Server ====
https://wiki.archlinux.org/title/TigerVNC

We will need to modify some default paths since we are encrypting the home directory; pay attention to the addition of .cipher to environment paths.

== Install Packages ==
<code bash>
sudo apt install tigervnc-standalone-server dbus-x11
sudo cp /usr/lib/systemd/system/tigervncserver@.service /etc/systemd/system/tigervncserver@.service
</code>
Edit the path for the default VNC folder.

Note: this change is needed since your home dir is encrypted and the systemd service won't be able to read it until you log in, so the .vnc directory will need to live unencrypted in your .cipher folder for the service to start. Otherwise you'll need to log in via SSH, restart the service and stay logged into SSH while VNC is being used.
<code bash>
sudo vim /etc/tigervnc/vncserver-config-defaults
</code>
Uncomment and set the VNC user dir as follows
<code>
$vncUserDir = "$ENV{HOME}.cipher/.vnc";
</code>
Add the user to the user config
<code bash>
sudo vim /etc/tigervnc/vncserver.users
</code>
Add
<code>
:8=bobberson
</code>
Start the VNC server once to set the password (don't use a read-only password)
<code bash>
vncserver
</code>
Set the default config for your user
<code bash>
vim /home/bobberson.cipher/.vnc/config
</code>
Add
<code>
session=xfce
geometry=1600x900
localhost
alwaysshared
</code>
Reload, enable and restart the service
<code bash>
sudo systemctl daemon-reload
sudo systemctl enable tigervncserver@:8
sudo systemctl restart tigervncserver@:8
</code>
https://unix.stackexchange.com/questions/43398/is-it-possible-to-keep-a-vnc-server-alive-after-log-out

If you want to be able to log out of XFCE via VNC and have tigervncserver restart automatically, do this:
<code bash>
sudo systemctl edit tigervncserver@:8
</code>
Add
<code>
[Service]
Restart=on-success
RestartSec=10
</code>
and...
<code bash>
sudo systemctl daemon-reload
sudo systemctl enable tigervncserver@:8
sudo systemctl restart tigervncserver@:8
</code>
On a remote computer on the same subnet, forward local port 5908 to the server over SSH: open a console and type
<code bash>
ssh -L 5908:127.0.0.1:5908 -C -N -l bobberson vnc.server.ip.address
</code>
Open your VNC viewer and use localhost:5908, or in a console type
<code bash>
vncviewer localhost:5908
</code>

==== Mosh ====
Because it's the pits using SSH over a high latency connection...

Install
<code bash>
sudo apt install mosh
</code>
Add firewall ports (since this is a small server for a select few, we are only going to open 5 ports)
<code bash>
sudo vim /etc/firewall/enable.sh
</code>
Add
<code bash>
iptables -A INPUT -p udp --dport 60000:60005 -m state --state NEW -j ACCEPT
</code>
Restart firewall
<code bash>
sudo systemctl restart firewall
</code>
To connect, just use mosh instead of ssh
<code bash>
mosh remoteuser@remotecomputer
</code>

==== Tang ====
https://semanticlab.net/sysadmin/encryption/Network-bound-disk-encryption-in-ubuntu-20.04/

Use this if you're using NBDE for any of your RHEL/CentOS/Rocky installs.

Install packages
<code bash>
sudo apt install tang jose
</code>
Edit the default port Tang listens on
<code bash>
sudo systemctl edit tangd.socket
</code>
Add the following for port 7500
<code>
[Socket]
ListenStream=
ListenStream=7500
</code>
Edit your firewall and add port 7500
<code bash>
sudo vim /etc/firewall/enable.sh
</code>
Add
<code bash>
#TCP port for Tang server
iptables -A INPUT -p tcp --dport 7500 -m state --state NEW -j ACCEPT
</code>
Enable and start the service
<code bash>
sudo systemctl daemon-reload
sudo systemctl restart firewall
sudo systemctl enable tangd.socket
sudo systemctl start tangd.socket
</code>

==== Zabbix ====
https://www.zabbix.com/documentation/5.0/manual/installation/install

Go to https://www.zabbix.com/download_sources#50LTS -> choose 5.0 LTS -> copy the link, wget it and unpack it
<code bash>
wget https://cdn.zabbix.com/zabbix/sources/stable/5.0/zabbix-5.0.14.tar.gz
tar xvfz zabbix-5.0.14.tar.gz
</code>
Create user and group
<code bash>
sudo addgroup --system --quiet zabbix
sudo adduser --quiet --system --disabled-login --ingroup zabbix --home /var/lib/zabbix --no-create-home zabbix
</code>
Install required packages for building from source
<code bash>
sudo apt install libmariadb-dev libxml2-dev libsnmp-dev libevent-dev libopenipmi-dev libcurl4-nss-dev libpcre++-dev gcc make
</code>
Configure and install
<code bash>
cd zabbix-5.0.14
./configure --enable-server --enable-agent --with-mysql --enable-ipv6 --with-net-snmp --with-libcurl --with-libxml2 --with-openipmi
sudo make install
</code>
Install required packages for runtime
<code bash>
sudo apt install apache2 php7.4-common php7.4-xml php7.4-mysql mariadb-server php-php-gettext php-gd php-bcmath php-xml php-mbstring php-ldap libapache2-mod-php
</code>
Edit php.ini
<code bash>
sudo vim /etc/php/7.4/apache2/php.ini
</code>
I needed to set the following
<code>
post_max_size = 16M
max_execution_time = 300
max_input_time = 300
date.timezone = America/Los_Angeles
</code>
Enable and start services
<code bash>
sudo systemctl enable mariadb && sudo systemctl restart mariadb
sudo systemctl enable apache2 && sudo systemctl restart apache2
</code>
Secure mysql
<code bash>
sudo mysql_secure_installation
</code>
Create the database
<code bash>
sudo mysql -uroot -p
</code>
<code sql>
create database zabbix character set utf8 collate utf8_bin;
create user zabbix@localhost identified by 'password';
grant all privileges on zabbix.* to zabbix@localhost;
quit;
</code>
Import the mysql schema (from the top of the zabbix source tree)
<code bash>
cd database/mysql
sudo mysql -uzabbix -p zabbix < schema.sql
sudo mysql -uzabbix -p zabbix < images.sql
sudo mysql -uzabbix -p zabbix < data.sql
</code>
Add the password to zabbix_server.conf
<code bash>
sudo vim /usr/local/etc/zabbix_server.conf
</code>
Set your database password
<code>
DBPassword=yourpassword
</code>
Copy the init.d scripts (from the top of the zabbix source tree)
<code bash>
sudo cp misc/init.d/debian/* /etc/init.d
sudo reboot
</code>
Add the firewall port for active checks (tcp 10051)
<code bash>
sudo vim /etc/firewall/enable.sh
</code>
Add
<code bash>
#TCP port for Zabbix active checks
iptables -A INPUT -p tcp --dport 10051 -m state --state NEW -j ACCEPT
</code>
Restart firewall
<code bash>
sudo systemctl restart firewall
</code>

== Setup Web Server ==
From the top of the zabbix source tree
<code bash>
sudo mkdir /var/www/html/zabbix
cd ui
sudo cp -a . /var/www/html/zabbix
</code>
Launch firefox and go to http://localhost/zabbix to start the setup. After you create the php file it has you download, delete the .example file in the same dir.
Even though you can't go past Finish, reloading http://localhost/zabbix should take you to the login; the username is Admin and the password is zabbix (note: user and pass are both case sensitive).

Note: use the IP of your computer for the server hostname, otherwise services might not work.

==== App Armor ====
https://wiki.debian.org/AppArmor/HowToUse

Because you want to try to do your best, or at least the best you can do with the tools and time available to you; SELinux doesn't appear to be in this kernel... or I didn't give it enough effort.

Install utils
<code bash>
sudo apt install apparmor-utils apparmor-profiles apparmor-profiles-extra
</code>
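The Firewall, Mosh, Tang and Zabbix sections above each append a rule to /etc/firewall/enable.sh by hand. As an added example (not from this page), the following script keeps one allow-list and renders the whole enable.sh from it, so the set of open ports can be reviewed in one place before it is installed; the 10.20.0.0/22 source on SSH is an assumption taken from the comment in the page's firewall script.

```shell
#!/bin/sh
# Added example, not from the wiki page: render the complete
# /etc/firewall/enable.sh from one allow-list instead of appending rules by
# hand in each section. Usage: fw_render > enable.sh, review it, then install
# it as root in place of the hand-edited file.

# Constructed allow-list, one entry per line: "proto port-or-range [source]".
# The 10.20.0.0/22 source on SSH is an assumption taken from the comment in the
# page's firewall script; the other entries are the ports the page opens.
FW_ALLOW='tcp 22 10.20.0.0/22
udp 60000:60005
tcp 7500
tcp 10051'

# fw_rule PROTO PORT [SRC]: one INPUT rule; the source restriction is optional.
fw_rule() {
    if [ -n "$3" ]; then
        printf 'iptables -A INPUT -p %s --dport %s -s %s -m state --state NEW -j ACCEPT\n' "$1" "$2" "$3"
    else
        printf 'iptables -A INPUT -p %s --dport %s -m state --state NEW -j ACCEPT\n' "$1" "$2"
    fi
}

# fw_render: the fixed preamble from the page's script, then one rule per
# allow-list entry. Default policy is DROP, so only listed ports are reachable.
fw_render() {
    cat <<'EOF'
#!/bin/sh
PATH='/sbin'
iptables -F
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
EOF
    printf '%s\n' "$FW_ALLOW" | while read -r proto port src; do
        if [ -n "$proto" ]; then
            fw_rule "$proto" "$port" "$src"
        fi
    done
}

# fw_count_open: how many ports/ranges the rendered script opens for new
# connections; a quick number to compare against what you expected.
fw_count_open() {
    fw_render | grep -c -- '--state NEW'
}
```

Compare the rendered output against ''sudo iptables -L'' after a restart of the firewall service to confirm the loaded rules match the list.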