The purpose of this setup is to provide a low power remote administration and access device which can also be used for monitoring via Zabbix.
xzcat 20231109_raspi_4_bookworm.img.xz | dd of=/dev/sdX bs=64k oflag=dsync status=progress
passwd
/run/media/username/RASPIROOT/lib/systemd/system
ln -s ../ssh.service ./multi-user.target.wants/ssh.service
vim .../RASPIROOT/etc/ssh/sshd_config
and uncomment or set
PermitRootLogin prohibit-password
ssh-keygen
Now go to your local SSH folder
cd ~./ssh
and append the public key to the authorized_keys file of the root account for the Pi
cat rpi_key_ed25519.pub >> .../RASPIROOT/root/.ssh/authorized_keys
ssh -i ~/.ssh/rpi_key_ed25519 root@192.168.1.37
passwd
apt update && apt upgrade && reboot
Install some utilities
apt install vim wget vlan sudo tmux locales
Set your hostname
vim /etc/hostname
Edit hosts
vim /etc/hosts
and add
127.0.1.1 yourHostName
Set your timezone
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
Set your locale
dpkg-reconfigure locales
Set swappiness (to reduce SD card writes)
vim /etc/sysctl.conf
Add
vm.swappiness=1
Set the /tmp folder to run in RAM (https://wiki.archlinux.org/title/tmpfs)
vim /etc/fstab
Add
tmpfs /tmp tmpfs mode=1777,nosuid,nodev,size=512M 0 0
vim /etc/network/interfaces.d/eth0
On each interface (change from eth0 to wlan0 or other) that you want to configure do one of the following
DHCP no VLAN is default so do nothing
Static IP on VLAN 222
auto eth0
iface eth0 inet manual
auto eth0.222
iface eth0.222 inet static
address 10.10.10.1/24
vlan-raw-device eth0
gateway 10.10.10.254
dns-nameservers 10.10.0.2
DHCP on VLAN 222
auto eth0
iface eth0 inet manual
auto eth0.222
iface eth0.222 inet dhcp
vlan-raw-device eth0
Restart network
ifdown eth0 && ifup eth0 && ifup eth0.222 (if vlan 222 is used)
vim /etc/adduser.conf
Set
DIR_MODE=0700
adduser bobberson && adduser bobberson sudo && exit
Login as sudo user to continue
sudo apt install firefox-esr xserver-xorg remmina tigervnc-viewer network-manager-openvpn network-manager-ssh network-manager-config-connectivity-debian network-manager-gnome gnome-keyring seahorse keepassx lightdm xfce4 xfce4-goodies synaptic (add this if you want to keep the # of packages install to a minimum) --no-install-recommends
Reboot
sudo reboot
https://wiki.debian.org/nftables#Use_firewalld
All traffic is permitted by default otherwise
sudo systemctl enable nftables.service sudo vim /etc/nftables.conf
Add the following firewall config:
flush ruleset
table inet firewall {
chain inbound_ipv4 {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept
}
chain inbound_ipv6 {
# accept neighbour discovery otherwise connectivity breaks
#
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmpv6 type echo-request limit rate 5/second accept
}
chain inbound {
# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow loopback traffic.
iifname lo accept
# Jump to chain according to layer 3 protocol using a verdict map
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
# Allow SSH on port TCP/22 and allow TANG TCP/7500 and VNC Server TCP/5908
# for IPv4 and IPv6.
tcp dport { 22,7500, 5908} accept
# Uncomment to enable logging of denied inbound traffic
# log prefix "[nftables] Inbound Denied: " counter drop
}
chain forward {
# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;
}
# no need to define output chain, default policy is accept if undefined.
}
Reload and enable service
sudo systemctl restart nftables.service
Check the rules by
sudo nft list ruleset
https://blog.cyberfront.org/index.php/2021/10/27/debian-fail2ban/
https://github.com/fail2ban/fail2ban/discussions/3575
Install fail2ban
sudo apt install fail2ban && sudo systemctl enable fail2ban
Configure Jail
sudo vim /etc/fail2ban/jail.d/defaults-debian.conf
Set the following:
[DEFAULT] banaction = nftables banaction_allports = nftables-multiport [sshd] backend=systemd enabled = true
Check status to make sure it's working (then afterward try to get yourself banned!)
sudo systemctl restart fail2ban sudo fail2ban-client status sshd
Enable encryption of /home/user directories (https://wiki.archlinux.org/title/User:Lukeus_Maximus)
Note: as long as the user is logged this means their encrypted data will be mounted and that any root user can gain access (similar to other filesystem encryption schemes).
Note: if there are any files (hidden or not) in the users home dir, gocryptfs won't be able to mount there.
sudo apt-get install gocryptfs rsync lsof fuse libpam-mount
Create a folder for the users encrypted data, when prompted for a password from gocryptfs use the same password that the user uses to login so automount will work
sudo mkdir /home/bobberson.cipher sudo chown bobberson:bobberson /home/bobberson.cipher sudo gocryptfs -init /home/bobberon.cipher sudo chmod 700 /home/bobberson.cipher
Record your master key and name it username@hostname.gocryptfs.masterkey
Temporarily allow root to login via SSH
sudo vim /etc/ssh/sshd_config
Add the line
PermitRootLogin yes
Restart sshd and logout
sudo systemctl restart sshd exit
Login as root (or a different sudo user from the user you're encrypting the home dir for). The user whose homedir is being encrypted must be completely logged off the system. Check by running
w
As root and with bobberson completely logged out
mv /home/bobberson /home/bobberson.old mkdir -m 700 /home/bobberson chown bobberson:bobberson /home/bobberson chown -R bobberson:bobberson /home/bobberson.cipher
Mount the encrypted archive and copy the data from the old home directory (be sure to use the trailing / on the source directory, otherwise it will copy the directory itself and not the contents)
gocryptfs /home/bobberson.cipher /home/bobberson rsync -av /home/bobberson.old/ /home/bobberson fusermount -u /home/bobberson chown -R bobberson:bobberson sudo chmod 700 /home/bobberson.cipher
Setup automount on login
vim /etc/fuse.conf
Uncomment
user_allow_other
Configure PAM
vim /etc/security/pam_mount.conf.xml
Add a new XML tag just before </pam_mount> (it's at the end, and be sure to change the user to your username)
<volume user="bobberson" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other" path="/usr/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
Create /etc/pam.d/homedirs to: (though I need to double check the following creation of files, I don't know of they're necessary)
vim /etc/pam.d/homedirs
Add
#%PAM-1.0 auth optional pam_mount.so password optional pam_mount.so session required pam_mkhomedir.so session optional pam_mount.so
vim /etc/pam.d/system-local-login
Add
#%PAM-1.0 auth include login auth include homedirs account include login account include homedirs password include login password include homedirs session include login session include homedirs
Copy to /etc/pam.d/system-remote-login
cp /etc/pam.d/system-local-login /etc/pam.d/system-remote-login
Logout as root and login as your sudo user
Check your home dir, it should have all the files of the original temp dir. Make test file and folder, it should show up as encrypted file names/folders in your ciper dir.
If everything looks good disable root access via ssh
sudo vim /etc/ssh/sshd_config
Set
PermitRootLogin no
Restart sshd
sudo systemctl restart sshd
Delete the bobberson.old folder
rm -rf /home/bobberson.old
https://wiki.archlinux.org/title/TigerVNC
We will need to modify some default paths since we are encrypting the home directory, pay attention to the addition of .ciper to environment paths.
sudo apt install tigervnc-standalone-server dbus-x11 sudo cp /usr/lib/systemd/system/tigervncserver@.service /etc/systemd/system/tigervncserver@.service
Edit path for default VNC folder
Note: this change is needed since your home dir is encrypted and the systemd service won't be able to read it until you login, so the .vnc server will need to be in your .ciper folder unencrypted for the service to start. Or you'll need to login via ssh, restart the service and stay logged into ssh while vnc is being used.
sudo vim /etc/tigervnc/vncserver-config-defaults
Uncomment and set the VNC user dir as follows
Default: $vncUserDir = "$ENV{HOME}.cipher/.vnc";
Add user to user config
sudo vim /etc/tigervnc/vncserver.users
Add
:8=bobberson
Start VNC server to set password, don't use read-only password
vncserver
Set the default config for your user
vim /home/bobberson.cipher/.vnc/config
Add
session=xfce geometry=1600x900 localhost alwaysshared
Reload, enable and restart service
sudo systemctl daemon-reload sudo systemctl enable tigervncserver@:8 sudo systemctl restart tigervncserver@:8
https://unix.stackexchange.com/questions/43398/is-it-possible-to-keep-a-vnc-server-alive-after-log-out
If you want to be able to log out of xfce via VNC and have the tigervncserver restart automatically do this:
sudo systemctl edit tigervncserver@:8
Add
[Service] Restart=on-success RestartSec=10
and…
sudo systemctl daemon-reload sudo systemctl enable tigervncserver@:8 sudo systemctl restart tigervncserver@:8
On a remote computer on the same subnet listen for port 5908 over ssh, open a console and type
ssh -L 5908:127.0.0.1:5908 -C -N -l bobberson vnc.server.ip.address
Open open your VNC viewer and use localhost:5908 or in a console type
vncviewer localhost:5908
Because it's the pits using SSH over a high latency connection…
Install
sudo apt install mosh
Add firewall ports (since this is a small server for a select few we are only going to open 5 ports)
sudo vim /etc/firewall/enable.sh
Add
iptables -A INPUT -p udp --dport 60000:60005 -m state --state NEW -j ACCEPT
Restart firewall
sudo systemctl restart firewall
To connect just use mosh instead of ssh
mosh remoteuser@remotecomputer
https://semanticlab.net/sysadmin/encryption/Network-bound-disk-encryption-in-ubuntu-20.04/
Use this if you're using NBDE for any of your RHEL/CentOS/Rocky installs.
Install packages
sudo apt install tang jose
Edit default port Tang listens on
sudo systemctl edit tangd.socket
Add the following for port 7500
[Unit] Description=Tang Server socket [Socket] ListenStream=7500 Accept=true [Install] WantedBy=sockets.target
Edit your firewall and add port 7500 if you haven't already
Enable and start the service
sudo systemctl daemon-reload sudo systemctl enable tangd.socket sudo systemctl start tangd.socket
https://www.zabbix.com/documentation/5.0/manual/installation/install
Go to https://www.zabbix.com/download_sources#50LTS → choose 5.0 LTS → copy link and
wget https://cdn.zabbix.com/zabbix/sources/stable/5.0/zabbix-5.0.14.tar.gz tar xvfz zabbix-release.gz
Create user and group
sudo addgroup --system --quiet zabbix sudo adduser --quiet --system --disabled-login --ingroup zabbix --home /var/lib/zabbix --no-create-home zabbix
Install required packages for source
sudo apt install libmariadb-dev libxml2-dev libsnmp-dev libevent-dev libopenipmi-dev libcurl4-nss-dev libpcre++-dev gcc make
Configure
cd zabbix-release ./configure --enable-server --enable-agent --with-mysql --enable-ipv6 --with-net-snmp --with-libcurl --with-libxml2 --with-openipmi sudo make install
Install required packages for runtime
sudo apt install apache2 php7.4-common php7.4-xml php7.4-mysql mariadb-server php-php-gettext php-gd php-bcmath php7.4-common php-xml php-mbstring php-ldap ibapache2-mod-php
Edit php.ini
sudo vim /etc/php/7.4/apache2/php.ini
I needed to set the following
post_max_size = 16M max_execution_time = 300 max_input_time = 300 date.timezone = America/Los_Angeles
Enable and start services
sudo systemctl enable mariadb && sudo systemctl restart mariadb sudo systemctl enable apache2 && sudo systemctl restart apache2
Secure mysql
sudo mysql_secure_installation
Create database
sudo mysql -uroot -p create database zabbix character set utf8 collate utf8_bin; create user zabbix@localhost identified by 'password'; grant all privileges on zabbix.* to zabbix@localhost; quit;
Import mysql schema
cd database/mysql sudo mysql -uzabbix -p<password> zabbix < schema.sql sudo mysql -uzabbix -p<password> zabbix < images.sql sudo mysql -uzabbix -p<password> zabbix < data.sql
Add password to zabbix_server.conf
sudo vim /usr/local/etc/zabbix_server.conf
Set your database password
DBpassword=yourpassword
Copy init.d scripts
sudo cp misc/init.d/debian/* /etc/init.d sudo reboot
Add firewall port for active checks (tcp 10051)
sudo vim /etc/firewall/enable.sh
Add
#TCP port for Zabbix active checks iptables -A INPUT -p tcp --dport 10051 -m state --state NEW -j ACCEPT
Restart firewall
sudo systemctl restart firewall
sudo mkdir /var/www/html/zabbix cd ui sudo cp -a . /var/www/html/zabbix
Launch firefox and go to http:\\localhost\zabbix to start the setup. After you create the php file it has you download, delete the .example file in the same dir. Even though you can't go past finish, reloading http:\\localhost\zabbix should take you to the login; the username Admin and password zabbix (note, user and pass are both case sensitive). Note: use the ip of your computer for the server hostname, otherwise services might not work.
https://wiki.debian.org/AppArmor/HowToUse
Because you want to try to do your best, or at least the best you can do with the tools and time available to you; SELinux doesn't appear to be in this kernel… or I didn't give it enough effort.
Install utils
sudo apt install apparmor-utils apparmor-profiles apparmor-profiles-extra