tech_documents:rpi:debian_radmin

Debian 11 (Buster) Remote Admin Host on a Raspberry Pi 4

The purpose of this setup is to provide a low power remote administration and access device which can also be used for monitoring via Zabbix.

  • Install Raspbian first and update the eeprom to the latest version
  • Download the xz compress image for Debian 10 from https://raspi.debian.net/tested-images/
  • Decompress and image image to a microsd card
xzcat 20210718_raspi_4_bullseye.img.xz | dd of=/dev/sdX bs=64k oflag=dsync status=progress
  • Boot and login with root and no password then set the root password
passwd
  • Update and reboot
 apt update && apt upgrade && reboot

Base Install & Initial Config

Install XFCE some other utilities 

 
apt install vim wget vlan sudo tmux locales

Set your hostname 

vim /etc/hostname

Edit hosts 

vim /etc/hosts

and add 

127.0.1.1 yourHostName

Set your timezone 

ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

Set your locale 

dpkg-reconfigure locales

Set swappiness (to reduce SD card writes) 

vim /etc/sysctl.conf

Add 

vm.swappiness=1

Set the /tmp folder to run in RAM (https://wiki.archlinux.org/title/tmpfs) 

sudo vim /etc/fstab

Add 

tmpfs /tmp tmpfs mode=1777,nosuid,nodev,size=512M 0 0
IP Address and VLAN
vim /etc/network/interfaces.d/eth0

On each interface (change from eth0 to wlan0 or other) that you want to configure do one of the following

DHCP no VLAN is default so do nothing

Static IP on VLAN 222 

auto eth0
iface eth0 inet manual

auto eth0.222
iface eth0.222 inet static
        address 10.10.10.1/24
        vlan-raw-device eth0
        gateway 10.10.10.254
        dns-nameservers 10.10.0.2

DHCP on VLAN 222 

auto eth0
iface eth0 inet manual

auto eth0.222
iface eth0.222 inet dhcp
        vlan-raw-device eth0

Restart network 

ifdown eth0 && ifup eth0 && ifup eth0.222 (if vlan 222 is used)
Disable world readable permissions when creating users
vim /etc/adduser.conf

Set 

DIR_MODE=0750
Create sudo user
adduser bobberson && adduser bobberson sudo && exit

Login as sudo user to continue

Install GUI
sudo apt install firefox-esr xserver-xorg remmina tigervnc-viewer network-manager-openvpn network-manager-ssh network-manager-config-connectivity-debian network-manager-gnome gnome-keyring seahorse keepassx lightdm xfce4 xfce4-goodies synaptic (add this if you want to keep the # of packages install to a minimum) --no-install-recommends

Reboot 

sudo reboot

Firewall

https://wiki.debian.org/DebianFirewall
All traffic is permitted by default otherwise 

sudo vim /etc/systemd/system/firewall.service

Add the following 

[Unit]
Description=Add Firewall Rules to iptables

[Service]
Type=oneshot
ExecStart=/etc/firewall/enable.sh
#ExecStart=/etc/firewall/enable6.sh  #For IPV6

[Install]
WantedBy=multi-user.target

Create the firewall rules file 

sudo mkdir /etc/firewall
sudo vim /etc/firewall/enable.sh

Add the following 

#!/bin/sh
# A very basic IPtables / Netfilter script /etc/firewall/enable.sh

PATH='/sbin'

# Flush the tables to apply changes
iptables -F

# Default policy to drop 'everything' but our output to internet
iptables -P FORWARD DROP
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT

# Allow established connections (the responses to our outgoing traffic)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local programs that use loopback (Unix sockets)
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

# Uncomment this line to allow incoming SSH/SCP connections to this machine,
# for traffic from 10.20.0.2 (you can use also use a network definition as
# source like -s 10.20.0.0/22).
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Reload and enable service 

sudo chmod 700 /etc/firewall/enable.sh
sudo systemctl daemon-reload
sudo systemctl enable firewall
sudo systemctl restart firewall

Check the rules by 

sudo iptables -L

Fail2ban

Install fail2ban 

sudo apt install fail2ban && sudo systemct enable fail2ban && sudo systemctl restart fail2ban

Encryption of Home Dirs

Enable encryption of /home/user directories (https://wiki.archlinux.org/title/User:Lukeus_Maximus)

Note: as long as the user is logged this means their encrypted data will be mounted and that any root user can gain access (similar to other filesystem encryption schemes).

Note: if there are any files (hidden or not) in the users home dir, gocryptfs won't be able to mount there. 

sudo apt-get install gocryptfs rsync lsof fuse libpam-mount

Create a folder for the users encrypted data, when prompted for a password from gocryptfs use the same password that the user uses to login so automount will work 

sudo mkdir /home/bobberson.cipher
sudo chown bobberson:bobberson /home/bobberson.cipher
sudo gocryptfs -init /home/bobberon.cipher
sudo chmod 700 /home/bobberson.cipher

Record your master key and name it username@hostname.gocryptfs.masterkey

Temporarily allow root to login via SSH 

sudo vim /etc/ssh/sshd_config

Add the line 

PermitRootLogin yes

Restart sshd and logout 

sudo systemctl restart sshd
exit

Login as root (or a different sudo user from the user you're encrypting the home dir for). The user whose homedir is being encrypted must be completely logged off the system. Check by running 

w

As root and with bobberson completely logged out 

mv /home/bobberson /home/bobberson.old
mkdir -m 700 /home/bobberson
chown bobberson:bobberson /home/bobberson
chown -R bobberson:bobberson /home/bobberson.cipher

Mount the encrypted archive and copy the data from the old home directory (be sure to use the trailing / on the source directory, otherwise it will copy the directory itself and not the contents) 

gocryptfs /home/bobberson.cipher /home/bobberson
rsync -av /home/bobberson.old/ /home/bobberson
fusermount -u /home/bobberson
chown -R bobberson:bobberson
sudo chmod 700 /home/bobberson.cipher

Setup automount on login 

vim /etc/fuse.conf

Uncomment 

user_allow_other

Configure PAM 

vim /etc/security/pam_mount.conf.xml

Add a new XML tag just before </pam_mount> (it's at the end, and be sure to change the user to your username) 

<volume user="bobberson" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
path="/usr/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />

Create /etc/pam.d/homedirs to: (though I need to double check the following creation of files, I don't know of they're necessary) 

vim /etc/pam.d/homedirs

Add 

#%PAM-1.0
auth      optional                   pam_mount.so
password  optional                   pam_mount.so
session   required                   pam_mkhomedir.so
session   optional                   pam_mount.so
vim /etc/pam.d/system-local-login

Add 

#%PAM-1.0

auth      include   login
auth      include   homedirs
account   include   login
account   include   homedirs
password  include   login
password  include   homedirs
session   include   login
session   include   homedirs

Copy to /etc/pam.d/system-remote-login 

cp /etc/pam.d/system-local-login /etc/pam.d/system-remote-login

Logout as root and login as your sudo user

Check your home dir, it should have all the files of the original temp dir. Make test file and folder, it should show up as encrypted file names/folders in your ciper dir.

If everything looks good disable root access via ssh 

sudo vim /etc/ssh/sshd_config

Set 

PermitRootLogin no

Restart sshd 

sudo systemctl restart sshd

Delete the bobberson.old folder 

rm -rf /home/bobberson.old

VNC Server

https://wiki.archlinux.org/title/TigerVNC

We will need to modify some default paths since we are encrypting the home directory, pay attention to the addition of .ciper to environment paths.

Install Packages
sudo apt install tigervnc-standalone-server dbus-x11
sudo cp /usr/lib/systemd/system/tigervncserver@.service /etc/systemd/system/tigervncserver@.service

Edit path for default VNC folder

Note: this change is needed since your home dir is encrypted and the systemd service won't be able to read it until you login, so the .vnc server will need to be in your .ciper folder unencrypted for the service to start. Or you'll need to login via ssh, restart the service and stay logged into ssh while vnc is being used. 

sudo vim /etc/tigervnc/vncserver-config-defaults

Uncomment and set the VNC user dir as follows 

Default: $vncUserDir = "$ENV{HOME}.cipher/.vnc";

Add user to user config 

sudo vim /etc/tigervnc/vncserver.users

Add 

:8=bobberson

Start VNC server to set password, don't use read-only password 

vncserver

Set the default config for your user 

vim /home/bobberson.cipher/.vnc/config

Add 

session=xfce
geometry=1600x900
localhost
alwaysshared

Reload, enable and restart service 

sudo systemctl daemon-reload
sudo systemctl enable tigervncserver@:8
sudo systemctl restart tigervncserver@:8

https://unix.stackexchange.com/questions/43398/is-it-possible-to-keep-a-vnc-server-alive-after-log-out
If you want to be able to log out of xfce via VNC and have the tigervncserver restart automatically do this: 

sudo systemctl edit tigervncserver@:8

Add 

[Service]
Restart=on-success
RestartSec=10

and… 

sudo systemctl daemon-reload
sudo systemctl enable tigervncserver@:8
sudo systemctl restart tigervncserver@:8

On a remote computer on the same subnet listen for port 5908 over ssh, open a console and type 

ssh -L 5908:127.0.0.1:5908 -C -N -l  bobberson vnc.server.ip.address

Open open your VNC viewer and use localhost:5908 or in a console type 

vncviewer localhost:5908

Mosh

Because it's the pits using SSH over a high latency connection…

Install 

sudo apt install mosh

Add firewall ports (since this is a small server for a select few we are only going to open 5 ports) 

sudo vim /etc/firewall/enable.sh

Add 

iptables -A INPUT -p udp --dport 60000:60005 -m state --state NEW -j ACCEPT

Restart firewall 

sudo systemctl restart firewall

To connect just use mosh instead of ssh 

mosh remoteuser@remotecomputer

Tang

https://semanticlab.net/sysadmin/encryption/Network-bound-disk-encryption-in-ubuntu-20.04/
Use this if you're using NBDE for any of your RHEL/CentOS/Rocky installs.

Install packages 

sudo apt install tang jose

Edit default port Tang listens on 

sudo systemctl edit tangd.socket

Add the following for port 7500 

[Socket]
ListenStream=
ListenStream=7500

Edit your firewall and add port 7500 

sudo vim /etc/firewall/enable.sh

Add 

#TCP port for Tang server
iptables -A INPUT -p tcp --dport 7500 -m state --state NEW -j ACCEPT

Enable and start the service 

sudo systemctl daemon-reload
sudo systemctl restart firewall
sudo systemctl enable tangd.socket
sudo systemctl start tangd.socket

Zabbix

https://www.zabbix.com/documentation/5.0/manual/installation/install

Go to https://www.zabbix.com/download_sources#50LTS → choose 5.0 LTS → copy link and 

wget https://cdn.zabbix.com/zabbix/sources/stable/5.0/zabbix-5.0.14.tar.gz
tar xvfz zabbix-release.gz

Create user and group 

sudo addgroup --system --quiet zabbix
sudo adduser --quiet --system --disabled-login --ingroup zabbix --home /var/lib/zabbix --no-create-home zabbix

Install required packages for source 

sudo apt install libmariadb-dev libxml2-dev libsnmp-dev libevent-dev libopenipmi-dev libcurl4-nss-dev libpcre++-dev gcc make

Configure 

cd zabbix-release
./configure --enable-server --enable-agent --with-mysql --enable-ipv6 --with-net-snmp --with-libcurl --with-libxml2 --with-openipmi
sudo make install

Install required packages for runtime 

sudo apt install apache2 php7.4-common php7.4-xml php7.4-mysql mariadb-server php-php-gettext php-gd php-bcmath php7.4-common php-xml php-mbstring php-ldap ibapache2-mod-php

Edit php.ini 

sudo vim /etc/php/7.4/apache2/php.ini

I needed to set the following 

post_max_size = 16M
max_execution_time = 300
max_input_time = 300
date.timezone = America/Los_Angeles

Enable and start services 

sudo systemctl enable mariadb && sudo systemctl restart mariadb
sudo systemctl enable apache2 && sudo systemctl restart apache2

Secure mysql 

sudo mysql_secure_installation

Create database 

sudo mysql -uroot -p
create database zabbix character set utf8 collate utf8_bin;
create user zabbix@localhost identified by 'password';
grant all privileges on zabbix.* to zabbix@localhost;
quit;

Import mysql schema 

cd database/mysql
sudo mysql -uzabbix -p<password> zabbix < schema.sql
sudo mysql -uzabbix -p<password> zabbix < images.sql
sudo mysql -uzabbix -p<password> zabbix < data.sql

Add password to zabbix_server.conf 

sudo vim /usr/local/etc/zabbix_server.conf

Set your database password 

DBpassword=yourpassword

Copy init.d scripts 

sudo cp misc/init.d/debian/* /etc/init.d
sudo reboot

Add firewall port for active checks (tcp 10051) 

sudo vim /etc/firewall/enable.sh

Add 

#TCP port for Zabbix active checks
iptables -A INPUT -p tcp --dport 10051 -m state --state NEW -j ACCEPT

Restart firewall 

sudo systemctl restart firewall
Setup Web Server
sudo mkdir /var/www/html/zabbix
cd ui
sudo cp -a . /var/www/html/zabbix

Launch firefox and go to http:\\localhost\zabbix to start the setup. After you create the php file it has you download, delete the .example file in the same dir. Even though you can't go past finish, reloading http:\\localhost\zabbix should take you to the login; the username Admin and password zabbix (note, user and pass are both case sensitive). Note: use the ip of your computer for the server hostname, otherwise services might not work.

App Armor

https://wiki.debian.org/AppArmor/HowToUse
Because you want to try to do your best, or at least the best you can do with the tools and time available to you; SELinux doesn't appear to be in this kernel… or I didn't give it enough effort.

Install utils 

sudo apt install apparmor-utils apparmor-profiles apparmor-profiles-extra
  • tech_documents/rpi/debian_radmin.txt
  • Last modified: 2021/07/23 04:28
  • by jacob.hydeman