Encryption of all disks (but /boot) during installation
- create a small partition for /boot (128M is more than enough, usually)
- create a huge partition for the rest
- encrypt the huge partition
- create an LVM on the encrypted partition
- create a volume group on the LVM device
- create volumes for swap, the root fs (/) and /home
- install the system
Keyfile for dm-crypt on USB-Storage or SD-Card with initrd
Generate a random keyfile, e.g.
    dd if=/dev/random of=dmcrypt-key bs=4k count=1
and add that key to the keys table of your dm-crypted device:
    cryptsetup luksAddKey /dev/sda4 dmcrypt-key
Copy the keyfile (as «my-root-key») to a partition labelled «mykeydisk» on the USB stick or the SD card. Save/adjust the following files and update the initrd image. Voilà.
/root/cryptodisk/my-initrd-getkey.sh:
    #!/bin/sh
    # keyscript: the key goes to stdout, everything else to stderr

    # load modules that we need
    modprobe usb-storage 1>&2
    modprobe scsi_mod 1>&2
    modprobe sd_mod 1>&2
    modprobe ext2 1>&2

    # wait a bit (newer udev: udevadm settle)
    sleep 5
    udevsettle

    # if we have the disk, mount it and deliver key, else fall back to
    # manual passphrase input
    if [ -h /dev/disk/by-label/mykeydisk ]; then
        mkdir /usb 1>&2
        mount /dev/disk/by-label/mykeydisk /usb 1>&2
        cat /usb/my-root-key
        umount /usb 1>&2
    else
        echo "Passphrase, please: " 1>&2
        stty </proc/self/fd/2 -echo
        read </proc/self/fd/2 -rs -t 10 key
        stty </proc/self/fd/2 echo
        # quoted, so whitespace and glob characters in the passphrase survive
        printf '%s' "$key"
    fi

/etc/crypttab:
    sda6_crypt /dev/sda6 none luks,keyscript=/root/cryptodisk/my-initrd-getkey.sh
- http://www.andreasjanssen.de/cryptodisk.html – Hard disk encryption (dm-crypt, initrd, key on usb stick)
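
The keyscript named in crypttab runs as root inside the initrd, so it is worth checking that it exists, is executable, and cannot be edited by anyone else before the initrd is rebuilt. The following is an added example, not part of the original notes; the function name and the optional ROOT prefix argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): audit keyscript= entries of a
# crypttab-format file. ROOT is an optional prefix (assumption) so that an
# unpacked initrd or a test tree can be checked instead of the live system.
# usage: audit_crypttab /etc/crypttab
audit_crypttab() {
    tab=$1; root=${2:-}; rc=0
    while read -r name dev key opts rest; do
        case "$name" in ''|'#'*) continue ;; esac
        # pull keyscript=PATH out of the comma-separated option field
        script=
        oldifs=$IFS; IFS=,
        for o in $opts; do
            case "$o" in keyscript=*) script=${o#keyscript=} ;; esac
        done
        IFS=$oldifs
        [ -n "$script" ] || continue
        path=$root$script
        if [ ! -f "$path" ]; then
            echo "$name: keyscript $script not found"; rc=1; continue
        fi
        [ -x "$path" ] || { echo "$name: $script is not executable"; rc=1; }
        # the script runs as root at boot: nobody else may be able to edit it
        if [ -n "$(find "$path" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$name: $script is group- or world-writable"; rc=1
        fi
        # a key field other than "none" is passed to the script as its argument
        [ "$key" = none ] || echo "$name: note: '$key' is handed to $script as \$1"
    done < "$tab"
    return $rc
}
```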
SVN repository (svnserve) per user for svn+ssh://
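Divert the packaged binary, moving it aside so that package upgrades go to svnserve.bin:
    dpkg-divert --divert /usr/bin/svnserve.bin --rename /usr/bin/svnserve
Wrapper script installed as /usr/bin/svnserve:
    #!/bin/sh
    # pick the repository root per SSH user, then hand over to the real svnserve
    case "$USER" in
        flip) exec svnserve.bin -r /mnt/nibbler/d1/SVN "$@" ;;
        *)    exec svnserve.bin "$@" ;;
    esac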
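    # start the RAID array
    mdadm /dev/md0 --run
    # open the LUKS container on top of it
    cryptsetup luksOpen /dev/md0 md0_crypt
    # find the LVM physical volume and activate volume group «bender»
    pvscan
    vgchange -ay bender
    mount ... /target ...
    # make the device-mapper nodes visible inside /target
    cp -rav /dev/mapper /target/dev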
boot kubuntu.iso from memory stick
(in Grub 2)
    loopback loop (hd1,1)/kubuntu.iso
    linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=/kubuntu.iso noeject noprompt --
    initrd (loop)/casper/initrd.lz
    boot
Software
* /etc/apt/sources.list
  o Choose a sensible primary mirror
  o Ensure use of release codenames (e.g. "lenny") instead of synonyms
  o Confirm security mirror is enabled
  o Remove references to contrib and non-free
* Disable installation of Recommends:
      echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/90recommends
* Ensure we are up to date security-wise:
      apt-get update && apt-get dist-upgrade
* Set up and configure locales first to avoid annoying Perl warnings. Don't choose All locales; you almost certainly don't want that.
      apt-get install locales
      dpkg-reconfigure -plow locales
* Install some essential utilities:
      apt-get install vim-nox ntp openssh-server screen most tree bzip2 unzip moreutils dnsutils htop pwgen telnet manpages manpages-dev vrms acl gawk strace curl tcpdump

Users
* Before we create any real users, we configure PAM to reject weak passwords. Custom banned passwords can be added to the dictionary by editing /usr/share/dict/cracklib and running update-cracklib.
      apt-get install libpam-cracklib
      sed -i -e 's|^password|# |' /etc/pam.d/common-password
      echo 'password required pam_cracklib.so retry=3 minlen=6 difok=3' >> /etc/pam.d/common-password
      echo 'password required pam_unix.so use_authtok nullok md5' >> /etc/pam.d/common-password
* Configure sudo. I prefer to create a new group instead of re-using adm as that is already used by logfiles.
      addgroup rootusers
      adduser myuser
      adduser myuser rootusers
      apt-get install sudo
      echo 'User_Alias ROOTUSERS = %rootusers' >> /etc/sudoers
      echo 'ROOTUSERS, root ALL=(ALL) ALL' >> /etc/sudoers

Mail relay
Email remains the primary method to asynchronously inform the system administrator that their attention is required. It is assumed that the machine will not handle your day-to-day email (or indeed accept any external mail) but will instead simply forward it elsewhere. We also assume a preference for Exim, but the configuration for Postfix is almost identical.
* First, install the mail packages:
      apt-get install exim4-daemon-light bsd-mailx
      dpkg-reconfigure exim4-config
* During the Exim configuration, choose Internet site and follow all the defaults, ensuring that you only listen on 127.0.0.1 and you are not relaying mail for any other domains.
* We then configure forwarding to another email address so we don't have to continually poll this machine for issues:
      echo 'root: email@example.com' >> /etc/aliases
      newaliases
* Finally, we test mail delivery:
      echo "Test 1 from $(hostname)" | mail root -s "Test 1 from $(hostname)"
The d-i manual has some further advice on this, including the use of "smarthosts".

Miscellaneous
* Stop Emacs creating backup files everywhere:
      mkdir -p /etc/emacs/site-start.d
      echo '(setq backup-inhibited t)' > /etc/emacs/site-start.d/10no-backup.el
* Configure Munin. The allow line is a regular expression, so the dots in the address are escaped:
      apt-get install munin-node
      echo 'allow ^188\.8\.131\.52$' >> /etc/munin/munin-node.conf
      /etc/init.d/munin-node restart
  For baroque network configurations, you can generate the regular expression line with this script.
* Configure molly-guard, a tool for preventing accidental shutdowns. As molly-guard cannot detect shutdowns initiated within a combination of GNU screen and SSH, we configure it to always query the hostname:
      apt-get install molly-guard
      echo "ALWAYS_QUERY_HOSTNAME=true" >> /etc/molly-guard/rc
* Monitor disk S.M.A.R.T. attributes:
      apt-get install hddtemp smartmontools
      sed -i 's|^#start_smartd=yes|start_smartd=yes|' /etc/default/smartmontools
      /etc/init.d/smartmontools start
* Set up backups - I'm quite partial to backupninja because it automates most of the tedious SSH configuration. I adjust the time of the backup to when I'm likely to be around to fix issues and cut down on email noise by not reporting successful backups:
      apt-get install backupninja hwinfo debconf-utils rdiff-backup
      sed -i -e 's|^when = everyday at 01:00|when = everyday at 9:30|' /etc/backupninja.conf
      sed -i -e 's|^reportsuccess = yes|reportsuccess = no|' /etc/backupninja.conf
      ninjahelper
* Filesystems
  o In /etc/fstab, check noatime is enabled on all filesystems, and acl where needed.
  o Use tune2fs to adjust how much of the disk is reserved for the superuser - the default of 5% is excessive for large volumes.
* Reboot. You should be prompted by molly-guard before your computer restarts.
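
Most steps in this checklist append a line to a config file, which makes them easy to re-check after installation or an upgrade. The following is an added example, not part of the original checklist; the function names and the optional ROOT prefix argument are assumptions, and the filesystem types checked for noatime are a sample selection.

```sh
#!/bin/sh
# Added example, not part of the original checklist: re-check the settings the
# checklist writes. ROOT (assumption) is an optional prefix so a chroot or a
# test tree can be checked instead of the live system.
has() { grep -Eq -- "$2" "$1" 2>/dev/null; }      # has FILE REGEX
fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

verify_baseline() {
    r=${1:-}; fails=0
    has "$r/etc/apt/apt.conf.d/90recommends" '^APT::Install-Recommends "0";' ||
        fail "Recommends are still installed by default"
    has "$r/etc/pam.d/common-password" \
        '^password[[:space:]]+required[[:space:]]+pam_cracklib\.so' ||
        fail "pam_cracklib is not active for password changes"
    has "$r/etc/pam.d/common-password" '^password.*pam_unix\.so.*use_authtok' ||
        fail "pam_unix does not reuse the password pam_cracklib checked"
    has "$r/etc/aliases" '^root:[[:space:]]*[^[:space:]]+@' ||
        fail "mail for root is not forwarded to an external address"
    has "$r/etc/molly-guard/rc" '^ALWAYS_QUERY_HOSTNAME=true' ||
        fail "molly-guard does not always query the hostname"
    # munin "allow" lines are regexes: an unescaped dot matches any character
    if has "$r/etc/munin/munin-node.conf" '^allow[[:space:]].*[^\\]\.'; then
        fail "munin-node.conf has an allow line with unescaped dots"
    fi
    # disk filesystems mounted without noatime (fstab field 4)
    for mp in $(awk '$1 !~ /^#/ && $3 ~ /^(ext[234]|xfs|btrfs)$/ &&
                     $4 !~ /(^|,)noatime(,|$)/ { print $2 }' \
                     "$r/etc/fstab" 2>/dev/null); do
        fail "$mp is mounted without noatime"
    done
    [ "$fails" -eq 0 ]
}
```

Run it as root with no argument to check the live system; the number of failed checks is left in the shell variable fails.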