Debian GNU/Linux¶
Notes. Links.
Encrypted Disk¶
Encryption of everything except /boot during installation¶
- create a small partition for /boot (128M is more than enough, usually)
- create a huge partition for the rest
- encrypt the huge partition
- create an LVM physical volume on the encrypted partition
- create a volume group on that physical volume
- create volumes for swap, the root fs (/) and /home
- install the system
Keyfile for dm-crypt on USB-Storage or SD-Card with initrd¶
Generate a random keyfile (e.g. dd if=/dev/random of=dmcrypt-key bs=4k count=1) and add it to a key slot of your dm-crypted device (cryptsetup luksAddKey /dev/sda4 dmcrypt-key). Copy the keyfile as «my-root-key» onto a partition labelled «mykeydisk» on the USB stick or SD card. Save/adjust the following files and update the initrd image. Voilà.
my-initrd-getkey.sh:
#!/bin/sh
# load modules that we need; stdout is the key channel, so every
# diagnostic message goes to stderr
modprobe usb-storage 1>&2
modprobe scsi_mod 1>&2
modprobe sd_mod 1>&2
modprobe ext2 1>&2
# wait a bit for the device to show up
sleep 5
udevsettle
# if we have the disk, mount it and deliver the key, else fall back to
# manual passphrase input
if [ -h /dev/disk/by-label/mykeydisk ]; then
  mkdir /usb 1>&2
  mount /dev/disk/by-label/mykeydisk /usb 1>&2
  cat /usb/my-root-key
  umount /usb 1>&2
else
  echo "Passphrase, please: " 1>&2
  stty </proc/self/fd/2 -echo
  read </proc/self/fd/2 -rs -t 10 key
  stty </proc/self/fd/2 echo
  # emit the passphrase verbatim: quoted, so no word splitting or
  # globbing, and without a trailing newline
  printf '%s' "$key"
fi
/etc/crypttab
sda6_crypt /dev/sda6 none luks,keyscript=/root/cryptodisk/my-initrd-getkey.sh
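An added audit helper (example code, not part of these notes) that lists the keyscript= entries in crypttab text and checks that each script is a regular, executable file that group and others cannot write; the sample crypttab is constructed, and stat -c assumes GNU coreutils as shipped on Debian:

```shell
#!/bin/sh
# Added example: audit keyscript= entries in /etc/crypttab.
# Constructed sample crypttab text (not the page's real file).
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
sda6_crypt /dev/sda6 none luks,keyscript=/root/cryptodisk/my-initrd-getkey.sh
swap_crypt /dev/sda5 /dev/urandom swap,cipher=aes-xts-plain64'

# crypttab_keyscripts: read crypttab text on stdin and print
# "<target> <keyscript path>" for every entry that uses keyscript=.
crypttab_keyscripts() {
    while read -r target source keyfile opts; do
        case "$target" in ''|'#'*) continue ;; esac
        oldifs=$IFS; IFS=,
        for opt in $opts; do
            case "$opt" in
                keyscript=*) printf '%s %s\n' "$target" "${opt#keyscript=}" ;;
            esac
        done
        IFS=$oldifs
    done
}

# keyscript_problems: print one line per problem with the script file $1
# (missing or not a regular file, not executable, writable by group or
# others). Prints nothing when the file looks sane. stat -c is GNU.
keyscript_problems() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing or not a regular file: $f"
        return 0
    fi
    [ -x "$f" ] || echo "not executable: $f"
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        *[2367]?|*[2367]) echo "writable by group or others (mode $mode): $f" ;;
    esac
}

# audit_crypttab: combine both; usage: audit_crypttab < /etc/crypttab
audit_crypttab() {
    crypttab_keyscripts | while read -r target script; do
        keyscript_problems "$script" | sed "s/^/$target: /"
    done
}
```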
Links¶
- http://www.andreasjanssen.de/cryptodisk.html – Hard-disk encryption (dm-crypt, initrd, key on USB stick)
SVN repository (svnserve) per user for svn+ssh://¶
dpkg-divert --rename --divert /usr/bin/svnserve.bin /usr/bin/svnserve
/usr/bin/svnserve
#!/bin/sh
# wrapper around the real (diverted) svnserve: pin user "flip" to one
# repository root, pass everything else through unchanged
case "$USER" in
  flip)
    exec svnserve.bin -r /mnt/nibbler/d1/SVN "$@"
    ;;
  *)
    exec svnserve.bin "$@"
    ;;
esac
md/lvm/dm stress¶
mdadm /dev/md0 --run
cryptsetup luksOpen /dev/md0 md0_crypt
pvscan
vgchange -ay bender
mount ... /target ...
cp -rav /dev/mapper /target/dev
boot kubuntu.iso from memory stick¶
(in Grub 2)
loopback loop (hd1,1)/kubuntu.iso
linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=/kubuntu.iso noeject noprompt --
initrd (loop)/casper/initrd.lz
boot
Installation¶
Stolen from: http://chris-lamb.co.uk/2009/06/03/checklist-configuring-debian-system/.
Software
* /etc/apt/sources.list
  o Choose a sensible primary mirror
  o Ensure use of release codenames (e.g. "lenny") instead of synonyms
  o Confirm security mirror is enabled
  o Remove references to contrib and non-free
* Disable installation of Recommends:
echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/90recommends
* Ensure we are up to date security-wise:
apt-get update && apt-get dist-upgrade
* Set up and configure locales first to avoid annoying Perl warnings. Don't choose All locales; you almost certainly don't want that.
apt-get install locales
dpkg-reconfigure -plow locales
* Install some essential utilities:
apt-get install vim-nox ntp openssh-server screen most tree bzip2 unzip moreutils dnsutils htop pwgen telnet manpages manpages-dev vrms acl gawk strace curl tcpdump
Users
* Before we create any real users, we configure PAM to reject weak passwords. Custom banned passwords can be added to the dictionary by editing /usr/share/dict/cracklib and running update-cracklib.
apt-get install libpam-cracklib
sed -i -e 's|^password|# |' /etc/pam.d/common-password
echo 'password required pam_cracklib.so retry=3 minlen=6 difok=3' >> /etc/pam.d/common-password
echo 'password required pam_unix.so use_authtok nullok md5' >> /etc/pam.d/common-password
* Configure sudo. I prefer to create a new group instead of re-using adm as that is already used by logfiles.
addgroup rootusers
adduser myuser
adduser myuser rootusers
apt-get install sudo
echo 'User_Alias ROOTUSERS = %rootusers' >> /etc/sudoers
echo 'ROOTUSERS, root ALL=(ALL) ALL' >> /etc/sudoers
Mail relay
Email remains the primary method to asynchronously inform the system administrator that their attention is required.
It is assumed that the machine will not handle your day-to-day email (or indeed accept any external mail) but will instead simply forward it elsewhere. We also assume a preference for Exim, but the configuration for Postfix is almost identical.
* First, install the mail packages:
apt-get install exim4-daemon-light bsd-mailx
dpkg-reconfigure exim4-config
* During the Exim configuration, choose Internet site and follow all the defaults, ensuring that you only listen on 127.0.0.1 and you are not relaying mail for any other domains.
* We then configure forwarding to another email address so we don't have to continually poll this machine for issues:
echo 'root: you@example.com' >> /etc/aliases
newaliases
* Finally, we test mail delivery:
echo "Test 1 from $(hostname)" | mail root -s "Test 1 from $(hostname)"
The d-i manual has some further advice on this, including the use of "smarthosts".
Miscellaneous
* Stop Emacs creating backup files everywhere:
mkdir -p /etc/emacs/site-start.d
echo '(setq backup-inhibited t)' > /etc/emacs/site-start.d/10no-backup.el
* Configure Munin. The allow line is a regular expression, so escape the dots; an unescaped dot matches any character:
apt-get install munin-node
printf '%s\n' 'allow ^123\.123\.123\.123$' >> /etc/munin/munin-node.conf
/etc/init.d/munin-node restart
For baroque network configurations, you can generate the regular expression line with this script.
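Added helper functions (example code, not the script the checklist refers to) that turn IPv4 addresses into munin-node allow lines, validating each octet and escaping the dots so the regular expression matches the address literally rather than any character:

```shell
#!/bin/sh
# Added example: generate munin-node "allow" lines from IPv4 addresses.
# munin-node matches the peer address against these regular expressions,
# so "." must be escaped to mean a literal dot.

# valid_ipv4: succeed when $1 is exactly four decimal octets in 0..255.
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -f      # split on dots, no globbing
    set -- $1
    set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# munin_allow_line: print 'allow ^a\.b\.c\.d$' for one valid address;
# print nothing and fail for an invalid one.
munin_allow_line() {
    valid_ipv4 "$1" || return 1
    printf 'allow ^%s$\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# munin_allow_lines: one line per argument, ready to append to
# /etc/munin/munin-node.conf; stops with an error at the first bad address.
munin_allow_lines() {
    for ip in "$@"; do
        munin_allow_line "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
}
```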
* Configure molly-guard, a tool for preventing accidental shutdowns. As molly-guard cannot detect shutdowns initiated within a combination of GNU screen and SSH, we configure it to always query the hostname:
apt-get install molly-guard
echo "ALWAYS_QUERY_HOSTNAME=true" >> /etc/molly-guard/rc
* Monitor disk S.M.A.R.T. attributes:
apt-get install hddtemp smartmontools
sed -i 's|^#start_smartd=yes|start_smartd=yes|' /etc/default/smartmontools
/etc/init.d/smartmontools start
* Set up backups - I'm quite partial to backupninja because it automates most of the tedious SSH configuration. I adjust the time of the backup to when I'm likely to be around to fix issues and cut down on email noise by not reporting successful backups:
apt-get install backupninja hwinfo debconf-utils rdiff-backup
sed -i -e 's|^when = everyday at 01:00|when = everyday at 9:30|' /etc/backupninja.conf
sed -i -e 's|^reportsuccess = yes|reportsuccess = no|' /etc/backupninja.conf
ninjahelper
* Filesystems
  o In /etc/fstab, check noatime is enabled on all filesystems, and acl where needed.
  o Use tune2fs to adjust how much of the disk is reserved for the superuser - the default of 5% is excessive for large volumes.
* Reboot. You should be prompted by molly-guard before your computer restarts.
created: 2009-04-07, updated: 2015-09-16