Basics after server has been created as an instance on a Ganeti cluster
0. starting points
- It is a Debian 9.x (stretch) server, with standard utils and OpenSSH
- The server has an IP address, NAT-ed to the internet
- It has an SSH server; user access is only over the console so far
- The name of the first user may vary; its password was set during the install
1. copy public keys
Copy my public keys to the new server. This is done from my home directory on the Ganeti node (not on the new instance):
NEW_VM=vm1.lan
FIRST_USER=doka
ssh $FIRST_USER@$NEW_VM 'mkdir .ssh;chmod 700 .ssh;'
cat .ssh/authorized_keys | ssh $FIRST_USER@$NEW_VM 'cat > .ssh/authorized_keys'
ssh $FIRST_USER@$NEW_VM 'chmod 600 .ssh/authorized_keys;'
ssh $FIRST_USER@$NEW_VM
su
mkdir /root/.ssh;chmod 700 /root/.ssh;
cat .ssh/authorized_keys | tee /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
If SSH warns about a changed host key for that address, remove the stale known_hosts entry first:
ssh-keygen -f "/home/user/.ssh/known_hosts" -R IP-of-the-newserver
2. set locale
The locales should be reconfigured before changing passwords or installing anything. Select your local language as a second language next to English, and set English as the system language. For me the result is en_US.UTF-8 and hu_HU.UTF-8.
dpkg-reconfigure locales
or
# remove existing sets
rm -rf /usr/lib/locale/*
echo "
# This file lists locales that you wish to have built. You can find a list
# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add
# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change
# this file, you need to rerun locale-gen.
en_US.UTF-8 UTF-8
hu_HU.UTF-8 UTF-8
" > /etc/locale.gen
echo "
# File generated by update-locale
LANG=en_US.UTF-8
LANGUAGE=\"en_US:en\"
" > /etc/default/locale
locale-gen
3. passwords
Now passwords can be set, since the locales are OK!
echo "root:NEWPASSWORD" | chpasswd
echo "doka:NEWPASSWORD" | chpasswd
4. hostname
Check hostname
hostname -f
cat /etc/hostname
and change if needed (hostname -f resolves the FQDN through /etc/hosts, so keep the entry there in sync):
HOSTNAME=vm1.lan
echo "$HOSTNAME" > /etc/hostname
echo "$HOSTNAME" > /etc/mailname
hostname --file /etc/hostname
5. timezone
echo "Europe/Berlin" > /etc/timezone
dpkg-reconfigure --frontend noninteractive tzdata
6. harden SSH
SSH hardening: allow key authentication only, but do not restart sshd yet, we'll do that a bit later!
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
Allow the DSA keys used by Ganeti (ssh-dss is disabled by default since OpenSSH 7.0 because it is weak; add this only if the Ganeti node really authenticates with a DSA key):
echo "
# https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshd_config
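The sed one-liners above only match the commented-out Debian defaults: if a directive is already active (for example an uncommented "PasswordAuthentication yes"), they silently change nothing and password logins stay open. The helpers below are an added example, not part of the original notes; they set a global sshd directive regardless of its current state, keep it out of any Match block, and read back the value sshd would actually use (first active occurrence, "Key value" or "Key=value" syntax). The sample config is constructed; on a real host point them at /etc/ssh/sshd_config and run "sshd -t" before restarting the service.

```shell
#!/bin/sh
# Idempotent sshd_config editing (added example, not from the original notes).

# set_sshd_option FILE KEY VALUE
# Replaces the first global occurrence of KEY (active or commented out), drops
# further global duplicates, and otherwise inserts KEY before the first active
# Match block (or appends) so it stays in global scope. Lines inside Match
# blocks are left untouched.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        { l=$0; sub(/^[[:space:]]+/, "", l); active = (l !~ /^#/)
          sub(/^#[[:space:]]*/, "", l); sub(/[[:space:]]*=[[:space:]]*/, " ", l)
          split(l, f, /[[:space:]]+/) }
        active && tolower(f[1]) == "match" { if (!done) { print k " " v; done=1 }; inmatch=1 }
        !inmatch && tolower(f[1]) == tolower(k) { if (!done) { print k " " v; done=1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_sshd_option FILE KEY
# Prints the effective value: sshd uses the first active (uncommented) match.
get_sshd_option() {
    awk -v k="$2" '
        { l=$0; sub(/^[[:space:]]+/, "", l) }
        l ~ /^(#|$)/ { next }
        { sub(/[[:space:]]*=[[:space:]]*/, " ", l); split(l, f, /[[:space:]]+/) }
        tolower(f[1]) == tolower(k) { print f[2]; exit }
    ' "$1"
}

# write_sample_config FILE: constructed stand-in for a Debian 9 sshd_config in
# which PasswordAuthentication has already been uncommented by someone.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, trimmed from the Debian 9 defaults
#PermitRootLogin prohibit-password
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
}

# Stand-alone demo on a temporary copy.
cfg=$(mktemp)
write_sample_config "$cfg"
set_sshd_option "$cfg" PasswordAuthentication no
set_sshd_option "$cfg" PermitRootLogin prohibit-password
set_sshd_option "$cfg" PubkeyAcceptedKeyTypes '+ssh-dss'
echo "PasswordAuthentication -> $(get_sshd_option "$cfg" PasswordAuthentication)"   # no
```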
7. update sources.list
Replace /etc/apt/sources.list with the Hetzner mirrors for Debian:
echo "
###############################################################################
# Packages and Security Updates from the Hetzner Debian Mirror
deb http://mirror.hetzner.de/debian/packages stretch main contrib non-free
deb http://mirror.hetzner.de/debian/packages stretch-updates main contrib non-free
deb http://mirror.hetzner.de/debian/security stretch/updates main contrib non-free
# Debian
deb http://deb.debian.org/debian/ stretch main contrib non-free
deb http://deb.debian.org/debian/ stretch-updates main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free
" > /etc/apt/sources.list
8. update OS and install a few utils
# upgrade
apt-get -y update && apt-get -y upgrade
# utils
apt-get install mc sudo htop iotop pv ifstat screen curl apt-transport-https
9. Clean up
echo "==> Cleaning up packages ..."
# unused dependencies
apt-get autoremove
# apt cache
apt-get clean
# partial package
apt-get autoclean
echo "==> Cleaning up /var ..."
# DHCP leases
rm /var/lib/dhcp/*
# empty cache
find /var/cache -type f -exec rm -rf {} \;
echo "==> Removing bash history ..."
# remove bash history
unset HISTFILE   # the variable is upper-case; stops bash from writing this session's history on exit
FIRST_USER=doka
rm -rf /home/$FIRST_USER/.bash_history &> /dev/null
rm -rf /root/.bash_history &> /dev/null
10. Misc
Set welcome message
echo "Welcome to my Debian 9 server box" > /etc/motd
And we're done!