@hypothermic
Last active September 10, 2020 22:40
Arch server installation

Arch Linux is perfect for minimal servers because, unlike other OSes (e.g. centos, rhel, deb, etc.), it does not come with bloatware programs, which reduces the potential attack surface. One of the biggest benefits of Arch's rolling release cycle is that you get security updates within hours, instead of days to months if you're using ubuntu, centos, etc. However, it must be configured correctly, and great care must be taken with every action.

Installation guide

  1. Boot into the Live ISO and switch to the root user (su) if you are not already root
  2. Create root and swap partitions on disk you want to use.
    1. Open cfdisk using cfdisk /dev/sdX and select dos label type
    2. Create root partition
      1. Hit [New]
      2. Partition Size: (total - swap size) gigabytes
      3. Select Primary
      4. Hit [Bootable]
    3. Create swap partition
      1. Hit [New]
      2. Partition Size: (swap size)
      3. Select Primary
    4. Hit [Write] and confirm by typing "yes"
    5. Hit [Quit]
    6. Create ext4 filesystem on root partition using mkfs.ext4 /dev/sdX1
    7. Create and enable swap on swap partition using mkswap /dev/sdX2 && swapon /dev/sdX2
  3. Mount root partition to /mnt using mount /dev/sdX1 /mnt
  4. Install the base system and kernel with pacstrap -i /mnt base base-devel linux linux-headers
  5. Generate fstab with genfstab -U -p /mnt >> /mnt/etc/fstab
  6. Chroot into the new installation using arch-chroot /mnt
  7. If you want to enable DHCP (dynamic IP):
    1. Install dhcpcd: pacman -S dhcpcd
    2. Enable its service: systemctl enable dhcpcd@YOUR_NETWORK_INTERFACE_NAME
  8. Set up date+time
    1. Edit /etc/locale.gen with your favourite text editor (install nano with pacman -S nano, install vi with pacman -S vi). Uncomment the two lines with your locale (both the UTF-8 and the ISO one).
    2. Run locale-gen
    3. Run echo LANG=en_US.UTF-8 > /etc/locale.conf
    4. Run export LANG=en_US.UTF-8
    5. Run ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
    6. Configure the hardware clock to UTC: hwclock --systohc --utc
  9. Set up the network hostname: echo MY_HOSTNAME > /etc/hostname
  10. Add a privileged user
    1. Create the user: useradd -m -g users -G wheel,storage,power -s /bin/bash NEW_USERNAME
    2. Set its password: passwd NEW_USERNAME
    3. Install sudo: pacman -S sudo
    4. Edit /etc/sudoers by executing the visudo command, or EDITOR=rnano visudo
      1. Write the following defaults at the top of the file and modify them to your preferences
        Defaults env_reset
        Defaults editor=/usr/bin/rnano, !env_editor
        Defaults timestamp_timeout=0
        Defaults lecture="never"
        Defaults insults
        Defaults requiretty
        Defaults log_host, log_year, logfile="/var/log/sudo.log"
        
      2. Allow the user full access
        NEW_USERNAME ALL=(ALL) ALL
        
    5. Disable the root account or scramble the root password: usermod -p '!' root
  11. Install the SSH server
    1. Install the package by running pacman -S openssh
    2. Enable its service with systemctl enable sshd.service
  12. Install GRUB bootloader
    1. Install packages with pacman -S grub os-prober
    2. Optionally, edit the bootloader configuration in /etc/default/grub
    3. Install onto the disk which contains the root partition: grub-install --recheck /dev/sdX
    4. Generate the configuration file: grub-mkconfig -o /boot/grub/grub.cfg
  13. Reboot into OS
    1. Exit the chroot: exit
    2. Unmount the root fs: umount -R /mnt
    3. Reboot: reboot
    4. When reboot is completed, a login prompt will appear and SSH will be open on port 22. Make sure to install a firewall (iptables, ufw, whatever) because everything is accessible right now!!

Best practices after install

  1. Disable root login by changing its shell to /sbin/nologin or equivalent, running usermod -p '!' root, and changing PermitRootLogin in /etc/ssh/sshd_config to no. Make sure to restart openssh with systemctl restart sshd.service
  2. Change the SSH port from 22 to something else (WARNING: make sure the new port is allowed in the firewall!!). This can be done by editing the Port setting in /etc/ssh/sshd_config and running systemctl restart sshd.service
  3. Install a firewall (iptables, ufw) and block all incoming ports except for the SSH port and whatever you need (80 for http, 443 for https, etc)
  4. Disable IPv6, more info on the wiki: https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
  5. Disable password SSH login and only use asymmetrical login (public key)
  6. Install antivirus (ClamAV, Maldet)
  7. Install rootkit prevention: https://wiki.archlinux.org/index.php/Rkhunter
  8. Stop bruteforce attacks using Fail2ban, Denyhosts, CSF, firewall rate limiting
  9. Create a snapshot every time before you upgrade the system using pacman -Syu because OS updates may break any software.
  10. Disable shell history (history -c && echo 'unset HISTFILE' >> ~/.bash_profile)
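
The firewall called for in the last installation step and in item 3 above, as an added example that is not part of the original gist: a default-deny inbound ruleset in iptables-restore format. The function names and the sample ports (2222, 80, 443) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): generate a default-deny inbound ruleset in
# iptables-restore format. The SSH port is a required argument, so the ruleset
# cannot be generated without it. Port numbers used below are sample values.

# valid_port N -> succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules SSH_PORT [TCP_PORT...] -> ruleset on stdout, status 2 on bad input
gen_rules() {
    [ "$#" -ge 1 ] || { echo "usage: gen_rules SSH_PORT [TCP_PORT...]" >&2; return 2; }
    # Validate everything first so a bad argument never yields a partial ruleset.
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 2; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Sample: SSH moved to 2222, plus HTTP and HTTPS.
gen_rules 2222 80 443
```

The output covers IPv4 only. On Arch it can be syntax-checked with iptables-restore --test and loaded at boot by iptables.service from /etc/iptables/iptables.rules.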
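
A check for the sshd_config changes in items 1, 2 and 5, as an added example that is not part of the original gist. The function names and the sample config are constructed for illustration; the defaults passed in are OpenSSH's built-in ones.

```shell
#!/bin/sh
# Added example (not from the gist): audit an sshd_config against items 1, 2, 5.
# sshd keeps the FIRST value it reads for a keyword, so a later line is ignored.
# Assumptions: Include files are not followed, parsing stops at the first Match
# block, and only the first Port line is reported.

# sshd_value FILE KEYWORD DEFAULT -> effective global value, lower-cased
sshd_value() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }         # accept "Keyword=value"
        tolower($1) == "match" { exit }       # end of the global section
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }         # fall back to the given default
    ' "$1"
}

# audit_sshd FILE -> one finding per line; exit status = number of findings
audit_sshd() {
    findings=0
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_value "$1" PasswordAuthentication yes)
    port=$(sshd_value "$1" Port 22)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '$root', expected 'no'"; findings=$((findings + 1))
    fi
    if [ "$pass" != "no" ]; then
        echo "PasswordAuthentication is '$pass', expected 'no'"; findings=$((findings + 1))
    fi
    if [ "$port" = "22" ]; then
        echo "Port is still 22"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the second PermitRootLogin line has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample config, constructed for this example
Port 2222
PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a running server, sshd -T prints the effective configuration with Include files and defaults resolved, and is the authoritative view to check.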

Interesting links

https://www.reddit.com/r/archlinux/comments/4g7lx1/arch_linux_on_production_server/d2fbfdq/
