What are your first *nix steps?
#1
In my opinion, the first and most important hurdle that should be overcome is logging in by SSH.  Resolving kernel, mounting, networking, etc. issues to bring a box live is fun enough, and I always have a sigh of relief when I get my first successful ssh prompt.

Now that the "hard" part is done I'll share my first steps from that ssh prompt and would like to see what you all think. 
  1. Make sure vim, not basic vi is installed.  I even go so far as to set up vi mode for bash. https://sanctum.geek.nz/arabesque/vi-mode-in-bash/. I know #2 may be more important, but the task of doing 2 without 1 drives me bonkers.
  2. Configure ssh to use private/public shared keys.  https://help.ubuntu.com/community/SSH/OpenSSH/Keys. I up the RSA key length to 4096.  This is where I hold my breath.  Then I turn off the authentication by passphrase.  If I can continue to log in I start breathing again.  By reviewing the logs on my home server, 99.999% of the ssh hack attempts try to leverage default user/passphrase vulnerabilities.  Turning off the passphrase altogether solves the vast majority of hack attempts.
  3. Install tmux.  I used to use screen, but I gave tmux a try and I love it now. I configure multiple sessions based on the work I'm doing, and have multiple windows in each session.  I never 'exit' out, I just log off.  When I log back in I am looking at the exact screen I logged off to.  This is also immensely useful when you start a task that runs a while and you need to log off the server.  Logging out of tmux doesn't kill your task.
From experience, trying anything else without these first three is like pulling teeth.
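The two security-relevant claims in the post (key-only login, and logs full of password guesses) can both be checked mechanically. The script below is an added example and is not from the thread or its author: check_sshd_config confirms that a sshd_config disables password logins without disabling public-key logins, and count_password_failures tallies "Failed password" lines and distinct source addresses in an auth log. The sshd_config and auth.log excerpts are constructed sample data written to a temporary directory, so the example runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: a small audit for the key-only SSH setup
# described above. The sshd_config and auth.log excerpts below are constructed
# sample data, not real captures.

# check_sshd_config FILE
# Returns 0 when FILE disables PasswordAuthentication and does not disable
# PubkeyAuthentication; otherwise prints what is wrong and returns 1.
check_sshd_config() {
    conf="$1"
    # Strip comments and blank lines so only effective directives are examined.
    effective=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    status=0
    if ! printf '%s\n' "$effective" |
        grep -qi '^[[:space:]]*PasswordAuthentication[[:space:]][[:space:]]*no[[:space:]]*$'; then
        echo "PasswordAuthentication is not set to 'no'"
        status=1
    fi
    if printf '%s\n' "$effective" |
        grep -qi '^[[:space:]]*PubkeyAuthentication[[:space:]][[:space:]]*no[[:space:]]*$'; then
        echo "PubkeyAuthentication is disabled"
        status=1
    fi
    return "$status"
}

# count_password_failures LOGFILE
# Prints "<failed password logins> <distinct source addresses>".
count_password_failures() {
    log="$1"
    failures=$(grep -c 'Failed password' "$log" || true)
    addrs=$(grep 'Failed password' "$log" |
        sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' | sort -u | wc -l | tr -d ' ')
    echo "$failures $addrs"
}

# --- constructed sample input (not real data) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/sshd_config"
SAMPLE_LOG="$SAMPLE_DIR/auth.log"

cat > "$SAMPLE_CONF" <<'EOF'
# constructed sshd_config excerpt: key-only login
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

cat > "$SAMPLE_LOG" <<'EOF'
May  9 21:07:01 home sshd[1201]: Failed password for root from 198.51.100.23 port 41022 ssh2
May  9 21:07:03 home sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
May  9 21:07:09 home sshd[1204]: Failed password for invalid user pi from 203.0.113.7 port 50211 ssh2
May  9 21:08:15 home sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 52200 ssh2: RSA SHA256:CONSTRUCTED
EOF

if check_sshd_config "$SAMPLE_CONF"; then
    echo "sshd_config: key-only login is in effect"
fi
count_password_failures "$SAMPLE_LOG"   # prints "3 2"
```

On a real host, point check_sshd_config at /etc/ssh/sshd_config after the key-only change and before closing the session that made it; count_password_failures over /var/log/auth.log (or the journal exported to a file) gives the before/after picture the post describes.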
#2
1. Make sure to disable iptables...
2. Install git, zip; remove apache (if any)
3. Install dependencies for the project. For websites I usually use openlitespeed http://open.litespeedtech.com.
4. Install PHP, NodeJS, Python
5. Change SSH ports
#3
(05-09-2016, 09:07 PM)ajeroth Wrote: Now that the "hard" part is done I'll share my first steps from that ssh prompt and would like to see what you all think. 
  1. Make sure vim, not basic vi is installed.  I even go so far as to set up vi mode for bash. https://sanctum.geek.nz/arabesque/vi-mode-in-bash/. I know #2 may be more important, but the task of doing 2 without 1 drives me bonkers.
  2. Configure ssh to use private/public shared keys.  https://help.ubuntu.com/community/SSH/OpenSSH/Keys. I up the RSA key length to 4096.  This is where I hold my breath.  Then I turn off the authentication by passphrase.  If I can continue to log in I start breathing again.  By reviewing the logs on my home server, 99.999% of the ssh hack attempts try to leverage default user/passphrase vulnerabilities.  Turning off the passphrase altogether solves the vast majority of hack attempts.
  3. Install tmux.  I used to use screen, but I gave tmux a try and I love it now. I configure multiple sessions based on the work I'm doing, and have multiple windows in each session.  I never 'exit' out, I just log off.  When I log back in I am looking at the exact screen I logged off to.  This is also immensely useful when you start a task that runs a while and you need to log off the server.  Logging out of tmux doesn't kill your task.
From experience, trying anything else without these first three is like pulling teeth.

It seems like a good plan. A missing point though is setting up and enabling iptables (the firewall) right after logging in for the first time. Setting up key-based, password-less authentication is of paramount importance too. Screen (or tmux) is essential when session persistence is necessary (to avoid interrupting long-running tasks like updating the system or similar).

All in all, you're on the right path.
fouadChk's Corner on the Web

IN ABSENTIA LUCIS, TENEBRAE VINCUNT
IN THE ABSENCE OF LIGHT, DARKNESS PREVAILS
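The reply above adds enabling iptables right after first login to the list. As an added example (not from the thread or either poster), the script below generates a minimal host firewall in iptables-restore format: INPUT defaults to DROP, and only loopback, established connections, ICMP echo and the TCP service ports given as arguments are accepted. The function names, the accepted_ports review helper and the port list 22 80 443 are assumptions made for the example; the ruleset is printed rather than loaded so it can be reviewed before it touches the SSH session you are working from.

```shell
#!/bin/sh
# Added example, not from the thread: generate the host firewall the reply
# recommends, in iptables-restore format, without loading it.

# gen_firewall_rules PORT [PORT ...]
# Prints a filter-table ruleset on stdout; returns 1 for a non-numeric port
# before printing anything, so a bad argument never yields a partial ruleset.
gen_firewall_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*)
                echo "gen_firewall_rules: invalid port '$port'" >&2
                return 1 ;;
        esac
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Local traffic and replies to connections this host opened
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Keep ping working for basic reachability checks
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # One ACCEPT per service port, limited to new TCP connections
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# accepted_ports RULES
# Lists the TCP ports a generated ruleset accepts, one per line, for review.
accepted_ports() {
    printf '%s\n' "$1" | sed -n 's/^-A INPUT -p tcp --dport \([0-9]*\) .*-j ACCEPT$/\1/p'
}

# Example port list (assumed): SSH plus a web server.
RULES=$(gen_firewall_rules 22 80 443)
printf '%s\n' "$RULES"
echo "accepted TCP ports: $(accepted_ports "$RULES" | tr '\n' ' ')"
```

Save the output to a file and load it with `iptables-restore < rules.txt` from a console, or over SSH with the `iptables-apply` wrapper shipped in Debian's iptables package, which reverts the change unless you confirm the session still works. If SSH has been moved off port 22 (as another reply suggests), the new port has to be in the argument list before the rules are loaded.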
#4
The first thing I do with a fresh Linux install (base system only, no GUI) is run a script I have been developing for years now:
 
Code:
#!/bin/bash

#######################################################################################
# This script sets /etc/hosts file, changes root password, sets the hostname,
# creates user catcher, sets up ssh keys for catcher and root, updates apt-get source
# file, updates OS and installs basing set of packages

#######################################################################################
# TODO: Timestamping

#######################################################################################
# Environment setup

TTicRootPass=password
TTicCatcPass=password
export DEBIAN_FRONTEND=noninteractive
TTicFilesPath=/home/catcher/scripts/instconf-base-files
TTicPackList=`cat /home/catcher/scripts/instconf-base-files/TTicPackList`
# date format specifiers need '%', as in the backup file names further down;
# without it the log file name is built from unset shell variables
TTLog=/var/log/TTinstconf-base-`date +"%Y%m%d%H%M%S"`.log

#######################################################################################
# Code BEGIN

# Checking parameters

if [ "$#" != "1" ]; then
        echo "[ERR0] - Incorrect number of parameters"
        echo
        echo "instconf-base - HDCS base system installation script"
        echo
        echo "Usage:"
        echo "instconf-base host"
        echo -e "host\t- hostname of the installed node"
        echo
        echo "Mind that script exits with exit code 1, if no parameters are set"
        echo "or incorrect number of parameters is set"
        exit 1
fi

echo "[INFO] - This is HDCS Base system installation and configuration script."

# Setting hostname

#echo "[INFO] - Setting hostname"
#echo $1 > /etc/hostname
#echo "[ OK ] - Hostname set"

# Hostname setting check

#TTicHostF=`cat /etc/hostname`

#if [ "$1" != "$TTicHostF" ]; then
# echo "[ERR0] - Setting writing hostname into /etc/hostname file failed"
# exit 4
#fi

# Changing root password

#echo "[INFO] - Changing root password"
#echo "root:$TTicRootPass"|chpasswd

#if [ "$?" != "0" ]; then
# echo "[ERR0] - Changing root password failed"
# exit 5
#fi

#echo "[ OK ] - Root password changed"

# Verifying if existing /etc/hosts file already has HDCS Namespace in it

#echo "[INFO] - Verifying existing hosts file"
#TTicExistingHostsFileCheck=`grep "HDCS Namespace" /etc/hosts 2> /dev/null |wc -l`

#if [ "$TTicExistingHostsFileCheck" != "0" ]; then
# echo "[ERR0] - HDCS Namespace already imported! Exiting!"
# exit 2
#else
# echo "[ OK ] - Existing hosts file seems OK"
#fi

# Appending a newline and downloaded namespace into /etc/hosts

#echo "[INFO] - Importing namespace into hosts file"

# Backing up existing hosts file

#mkdir /root/backup 2> /dev/null
#cp /etc/hosts /root/backup/hosts-backup-`date +"%Y%m%d%H%M%S"`

# Adding HDCS namespace to /etc/hosts file

#echo >> /etc/hosts
#cat $TTicFilesPath/TThosts >> /etc/hosts
#echo "[ OK ] - Namespace imported"

# Verifying if imported successfuly

#echo "[INFO] - Verifying imported data"
#TTicImportedHostsCheck=`grep "HDCS Namespace" /etc/hosts 2> /dev/null |wc -l`

#if [ "$TTicImportedHostsCheck" = "1" ]; then
# echo "[ OK ] - Imported Data Seems OK"
#else
# echo "[ERR0] - Imported data NOT OK! Exiting!"
# exit 3
#fi

# Creating user catcher and setting it's password

echo "[INFO] - Creating user catcher"
#adduser --disabled-login --gecos Tomas catcher
#
#if [ "$?" != "0" ]; then
# echo "[WARN] - User creation failed (user catcher)"
#fi

chmod 700 /home/catcher

if [ "$?" != "0" ]; then
echo "[ERR0] - ACL securing catcher's home (chmod 700) failed"
exit 6
fi

echo "[ OK ] - Done creating user catcher"
#echo "[INFO] - Setting catcher's password"
#echo "catcher:$TTicCatcPass"|chpasswd

#if [ "$?" != "0" ]; then
# echo "[ERR0] - Changing catcher's password failed"
# exit 7
#fi

#echo "[ OK ] - Catcher's password set"

# Downloading catcher's rsa keys and known_hosts file from conman storage
# and copying them into .ssh of catcher

#echo "[INFO] - Setting up .ssh files for catcher"
#mkdir /home/catcher/.ssh 2> /dev/null
#chown catcher:catcher /home/catcher/.ssh
#chmod 700 /home/catcher/.ssh
#cat $TTicFilesPath/id_rsac > /home/catcher/.ssh/id_rsa
#cat $TTicFilesPath/id_rsac.pub > /home/catcher/.ssh/id_rsa.pub
#cat $TTicFilesPath/authorized_keys > /home/catcher/.ssh/authorized_keys
#chown catcher:catcher /home/catcher/.ssh/*
#chmod 600 /home/catcher/.ssh/authorized_keys
#chmod 600 /home/catcher/.ssh/id_rsa
#chmod 640 /home/catcher/.ssh/id_rsa.pub
#echo "[ OK ] - Done setting up .ssh files for catcher"

# Downloading root's rsa keys and known_hosts file from conman storage
# and copying them into .ssh of root

#echo "[INFO] - Setting up .ssh files for root"
#mkdir /root/.ssh 2> /dev/null
#chown root:root /root/.ssh
#chmod 700 /root/.ssh
#cat $TTicFilesPath/id_rsar > /root/.ssh/id_rsa
#cat $TTicFilesPath/id_rsar.pub > /root/.ssh/id_rsa.pub
#chown root:root /root/.ssh/*
#chmod 600 /root/.ssh/id_rsa
#chmod 640 /root/.ssh/id_rsa.pub
#echo "[ OK ] - Done setting up .ssh files for root"

# Downloading sources file from conman storage and replacing existing
# /etc/apt/sources.list with it

echo "[INFO] - Installing apt sources file"
mkdir /root/backup 2> /dev/null
cp /etc/apt/sources.list /root/backup/sources.list-backup-`date +"%Y%m%d%H%M%S"`
cat $TTicFilesPath/TTicSL > /etc/apt/sources.list
echo "[ OK ] - Apt sources files installed"

# Update the OS before installing new packages

echo "[INFO] - Updating OS"
apt-get -y --force-yes update > $TTLog 2>&1

if [ "$?" != "0" ]; then
echo "[ERR0] - 'apt-get update' failed in the first run"
exit 8
fi

apt-get -q -y --force-yes upgrade > /dev/null 2>&1

if [ "$?" != "0" ]; then
echo "[ERR0] - 'apt-get -q -y upgrade' failed"
exit 9
fi

echo "[ OK ] - OS update done"

# Downloading the list of packages for base installation from conman remote storage
# and installing them

echo "[INFO] - Installing packages"
apt-get -q -y --force-yes install $TTicPackList > $TTLog 2>&1

if [ "$?" != "0" ]; then
echo "[ERR0] - 'apt-get -q -y install' failed"
exit 10
fi

echo "[ OK ] - Packages installed"

# All seems to be done and OK, informing and exiting

echo "[INFO] - Installation of base system is done. Exiting"

exit 0

When the above script finishes, I have my basic system installed and configured. If I need the machine to be used as a desktop too, I have another, similar script:
Code:
#!/bin/bash

#############################################################################################
# This script imports x2go keyring, x2go repository data, installs x2go client and a bunch of
# other software, sets up catcher's configuration (some .config files, documents, icedove,
# .bash* files, .x2go and .xscreensaver), installs scripts and sets up ACLs

#############################################################################################
# TODO: Error checking
# TODO: Usage message and display
# TODO: Parameter set check

#############################################################################################
# Environment setup
TTin=/var/log/TTinstall.log
export DEBIAN_FRONTEND=noninteractive
TTicPackList=`cat /home/catcher/scripts/instconf-desktop-files/TTicPackList`

#############################################################################################
# Code BEGIN

# Copying files over to /root/

cp /home/catcher/scripts/instconf-desktop-files/* /root/


# Installing a bunch of software

echo "[INFO] - Installing software"

apt-get -y --force-yes install $TTicPackList >> $TTin 2>&1
echo "[ OK ] - Software installed"

# Importing catcher's .config structure

echo "[INFO] - Setting up catcher"

mkdir /home/catcher/.config
chown catcher:catcher /home/catcher/.config
cd
pigz -d /root/dotconfig.tar.gz
tar xf /root/dotconfig.tar
cp -r /root/dotconfig/.config/* /home/catcher/.config/
chown -R catcher:catcher /home/catcher/.config
echo "[ OK ] - Catcher set up"

# Importing Documents

echo "[INFO] - Copying data"

cd
pigz -d documents.tar.gz
tar xf documents.tar
mkdir /home/catcher/Documents
chown catcher:catcher /home/catcher/Documents
mv Documents/* /home/catcher/Documents/
chown -R catcher:catcher /home/catcher/Documents
echo "[ OK ] - Data copied"

# Allowing catcher to do anything without a password

echo "[INFO] - Setting up sudoers"

echo >> /etc/sudoers
echo "catcher    ALL=NOPASSWD: ALL" >> /etc/sudoers
echo "[ OK ] - Sudoers updated"

# Importing catcher's icedove config

#echo "[INFO] - Setting up icedove configuration"
#cd
#pigz -d ./icedove.tar.gz
#tar xf ./icedove.tar
#mv ./icedove /home/catcher/.icedove
#chown -R catcher:catcher /home/catcher/.icedove
#echo "[ OK ] - Icedove config imported"

# Importing .bash files

echo "[INFO] - Importing .bash* files"
cd
pigz -d ./dotbash.tar.gz
tar xf ./dotbash.tar
cp ./dotbash/r.bashrc /root/.bashrc
cp ./dotbash/c.bashrc /home/catcher/.bashrc
chown catcher:catcher /home/catcher/.bash*
chmod 600 /home/catcher/.bash*
echo "[ OK ] - rc files and history imported for root and catcher"

# Importing some more data for catcher

echo "[INFO] - Importing Notes, Firefox, recents, x2go and such for catcher"

cd
pigz -d moredots.tar.gz
tar xf moredots.tar
mkdir -p /home/catcher/.local/share/notes/Notes

for i in `ls ./moredots/`; do
mv ./moredots/$i /home/catcher/.local/share/notes/Notes/
done

chown -R catcher:catcher /home/catcher/.local
mv ./moredots/.mozilla /home/catcher/.mozilla
chown -R catcher:catcher /home/catcher/.mozilla

echo "[ OK ] - Notes, Firefox, recents, xscreensaver and x2go config imported for catcher"

#echo "[INFO] - Installing x2go client and importing x2goclient config"

# Running external script

#/home/catcher/scripts/instconf-x2goclient

#echo "[ OK ] - x2go client and config setup done"

# Setting up Terminal rc

echo "[INFO] - Setting up terminal rc for catcher"

mkdir -p /home/catcher/.config/Terminal 2> /dev/null
cp /home/catcher/scripts/instconf-desktop-files/terminalrc /home/catcher/.config/Terminal/
chown catcher:catcher /home/catcher/.config/Terminal/terminalrc
chmod 644 /home/catcher/.config/Terminal/terminalrc

echo "[ OK ] - terminalrc for catcher set up"

# Linking scripts into /usr/bin

#echo "[INFO] - Scripts ACL + linking to  /usr/bin"

#for i in `file /home/catcher/scripts/*|grep "Bourne-Again shell script"|awk '{print $1}'|sed 's/://g'`; do
# chmod +x $i
# ln -s $i /usr/bin/`echo $i|awk -F/ '{print $NF}'` > /dev/null 2>&1
#done

#echo "[ OK ] - Scripts done"

# Setting ACL

echo "[INFO] - Setting ACL"
chown -R catcher:catcher /home/catcher
chmod -R 700 /home/catcher
chmod -R 700 /root
echo "[ OK ] - ACL setup done"

# Removing temporary files

echo "[INFO] - Cleaning up"

rm -rf /root/dotconfig*
rm -rf /root/documents*
rm -rf /root/scripts.tar
rm -rf /root/dotbash*
rm -rf /root/moredots*
rm -rf /root/icedove.tar

echo "[ OK ] - All is clean now"

# All seems to be done and OK, exiting

echo "[INFO] - All done, exiting"

exit 0

These are the first 2 steps I do with a new OS installation. Depending on what I want and what I don't want to be done, I edit the scripts (mostly commenting out and uncommenting) by hand before I run them.

The second script allowed me to skip the personal configuration of the XFCE environment, which always took a lot of time. Now it's done in a second.

Regards,
catcher
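The second script grants catcher passwordless sudo by appending a line to /etc/sudoers. The following is an added example, not part of the scripts above or the poster's setup: it installs the same grant as a drop-in file under a sudoers.d directory, which keeps the main file untouched and lets the rule be syntax-checked with `visudo -c -f` before it is put in place (a syntax error in /etc/sudoers itself disables sudo for everyone until it is repaired). The function name, its arguments and the scratch directory used by the demo are assumptions; a real run passes /etc/sudoers.d and must be root.

```shell
#!/bin/sh
# Added example, not from the thread: install a passwordless sudo rule as a
# sudoers.d drop-in. The rule is written to a temporary file, given the 0440
# mode sudo expects, syntax-checked with visudo (when visudo is present and we
# are root, since visudo also checks ownership), and only then moved into place.

# write_sudoers_dropin USER DIR
# Prints the installed file path and returns 0; returns 1 if the user name is
# not a plain account name or visudo rejects the rule.
write_sudoers_dropin() {
    user="$1"
    dir="$2"
    # sudoers.d skips file names containing '.' or '~'; restricting the name
    # also keeps anything but a bare account name out of the rule line.
    case "$user" in
        ''|*[!a-z0-9_-]*)
            echo "write_sudoers_dropin: refusing user name '$user'" >&2
            return 1 ;;
    esac
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        if ! visudo -c -q -f "$tmp"; then
            echo "write_sudoers_dropin: visudo rejected the rule" >&2
            rm -f "$tmp"
            return 1
        fi
    fi
    mv "$tmp" "$dir/$user"
    echo "$dir/$user"
}

# Demo against a scratch directory (constructed; a real run would pass /etc/sudoers.d).
DEMO_DIR=$(mktemp -d)
write_sudoers_dropin catcher "$DEMO_DIR"
cat "$DEMO_DIR/catcher"
```

The temporary file is created in the target directory so the final `mv` is an atomic rename; sudo never sees a half-written drop-in.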
#5
(05-16-2016, 05:58 PM)catcher Wrote: The first thing i do with a fresh Linux install (base system only, no GUI) is that i run a script i have been developing for years now:
(.....................)

Regardless of those scripts' content (I don't have the time to check on them), what you did (i.e. developing your own setup scripts) is what every self-respecting sysadmin must do. I'm pretty sure this kind of tradition is starting to fade away due to the ever-increasing list of automation tools and all sorts of point-and-click GUIs/panels.

Kudos.
#6
Since I'm not administering any large scale installations, and just running a Linux server for the home, first steps involve apt-get update, apt-get upgrade and apt-get dist-upgrade. Then SSH keys are set up for passwordless SSH login and drivers compiled for the RocketRAID card. Once the mechanical storage is available, apt-get samba and set up users/shares. I run a website at home for my own reference, so apache, php and mysql are installed and set up (no scripts yet, unfortunately haven't had the time, and I seem to change my mind rather frequently as to how I want to set it up!). Oh...almost forgot the ClamAV and freshclam. Can't be too cautious.
#7
(05-30-2016, 04:09 PM)joknight Wrote: Since I'm not administering any large scale installations, and just running a Linux server for the home, first steps involve apt-get update, apt-get upgrade and apt-get dist-upgrade. Then SSH keys are set up for passwordless SSH login and drivers compiled for the RocketRAID card. Once the mechanical storage is available, apt-get samba and set up users/shares. I run a website at home for my own reference, so apache, php and mysql are installed and set up (no scripts yet, unfortunately haven't had the time, and I seem to change my mind rather frequently as to how I want to set it up!). Oh...almost forgot the ClamAV and freshclam. Can't be too cautious.

Need to start somewhere, and this is the somewhere! You sound so much like me. I like to tinker! Answer me this, how often do you reinstall as you feel it starts to get cluttered?

Do you like Ubuntu or Debian based OS?
There are 10 kinds of people in the world: Those who understand binary and those who don't...
#8
(06-01-2016, 03:40 PM)dmull Wrote:
(05-30-2016, 04:09 PM)joknight Wrote: Since I'm not administering any large scale installations, and just running a Linux server for the home, first steps involve apt-get update, apt-get upgrade and apt-get dist-upgrade. Then SSH keys are set up for passwordless SSH login and drivers compiled for the RocketRAID card. Once the mechanical storage is available, apt-get samba and set up users/shares. I run a website at home for my own reference, so apache, php and mysql are installed and set up (no scripts yet, unfortunately haven't had the time, and I seem to change my mind rather frequently as to how I want to set it up!). Oh...almost forgot the ClamAV and freshclam. Can't be too cautious.

Need to start somewhere, and this is the somewhere! You sound so much like me. I like to tinker! Answer me this, how often do you reinstall as you feel it starts to get cluttered?

Do you like Ubuntu or Debian based OS?

Hi dmull,

Lately I've been reinstalling rather frequently, but that is due to hardware changes and I think I'm finally happy with the setup. I reckon I'd have to say I prefer Ubuntu for the community support; I'm used to it and it seems to do what I want it to efficiently. I have it running vboxheadless at the moment so I can run other test servers and just restore snapshots if I get too carried away lol.

How about you?
#9
I bet I reinstall at least once a month. I never really understood why, but I do. I prefer CentOS installations as I am more familiar with the OS.
#10
I remember when I started my VPS for the first time that I completely wore out the OS reinstallation button.

I have a feeling when I'm going to try out Sentora one of these days, it's probably going to be some of the same.