On this page I try to explain how I usually configure new systems. This
is probably very Ubuntu/Debian based. I hope that someone finds this
helpful and, if there are (security) issues, that people let me know.
When I have configuration files, I link to them instead of putting
them on this page, to avoid duplicating them and ending up with outdated
clones.
It should also be said that the commands I give are usually run as
root.
## ufw
```
ufw allow 113    # identd/authd (for IRC)
ufw allow 631    # CUPS; open to everyone, see the note below
ufw allow 100XX  # non-standard SSH port, XX = computer number
ufw limit 22     # SSH, rate-limited
ufw enable
```
* Allow all traffic to the following ports:
    * 113 - identd/authd (for IRC)
    * 631 - CUPS
        * I don't know how else to allow LAN connections to pass it; I
          should learn direct iptables.
        * In the [CUPS settings](http://[::1]:631/) make sure that
          `Allow printing from the Internet` is not checked.
    * 100XX
        * My non-standard SSH port, for routers which cannot forward a WAN
          port to a different LAN port. The last two digits depend on the
          computer number.
* Limit traffic to the following ports:
    * 22 - SSH
        * I only keep this open so as not to break my `~/.ssh/config`
          files, and having ufw protect it in addition to sshguard
          shouldn't hurt. (Sshguard is more sensitive though.)
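ufw can restrict a rule to a source network, so no raw iptables is needed to keep CUPS and identd off the WAN. The script below is an added example, not part of the original page: it emits the same policy as above but with ports 631 and 113 reachable only from the LAN, and rate-limits the non-standard SSH port like port 22. The LAN prefix `10.0.0.0/8` (the netmask used in the interfaces section below) and the port `10001` are assumed placeholders; `DRY_RUN` is a convention of this script, not a ufw option.

```shell
# Added example, not from the original page: the ufw policy above, but with
# CUPS (631) and identd (113) reachable only from the LAN instead of from
# everywhere. Assumed placeholders: LAN 10.0.0.0/8 and SSH port 10001.
LAN="${LAN:-10.0.0.0/8}"
ALT_SSH_PORT="${ALT_SSH_PORT:-10001}"

# Emit the rule set, one "ufw <args>" argument list per line, so it can be
# reviewed (or diffed against `ufw status`) before anything is applied.
ufw_rules() {
    lan="$1"; alt="$2"
    printf '%s\n' \
        "default deny incoming" \
        "default allow outgoing" \
        "allow from $lan to any port 631 proto tcp" \
        "allow from $lan to any port 113 proto tcp" \
        "limit 22/tcp" \
        "limit $alt/tcp"
}

# Apply the rule set. With DRY_RUN set (this script's own switch), only
# print the commands instead of running ufw.
apply_ufw_rules() {
    ufw_rules "$LAN" "$ALT_SSH_PORT" | while IFS= read -r rule; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "ufw $rule"
        else
            # word splitting of $rule is intended: each word is one ufw argument
            ufw $rule
        fi
    done
    if [ -z "${DRY_RUN:-}" ]; then
        ufw enable
        ufw status verbose
    fi
}
```

`ufw limit` denies an address that opens six or more connections within thirty seconds, which is why it is used for both SSH ports here. After applying, check from a LAN host and from an outside address (a phone on mobile data is enough) that 631 answers only from the LAN; `ufw status numbered` shows the order in which rules are matched.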
## sshd
`/etc/ssh/sshd_config`
* Under the `Port 22` line I add another port, `Port 100XX`, where the last
  two digits depend on the computer number.
* I uncomment both `ListenAddress` lines, `::0` and `0.0.0.0`.
* I uncomment `Protocol 2`. (Newer OpenSSH releases have dropped protocol 1
  altogether, so there the line is accepted but redundant.)
* I change `LogLevel` to `LogLevel VERBOSE`.
* I uncomment the `PasswordAuthentication` line and change it to
  `PasswordAuthentication no`.
    * So logging in without SSH keys is not allowed. Put your public key
      in `~/.ssh/authorized_keys` first and test a fresh connection before
      closing the session you edited the file from.
* I uncomment the line `Banner /etc/issue.net`.
    * So `/etc/issue.net`, with whatever content you put there, is shown to
      users who SSH in, before they log in.
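sshd_config is first-match: for each keyword the first uncommented occurrence wins, so a `PasswordAuthentication yes` left higher up in the file silently overrides the `no` added below it. The script below is an added example, not part of the original page; it reports the value sshd will actually use for a keyword, and runs against a constructed sample config (not the author's file) that contains exactly that mistake. `sample_value` is a helper of this example only.

```shell
# Added example, not from the original page: report the value sshd will
# actually use for a keyword. sshd_config is first-match, so the FIRST
# uncommented occurrence of a keyword wins. Everything after the first
# "Match" line applies only conditionally and is ignored here.
sshd_effective() {
    key="$1"; file="${2:-/etc/ssh/sshd_config}"
    awk -v key="$key" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }         # conditional block starts
        tolower($1) == tolower(key) {           # keywords are case-insensitive
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")     # strip the keyword itself
            print
            # Port and ListenAddress may be given several times and all apply;
            # every other keyword is first-match only.
            if (tolower(key) != "port" && tolower(key) != "listenaddress") exit
        }' "$file"
}

# Constructed sample: the edits described above, plus a stray uncommented
# "PasswordAuthentication yes" that a hurried edit could leave behind.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
Port 22
Port 10001
ListenAddress ::0
ListenAddress 0.0.0.0
PasswordAuthentication yes
Protocol 2
LogLevel VERBOSE
#PasswordAuthentication yes
PasswordAuthentication no
Banner /etc/issue.net

Match User backup
    PasswordAuthentication no
EOF
)

# Write the sample to a temporary file and query it.
sample_value() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
    sshd_effective "$1" "$tmp"
    rm -f "$tmp"
}

sample_value PasswordAuthentication   # prints "yes": the stray line wins
sample_value Port                     # prints 22 and 10001
```

After editing the real file, `sshd -t` checks the syntax and `sshd -T` (run as root) dumps the effective configuration as sshd itself parses it, which is the authoritative check; the function above is for a quick look at a config file copied from another host.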
## sshguard
* `apt-get update; apt-get install sshguard`
Sshguard should work out of the box. This section should come after apt
(because apt has not been configured yet at this point), but I will leave
it here for now.
## network-manager
If you are going to use the `interfaces` file, you must change the line
`managed=false` to `managed=true` in
`/etc/NetworkManager/NetworkManager.conf`. Otherwise you cannot connect
anywhere.
If you run your own dnsmasq (see below), also comment out the line
`dns=dnsmasq` there, so NetworkManager does not start a second dnsmasq
instance of its own.
## interfaces
**I only do this for devices which are connected by cable; I cannot
get this to work with WLAN!**
This configuration is unlikely to change, so I am going to paste it here.
`/etc/network/interfaces`:
```
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 10.0.0.2
    netmask 255.0.0.0
    gateway 10.0.0.1
    dns-nameservers ::1 8.8.8.8 8.8.4.4
iface eth0 inet6 auto
```
This works for ethernet for me. It does the following to `eth0`:
* Sets the IPv4
    * address to 10.0.0.2
    * netmask to 255.0.0.0
    * gateway to 10.0.0.1
* Sets the nameservers to ::1, 8.8.8.8 and 8.8.4.4
    * I don't have native IPv6, so apart from `::1` I use IPv4 DNS servers.
    * `::1`?
        * The local DNS cache (dnsmasq).
* `iface eth0 inet6 auto` lets the interface autoconfigure IPv6 (SLAAC) if
  a router on the link advertises a prefix.
## hosts
`/etc/hosts`
This is mostly the default hosts file. The only thing I have done is to map
`::1` to `localhost` and `HOSTNAMEHERE`, because by default `localhost`
points only to the IPv4 address `127.0.0.1`.
As you can probably guess, `HOSTNAMEHERE` should be replaced with your
`hostname`.
```
::1 localhost
::1 HOSTNAMEHERE
127.0.0.1 localhost
127.0.1.1 HOSTNAMEHERE
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
## apt
### colours
The next two subsections are one-liners to paste into a root shell;
`sources.list` below needs editing by hand.
```
echo 'APT::Color "1";' > /etc/apt/apt.conf.d/99color
```
### progress bar
```
echo 'Dpkg::Progress-Fancy "1";' > /etc/apt/apt.conf.d/99progressbar
```
### sources.list
I always replace the default mirror entries with `http.debian.net` or
Ubuntu's `mirrors.txt`.
[Link to my sources.list files.](https://github.com/Mkaysi/shell-things/tree/gh-pages/sources.list)
**Debian: replace `stable` or `testing` with the release code name, or you
will get a surprise dist-upgrade when `testing` becomes `stable` and
`unstable` becomes `testing`!** `unstable` becoming `testing` shouldn't
matter as much, but you have been warned.
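The warning above is easy to check mechanically. The script below is an added example, not part of the original page or the linked sources.list files: `suite_lint` flags every `deb`/`deb-src` line whose suite is `stable`, `testing` or `unstable` (also as a prefix such as `stable/updates`, the security suite naming of the time), and `suite_rewrite` replaces one rolling name with a code name in the suite field only. The code name `jessie` in the usage is an illustrative assumption; use the release you actually track.

```shell
# Added example, not from the original page: lint a sources.list for the
# rolling suite names the warning above is about, and rewrite them to a
# code name. Only the suite field is touched; URLs and components stay as is.

# Print "<line number>: <line>" for every deb/deb-src line whose suite is
# stable, testing or unstable (also as a prefix such as stable/updates).
suite_lint() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            # skip "[options]" if present; the suite follows the URL
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            i++
            split($i, parts, "/")
            if (parts[1] ~ /^(stable|testing|unstable)$/) print NR ": " $0
        }' "$1"
}

# Rewrite one rolling name to a code name: "stable" -> "jessie" and
# "stable/updates" -> "jessie/updates", leaving every other line alone.
suite_rewrite() {
    from="$1"; to="$2"; file="$3"
    awk -v from="$from" -v to="$to" '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            i++
            if ($i == from) $i = to
            else if (index($i, from "/") == 1) $i = to substr($i, length(from) + 1)
        }
        { print }' "$file"
}

# Usage (jessie is an assumed code name): review the diff, then replace the
# file and run apt-get update.
#   suite_lint /etc/apt/sources.list
#   suite_rewrite stable jessie /etc/apt/sources.list | diff /etc/apt/sources.list -
```

Rewriting to a code name means you must edit the file yourself when you decide to move to the next release, which is the point: the upgrade then happens when you choose, not when the archive renames its suites.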
## dnsmasq
`apt-get install dnsmasq` and it should start working. Nothing uses it
until `resolv.conf` points at it, and that is where `resolvconf`
comes in. The ufw rules above do not open port 53, so the cache is not
reachable from other hosts; if you ever do open that port, restrict
dnsmasq with `listen-address=127.0.0.1,::1` in `/etc/dnsmasq.conf` (or
`interface=` for the LAN side) so that you are not running an open
resolver.
## resolvconf
`apt-get install resolvconf` and resolvconf should start keeping your
`/etc/resolv.conf` in order. I usually modify the file
`/etc/resolvconf/resolv.conf.d/head` and add my nameservers there, so that
they are always at the top of the nameserver list.
[My /etc/resolvconf/resolv.conf.d/head.](https://raw.githubusercontent.com/Mkaysi/shell-things/gh-pages/etc/resolvconf/resolv.conf.d/head)
At the time of writing this section (2014-07-14) I am still missing native
IPv6, so I have the IPv6 Google DNS entries commented out, and I don't
recommend OpenDNS.
## miredo
Miredo, a Teredo client for Linux, should start working when installed
(`apt-get install miredo`). Native IPv4, or a tunnel other than Teredo,
still gets preferred even if you configure gai.conf as below.
### gai.conf
Uncomment (remove the `#` from) the following lines, except the last one:
```
label ::1/128 0
label ::/0 1
label 2002::/16 2
label ::/96 3
label ::ffff:0:0/96 4
label fec0::/10 5
#label fc00::/7 6
```
This makes Teredo a little more prioritized: once any `label` line is
given, glibc replaces its whole default label table, including the default
entry that gives Teredo addresses (`2001:0::/32`) a label of their own.
Teredo source addresses then share label 1 with ordinary global IPv6
destinations, so the "prefer matching label" rule in getaddrinfo(3) no
longer counts against them. Google Chrome still avoids Teredo, though, and
with other browsers you don't get more than 7 points on the IPv6 test. With
an actual tunnel you would get full points.
## molly-guard
`apt-get install molly-guard` and the commands to power off, reboot etc.
start asking you for the hostname when you are connected over SSH.
I always uncomment the line `ALWAYS_QUERY_HOSTNAME=true` in
`/etc/molly-guard/rc`, because I keep powering off the wrong host
even when I am on it locally.
## oidentd
`apt-get install oidentd` and oidentd works. It doesn't necessarily
need additional configuration unless you are a public shell host or
something similar. Keep in mind what ident does: it tells whoever asks
which local user owns a given connection, so on a multi-user box check
`/etc/oidentd.conf` for what you are willing to reveal.