mico/systems-guide
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a615f2d7cc
systems-guide/00_setup.md

118 lines
3.2 KiB
Markdown
Raw Blame History

# Setting up a new machine
This guides assumes you are on a fresh machine running AlmaLinux 9 or 10, ssh-ed as `root`.
It will show how to install required packages, configure firewalls, lock the server to just SSH and create an `admin` user.
## Installing initial packages
First Update system
```sh
dnf update -y && dnf upgrade -y
```
Then install the neccessary packages
```sh
dnf install -y epel-release firewalld bind-utils git fail2ban neovim
```
`epel-release` is neccessary to get fail2ban and some later dependencies
It stands for "extra packages for enterprise linux".
## Closing the Firewall to anything but SSH
We are gonna close the firewall to anything but SSH for now.
We dont have anything running on the server yet anyway.
```sh
# Enable firewalld
systemctl enable --now firewalld
# This will set the default firewall zone to DROP, which means traffic will get dropped by default.
# Later on you will want to change this to zone=public so you can serve traffic over http/https
firewall-cmd --set-default-zone=drop &&
firewall-cmd --add-service=ssh --permanent &&
firewall-cmd --reload
```
⚠️ *`drop` zone will just drop all traffic if you dont configure it to use `public` zone like we show in [Firewall](02_firewall.md) section. If connections time out this is likely the reason.*
## Unattended upgrades
```sh
dnf install -y dnf-automatic
systemctl enable --now dnf-automatic.timer
```
## Enabling fail2ban
This will keep the masses of bots of trying to SSH / log into our server by banning their ips if they are annoying us.
Create a new jail file at `/etc/fail2ban/jail.local`
```toml
[sshd]
enabled = true
```
Start it
```sh
systemctl enable --now fail2ban
```
## Creating the admin user
To avoid using `root` user we are gonna create a new user with `sudo` privileges and prevent logging into root via `ssh`.
The password for `admin` user is in our Bitwarden.
```sh
adduser admin
passwd admin # Will prompt you for a new password
usermod -aG wheel admin # Give elevated (sudo) privileges to the user
```
### Add the SSH key to `admin` user's authorized keys so you can SSH into it
Switch to `admin` account
```sh
su -i admin
```
Create files and paste your public key
```sh
cd ~ # in case you arent in $HOME dir
mkdir .ssh
nvim .ssh/authorized_keys # paste relevant SSH public keys in here
```
Try opening a new terminal and ssh-ing into `admin` user on the server, it should work.
### Locking the `root` account
⚠️ *Be sure you can SSH with another sudo enabled account like `admin` otherwise you WILL LOCK YOURSELF out of the machine.*
Go back to `root` account now, otherwise you will need to `sudo` the commands below.
The following commands will lock out the root by configuring `/etc/ssh/sshd_config` file.
```sh
sed -i 's/#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd
````
If done correctly `root` is no longer available.
### Accessing the `root` account locally thru another account
Even though we went thru the trouble of setting up a dedicated admin user, you can still switch into `root` account by simply executing:
```sh
sudo -i
```
It will prompt you for `admin` password and then log into `root`.
Reference in New Issue View Git Blame Copy Permalink