Document Host Setup and Security Standards #86

Closed
opened 2023-03-11 14:31:15 -08:00 by Jafner · 15 comments
Jafner commented 2023-03-11 14:31:15 -08:00 (Migrated from gitlab.jafner.net)

Write a document describing how hosts are secured as part of a standard deployment of a new host.

  • Latest Debian base image
  • Non-root user (w/ sudo)
  • SSH: Disable password authentication
  • SSH: Disable root login
  • SSH: Require 2FA
  • SSH: Key management (how to roll out new key)

It is also probably a good idea to identify weaknesses or other shortcomings in the current model.

Jafner commented 2023-03-11 14:31:15 -08:00 (Migrated from gitlab.jafner.net)

assigned to @Jafner

Jafner commented 2023-03-11 14:32:12 -08:00 (Migrated from gitlab.jafner.net)

changed the description

Jafner commented 2023-10-04 22:59:00 -07:00 (Migrated from gitlab.jafner.net)

changed title from Document Host Security Standards to Document Host {+Setup and +}Security Standards

Jafner commented 2023-10-05 09:34:32 -07:00 (Migrated from gitlab.jafner.net)

Create Admin User

  1. Get su perms. Either via `sudo`, `su -`, or by logging in as the root user.
  2. `adduser admin` to create the non-root admin user.
  3. `usermod -aG sudo admin` to add the new user to the sudo group.
  4. `sudo visudo` and append this line to the end of the file: `admin ALL=(ALL) NOPASSWD:ALL` to enable passwordless sudo.

After these, you can `sudo su admin` to log into the new user account.

https://www.cyberciti.biz/faq/add-new-user-account-with-admin-access-on-linux/
https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/
Jafner commented 2023-10-05 10:14:16 -07:00 (Migrated from gitlab.jafner.net)

Configure Secure SSH

  1. `mkdir -p /home/admin/.ssh && echo "<insert pubkey here>" >> /home/admin/.ssh/authorized_keys` to add the pubkey to authorized_keys. Make sure to place the correct SSH pubkey in the command before copying.
  2. `sudo apt install libpam-google-authenticator` to install the Google 2FA PAM.
  3. `google-authenticator` to configure the 2FA module. Use the following responses when prompted:
     • Do you want authentication tokens to be time-based? `y`
     • Do you want me to update your "/home/$USER/.google_authenticator" file? `y`
     • Do you want to disallow multiple uses of the same authentication token? `y`
     • Do you want to do so? `n` (refers to increasing the time skew window)
     • Do you want to enable rate-limiting? `y`
     We enter our TOTP secret key into our second authentication method and save our one-time backup recovery codes.
  4. `sudo nano /etc/pam.d/sshd` to edit the PAM configuration, and add this line to the top of the file: `auth sufficient pam_google_authenticator.so nullok`
  5a. `sudo nano /etc/ssh/sshd_config` to open the SSH daemon config for editing. Make sure the following assertions exist:
     • `PubkeyAuthentication yes`
     • `AuthenticationMethods publickey,keyboard-interactive`
     • `PasswordAuthentication no`
     • `ChallengeResponseAuthentication yes`
     • `UsePAM yes`
  5b. `echo $'PubkeyAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive\nPasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes' | sudo tee /etc/ssh/sshd_config.d/ssh.conf` to perform the above as a one-liner. Requires a version of OpenSSH/Linux that supports sourcing sshd config from the `/etc/ssh/sshd_config.d/*.conf` path.
  6. `sudo systemctl restart sshd.service` to restart the SSH daemon.
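Added example, not from the issue or the homelab repo: a small audit script for the sshd settings in 5a/5b. It assumes Debian's stock sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` (so the drop-in is read first and, because sshd keeps the first value it sees for each keyword, wins); the file names, `sshd_effective`, `check_hardening` and the sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not from the issue). sshd keeps the
# FIRST value it reads for a keyword, and Debian's stock sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", so the drop-in from step 5b is read
# first and wins. Without that Include, "PasswordAuthentication yes" in the main
# file would silently override it. Pass files in the order sshd reads them.

# First-match lookup; keyword matched case-insensitively, comments skipped.
sshd_effective() {   # usage: sshd_effective KEYWORD FILE...
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    awk -v want="$want" '
        NF == 0 || $1 ~ /^#/ { next }           # blank lines and comments
        tolower($1) == want  { print $2; exit }  # first hit wins, like sshd
    ' "$@"
}

# Exit 0 only if every setting from step 5a is the effective one.
check_hardening() {  # usage: check_hardening FILE...
    rc=0
    for pair in PubkeyAuthentication=yes \
                AuthenticationMethods=publickey,keyboard-interactive \
                PasswordAuthentication=no \
                ChallengeResponseAuthentication=yes UsePAM=yes; do
        k=${pair%%=*}; v=${pair#*=}
        got=$(sshd_effective "$k" "$@")
        if [ "$got" != "$v" ]; then
            echo "FAIL $k: want '$v', effective '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for /etc/ssh/sshd_config and the
# step-5b drop-in (sample content, not copied from any real host).
TMP=$(mktemp -d)
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '# Debian defaults' \
    'PasswordAuthentication yes' 'UsePAM yes' > "$TMP/sshd_config"
printf '%s\n' 'PubkeyAuthentication yes' \
    'AuthenticationMethods publickey,keyboard-interactive' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' \
    'UsePAM yes' > "$TMP/ssh.conf"

# Drop-in read first, as the Include makes sshd do: passes.
check_hardening "$TMP/ssh.conf" "$TMP/sshd_config" && echo "drop-in effective: OK"
# Main file alone (drop-in never Included): password auth stays on.
check_hardening "$TMP/sshd_config" || echo "main file alone: NOT hardened"
```

On a real host, `sshd -T` prints the effective configuration after all Includes and is the authoritative check; the script above only shows why file order matters.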
Jafner commented 2023-10-05 10:19:49 -07:00 (Migrated from gitlab.jafner.net)

changed the description

Jafner commented 2023-10-05 10:30:10 -07:00 (Migrated from gitlab.jafner.net)

Install Basic Packages

  1. `sudo apt install curl nano inxi git htop`

Install Docker

  1. `curl -fsSL https://get.docker.com | sudo sh` This is the most convenient and least safe way to do this. If this script is ever compromised, we'd be fucked.
  2. `sudo systemctl enable docker` to enable the Docker service.
  3. `sudo usermod -aG docker $USER` to add the current user (should be non-root admin) to the docker group.
  4. `logout` to relog and apply the new permissions.
Jafner commented 2023-10-05 12:01:51 -07:00 (Migrated from gitlab.jafner.net)

mentioned in issue #92

Jafner commented 2023-10-05 14:18:03 -07:00 (Migrated from gitlab.jafner.net)

Clone the homelab repo

  1. Create a new Gitlab personal access token for the device at [Personal Access Tokens](https://gitlab.jafner.net/-/profile/personal_access_tokens). Should be named like `warlock` and have the following scopes: `read_api`, `read_user`, `read_repository`.
  2. `mkdir ~/homelab ~/data && cd ~/homelab/ && git init && git config core.sparseCheckout true && git config pull.ff only` to init the repository with sparse checkout enabled.
  3. `git remote add -f origin https://<pat-name>:<pat-value>@gitlab.jafner.net/Jafner/homelab.git` to add the repo with authentication via read-only personal access token. NOTE: Make sure to replace `<pat-name>` with the name of the personal access token, and replace `<pat-value>` with the key for the personal access token.
  4. `echo "$HOSTNAME/" > .git/info/sparse-checkout` to configure sparse checkout for the host.
  5. `git checkout main` to switch to the main branch with the latest files.
Jafner commented 2023-10-05 14:39:33 -07:00 (Migrated from gitlab.jafner.net)

Set the Hostname

  1. `sudo hostnamectl set-hostname <hostname>` to set the hostname.
  2. `sudo nano /etc/hosts` and edit the old value for `127.0.1.1` to use the new hostname.
Jafner commented 2023-10-05 14:58:31 -07:00 (Migrated from gitlab.jafner.net)

Current map of IPs to old and new hostnames:

| IP | Old hostname | New hostname | Migrated? |
|:--:|:------------:|:------------:|:---------:|
| 192.168.1.1 | `router` | `wizard` | ✅ |
| 192.168.1.10 | `joey-nas` | `barbarian` | ✅ |
| 192.168.1.11 | `truenas` | `monk` | ✅ |
| 192.168.1.23 | `joey-server` or `jafner.net` | `fighter` | ✅ |
| 192.168.1.24 | `joey-seedbox` or `jafner.chat` | `warlock` | ✅ |
| 192.168.1.31 | `WYSE-B8H3JV2` | `paladin` | ✅ |
| 192.168.1.32 | `WYSE-B8D2JV2` | `ranger` | ✅ |
| 192.168.1.33 | `WYSE-B8N8JV2` | `cleric` | ✅ |
| 143.110.151.123 | `jafner.tools` | `druid` | ✅ |
Jafner commented 2023-10-05 15:42:17 -07:00 (Migrated from gitlab.jafner.net)

Update VyOS

  1. Navigate to [VyOS nightly builds](https://vyos.net/get/nightly-builds/) and copy the link for the most recent build.
  2. SSH into the VyOS host and run `add system image <link to build image>`
  3. When prompted, answer yes (default) to:
     1. Would you like to save current configuration directory and config file? (Yes/No) [Yes]
     2. Would you like to save the SSH host keys from your current configuration? (Yes/No) [Yes]
  4. Reboot into the new image.

Note: If you do not want the most recent image to be used by default, you can use the command `set system image default-boot <image>`
You can view available system images with `show system image`, which will include telling you which is currently the default boot image.
You can delete old system images with `delete system image <image>`

Set up SSH 2FA on VyOS

  1. `generate system login username vyos otp-key hotp-time rate-limit 3 rate-time 30 window-size 3` to generate the key and print out the commands to add it to the given user.
  2. `set system login user vyos authentication otp key <key>` to configure the new key for the user.
Jafner commented 2023-10-05 15:49:12 -07:00 (Migrated from gitlab.jafner.net)

Set Host Name in VyOS

`configure; set system host-name <hostname>; commit; save; exit`
Jafner commented 2023-10-06 15:21:54 -07:00 (Migrated from gitlab.jafner.net)

mentioned in commit 7c0bcdd546f52bcf56cb303d1e45b13fa2fbfbe4

Closing. Further work will go under #110 and #111

Reference: Jafner/homelab#86