linode_jumpbox_config / base_install

part of the linode_jumpbox_config project

summary

Do a basic, somewhat-secured setup of a linode via any of 3 processes:

  • manual: unautomated
  • script: manually rebuild your linode, shell into it, then run a normal script
  • StackScript: rebuild your linode using a StackScript

Note that all of the above processes (and basically everything on this page) assume that you have already successfully completed the pre-install process.

For definitions of terms special to these instructions, see the project glossary.

manual

Follow steps in linode.com docs=

  1. Getting Started
  2. Securing Your Server

with one exception: I do not currently disable the root login entirely, though I do disable root login via SSH. This is because I currently don't know how to run some parts of the OpenVPN install merely as sudo: i.e., that install seems (in parts) to require running from su -.

script

minimal_secure_debian-based_linode_config.sh runs on the linode "normally": i.e., not as a StackScript. Accordingly, to run it,

  1. On your client, complete the pre-script process (not the pre-StackScript process) below.
  2. From your linode, complete the script base install (not the StackScript base install) below.

pre-script process

  1. From your Linode Dashboard:

    1. Rebuild the linode: follow link= Rebuild. In the resulting page,

      1. Select OS=Debian (probably latest version available).
      2. Fill in your desired root password.
      3. Take other defaults.
      4. Hit button= Rebuild (and OK to confirm).

      This will take a bit of time (usually less than a minute), returning to status= Powered Off.

    2. Boot the linode: hit button= Boot (and OK to confirm). Will take a bit of time (usually less than a minute).

  2. From your client:

    1. Define MYNODE_IPV4 (your linode's IPv4 address), preferably by sourcing the previously-written private.properties:

      source ${PATH_TO_PROJECT}/scripts/private.properties
      
    2. Reset the local SSH key for your user on the linode:

      ssh-keygen -f ${HOME}/.ssh/known_hosts -R ${MYNODE_IPV4}
      
    3. Copy scripts and dependencies to linode 'rootspace' (usually /root/). The easiest way to do this is scp ${PATH_TO_PROJECT}/scripts/* root@${MYNODE_IPV4}:, but you can also individually copy

    4. SSH into linode as root (since you have not yet created a user account):

      ssh root@${MYNODE_IPV4}
      

script base install

From a root shell on your linode:

  1. Run the install script (s/whatever/ your desired password /):

    MYNODE_USER_PASSWORD='whatever' /root/minimal_secure_debian-based_linode_config.sh
    
  2. After the script runs to completion (without error):

    1. logout (aka Ctrl-D) as root.
    2. Copy scripts and dependencies to your new user's linode homespace, either individually/manually or with

      scp ${PATH_TO_PROJECT}/scripts/* ${MYNODE_USER_NAME}@${MYNODE_IPV4}:
      

      This will also test that you created your user correctly.

StackScript

Not currently supported: I have a StackScript for this task, but it is currently broken. To fix it, I need to

  • add logging-to-file to facilitate debug
  • discover either
    • how to make the StackScript get .properties from the client
    • how to run the StackScript after [creating the base image, copying the properties]

testing

As directed by the script, from your client, verify that

  1. you cannot now SSH in as user=root

  2. you can now SSH in as the user you created, with key and without challenge, e.g.:

    ssh ${MYNODE_USER_NAME}@${MYNODE_IPV4}
    
  3. your sudo iptables -L output

    1. resembles this output of mine
    2. resembles the listing at this linode doc
    3. ... and your ability to sudo tests that you set your user password correctly.
  4. your desired packages (esp for your editor) are installed
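
Checks 1 and 2 above can be scripted. The following is an added example, not part of the project's scripts: it tests the key-only login from the client and reads the server's effective `permitrootlogin` setting instead of relying on a refused login attempt. The function names and the `check.sh` file name are hypothetical, and it assumes OpenSSH on both the client and the linode.

```shell
#!/bin/sh
# Added example, not part of the project's scripts. Function names are
# hypothetical. Assumes OpenSSH on the client and on the linode.

# Testing step 2: succeed only if USER can log in to HOST with a key and
# no prompt. BatchMode=yes makes ssh fail rather than ask for a password
# or passphrase, so an unloaded passphrase-protected key also fails here.
key_login_ok() {    # usage: key_login_ok USER HOST
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$1@$2" true
}

# Testing step 1: read `sshd -T` output (the effective server settings,
# keywords in lower case) on stdin and succeed only for "permitrootlogin no".
# Any other value (yes, prohibit-password, without-password,
# forced-commands-only) still lets root in over SSH in some way.
# Returns 0 = disabled, 1 = still possible, 2 = setting not found.
root_ssh_disabled() {
    value=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    case "$value" in
        no) return 0 ;;
        "") echo "permitrootlogin not found in input" >&2; return 2 ;;
        *)  echo "root can still SSH in: permitrootlogin $value" >&2; return 1 ;;
    esac
}

# Command-line entry points (the script file name is up to you):
#   on the client:  sh check.sh key "$MYNODE_USER_NAME" "$MYNODE_IPV4"
#   on the linode:  sudo sshd -T | sh check.sh root
case "${1:-}" in
    key)  key_login_ok "$2" "$3" && echo "key login without challenge: OK" ;;
    root) root_ssh_disabled && echo "root SSH login: disabled" ;;
esac
```

Running the `root` check through sudo on the linode also exercises the sudo password, as in check 3.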
