Size: 5527
Comment: firewall notes
|
Size: 3861
Comment: remove spurious heading
|
Line 3: | Line 3: |
* RPi OS Lite on RPi Model 4 * Based on Debian buster (10) x32 * Located at home |
* RPi Model 4 (aarch64, 4-core, 4gb RAM) * RPi OS Lite 64-bit (Bookworm) * LAN MAC `e4:5f:01:1c:c6:ea` * WLAN MAC `e4:5f:01:1c:c6:eb` * located at home |
Line 9: | Line 11: |
Line 12: | Line 13: |
* Flash the image * touch `ssh` on boot partition * Fire it up * Login as pi//raspberry, set new passwd * ssh-copy-id * sudo to root and copy authorized_keys to root's * Login directly as root * hostnamectl set-hostname vector.thighhighs.top * Packages {{{ |
This is the most generic stuff to do for initial setup, before tweaking it to a specific use. === OS imaging === Using the Raspberry Pi Imager app, start with '''RPi OS Lite 64-bit''', suitable for the RPi 3B+ It lets you make some customisations before flashing, which is really nice: * Set hostname to '''vector''' * Enable SSH * Password auth, make a new secure password and record it in 1Password * Set username and password * `furinkan // <the password you just created>` * No WLAN * Set locale to Australia/Sydney, us keyboard * Disable telemetry Prepare DHCP server with static address for the LAN MAC address. Put in the card and let it boot, should be fairly quick. === First login === 1. Login as `furinkan@vector` and copy your SSH key there {{{ ssh-copy-id furinkan@vector }}} 1. sudo up and copy your SSH key to root's account as well {{{ sudo -i ssh-keygen -t ed25519 touch ~/.ssh/authorized_keys chmod 0600 ~/.ssh/authorized_keys cat ~furinkan/.ssh/authorized_keys >> ~/.ssh/authorized_keys }}} 1. Login again directly as root 1. Set the hostname with domain as well now {{{ hostnamectl set-hostname vector.thighhighs.top }}} 1. Install base packages {{{ |
Line 22: | Line 50: |
apt install vim screen locales bash-completion dpkg-reconfigure locales apt full-upgrade reboot |
apt install -y vim git screen ack apt autoremove apt full-upgrade -y |
Line 27: | Line 54: |
* Disable IPv6 privacy addresses {{{ # Already disabled in sysctl sysctl -a | grep tempaddr # Fix it in dhcp client config, /etc/dhcpcd.conf slaac hwaddr }}} * Set editor {{{ echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh }}} * Set timezone {{{ timedatectl set-timezone Australia/Sydney }}} * Disable HashKnownHosts in `/etc/ssh/ssh_config` * More packages {{{ apt install wget curl net-tools ack jq make mlocate elinks nmap whois |
1. More packages {{{ apt install wget curl net-tools jq make mlocate elinks nmap whois |
Line 45: | Line 59: |
* Configure screen: curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc * Configure top yourself * Set static IPv4 config in `/etc/dhcpcd.conf` because this will be a network services box {{{ option ntp_servers interface eth0 static ip_address=192.168.1.20/24 static routers=192.168.1.1 static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4 |
1. Edit `/etc/pam.d/sshd` and remove `user_readenv=1`, this will keep the logs tidy 1. Disable HashKnownHosts for SSH client {{{ echo -e "Host *\n HashKnownHosts no" > /etc/ssh/ssh_config.d/20-disable-hashknownhosts.conf }}} 1. Configure shell * Edit `/root/.bashrc` to enable colours * Set the default editor to vim.basic: {{{ update-alternatives --config editor }}} * Add shell history timestamping {{{ cat <<EOF >> ~/.bashrc # Timestamped shell FTW export HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S ' EOF }}} 1. Configure vim {{{ cat <<EOF > ~/.vimrc set nocompatible syntax on set background=dark set hlsearch set modeline set scrolloff=3 EOF |
Line 55: | Line 85: |
Now take an image of the system after shrinking the filesystem {{{ | === Disable wifi and bluetooth and other stuff === I'm using vector as a network appliance, so I don't need the radios: https://sleeplessbeastie.eu/2022/06/01/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-4/ 1. Add dtoverlays to your `/boot/config.txt` to disable the radios: {{{ cat <<EOF >> /boot/config.txt dtoverlay=disable-wifi dtoverlay=disable-bt EOF }}} 1. Let's also disable sound {{{ sed -r -i 's,^dtparam=audio=on$,dtparam=audio=off,' /boot/config.txt }}} 1. Disable bluetooth and modem services {{{ systemctl disable --now hciuart systemctl disable --now bluetooth.target systemctl disable --now bluetooth.service systemctl disable --now ModemManager.service }}} 1. For some reason this isn't working on the RPi4? Whatever, nuke the software packages as well {{{ apt purge -y bluez bluez-firmware wpasupplicant rm -rfv /etc/wpa_supplicant apt autoremove -y }}} 1. No keyboard means no hotkeys needed {{{ apt purge -y triggerhappy }}} 1. Reboot === Tools config === 1. Configure screen {{{ curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc }}} 1. Configure `top`: `z x c s 1.5 <Enter> e 0 1 W q` == Save a copy == Now take an image of the system by putting the card in another system, after shrinking the filesystem {{{ |
Line 60: | Line 130: |
== Unifi controller == Notes and script from here: https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776 * wget https://get.glennr.nl/unifi/install/unifi-6.2.17.sh * Grow partition with cfdisk, then FS with resize2fs * bash unifi-6.2.17.sh * Setup new empty site, create local admin account * Import site from old controller * Update DNS to point unifi to vector This SSL cert thing doesn't work, yet it should be exactly the perfect method. -_- `java -jar /usr/lib/unifi/lib/ace.jar import_key_cert STAR_thighhighs_top.key.stripped STAR_thighhighs_top.crt` Instead I used this thing, it's stashed in `/root/unifi-import-cert.sh` {{{ # Backup previous keystore cp /var/lib/unifi/keystore /var/lib/unifi/keystore.backup.$(date +%F_%R) # Convert cert to PKCS12 format openssl pkcs12 -export \ -inkey /etc/ssl/STAR_thighhighs_top.key \ -in /etc/ssl/STAR_thighhighs_top.crt \ -out /etc/ssl/STAR_thighhighs_top.p12 \ -name unifi -password pass:unifi # Install certificate keytool -importkeystore \ -deststorepass aircontrolenterprise \ -destkeypass aircontrolenterprise \ -destkeystore /var/lib/unifi/keystore \ -srckeystore /etc/ssl/STAR_thighhighs_top.p12 \ -srcstoretype PKCS12 \ -srcstorepass unifi \ -alias unifi \ -noprompt # Restart UniFi controller systemctl restart unifi }}} == network == Static IPv4 address via /etc/dhcpcd.conf IPv6 stuff works by SLAAC as usual. {{{ slaac hwaddr option ntp_servers interface eth0 static ip_address=192.168.1.20/24 static routers=192.168.1.1 static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4 }}} == IPv6 == Autoconfigured, slaac hwaddr, not externally accessible == services == * Unifi controller * Pihole DNS and DHCP server == Pihole == Straightforward basic install, no conflict with other installed services. 
* Pi-hole DNS (IPv4): 192.168.1.20 * Pi-hole DNS (IPv6): 2404:e80:42e3:0:e65f:1ff:fe1c:c6ea Admin UI at https://pihole.thighhighs.top/admin/ TLS works \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17 == Firewall == As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down. Limit and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md {{{ apt install ufw ufw allow ssh ufw enable # Unifi stuff - https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used ufw allow 8443/tcp ufw allow 8080/tcp ufw allow 3478/udp ufw allow 5515/udp ufw allow 5514/udp ufw allow 8843/tcp ufw allow 6789/tcp ufw allow 8880/tcp ufw allow 10001/udp ufw allow 1900/udp # Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw ufw allow http ufw allow https ufw allow domain ufw allow 67/udp ufw allow 67/tcp ufw allow 546:547/udp }}} == Disable wifi and bluetooth on RPi == I'm using vector as a network appliance, so I don't need the radios. https://sleeplessbeastie.eu/2018/12/31/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-3/ Edit your /boot/config.txt and add: {{{ dtoverlay=disable-wifi dtoverlay=disable-bt }}} * The linked page above uses pi3-disable-foo, which are deprecated names == systemd-timesyncd config == RPi OS ships with systemd-timesyncd enabled by default, for SNTP functionality. Configure it in /etc/systemd/timesyncd.conf {{{ [Time] NTP=ntp.on.net 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org }}} Leave the rest, just restart the daemon with `systemctl restart systemd-timesyncd.service` |
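Review bot: in the First login steps of the Line 12/13 hunk, `cat ~furinkan/.ssh/authorized_keys >> ~/.ssh/authorized_keys` is not idempotent, so every re-run of the notes appends the same keys to root's file again; a merge that skips keys already present avoids that. The `ssh-keygen -t ed25519` on the line before only serves to create `~/.ssh` for root (root does not need its own keypair to accept logins), so `mkdir -m 0700 ~/.ssh` does the same without the interactive prompts. Note also that the "Login again directly as root" step relies on sshd's default `PermitRootLogin prohibit-password`, which is what keeps root limited to key auth; worth stating so nobody later "fixes" it to `yes`.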
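Review bot: the Line 45/59 hunk disables HashKnownHosts for `Host *`, which trades away the one thing hashing buys: an unhashed `~/.ssh/known_hosts` on this appliance is a clear-text inventory of every host it has connected to, handed over if the box is ever compromised. If readability is only wanted for the home LAN, scope the block (e.g. `Host *.thighhighs.top`) and leave hashing on for everything else.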
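Review bot: in the Line 60/130 hunk, `unifi-import-cert.sh` leaves the private key in two extra places: `/etc/ssl/STAR_thighhighs_top.p12`, protected only by the well-known export password `unifi`, and an unbounded series of `/var/lib/unifi/keystore.backup.*` copies. Suggest `umask 077` before the `openssl pkcs12 -export` call, `rm -f` of the `.p12` once `keytool` succeeds, and pruning old backups. In the ufw block the controller ports (8080, 8443, 8843, 8880, 6789, 3478, 10001) are opened from any source; on a LAN-only appliance scope them to the subnet, e.g. `ufw allow from 192.168.1.0/24 to any port 8443 proto tcp`, and the rate limiting the text lists as a to-do is `ufw limit ssh`.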
vector
- RPi Model 4 (aarch64, 4-core, 4gb RAM)
- RPi OS Lite 64-bit (Bookworm)
- LAN MAC e4:5f:01:1c:c6:ea
- WLAN MAC e4:5f:01:1c:c6:eb
- located at home
Build notes
This is the most generic stuff to do for initial setup, before tweaking it to a specific use.
OS imaging
Using the Raspberry Pi Imager app, start with RPi OS Lite 64-bit, suitable for the RPi 3B+.
It lets you make some customisations before flashing, which is really nice:
- Set hostname to vector
- Enable SSH
- Password auth, make a new secure password and record it in 1Password
- Set username and password
  - furinkan // <the password you just created>
- No WLAN
- Set locale to Australia/Sydney, us keyboard
- Disable telemetry
Prepare the DHCP server with a static address for the LAN MAC address.
Put in the card and let it boot; it should be fairly quick.
First login
1. Login as furinkan@vector and copy your SSH key there

       ssh-copy-id furinkan@vector

2. sudo up and copy your SSH key to root's account as well

       sudo -i
       ssh-keygen -t ed25519
       touch ~/.ssh/authorized_keys
       chmod 0600 ~/.ssh/authorized_keys
       cat ~furinkan/.ssh/authorized_keys >> ~/.ssh/authorized_keys

3. Login again directly as root
4. Set the hostname with domain as well now

       hostnamectl set-hostname vector.thighhighs.top

5. Install base packages

       apt update
       apt install -y vim git screen ack
       apt autoremove
       apt full-upgrade -y

6. More packages

       apt install wget curl net-tools jq make mlocate elinks nmap whois
       updatedb
       reboot

7. Edit /etc/pam.d/sshd and remove user_readenv=1; this keeps the logs tidy
8. Disable HashKnownHosts for the SSH client

       echo -e "Host *\n HashKnownHosts no" > /etc/ssh/ssh_config.d/20-disable-hashknownhosts.conf

9. Configure shell
   - Edit /root/.bashrc to enable colours
   - Set the default editor to vim.basic:

         update-alternatives --config editor

   - Add shell history timestamping

         cat <<EOF >> ~/.bashrc
         # Timestamped shell FTW
         export HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S '
         EOF

10. Configure vim

        cat <<EOF > ~/.vimrc
        set nocompatible
        syntax on
        set background=dark
        set hlsearch
        set modeline
        set scrolloff=3
        EOF
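The root key-copy step above uses a plain `cat >>`, which appends every key again each time the notes are replayed. The following is an added example, not part of the original notes: an idempotent stand-in that copies only keys not already present and sets the directory and file modes sshd requires. The key strings, user names and paths in the demo are constructed; lines carrying leading options such as `from="..."` are deliberately not handled.

```shell
#!/bin/sh
# Added example, not from the original notes: an idempotent stand-in for
#   cat ~furinkan/.ssh/authorized_keys >> ~/.ssh/authorized_keys
# The plain append copies every key again on each run; this version copies
# only keys whose "type base64" pair is not already present and fixes the
# modes sshd insists on. Keys and paths in the demo are constructed.

# key_ids [FILE] -> one "type base64" per key line, read from FILE or stdin
# (comments and blanks dropped; leading options like from="..." not handled)
key_ids() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2 }' "$@"
}

# count_keys FILE -> number of key lines in FILE
count_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# merge_authorized_keys SRC DST -> append keys from SRC missing in DST,
# print how many were added
merge_authorized_keys() {
    src=$1
    dst=$2
    dstdir=$(dirname "$dst")
    [ -d "$dstdir" ] || mkdir -p -m 0700 "$dstdir"
    [ -e "$dst" ] || (umask 077 && touch "$dst")
    chmod 0600 "$dst"
    existing=$(mktemp)
    key_ids "$dst" > "$existing"
    added=0
    # '|| [ -n "$line" ]' keeps a last line that has no trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        id=$(printf '%s\n' "$line" | key_ids)
        [ -n "$id" ] || continue
        if ! grep -qxF -- "$id" "$existing"; then
            printf '%s\n' "$line" >> "$dst"
            printf '%s\n' "$id" >> "$existing"
            added=$((added + 1))
        fi
    done < "$src"
    rm -f "$existing"
    echo "$added"
}

# Demo on constructed files in a temporary directory (not real keys)
demo=$(mktemp -d)
printf '%s\n' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYONE furinkan@laptop' \
    '# a comment line is ignored' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYTWO furinkan@desktop' \
    > "$demo/user_authorized_keys"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYONE furinkan@laptop' \
    > "$demo/root_authorized_keys"
echo "first merge added: $(merge_authorized_keys "$demo/user_authorized_keys" "$demo/root_authorized_keys")"
echo "second merge added: $(merge_authorized_keys "$demo/user_authorized_keys" "$demo/root_authorized_keys")"
echo "root file now holds $(count_keys "$demo/root_authorized_keys") keys"
rm -rf "$demo"
# On the Pi, as root, the real call would be:
#   merge_authorized_keys ~furinkan/.ssh/authorized_keys ~/.ssh/authorized_keys
```

Matching on the `type base64` pair rather than the whole line means a key re-added with a different comment is still recognised as a duplicate, which is the case that bites when the same laptop key gets copied from several accounts.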
Disable wifi and bluetooth and other stuff
I'm using vector as a network appliance, so I don't need the radios: https://sleeplessbeastie.eu/2022/06/01/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-4/
1. Add dtoverlays to your /boot/config.txt to disable the radios:

       cat <<EOF >> /boot/config.txt
       dtoverlay=disable-wifi
       dtoverlay=disable-bt
       EOF

2. Let's also disable sound

       sed -r -i 's,^dtparam=audio=on$,dtparam=audio=off,' /boot/config.txt

3. Disable bluetooth and modem services

       systemctl disable --now hciuart
       systemctl disable --now bluetooth.target
       systemctl disable --now bluetooth.service
       systemctl disable --now ModemManager.service

4. For some reason this isn't working on the RPi4? Whatever, nuke the software packages as well

       apt purge -y bluez bluez-firmware wpasupplicant
       rm -rfv /etc/wpa_supplicant
       apt autoremove -y

5. No keyboard means no hotkeys needed

       apt purge -y triggerhappy

6. Reboot
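The steps above edit config.txt with a heredoc and a `sed` that only matches an exact `dtparam=audio=on` line, so it is worth checking after the reboot that the settings actually landed. The following is an added example, not part of the original notes: a small checker that parses a config.txt for the three settings and, where systemd is present, confirms the listed units are no longer enabled. The file contents in the demo are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that the radio and
# audio settings from the steps above are really in config.txt, and that
# the units are no longer enabled. The demo uses constructed sample files.

# config_has FILE SETTING -> true if an uncommented line is exactly SETTING
config_has() {
    grep -qsE "^[[:space:]]*$2[[:space:]]*$" "$1"
}

# check_config_txt FILE -> 0 when wifi and bt overlays are present and
# audio is off; otherwise report each problem on stderr and return 1
check_config_txt() {
    cfg=$1
    problems=0
    for want in 'dtoverlay=disable-wifi' 'dtoverlay=disable-bt' 'dtparam=audio=off'; do
        if ! config_has "$cfg" "$want"; then
            echo "missing: $want" >&2
            problems=$((problems + 1))
        fi
    done
    # the sed in the notes only rewrites an exact "dtparam=audio=on" line;
    # if that line survived (e.g. trailing whitespace), audio is still on
    if config_has "$cfg" 'dtparam=audio=on'; then
        echo "still present: dtparam=audio=on" >&2
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# check_units_off UNIT... -> 0 when none of the units is enabled. A unit
# that no longer exists counts as off, which is what a purge leaves behind.
check_units_off() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "no systemctl here, skipping unit check" >&2
        return 0
    fi
    bad=0
    for u in "$@"; do
        if systemctl is-enabled --quiet "$u" 2>/dev/null; then
            echo "still enabled: $u" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Demo on constructed files (not a real config.txt)
good=$(mktemp)
bad=$(mktemp)
printf '%s\n' '# constructed sample' 'dtparam=audio=off' \
    'dtoverlay=disable-wifi' 'dtoverlay=disable-bt' > "$good"
printf '%s\n' 'dtparam=audio=on' 'dtoverlay=disable-wifi' > "$bad"
check_config_txt "$good" && echo "sample 1: radios and audio disabled"
check_config_txt "$bad" 2>/dev/null || echo "sample 2: hardening incomplete"
rm -f "$good" "$bad"
# On the Pi itself:
#   check_config_txt /boot/config.txt && check_units_off hciuart bluetooth.service ModemManager.service
```

Point the config check at whichever file the firmware actually reads; on Bookworm that is /boot/firmware/config.txt, with /boot/config.txt kept only for compatibility, so checking the wrong one reports success for a change the firmware never saw.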
Tools config
1. Configure screen

       curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc

2. Configure top interactively with the keystrokes: z x c s 1.5 <Enter> e 0 1 W q (W writes the config, q quits)
Save a copy
Now take an image of the system by putting the card in another system, after shrinking the filesystem
    e2fsck -f /dev/mmcblk0p2
    resize2fs /dev/mmcblk0p2 2G
    dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_vector_img_pre_unifi.img.gz
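The `count=600` above is a fixed number, and it only captures the filesystem if 2400 MiB covers the start of partition 2 plus the 2 GiB the filesystem was shrunk to; `resize2fs` shrinks the filesystem but leaves the partition table alone, and where the root partition starts differs between OS releases. The following is an added example, not part of the original notes, that derives the count from the partition start instead of guessing it. The start sectors in the demo are constructed; `part_start_sector` assumes a Linux host with sysfs and is not exercised offline.

```shell
#!/bin/sh
# Added example, not from the original notes: compute the dd block count
# needed after `resize2fs /dev/mmcblk0p2 2G`. Only the filesystem shrinks,
# so the image must cover (start of partition 2) + (shrunken fs size),
# measured from sector 0 of the device dd reads.

# dd_count START_SECTOR FS_BYTES BLOCK_BYTES -> blocks needed, rounded up.
# START_SECTOR is in 512-byte sectors, as fdisk and sysfs report it.
dd_count() {
    total=$(( $1 * 512 + $2 ))
    echo $(( (total + $3 - 1) / $3 ))
}

# count_ok HARDCODED START_SECTOR FS_BYTES BLOCK_BYTES -> true if a fixed
# count (like the notes' count=600) would actually capture the filesystem
count_ok() {
    [ "$1" -ge "$(dd_count "$2" "$3" "$4")" ]
}

# part_start_sector NAME -> start sector of e.g. mmcblk0p2 from sysfs.
# Assumes Linux; not used by the offline demo below.
part_start_sector() {
    cat "/sys/class/block/$1/start"
}

FS_2G=$(( 2 * 1024 * 1024 * 1024 ))   # resize2fs "2G" means 2 GiB
BS_4M=$(( 4 * 1024 * 1024 ))          # matches dd bs=4M

# Worked instances with constructed start sectors (find yours with
# `cat /sys/class/block/mmcblk0p2/start` or `fdisk -l /dev/mmcblk0`)
for start in 532480 1056768; do
    n=$(dd_count "$start" "$FS_2G" "$BS_4M")
    if count_ok 600 "$start" "$FS_2G" "$BS_4M"; then
        verdict="count=600 is enough"
    else
        verdict="count=600 would truncate the filesystem"
    fi
    echo "root starts at sector $start: need count=$n; $verdict"
done
# Real run on the host holding the card (bs must match BS_4M):
#   dd bs=4M count="$(dd_count "$(part_start_sector mmcblk0p2)" "$FS_2G" "$BS_4M")" \
#       if=/dev/mmcblk0 | pv -br | gzip --fast > vector.img.gz
```

Add a block or two of headroom if you like, but the important part is that the count is tied to the card's actual layout rather than carried over from an older image.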