Steve Borba

My notes; I hope they help you. Feel free to comment on or add to them.

Basic Linux Setup


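# Base packages: ifupdown firewall hooks (netscript-ipfilter), an editor and
# the VMware guest tools.  This line runs as root; the user-creation lines
# below use sudo, so they work from either context.
apt install -y netscript-ipfilter vim open-vm-tools

# Admin user in the sudo group with a bash login shell.
sudo useradd steve -c "Borba, Steven J Jr" -m -G sudo -s /bin/bash
# mkdir takes the mode as a separate argument: "-m=0700" is rejected by GNU
# mkdir as an invalid mode ("=0700" is parsed as a symbolic mode).  Creating
# the directory as the user gives it the right owner from the start.
sudo -u steve mkdir -p -m 0700 ~steve/.ssh
# Install the public key.  tee runs as steve, so the file is steve-owned;
# tee without -a overwrites any authorized_keys that already exists.
echo "ssh-rsa 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 steve@sborba" | sudo -u steve tee ~steve/.ssh/authorized_keys
# sshd (StrictModes) ignores the file if it or ~/.ssh is writable by others.
sudo chmod 600 ~steve/.ssh/authorized_keys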

# Kernel network hardening: no TCP timestamps, and IPv6 off on existing
# interfaces ("all"), on interfaces created later ("default") and on lo.
# The settings are appended to /etc/sysctl.conf, so running this twice leaves
# duplicate lines; sysctl -p then loads the file.
cat <<'EOF' >> /etc/sysctl.conf
net.ipv4.tcp_timestamps = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
sysctl -p

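# Host firewall (IPv4 only).  The INPUT policy is ACCEPT, so all of the
# protection comes from the last rule: anything not matched above it and not
# arriving on loopback is dropped.  Allowed in: established/related traffic,
# SSH (tcp/22) and ICMP echo requests.  FORWARD is dropped outright.
cat <<'EOF' > /etc/iptables.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT ! -i lo -j DROP
COMMIT
EOF
# Parse the file without committing it first; a typo would otherwise fail the
# restore and leave whatever ruleset was loaded before (possibly none).
iptables-restore --test < /etc/iptables.rules || { echo "iptables.rules failed to parse" >&2; exit 1; }
iptables-restore < /etc/iptables.rules
# NOTE(review): there is no ip6tables counterpart.  IPv6 is switched off via
# sysctl elsewhere in these notes, but if it is ever re-enabled this host has
# no v6 filtering at all.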

# ifupdown hook: reload the saved ruleset before an interface comes up, so the
# firewall is in place before any traffic can reach the host.
# NOTE(review): only ifupdown runs /etc/network/if-pre-up.d; on a host managed
# by netplan/systemd-networkd this hook would not fire — confirm.
printf '%s\n' '#!/bin/sh' 'iptables-restore < /etc/iptables.rules' > /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables

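# Skip reverse DNS on incoming connections (faster logins, no dependence on
# the resolver).  Appending puts the directive at the end of the file; if the
# file ends in an active "Match" block the line would belong to that block,
# which is why the effective value is checked with sshd -T below.
echo "UseDNS no" >> /etc/ssh/sshd_config

# Pre-login warning banner: shown on the console from /etc/issue and sent by
# sshd from /etc/issue.net, which is symlinked to the same text.
cat <<'EOF' > /etc/issue
This system is considered private and proprietary and is subject to audit.
The unauthorized access, use or modification of this or any other computer
systems or networks or of the data contained therein or in transit
thereto/therefrom is a criminal violation of federal and state laws and will
be prosecuted to the fullest extent of the law.
EOF
# -f replaces the distribution's regular /etc/issue.net file.
ln -sf /etc/issue /etc/issue.net
# Uncomment the shipped Banner line.  This assumes the commented default is
# "#Banner /etc/issue.net"; on releases that ship "#Banner none" the result
# is "Banner none" and no banner is sent — check the sshd -T output.
sed -i 's_#Banner_Banner_' /etc/ssh/sshd_config
# Validate the config and print the two effective values before the daemon
# is ever restarted with it.
sshd -t
sshd -T | grep -iE '^(usedns|banner) '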

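# Periodic APT settings.  apt.conf values must be double-quoted; the original
# echo "... "1"; ..." form lost the inner quotes because they terminated the
# shell string, so the file ended up with unquoted values.  A quoted heredoc
# writes the lines literally.
cat <<'EOF' >> /etc/apt/apt.conf.d/20auto-upgrades

APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
EOF

# Uncomment the "${distro_id}:${distro_codename}-updates" origin so
# unattended-upgrades installs regular updates, not only security ones.
sed -i -E 's_//(.*)-updates";_\1-updates";_' /etc/apt/apt.conf.d/50unattended-upgrades

# Confirm the configuration still parses and the periodic values took.
apt-config dump | grep -F 'APT::Periodic'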

# Units this VM does not need: the at daemon and the lvmetad cache daemon
# (also masked so nothing can pull it back in as a dependency).
for unit in atd lvm2-lvmetad; do
  systemctl disable "$unit"
done
systemctl mask lvm2-lvmetad

# Take time from the hypervisor via VMware tools.
vmware-toolbox-cmd timesync enable

# Full upgrade, prune what is no longer needed, then reboot — the reboot only
# happens if every preceding step succeeded.
if apt-get update && apt-get dist-upgrade -y && apt-get -y autoremove; then
  reboot
fi

To authenticate against radius (ACS server)


# RADIUS via pam_radius_auth (e.g. against a Cisco ACS server).
apt install libpam-radius-auth
# Server, shared secret and timeout go in this file.  Because it holds the
# secret, keep it root-owned and not group/world readable.
vim /etc/pam_radius_auth.conf
  (update settings)
# The same line goes into the sshd and sudo PAM stacks.  Where it is placed
# matters: before "@include common-auth", a RADIUS success (sufficient) ends
# authentication without a local password; after it, with a typical Debian
# common-auth, it is only reached once the local checks have already passed.
vim /etc/pam.d/sshd /etc/pam.d/sudo
add: auth sufficient pam_radius_auth.so

To Authenticate against TACACS:


# TACACS+ via pam_tacplus.
apt install libpam-tacplus
# Same placement caveat as for RADIUS: "sufficient" before "@include
# common-auth" lets a TACACS+ success skip the local password.
vim /etc/pam.d/sshd /etc/pam.d/sudo
Add:
# NOTE(review): the shared secret sits on this line, and /etc/pam.d files are
# normally world-readable (0644) — anyone with a shell on the box can read it.
  auth sufficient pam_tacplus.so server=IP/HOST secret=SECRET

To Authenticate against Kerberos (AD)


# Kerberos via pam_krb5.  NOTE(review): the Debian package normally registers
# itself with pam-auth-update, which would explain why no manual pam.d edit
# was needed on 16.04 — confirm on the target release.
apt install libpam-krb5
# Realm/KDC configuration; see the example file below.
vi /etc/krb5.conf

Example configuration file (you may need to edit pam, but I didn’t on 16.04):


# Example /etc/krb5.conf for an AD realm.  Realm and hostnames are
# placeholders; replace EXAMPLE.COM / example.com throughout.
[libdefaults]
	default_realm = EXAMPLE.COM
	ticket_lifetime = 24h
# Both DNS lookups are off, so the KDC list under [realms] is maintained by
# hand; a KDC rename breaks login until this file is updated.
	dns_lookup_realm = false
	dns_lookup_kdc = false

# The following krb5.conf variables are only for MIT Kerberos.
# NOTE(review): krb4_* are Kerberos 4 compatibility settings; current MIT
# releases no longer use them — confirm against the installed version.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
# kdc_timesync compensates for clock offset against the KDC; the host clock
# still needs to be reasonably accurate (see the timesync step in the setup).
	kdc_timesync = 1
	ccache_type = 4
# Forwardable/proxiable tickets can be delegated onward by services you log
# into; keep these only if that delegation is wanted.
	forwardable = true
	proxiable = true

[realms]
  EXAMPLE.COM = {
# NOTE(review): kdc and admin_server name different hosts (dc vs dc1) —
# check both are intentional and not a copy/paste slip.
	kdc = dc.example.com:88
	admin_server = dc1.example.com:749
	default_domain = example.com
}

[domain_realm]
	.example.com = EXAMPLE.COM
	example.com = EXAMPLE.COM

[login]
	krb4_convert = true
	krb4_get_tickets = false

[logging]
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmind.log

[appdefaults]
# Stanza read by pam_krb5.  A bare number is seconds, so 36000 is 10h —
# shorter than the 24h default above; presumably the pam value is what PAM
# logins get — verify with klist after a login.
  pam = {
	debug = false
	ticket_lifetime = 36000
	renew_lifetime = 36000
	forwardable = true
	krb4_convert = false
}

Another thing I like to do is add OTP for sudo (also, instead of generating multiple tokens, you can copy that file to other instances).


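# Second factor for sudo: one TOTP secret, stored outside any user's home and
# owned by root, used for every sudo invocation (user=root makes the module
# read it as root rather than as the invoking user).
apt install libpam-google-authenticator
# -t time-based, -D disallow reuse of a code, -f no prompts, -w 3 window of
# accepted codes, -r 10 / -R 15 rate limit, -s path of the secret file.
google-authenticator -t -D -f -w 3 -r 10 -R 15 -s /root/.google_authenticator_sudo

# Bare module name: PAM resolves it from its default module directory, so the
# line works on any architecture (the original hard-coded the x86_64 multiarch
# path /lib/x86_64-linux-gnu/security/).
cat <<'EOF' >> /etc/pam.d/sudo

auth required pam_google_authenticator.so secret=/root/.google_authenticator_sudo user=root
EOF
# NOTE(review): copying the secret file to other hosts (as these notes
# suggest) means one disclosed copy unlocks sudo everywhere it was copied.
# Also, a sudoers entry with NOPASSWD skips authentication entirely, so this
# second factor never prompts for such a user.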
# Interactive variant of the admin-user setup: create the user, then switch to
# it to install the key by hand.  This is a console transcript, not a script:
# "sudo su steve" opens a shell and the following lines are typed inside it
# until "exit".
sudo useradd steve -c "Borba, Steven J Jr" -m -G sudo -s /bin/bash
sudo su steve
cd ~
mkdir .ssh
# ~/.ssh must not be writable by others or sshd (StrictModes) ignores the keys.
chmod 700 .ssh
# Paste the public key(s), one per line.
vi .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
exit

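# Passwordless sudo for the admin user.  NOPASSWD means sudo skips its
# authentication stack entirely, so a PAM second factor on sudo does not
# apply to this user.  NOTE(review): this appends to a cloud-init-managed
# file, which cloud-init may regenerate — confirm, or use a dedicated file
# under /etc/sudoers.d.
echo 'steve ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers.d/90-cloud-init-users
# sudoers.d fragments are expected at 0440.  Validate the fragment now: a
# syntax error in any included file can make every later sudo refuse to run.
sudo chmod 0440 /etc/sudoers.d/90-cloud-init-users
sudo visudo -cf /etc/sudoers.d/90-cloud-init-users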

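# Bring the system current.  apt-get rather than apt: apt itself warns that
# its command-line interface is not stable for use in scripts.
sudo apt-get -y update
sudo apt-get -y dist-upgrade

# Trim the login MOTD: the help text, motd-news (which fetches its content
# from the network at login) and the release-upgrade nag.  -f so a script
# that is absent on this release does not abort the run.
sudo rm -f -- /etc/update-motd.d/10-help-text /etc/update-motd.d/50-motd-news /etc/update-motd.d/91-release-upgrade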

# Disable IPv6 on the kernel command line (complements the sysctl route).
# Edit /etc/default/grub so the two GRUB_CMDLINE_* lines read as shown, then
# rebuild the grub config; takes effect at the next reboot.
# NOTE(review): ipv6.disable=1 removes the IPv6 stack entirely; software that
# binds to "::" may fail to start — confirm for the services on this host.
sudo vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
sudo update-grub

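# Units this VM does not need.  An array instead of a space-separated string,
# so the loop does not rely on word splitting; "disable --now" stops and
# disables in one call.  A unit that does not exist on this release just logs
# an error and the loop moves on.
# NOTE(review): motd-news is driven by motd-news.timer; disabling only the
# .service may not stop it — check "systemctl list-timers" (the 50-motd-news
# script removal elsewhere in these notes covers the output in any case).
unneeded_units=(
  multipathd.service
  atd.service
  fwupd.service
  fwupd-refresh.service
  upower.service
  udisks2.service
  motd-news.service
)
for unit in "${unneeded_units[@]}"; do
  sudo systemctl disable --now "$unit"
done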

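# Unattended-upgrades policy.  The manual edit is optional; the sed below does
# the edits non-interactively in a single pass instead of rewriting the file
# once per option.  Each pattern matches the exact commented default text in
# the Ubuntu-shipped file, so if a release changes that text the substitution
# silently does nothing — hence the apt-config check at the end.
sudo vi /etc/apt/apt.conf.d/50unattended-upgrades

sudo sed -i -E \
  -e 's_//(.*)-updates";_\1-updates";_' \
  -e 's_//Unattended-Upgrade::AutoFixInterruptedDpkg "true";_Unattended-Upgrade::AutoFixInterruptedDpkg "true";_' \
  -e 's_//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";_Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";_' \
  -e 's_//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";_Unattended-Upgrade::Remove-New-Unused-Dependencies "true";_' \
  -e 's_//Unattended-Upgrade::Remove-Unused-Dependencies "false";_Unattended-Upgrade::Remove-Unused-Dependencies "true";_' \
  -e 's_//Unattended-Upgrade::Automatic-Reboot "false";_Unattended-Upgrade::Automatic-Reboot "true";_' \
  -e 's_//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";_Unattended-Upgrade::Automatic-Reboot-WithUsers "true";_' \
  -e 's_//Unattended-Upgrade::Automatic-Reboot-Time "02:00";_Unattended-Upgrade::Automatic-Reboot-Time "02:00";_' \
  /etc/apt/apt.conf.d/50unattended-upgrades

# Automatic-Reboot "true" with Automatic-Reboot-WithUsers "true": the host
# reboots at 02:00 after an update that requires it, even with sessions open.
# Print the effective values so a silently-missed pattern is noticed.
apt-config dump | grep -E 'Unattended-Upgrade::(Automatic-Reboot|Remove-|AutoFix)'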
