    This is probably not relevant anymore. When the next host is created,
    
    review these docs and add what's missing to [new-machine](new-machine).
    
    
    
    * set a hostname - pick an unused one from https://svn.torproject.org/svn/projects/misc-sysadmin/onion-names.txt
    * sane base setup
        # Base packages without Recommends, and an empty locale default.
        printf '%s\n' 'Apt::Install-Recommends 0;' > /etc/apt/apt.conf.d/local-recommends &&
        apt-get install locales-all rsync sudo zsh subversion git-core mtr-tiny ntp &&
        : > /etc/default/locale
    
    * fix TZ
        # Keep the system clock in UTC and regenerate /etc/localtime without prompting.
        printf '%s\n' 'Etc/UTC' > /etc/timezone &&
        dpkg-reconfigure -fnoninteractive -pcritical tzdata
    
    * ssh setup
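        # Drop the SSH-1 and DSA host keys and comment out their HostKey lines,
        # turn X11 forwarding off, and have sshd read authorized keys from
        # /etc/ssh/userkeys/%u (root's entry is a symlink to /root/.ssh/authorized_keys).
        # Caveats: `$ a` appends at the very end of sshd_config, which is wrong if
        # the file ends in a Match block (TODO confirm on the host); and
        # AuthorizedKeysFile2 is not a stock sshd directive -- presumably the
        # installed sshd carries a patch that adds it. `sshd -t` is run before the
        # restart so an edit that sshd rejects cannot lock us out of the host.
        cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
        mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
        sed -i -e 's/^HostKey.*_dsa_key/# &/;
                   s/^X11Forwarding yes/X11Forwarding no/;
                   $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
                   $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
        /usr/sbin/sshd -t &&
        (cd / && env -i /etc/init.d/ssh restart)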
    * re-key ssh
        # Regenerate the RSA host key: delete it and let the package's configure
        # step recreate it. Record the new fingerprint out of band before anyone
        # trusts it from a first connection.
        cd /etc/ssh/ \
          && rm -f -- ssh_host_rsa_key ssh_host_rsa_key.pub \
          && dpkg-reconfigure openssh-server
    
    * torproject sources list entry:
    
    # Trust the db.torproject.org archive key, then add its apt source.
    # NOTE(review): apt-key puts the key in apt's global trusted keyring, so it
    # can vouch for any configured repository, not only this one; current apt
    # prefers a per-source keyring selected with the signed-by= option. The
    # source line is plain http and pinned to the "lenny" suite, which dates
    # this step (apt still verifies the Release signature, so transport is not
    # the integrity boundary here).
    sudo apt-key add - << EOF &&
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.4.9 (GNU/Linux)
    
    mQENBEvgZPYBCADQeFoNmFWv156s+JPiUv6vFZb1sm3sx5g61Wel38MYgEuYEdan
    mFnULzdRc5ScCqXD9iC7vJtAFWv9xobQkpffy8uQNAL6Dom/4A4z8Ywhdt8qwZWt
    qeJQ5HSv/ollXW1jd5B+VCFaLh70PMbooitq8F5uBbVhFzvd4XxbBIWw2PzFzBbI
    0daBpEdwjrtNH/E+M+ZQLMtaYyTZ1vMx+KmP2hrWtKyK4ZLmr+/2rxmoJrFGQwmp
    uBohXRHMrekrdbHPfJHPXqj4SgpP9DRj2MPemQLRByHX6Hll6xy0GKkBhg1Em5Qr
    GCCFXIiSS/kP16f7hpyBxke859m/RXLzCHHDABEBAAG0I2RiLnRvcnByb2plY3Qu
    b3JnIGFyY2hpdmUga2V5IDIwMTAtiQE8BBMBAgAmBQJL4GT2AhsDBQkFo5qABgsJ
    CAcDAgQVAggDBBYCAwECHgECF4AACgkQwsdoQg4eEkBqFAf8DtnZo0flz0IkmKDU
    D1FBAl6SHE5HN7f57mW/0CLMSvWohSKIouSBJH4dUTM8484Z15ikSRW9urzv9dsW
    w24+9EEaxBBVJqoJIMZmvqaM452kZ/zwQR4NBIGxhSJ8UblpQ0gttMB90oVoAx9a
    2erJUD8sRwCxcwPTE3fQMJZEu6oB5jIPnQQAPOznMO19CJmnZIlzWPALFC3NPRSX
    QFEZPO9CGHzpB4UDzpoBctTpTfHot33ep1c5qaLfRkmTIdImqNe2gRykglHXHCa5
    BLU4M6In3gMIoeUFeRzbE7eTm1j7NDUG3EbQf5aguRSWMWbIGWAnZdTH5ZhzSb72
    fVoq6g==
    =dBbT
    -----END PGP PUBLIC KEY BLOCK-----
    EOF
    # Only runs when the key import above succeeded (the trailing &&), and only
    # writes the source file if it does not exist yet, so re-running is safe.
    if ! [ -e /etc/apt/sources.list.d/db.torproject.org.list ] ; then
            echo 'deb     http://db.torproject.org/torproject-admin          lenny            main' | sudo tee /etc/apt/sources.list.d/db.torproject.org.list
    fi
    
    * install userdir-ldap
        apt-get update &&  apt-get install userdir-ldap
    
    * fix nsswitch for userdir-ldap (you might have to restart sshd here)
    
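        # Put the userdir-ldap "db" backend into nsswitch.conf for passwd, group
        # and shadow. The original pattern "[:space:](:space:)\+" is not a
        # whitespace class: it matches one of the literal characters ":space"
        # followed by the text "(:space:)", so none of the substitutions could
        # match a stock file. "[[:space:]]\+" is the intended one-or-more-whitespace
        # match. sshd is restarted afterwards so it picks up the new NSS sources.
        sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd:         compat db/;
                  s/^group:[[:space:]]\+compat$/group:          db compat/;
                  s/^shadow:[[:space:]]\+compat$/shadow:         compat db/' \
            /etc/nsswitch.conf
        (cd / && env -i /etc/init.d/ssh restart)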
    
    * add pam_mkhomedir to common-session:
        # Create home directories on first login, unless the module is already listed.
        if ! grep pam_mkhomedir /etc/pam.d/common-session; then
          printf '%s\n' "session optional        pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session
        fi
    
    * setup sudo
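        # Grant the adm group full sudo rights plus passwordless apt-get
        # update/dist-upgrade/clean. Appending with echo bypasses visudo's locking
        # and syntax check, and a malformed /etc/sudoers disables sudo for everyone,
        # so the file is validated afterwards.
        # NOTE(review): apt-get honours -o configuration overrides on its command
        # line, so the NOPASSWD rule is in practice about as broad as the full rule
        # above it; treat adm membership as root-equivalent.
        grep '^%adm' /etc/sudoers || echo '%adm    ALL=(ALL) ALL' >> /etc/sudoers
        grep '^%adm.*apt-get' /etc/sudoers || echo '%adm    ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean' >> /etc/sudoers
        visudo -c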
    
    * add host to ud-ldap
      : on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate
    
    * fix resolver
      sed -i -e 's/search localdomain/search torproject.org/' /etc/resolv.conf
    
    * do one ud-replicate:
      # Pin alberti's host key before the first ud-replicate connects, so the
      # connection is made to an already-known key rather than one accepted on
      # first sight. Note the single `>`: any existing /etc/ssh/ssh_known_hosts
      # content is replaced, not appended to.
      echo alberti.torproject.org,alberti,db.torproject.org,db,38.229.70.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqFvZsXVYuzrgDO7IbBjeBO5WKk+sXmb0rRzPcSwIRTaMS4h3QdLDG1VjeNA5CUeAjTOYC0hAWZiXzfsl4u0KwNJUWRGZCclbIt6V7Tk74mM0405A+y0JP3NwUnTevcRcVxiDo8mrI85y5MXvipaWnPdGYayL09h9EeNDzBVKNZooCeKQBqkejhH69gyy4gdN9HgfMep3uOInyjr86W49pZ4n7CXoVt8QkTWtoBX/qPHK8igqX/dcYkOgCclVYRrQ1G4FbxEOGD+QzwPnCGDWCUgapFXoqh7HpG0Xfg5iDXGFcIu1JgDdr/SFJkr6hmYjW0gmkge0ihGj7GZ6onWhzQ== root@alberti > /etc/ssh/ssh_known_hosts &&
      ud-replicate
    
    * apply phobos' sudo defaults
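      # Harden the sudo Defaults: mail on bad passwords / unknown hosts /
      # permission problems, per-tty tickets, no lecture. The `a` command fires
      # after *every* line matching ^Defaults, so a sudoers file with several
      # Defaults lines gets this block inserted more than once (valid, but
      # untidy -- TODO confirm against the stock file). visudo -c afterwards
      # because a syntax error in /etc/sudoers disables sudo entirely.
      sed -i -e '
              /^Defaults/ a Defaults mail_badpass\
    Defaults mail_no_host\
    Defaults mail_no_perms\
    Defaults tty_tickets\
    Defaults insults\
    Defaults !lecture
          ' /etc/sudoers
      visudo -c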
    * try to become root using sudo.
    
    * disable password auth with ssh (again: once you verified you can log in and become root using keys.)
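        #vi /etc/ssh/sshd_config
        #  | PasswordAuthentication no
        # Turn password logins off once key-based login and sudo are known to
        # work. `$ a` appends at the end of sshd_config, which is wrong if the
        # file ends in a Match block (TODO confirm on the host). `sshd -t`
        # validates the edit before the restart so a typo cannot lock us out.
        # NOTE(review): PasswordAuthentication alone does not stop password
        # prompts via keyboard-interactive/PAM; check that
        # ChallengeResponseAuthentication is also "no" in this sshd_config.
        if grep -q '^PasswordAuthentication' /etc/ssh/sshd_config; then
          sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
        else
          sed -i -e '$ a PasswordAuthentication no' /etc/ssh/sshd_config
        fi &&
        /usr/sbin/sshd -t &&
        (cd / && env -i /etc/init.d/ssh restart)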
    
    * get rid of unneeded network services:
    
      # Portmapper/NFS client and the exim MTA are not needed on this host: purge
      # them (postfix is installed in the next step) and remove the leftover exim
      # system user together with its home directory.
      dpkg -P portmap nfs-common

      dpkg -P exim4 exim4-base exim4-config exim4-daemon-light at bsd-mailx
      userdel --remove Debian-exim
    
    * install postfix
      # Postfix with the cdb map type (used for the mail-forward map below).
      apt-get install postfix postfix-cdb bsd-mailx

      # The packaged mailname is not used: main.cf derives myorigin from $myhostname.
      # (rm without -f, so this just reports an error if the file is absent.)
      rm /etc/mailname

      # Minimal main.cf: accept mail only for this host and localhost, deliver
      # outbound mail directly (empty relayhost), trust only loopback as
      # mynetworks, but listen on all interfaces. No smtpd_*_restrictions are
      # set here, so relay control presumably rests on Postfix's defaults --
      # verify on the running host. TLS uses Debian's self-signed "snakeoil"
      # pair: fine for opportunistic encryption, but peers cannot verify it, so
      # swap in a real certificate if this host must be authenticated by mail
      # clients or servers. The cdb alias map under /var/lib/misc/thishost is
      # presumably maintained by ud-replicate -- confirm.
      cat > /etc/postfix/main.cf << 'EOF'
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    mydomain = torproject.org
    myorigin = $myhostname
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls=yes
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    alias_maps =
            hash:/etc/aliases
            cdb:/var/lib/misc/thishost/mail-forward
    alias_database = hash:/etc/aliases
    mydestination = $myhostname
                    localhost.$mydomain
                    localhost
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    EOF

       # Restart with a clean environment so nothing from the admin's shell leaks in.
       env -i /etc/init.d/postfix restart

       # Route root's mail to the admin team and rebuild the alias database.
       sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
    
    
    * install root admin key
      # Append the shared admin key to root's authorized_keys, which sshd reads
      # through the /etc/ssh/userkeys/root symlink created in the ssh setup step.
      # The trailing wc -l prints the number of keys, so an unexpected extra
      # entry is visible straight away.
      echo 'ssh-rsa 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 Peter Palfrader - torproject adm key (2010-01-09)' >> /root/.ssh/authorized_keys &&
      wc -l /root/.ssh/authorized_keys
    
    * clean away broken firewall
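      # Remove the old hand-rolled iptables hook and rules files, then open the
      # filter table (default ACCEPT on every chain, rules flushed). The host has
      # no packet filter from here until ferm is configured in the later step, so
      # do not leave a long gap. `iptables -F` only touches the filter table: nat
      # and mangle rules, and any ip6tables rules, are left as they were.
      rm -f -- /etc/network/if-pre-up.d/iptables /etc/iptables.rules /etc/iptables.up.rules
      for chain in INPUT FORWARD OUTPUT; do iptables -P "$chain" ACCEPT; done
      iptables -F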
    
    * set new root password
    
    * sane editor
      sudo apt-get install vim && sudo  update-alternatives --set editor /usr/bin/vim.basic
    
    
    * add more software
    apt-get install ferm git-core logwatch rkhunter munin-node sudo fail2ban htop etckeeper wget
    
    * configure the firewall
    * take the ferm defaults, but a ferm configuration for this host still needs to be written here.
    
    * rkhunter
    rkhunter --update --propupd
    
    * fail2ban:
    /etc/init.d/fail2ban start
    
    * copy munin-node.conf from schmitzi to /etc/munin/
    * on new host:
    sudo /etc/init.d/munin-node restart
    * on schmitzi, add the host to /etc/munin/munin.conf