User:WavyEbuilder/Handbook

From Gentoo Wiki
Jump to:navigation Jump to:search

Introduction

Hello and welcome! You have stumbled across Rahul Sandhu’s Personal Less Well Written Handbook. These are my personal notes for installing, maintaining a gentoo system, with some other random things thrown in. Now for the unfun bit:

Warning
Disclaimer: When following any tutorials or running/executing any commands or scripts mentioned in this handbook, you (the reader) accept full responsibility for any damage done to your computer. The things mentioned in here have only been tested for my use case and my systems, so I cannot guarantee they will work for yours.

Now that that is over, feel free to look through my handbook!

Installing Gentoo

First up, installing Gentoo. This installation will be for amd64 UEFI systems. I will use systemd as the init system, systemdboot as the bootloader and btrfs with full luks encryption for the root partition

Obtaining the Gentoo Live ISO

Now we need to obtain the iso for the live media we will use to install Gentoo. This can be found on the downloads page here. I use the admin cd myself.

Creating a bootable usb drive

Now we need to create a usb drive to boot off. If you have a unix or unix-like box (Any linux distro, macOS, *BSD) you can use dd:

root #dd if=/home/rahulsandhu/admincd.iso of=/dev/sdb bs=1M status=progress
Warning
Don’t forget to substitute ‘if=‘ with the path to the iso you downloaded and ‘of=‘ with the path to your usb drive!

Now, boot off the drive from your UEFI’s boot loader and plug in an ethernet cable/setup wifi. For instructions on how to setup wifi, have a look at this page. You can test that you have internet access with ping:

root #ping gentoo.org

Setting up SSH access

Now we need to setup ssh access to the live media. After booting it, set the root password:

root #passwd

Then, ssh into the computer from another box (replace 10.0.0.103 with your ip):

root #ssh root@10.0.0.103

Now, you should have access to a gui where you can copy and paste commands to make your life easier.

Partitioning the drives

Next, we need to partition the drives. As stated earlier, our root filesystem will be btrfs. Our layout will look something like this:

Partition Filesystem Size Description
/dev/nvme0n1p1 vfat32 550M EFI system partition
/dev/nvme0n1p2 (swap) RAM size * 2 Swap partition
/dev/nvme0n1p3 btrfs Rest of the disk Root partition
Warning
/dev/nvme0n1 is for my system. Make sure to replace it with your drive or else you will loose all data on that drive!

Securing a Linux home server

Introduction

If you recently set up a linux home server, security should be a top priority. Before setting up any network services, especially ones exposed to the web, your server should have some basic security precautions in place. This is specifically targeted to Gentoo, but a lot of the measures taken here can be extrapolated to other distributions, accounting for some minor configuration changes.

Configuring SSH

Changing the SSH port

As most servers are run headless, securing SSH is one of the first things you’ll want to do. Changing the port is one of the most effective ways to prevent bot attacks, especially if you plan to expose ssh access to your server to the world wide web. To do this, we need to edit the file /etc/ssh/sshd_config. We need to uncomment the line “#Port 22” and replace it with the desired port. In my case, I went with port 2445. So now, that line looks like this: “Port 2445”.

Now, we need to restart the ssh service. On openrc based systems, we can use “rc-service sshd restart”, and on systemd based systems, we can use “systemctl restart sshd”. After that, try ssh’ing back into the system with “ssh -p 2445 username@hostname”, replacing 2445 with your selected port and username and hostname with their respective counterparts. If all goes well, you should be back at your terminal.

Disabling root SSH login

Allowing remote access to the root account can be a huge security concern. To help mitigate this, we can disable ssh login to the root account, and use a tool such as sudo, doas or su to elevate privileges.

To do this, we need to uncomment the line “PermitRootLogin no”. Then, restart the ssh service like before with either “rc-service sshd restart” or “systemctl restart sshd”, and you should be good to go.

Setting up SSH keys

Now, we can set up ssh keys to our server. We can generate secure keys with “ssh-keygen -t ed25519”. After generating them, we can copy them to our server using scp. To do this, we can use “scp -P 2445 ~/.ssh/id_ed25519.pub username@hostname:/home/username/.ssh/authorized_keys”, replacing 2445, username and hostname with their respective counterparts. Now, you should be able to ssh back into your server with your new ssh keys.

Disabling password authentication

Now we have keys setup, we can disable password authentication, requiring our keys to login to the server remotely. To do this, uncomment the line “PasswordAuthentication no” in /etc/ssh/sshd_config, and restart sshd like before with either “rc-service sshd restart” or “systemctl restart sshd”. Now, try ssh’ing into the server from another machine without the keys, and you should not be able to login.

Setting up fail2ban

Finally, we can setup fail2ban.