Hello and welcome! You have stumbled across Rahul Sandhu’s Personal Less Well Written Handbook. These are my personal notes for installing, maintaining a gentoo system, with some other random things thrown in. Now for the unfun bit:
Disclaimer: When following any tutorials or running/executing any commands or scripts mentioned in this handbook, you (the reader) accept full responsibility for any damage done to your computer. The things mentioned in here have only been tested for my use case and my systems, so I cannot guarantee they will work for yours.
Now that that is over, feel free to look through my handbook!
First up, installing Gentoo. This installation will be for amd64 UEFI systems. I will use systemd as the init system, systemdboot as the bootloader and btrfs with full luks encryption for the root partition
Obtaining the Gentoo Live ISO
Now we need to obtain the iso for the live media we will use to install Gentoo. This can be found on the downloads page here. I use the admin cd myself.
Creating a bootable usb drive
Now we need to create a usb drive to boot off. If you have a unix or unix-like box (Any linux distro, macOS, *BSD) you can use dd:
dd if=/home/rahulsandhu/admincd.iso of=/dev/sdb bs=1M status=progress
Don’t forget to substitute ‘if=‘ with the path to the iso you downloaded and ‘of=‘ with the path to your usb drive!
Now, boot off the drive from your UEFI’s boot loader and plug in an ethernet cable/setup wifi. For instructions on how to setup wifi, have a look at this page. You can test that you have internet access with ping:
Setting up SSH access
Now we need to setup ssh access to the live media. After booting it, set the root password:
Then, ssh into the computer from another box (replace 10.0.0.103 with your ip):
Now, you should have access to a gui where you can copy and paste commands to make your life easier.
Partitioning the drives
Next, we need to partition the drives. As stated earlier, our root filesystem will be btrfs. Our layout will look something like this:
|/dev/nvme0n1p1||vfat32||550M||EFI system partition|
|/dev/nvme0n1p2||(swap)||RAM size * 2||Swap partition|
|/dev/nvme0n1p3||btrfs||Rest of the disk||Root partition|
/dev/nvme0n1 is for my system. Make sure to replace it with your drive or else you will loose all data on that drive!
Securing a Linux home server
If you recently set up a linux home server, security should be a top priority. Before setting up any network services, especially ones exposed to the web, your server should have some basic security precautions in place. This is specifically targeted to Gentoo, but a lot of the measures taken here can be extrapolated to other distributions, accounting for some minor configuration changes.
Changing the SSH port
As most servers are run headless, securing SSH is one of the first things you’ll want to do. Changing the port is one of the most effective ways to prevent bot attacks, especially if you plan to expose ssh access to your server to the world wide web. To do this, we need to edit the file /etc/ssh/sshd_config. We need to uncomment the line “#Port 22” and replace it with the desired port. In my case, I went with port 2445. So now, that line looks like this: “Port 2445”.
Now, we need to restart the ssh service. On openrc based systems, we can use “rc-service sshd restart”, and on systemd based systems, we can use “systemctl restart sshd”. After that, try ssh’ing back into the system with “ssh -p 2445 username@hostname”, replacing 2445 with your selected port and username and hostname with their respective counterparts. If all goes well, you should be back at your terminal.
Disabling root SSH login
Allowing remote access to the root account can be a huge security concern. To help mitigate this, we can disable ssh login to the root account, and use a tool such as sudo, doas or su to elevate privileges.
To do this, we need to uncomment the line “PermitRootLogin no”. Then, restart the ssh service like before with either “rc-service sshd restart” or “systemctl restart sshd”, and you should be good to go.
Setting up SSH keys
Now, we can set up ssh keys to our server. We can generate secure keys with “ssh-keygen -t ed25519”. After generating them, we can copy them to our server using scp. To do this, we can use “scp -P 2445 ~/.ssh/id_ed25519.pub username@hostname:/home/username/.ssh/authorized_keys”, replacing 2445, username and hostname with their respective counterparts. Now, you should be able to ssh back into your server with your new ssh keys.
Disabling password authentication
Now we have keys setup, we can disable password authentication, requiring our keys to login to the server remotely. To do this, uncomment the line “PasswordAuthentication no” in /etc/ssh/sshd_config, and restart sshd like before with either “rc-service sshd restart” or “systemctl restart sshd”. Now, try ssh’ing into the server from another machine without the keys, and you should not be able to login.
Setting up fail2ban
Finally, we can setup fail2ban.