Skip to content

Instantly share code, notes, and snippets.

@robcee

robcee/VMSetupExample.md

Last active December 17, 2015 23:19
Show Gist options
  • Save robcee/2437643 to your computer and use it in GitHub Desktop.
Save robcee/2437643 to your computer and use it in GitHub Desktop.
Download ZIP
Setting up SSH, Firewall, etc on a VM
Raw
VMSetupExample.md

VM Setup Instructions

Log in to your machine

ssh 111.111.111.111 -l root

Add wheel group

sudo /usr/sbin/groupadd wheel

Edit sudoers

sudo vim /etc/sudoers

add to /etc/sudoers

Allows people in group wheel to run all commands

%sudo ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD:ALL

Add non root user

/usr/sbin/adduser bob

/usr/sbin/usermod -a -G wheel demo

Make an .ssh dir and add a pub key

mkdir ~/.ssh

Generate a pub key for something like Github

ssh-keygen -t rsa

Upload your local machine key to the server

scp ~/.ssh/id_rsa.pub [email protected]:

Rename your uploaded key and set permissions

mv ~/id_rsa.pub ~/.ssh/authorized_keys

chown -R bob:bob ~/.ssh

chmod 700 ~/.ssh

chmod 600 ~/.ssh/authorized_keys

Change your ssh config

sudo vim /etc/ssh/sshd_config
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Edit iptables

sudo vim /etc/iptables.up.rules

*filter
-A INPUT -i lo -j ACCEPT 
-A INPUT -d 127.0.0.0/255.0.0.0 ! -i lo -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -m tcp --dport 3690 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT 
COMMIT

/sbin/iptables-restore < /etc/iptables.up.rules

Set iptables to start automatically

sudo vim /etc/network/if-pre-up.d/iptables

#!/bin/sh

/sbin/iptables-restore < /etc/iptables.up.rules

sudo chmod +x /etc/network/if-pre-up.d/iptables

Reload ssh

sudo /etc/init.d/ssh reload

Change locale

sudo /usr/sbin/locale-gen en_US.UTF-8

sudo /usr/sbin/update-locale LANG=en_US.UTF-8

Update packages

sudo aptitude update

sudo aptitude safe-upgrade

sudo aptitude install build-essential

Set timezone

dpkg-reconfigure tzdata

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment