This is my documentation on how to install a small linux OS that solves the following needs:
- Must serve as a hardened SSH endpoint for a remote LAN
- Must fit onto the SSD boot drive (4G!) of an Intel NUC DE3815TYKE
- Must automatically mount an attached 2.5" SATA drive
- SATA drive must be used for storage and storage only
- This means no OS files on the SATA drive
Having toiled with many different distros and versions, I encountered some common issues:
- I was able to install the OS on the SATA drive, but the NUC refused to boot
it (weird characters on boot that hung forever)
- Every variation of general hanging with unreadable characters and no error messages to go on
- USB live ISOs that would boot and install fine on the SATA drive and then subsequently refuse to boot (see above)
- Installations that would work (!) but be so short on space they wouldn't allow the above requirements on the 4G parititon
I tried the following distros:
- The crazy and now seemingly unfindable custom ISO of ubuntu that Intel made for this thing (worked when it shipped, now who knows where it is)
- Ubuntu server 14LTS, 16LTS, 18LTS, and 19LTS
- All the above install fine and then refuse to boot
- Arch linux 19.x
- Installed fine and booted about a year ago and then ran out of space
- Installed fine recently but refused to boot (boot loop)
Finally I went down a bit of an internet hole and came upon busybox, which I had worked with before in docker images. I didn't know it could be run on-metal, and it turns out alpine is the thing to do just that. The alpine iso is just shy of 700MB, boots quickly, and is super, super easy to set up. No GUI or ncurses - just straight up terminal with very easy prompts. Don't even need to mess with fdisk - it sizes up swap and /dev and /home and all that for you by default - nice!
Totally installed with samba, ssh (openssh, not dropbear), tmux, sudo, and my keys loaded I'm tipping
the scales at about 725MB with a comfy 1.7GB to spare on my NUC SSD. Much much
nicer than the arch install that left about 250MB left over even with just
openssh installed. Nice! And it looks like it's got a nice selection of mirrors
and a package manager, apk
at your disposal. Not sure why more people don't
like alpine.
Just go here and select 'standard' for x86 (tested on alpine-standard-3.10.2-x86.iso).
Needed a USB stick that is 700MB or bigger. Burned with a machine running sudo gnome-fdisk
. Use the legacy boot mode for the NUC (UEFI may work but I haven't
tried). Was running kernel 4.19.67-0-vanilla i686.
Loosely following these instructions, boot from the USB and run setup-alpine
and follow the prompts. DHCP will work for the installer but not work when you boot into the installed system.
-
When booted into the sytem, modify
/etc/network/interfaces
as below:iface eth0 inet static hostname myhostname address 192.168.1.2 netmask 255.255.255.0 gateway 192.168.1.1
-
Delete any partitions on the existing drive
fdisk /dev/sda
Followed by p: print existing partitions d: delete existing paritions t: set type of new parition (83 for ext4 compatible) w: write the changes to disk
-
Reboot the machine (can't format the disk til you do)
-
Format the partition
mkfs.ext4 /dev/sda1
-
Add mount to /etc/fstab
/dev/sda1 /mnt/storage ext4 rw,relatime 0 3
-
Set permissions of the new mount
chmod 0777 /mnt/storage
-
Install samba
apk add samba
-
Set up
/etc/samba/smb.conf
[global] workgroup = WORKGROUP dos charset = cp850 unix charset = ISO-8859-1 force user = greg [storage] browseable = yes writeable = yes path = /mnt/storage
-
Set up the new user
adduser greg
-
Set up the samba password for that user
smbpasswd -a greg
-
Restart the samba service
rc-update add samba rc-service samba start
-
Install sudo with
apk add sudo
-
Add user to sudoers file with
visudo
(run as root) -
Add the following to the bottom:
greg ALL=(ALL) ALL
-
Copy keys onto the server of course, for the
greg
account -
Uncomment the HostKey line
HostKey /etc/ssh/ssh_host_rsa_key
-
Disable root login with ssh
sudo vi /etc/ssh/sshd_config
-
Find ChallengeResponseAuthentication and set to no
ChallengeResponseAuthentication no
-
Find PasswordAuthentication set to no
PasswordAuthentication no
-
Find UsePAM and set to no
UsePAM no
-
Find PermitRootLogin and set to no
PermitRootLogin no
-
Restrict ciphers (add to the end of the file)
KexAlgorithms [email protected] Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr MACs [email protected],[email protected],[email protected]
-
Save and close the file. Reload the ssh server
# /etc/init.d/sshd reload
-
Verify everything's working (will return nothing if everything is ok)
sudo sshd -t
-
Add your pubkey to authorized keys
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
-
Follow these steps
- Change banner
- Change MOTD
- Regenerate moduli (takes about 1.5h for the first command, and 15h for the second one)
-
Finally, when you're done, run the security audit from the above medium link to ensure your ciphers and such are in order