diff --git a/how-to-configure-hardened-debian-server/README.md b/how-to-configure-hardened-debian-server/README.md index 81f68a1..364f0d6 100644 --- a/how-to-configure-hardened-debian-server/README.md +++ b/how-to-configure-hardened-debian-server/README.md @@ -14,7 +14,7 @@ Listed: true ## Requirements -- Virtual private server (VPS) or dedicated server running Debian 10 (buster) or Debian 11 (bullseye) +- Computer, virtual private server (VPS) or dedicated server running Debian 10 (buster) or Debian 11 (bullseye) (lean how to install Debian [here](./misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/README.md)) - Linux or macOS computer ## Caveats diff --git a/how-to-configure-hardened-debian-server/misc/how-to-create-debian-bootable-installer-on-debian-based-operating-system/README.md b/how-to-configure-hardened-debian-server/misc/how-to-create-debian-bootable-installer-on-debian-based-operating-system/README.md new file mode 100644 index 0000000..4396936 --- /dev/null +++ b/how-to-configure-hardened-debian-server/misc/how-to-create-debian-bootable-installer-on-debian-based-operating-system/README.md 
@@ -0,0 +1,156 @@ + + +# How to create Debian bootable installer on Debian-based operating system + +## Requirements + +- Computer running Debian-based operating system +- USB flash drive (data will be permanently destroyed) + +## Caveats + +- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command + +## Guide + +### Step 1: install dependencies + +``` +$ sudo apt update + +$ sudo apt install curl gnupg +``` + +### Step 2: import “Debian CD signing key” PGP public key + +```console +$ gpg --keyserver keyring.debian.org --recv-keys 0xDA87E80D6294BE9B +gpg: key DA87E80D6294BE9B: public key "Debian CD signing key " imported +gpg: Total number processed: 1 +gpg: imported: 1 +``` + +### Step 3: set [Debian](https://www.debian.org/) release semver environment variable + +> Heads-up: replace `11.2.0` with [latest release](https://www.debian.org/download) semver. + +```shell +DEBIAN_RELEASE_SEMVER=11.2.0 +``` + +### Step 4: download latest version of [Debian](https://www.debian.org/), checksum and associated PGP signature + +> Heads-up: replace `amd64` with architecture of computer on which Debian will be installed (run `dpkg --print-architecture` on Linux to get architecture). 
+ +```console +$ cd /tmp + +$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-${DEBIAN_RELEASE_SEMVER}-amd64-netinst.iso + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 359 100 359 0 0 518 0 --:--:-- --:--:-- --:--:-- 517 +100 378M 100 378M 0 0 21.3M 0 0:00:17 0:00:17 --:--:-- 24.3M + +$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 494 100 494 0 0 713 0 --:--:-- --:--:-- --:--:-- 712 + +$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS.sign + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 833 100 833 0 0 1032 0 --:--:-- --:--:-- --:--:-- 1032 +``` + +### Step 5: verify integrity of `SHA512SUMS` + +```console +$ gpg --verify SHA512SUMS.sign +gpg: assuming signed data in 'SHA512SUMS' +gpg: Signature made Sat 18 Dec 2021 03:45:36 PM EST +gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B +gpg: Good signature from "Debian CD signing key " [unknown] +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B + +$ sha512sum --check --ignore-missing SHA512SUMS +debian-11.2.0-amd64-netinst.iso: OK +``` + +Good signature + +👍 + +OK + +👍 + +### Step 5: create bootable installer + +> WARNING: DO NOT RUN THE FOLLOWING COMMANDS AS-IS. + +> Heads-up: run `sudo fdisk --list` to find device name of USB flash drive to overwrite with bootable installer (`sda` in the following example). + +> Heads-up: replace `sdn` with device name of USB flash drive (`sda` in the following example). 
+ +```console +$ sudo fdisk --list +Disk /dev/nvme0n1: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors +Disk model: Samsung SSD 970 EVO Plus 1TB +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 512 bytes +Disklabel type: gpt +Disk identifier: F053B657-4758-4775-98B1-27256D3B46C9 + +Device Start End Sectors Size Type +/dev/nvme0n1p1 2048 1050623 1048576 512M EFI System +/dev/nvme0n1p2 1050624 2050047 999424 488M Linux filesystem +/dev/nvme0n1p3 2050048 1953523711 1951473664 930.5G Linux filesystem + + +Disk /dev/mapper/nvme0n1p3_crypt: 930.52 GiB, 999137738752 bytes, 1951440896 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 512 bytes + + +Disk /dev/mapper/debian--vg-root: 930.52 GiB, 999133544448 bytes, 1951432704 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 512 bytes + + +Disk /dev/sda: 29.88 GiB, 32080200192 bytes, 62656641 sectors +Disk model: Flash Drive +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 512 bytes +Disklabel type: dos +Disk identifier: 0x2a6b8479 + +Device Boot Start End Sectors Size Id Type +/dev/sda1 * 0 774143 774144 378M 0 Empty +/dev/sda2 4060 9243 5184 2.5M ef EFI (FAT-12/16/32) + +$ sudo umount /dev/sdn* +umount: /dev/sda: not mounted. +umount: /dev/sda1: not mounted. +umount: /dev/sda2: not mounted. + +$ sudo dd bs=1M if=debian-${DEBIAN_RELEASE_SEMVER}-amd64-netinst.iso of=/dev/sdn +378+0 records in +378+0 records out +396361728 bytes (396 MB, 378 MiB) copied, 18.4317 s, 21.5 MB/s +``` + +👍 
diff --git a/how-to-configure-hardened-debian-server/misc/how-to-create-debian-bootable-installer-on-macos/README.md b/how-to-configure-hardened-debian-server/misc/how-to-create-debian-bootable-installer-on-macos/README.md new file mode 100644 index 0000000..878178b --- /dev/null +++ b/how-to-configure-hardened-debian-server/misc/how-to-create-debian-bootable-installer-on-macos/README.md 
@@ -0,0 +1,151 @@ + + +# How to create Debian bootable installer on macOS + +## Requirements + +- macOS computer +- USB flash drive (data will be permanently destroyed) + +## Caveats + +- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command + +## Guide + +### Step 1: install [Homebrew](https://brew.sh/) + +```console +$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" + +$ uname -m | grep arm64 && echo 'export PATH=$PATH:/opt/homebrew/bin' >> ~/.zshrc && source ~/.zshrc +``` + +### Step 2: disable Homebrew analytics + +```shell +brew analytics off +``` + +### Step 3: install dependencies + +```shell +brew install gnupg +``` + +### Step 4: import “Debian CD signing key” PGP public key + +```console +$ gpg --keyserver keyring.debian.org --recv-keys 0xDA87E80D6294BE9B +gpg: Total number processed: 1 +gpg: imported: 1 +``` + +### Step 5: set [Debian](https://www.debian.org/) release semver environment variable + +> Heads-up: replace `11.2.0` with [latest release](https://www.debian.org/download) semver. 
+ +```shell +DEBIAN_RELEASE_SEMVER=11.2.0 +``` + +### Step 6: download latest version of [Debian](https://www.debian.org/), checksum and associated PGP signature + +```console +$ cd /tmp + +$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-${DEBIAN_RELEASE_SEMVER}-amd64-netinst.iso + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 359 100 359 0 0 464 0 --:--:-- --:--:-- --:--:-- 464 +100 378M 100 378M 0 0 20.6M 0 0:00:18 0:00:18 --:--:-- 23.6M + +$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 494 100 494 0 0 918 0 --:--:-- --:--:-- --:--:-- 918 + +$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS.sign +``` + +### Step 7: verify integrity of `SHA512SUMS` + +```console +$ gpg --verify SHA512SUMS.sign +gpg: assuming signed data in 'SHA512SUMS' +gpg: Signature made Sat 18 Dec 2021 03:45:36 PM EST +gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B +gpg: Good signature from "Debian CD signing key " [unknown] +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B + +$ shasum --algorithm 512 --check --ignore-missing SHA512SUMS +debian-11.2.0-amd64-netinst.iso: OK +``` + +Good signature + +👍 + +OK + +👍 + +### Step 8: create bootable installer + +> WARNING: DO NOT RUN THE FOLLOWING COMMANDS AS-IS. + +> Heads-up: run `diskutil list` to find disk ID of USB flash drive to overwrite with bootable installer (`disk4` in the following example). 
+ +> Heads-up: replace `diskn` and `rdiskn` with disk ID of microSD card (`disk4` and `rdisk4` in the following example) and `debian-11.2.0-amd64-netinst.iso` with current image. + +> Heads-up: please ignore “The disk you attached was not readable by this computer.” error and click “Eject”. + +```console +$ diskutil list +/dev/disk0 (internal): + #: TYPE NAME SIZE IDENTIFIER + 0: GUID_partition_scheme 500.3 GB disk0 + 1: Apple_APFS_ISC 524.3 MB disk0s1 + 2: Apple_APFS Container disk3 494.4 GB disk0s2 + 3: Apple_APFS_Recovery 5.4 GB disk0s3 + +/dev/disk3 (synthesized): + #: TYPE NAME SIZE IDENTIFIER + 0: APFS Container Scheme - +494.4 GB disk3 + Physical Store disk0s2 + 1: APFS Volume Macintosh HD 15.3 GB disk3s1 + 2: APFS Snapshot com.apple.os.update-... 15.3 GB disk3s1s1 + 3: APFS Volume Preboot 412.3 MB disk3s2 + 4: APFS Volume Recovery 807.3 MB disk3s3 + 5: APFS Volume Data 322.3 GB disk3s5 + 6: APFS Volume VM 2.1 GB disk3s6 + +/dev/disk4 (external, physical): + #: TYPE NAME SIZE IDENTIFIER + 0: Apple_partition_scheme *32.1 GB disk4 + 1: Apple_partition_map 4.1 KB disk4s1 + 2: Apple_HFS 2.7 MB disk4s2 + +$ sudo diskutil unmount /dev/diskn +disk4 was already unmounted or it has a partitioning scheme so use "diskutil unmountDisk" instead + +$ sudo diskutil unmountDisk /dev/diskn (if previous step fails) +Unmount of all volumes on disk4 was successful + +$ sudo dd bs=1m if=debian-${DEBIAN_RELEASE_SEMVER}-amd64-netinst.iso of=/dev/rdisk4 +378+0 records in +378+0 records out +396361728 bytes transferred in 15.700749 secs (25244766 bytes/sec) +``` + +👍 diff --git a/how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/README.md b/how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/README.md new file mode 100644 index 0000000..ba6a1b8 --- /dev/null 
+++ b/how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/README.md 
@@ -0,0 +1,174 @@ + + +# How to install LUKS-encrypted Debian operating system using bootable installer + +## Requirements + +- Debian-compatible computer with [AES instruction set](https://en.wikipedia.org/wiki/AES_instruction_set) +- Debian bootable installer (learn how to create one on Debian-based operating system [here](../how-to-create-debian-bootable-installer-on-debian-based-operating-system/README.md) or on macOS [there](../how-to-create-debian-bootable-installer-on-macos/README.md)) + +## Guide + +### Step 1: insert bootable installer + +### Step 2: disable [Compatibility Support Module (CSM)](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#CSM_booting) (also known as “Legacy Support”) and enable [Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot) + +> Heads-up: step is non-deterministic given manufacturers use different BIOS keys to boot to BIOS and menus to set [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) features. + +> Heads-up: on some computers, a “Fast Boot” feature is enabled making it hard to enter BIOS keys… disconnecting disk temporarily disables “Fast Boot”. + +On HP EliteDesk 800 G2 Mini, press F10 when HP logo appears, go to “Advanced” tab, select “Secure Boot Configuration”, press enter, select “Legacy Support Disable and Secure Boot Enable” under “Configure Legacy Support and Secure Boot”, press F10, when asked to save changes, select “Yes” and, finally, press enter. + +### Step 3: boot to bootable installer + +> Heads-up: step is non-deterministic given manufacturers use different BIOS keys and default boot orders. + +On HP EliteDesk 800 G2 Mini, press F9 when HP logo appears, select bootable installer device and, finally, press enter. + +### Step 4: start installation + +Select “Install” and press enter. + +### Step 5: select language + +Select language and press enter. 
+ +### Step 6: select location + +Select country, territory or area and press enter. + +### Step 7: configure keyboard + +Select keymap and press enter. + +### Step 8: configure network + +#### Set hostname + +Enter hostname and press enter. + +#### Set domain + +Enter domain (typically left blank) and press enter. + +### Step 9: set up users and passwords + +#### Set root password + +> Heads-up: truly random 5-word passphrase or 12-character password (or longer) recommended. + +Enter root password, press enter, re-enter password and, finally, press enter. + +#### Set full name of new user + +Enter full name of new user and press enter. + +#### Set username of new user + +Enter account username (typically left as-is) and press enter. + +#### Set password of new user + +> Heads-up: truly random 5-word passphrase or 12-character password (or longer) recommended. + +Enter user password, press enter, re-enter password and, finally, press enter. + +### Step 10: configure clock + +Select time zone and press enter. + +### Step 11: partition disks + +#### Set partitioning method + +Select “Guided - use entire disk and set up encrypted LVM” and press enter. + +#### Set disk to partition + +> Heads-up: data on selected device will be permanently destroyed. + +Select device and press enter. + +#### Set partitioning scheme + +Select “All files in one partition (recommended for new users)” and press enter. + +When asked to write changes to disk, select “Yes” and, finally, press enter. + +#### Overwrite encrypted partition + +> Heads-up: can be cancelled at the expense of slightly weaker encryption. + +#### Set encryption passphrase + +> Heads-up: truly random 5-word passphrase or 12-character password (or longer) recommended. + +> Heads-up: can be set to user password at the expense of reduction in security. + +Enter encryption passphrase, press enter, re-enter passphrase and, finally, press enter. 
+ +#### Set volume group size + +Enter amount (typically left as-is) and press enter. + +#### Delete “swap” logical volume + +Select “Configure the Logical Volume Manager” and press enter. + +When asked to write changes to disk, select “Yes” and press enter. + +Select “Delete logical volume”, press enter, select “root” and, finally, press enter. + +Select “Delete logical volume”, press enter, select “swap_1” and, finally, press enter. + +Select “Create logical volume”, press enter, select volume group, press enter, enter “root” as “Logical volume name”, press enter, enter “Logical volume size” (typically left as-is) and, finally, press enter. + +Select “Finish” and press enter. + +Select “LVM” logical volume “#1”, press enter, select “Use as”, press enter, select “Ext4 journaling file system”, press enter, select “Mount point”, press enter, select “/ - the root file system”, press enter, select “Done setting up the partition” and, finally, press enter. + +![Partitions](./partitions.png) + +Select “Finish partitioning and write changes to disk” and press enter. + +When “Do you want to return to the partitioning menu?” warning is displayed, select “No” and, finally, press enter. + +When “Write the changes to disks” prompt is displayed, select “Yes” and, finally, press enter. + +### Step 12: configure package manager + +#### Set archive mirror country + +Select Debian archive mirror country and press enter. + +#### Set archive mirror + +Select Debian archive mirror and press enter. + +#### Set proxy + +Enter HTTP proxy (typically left blank) and press enter. + +### Step 13: configure popularity-contest + +Select “No” and press enter. + +### Step 14: select software + +![Software selection](./software-selection.png) + +Using space bar, disable everything except “SSH server”, select “SSH server” and, finally, press enter. + +### Step 15: finish installation + +Remove bootable installer from computer and press enter. + +👍 
diff --git a/how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/partitions.png b/how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/partitions.png new file mode 100644 index 0000000..e55d2b6 Binary files /dev/null and b/how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/partitions.png differ diff --git a/how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/software-selection.png b/how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/software-selection.png new file mode 100644 index 0000000..e51def3 Binary files /dev/null and b/how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/software-selection.png differ
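Review bot: typo in the changed Requirements bullet of the top-level README.md hunk: "lean how to install Debian" should read "learn how to install Debian". While touching that line, "Computer, virtual private server (VPS) or dedicated server" reads better with a comma after "(VPS)" so the three alternatives parse cleanly.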
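Review bot: in the new how-to-create-debian-bootable-installer-on-debian-based-operating-system/README.md, Step 5 concludes "Good signature 👍" even though the output it shows is `gpg: WARNING: This key is not certified with a trusted signature!` followed by `Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B`. Step 2 fetched that key by short ID from a keyserver, which returns whatever key carries the ID, so "Good signature" alone proves only that SHA512SUMS matches some key; tell the reader to compare the printed primary fingerprint against the fingerprint Debian publishes on its CD verification page before moving on, since that comparison is the step that actually establishes trust. Smaller points in the same file: two headings are both numbered "Step 5" (verify integrity, create bootable installer), so the last one should be Step 6; the Step 1 fence is bare ``` while every other block in the file is ```console; and the final `sudo dd bs=1M if=... of=/dev/sdn` returns before cached writes reach the drive, so add `conv=fsync` (and `status=progress`, which GNU dd supports) or follow it with `sync` before telling the reader to unplug the drive.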
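Review bot: in the new how-to-create-debian-bootable-installer-on-macos/README.md, Step 8's heads-up and its command disagree: the heads-up says to replace `diskn` and `rdiskn`, but the write line is `sudo dd bs=1m if=debian-${DEBIAN_RELEASE_SEMVER}-amd64-netinst.iso of=/dev/rdisk4` with the author's real disk ID hard-coded, which under a "DO NOT RUN THE FOLLOWING COMMANDS AS-IS" warning is precisely the line a reader will paste; write it as `of=/dev/rdiskn`. The same heads-up says "microSD card" although the file is about a USB flash drive, and says to replace `debian-11.2.0-amd64-netinst.iso` although the command already uses `${DEBIAN_RELEASE_SEMVER}`. The parenthetical in `sudo diskutil unmountDisk /dev/diskn (if previous step fails)` sits inside the console command and will be copied with it; move it into a heads-up above the block. After dd, add `sync` and `diskutil eject /dev/diskn` so cached writes reach the drive before it is unplugged. Step 7 has the same gap as the Debian-based guide: it treats "Good signature" as a pass without asking the reader to compare the printed primary key fingerprint with the one Debian publishes. Finally, Step 1 runs `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"`, executing a downloaded script unchecked in a guide that otherwise verifies every download; a heads-up to read install.sh first would be consistent, and the `>> ~/.zshrc` append will add a duplicate PATH line each time the step is re-run.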
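Review bot: in the new how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/README.md, the Step 11 subsection headed "Delete “swap” logical volume" actually deletes both `root` and `swap_1` and then recreates `root`, so the heading understates what is done and the guide never states the intent (presumably so `root` can take the space `swap_1` occupied); say so, and note that the installed system then has no swap at all, which rules out hibernation and leaves memory pressure to the OOM killer, so readers on small-RAM machines know what they are trading. The "Overwrite encrypted partition" subsection consists only of a heads-up and no instruction; say explicitly to let the overwrite finish (or what "cancel" looks like), and explain what "slightly weaker encryption" means here: the random overwrite is what stops free space and any previous plaintext from being distinguishable from encrypted data. Minor: Step 2's "Fast Boot" heads-up ends with "…" mid-sentence, and the three "truly random 5-word passphrase or 12-character password" heads-ups could be stated once under Step 9 and referenced.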