Difference between revisions of "Setup - Kali Linux"
Revision as of 02:19, 12 February 2020
Create Install Setup
Create a bootable USB from Kali linux
https://www.kali.org/docs/usb/kali-linux-live-usb-install/
Use the default partitioning (a single root partition plus a swap partition roughly the size of RAM).
GUI install works fine. Default options
Account Setup
Create a local account whose username does not collide with your SOE LDAP username, e.g. jrenau locally vs renau in LDAP. Once ldap is added to nsswitch.conf (see the LDAP section) a local user and a directory user with the same name would be ambiguous, and the local one is the account you need when the directory is unreachable.
Basic Setup
SSH Server (not for laptop, just desktop and servers)
apt-get install openssh-server
systemctl enable ssh.service
systemctl start ssh.service
Get the time in sync with NTP (requires the ntp package):
systemctl enable ntp.service
systemctl start ntp.service
If you have several Ethernet interfaces (private network for servers), give the second one a static address:
# /etc/network/interfaces
iface eth1 inet static
    address 192.168.3.XXX   # mada0 xxx = 100, mada1 xxx = 101
    netmask 255.255.255.0
Restart networking if needed:
systemctl restart networking
Firewall Setup
Set up the firewall:
apt-get install ufw
ufw default deny
ufw reject auth
ufw limit ssh/tcp
ufw logging off
"default deny" drops all unsolicited incoming traffic. "reject auth" answers ident (113/tcp) probes with a reset instead of a silent drop, so remote mail and IRC servers do not hang waiting for a timeout. "limit ssh/tcp" allows SSH but blocks a source address that opens 6 or more connections within 30 seconds; add it before enabling ufw on a machine you reach over SSH, or you lock yourself out. "logging off" means dropped and rate-limited packets leave no trace in the kernel log; use "ufw logging low" instead if you want a record of blocked connections.
The next line is only needed the first time you install the package.
ufw enable
Follow it by enabling ufw with systemctl.
systemctl enable ufw.service
Finally, query the rules being applied via the status command ("ufw status verbose" also shows the defaults and the logging level).
ufw status
Determinism for QEMU/ESESC/LiveHD/....
Work around the mmap problem for qemu, enable perf monitoring for everyone, and turn off address-space randomization (determinism):
echo "vm.mmap_min_addr = 4096" >>/etc/sysctl.d/10-masc.conf
echo "fs.inotify.max_user_watches = 65535" >>/etc/sysctl.d/10-masc.conf
echo "kernel.randomize_va_space = 0" >>/etc/sysctl.d/10-masc.conf
echo "kernel.perf_event_paranoid = -1" >>/etc/sysctl.d/10-masc.conf
Be aware of what this trades away: randomize_va_space = 0 disables ASLR for every process on the machine, perf_event_paranoid = -1 lets any unprivileged user profile the kernel and other users' processes, and mmap_min_addr = 4096 shrinks the unmappable low region from the Debian default of 64 KiB to 4 KiB. That is acceptable on a simulation server behind the firewall above; do not copy it to a laptop. If only the simulator needs a fixed address layout, a per-process alternative is setarch "$(uname -m)" -R <command>, which leaves the system-wide setting alone.
Apply the settings now, or wait for a reboot:
systemctl restart systemd-sysctl.service
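An added check, not part of the original page, for seeing which of these knobs a host is currently running with: it reads the live values under /proc/sys and reports each one that is in its relaxed state. The optional root-directory argument is an assumption added so the function can be pointed at a copied tree for offline testing; the "default" values quoted in the messages are upstream/Debian defaults.

```shell
#!/bin/sh
# Added example: report which of the "determinism" sysctls are relaxed on this host.

# sysctl_value ROOT KEY prints the value of dotted KEY below ROOT/proc/sys.
# ROOT is normally empty (the running kernel); a fake tree is accepted for testing.
sysctl_value() {
    f="$1/proc/sys/$(printf '%s' "$2" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; fi
}

# check_determinism_sysctls [ROOT]
# Prints one line per relaxed setting and returns the number found (0 = all hardened).
check_determinism_sysctls() {
    root="${1:-}"
    relaxed=0
    v=$(sysctl_value "$root" kernel.randomize_va_space)
    if [ "${v:-2}" -ne 2 ]; then          # 2 = full ASLR (stack, mmap and brk)
        echo "kernel.randomize_va_space=$v  ASLR disabled or partial (default 2)"
        relaxed=$((relaxed + 1))
    fi
    v=$(sysctl_value "$root" kernel.perf_event_paranoid)
    if [ "${v:-2}" -lt 2 ]; then          # <2 exposes kernel/other-user samples to unprivileged perf
        echo "kernel.perf_event_paranoid=$v  unprivileged perf access (upstream default 2)"
        relaxed=$((relaxed + 1))
    fi
    v=$(sysctl_value "$root" vm.mmap_min_addr)
    if [ "${v:-65536}" -lt 65536 ]; then  # smaller unmappable low region than Debian's default
        echo "vm.mmap_min_addr=$v  low-address mappings allowed (Debian default 65536)"
        relaxed=$((relaxed + 1))
    fi
    return "$relaxed"
}

# usage on the live host:
#   check_determinism_sysctls || echo "this machine is running relaxed settings"
```

The return value is the count of relaxed settings, so the function can gate a cron job or a login banner on it.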
Packages
Get Atom/Bazel repos
Get the Atom package:
curl -L https://packagecloud.io/AtomEditor/atom/gpgkey | apt-key add -
echo "deb [arch=amd64] https://packagecloud.io/AtomEditor/atom/any/ any main" > /etc/apt/sources.list.d/atom.list
apt update
apt install atom
Get the Bazel package:
curl https://bazel.build/bazel-release.pub.gpg | sudo apt-key add -
echo "deb [arch=amd64] https://storage.googleapis.com/bazel-apt stable jdk1.8" | sudo tee /etc/apt/sources.list.d/bazel.list
apt update
apt install bazel
Caveat: apt-key add puts each vendor key into the global trusted keyring, where it can sign any repository, not just its own. apt 1.1 and later let you scope a key to one repository by storing it in its own file and adding signed-by=/path/to/key.gpg to the [arch=amd64 ...] options of that sources entry. Always fetch the key over HTTPS, as above, never plain HTTP.
Get Basic Packages
Go to an existing Kali Linux machine (mada4?) and dump the installed packages:
dpkg --get-selections | grep -v deinstall > installed_packages.txt
Go to your new machine and install the missing packages:
cut -f 1 installed_packages.txt | xargs apt-get install -y
NOTE: There may be some conflicts with the older Kali machine; upgrade it to the latest version first. At the end there may also be issues for packages like atom.
Add the buster-backports sources:
# vi /etc/apt/sources.list.d/buster-backports.list
deb http://deb.debian.org/debian buster-backports main contrib
deb-src http://deb.debian.org/debian buster-backports main contrib
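An added example, not from the original page, of a tighter version of the "install the missing packages" step: instead of feeding every line of the dump to apt-get, it keeps only entries in the "install" state (grep -v deinstall alone also passes "hold" and "purge" entries) and installs only what the new machine lacks. The two sample dumps are constructed inline; real machines would use their own dpkg --get-selections output.

```shell
#!/bin/sh
# Added example: compute the packages present on the reference machine but not on the new one.

# sel_names FILE prints the package names marked "install" in a dpkg --get-selections dump.
sel_names() {
    awk '$2 == "install" { print $1 }' "$1" | LC_ALL=C sort -u
}

# missing_packages REF NEW prints names in REF that are absent from NEW, one per line,
# suitable for:  missing_packages ref.txt new.txt | xargs apt-get install -y
missing_packages() {
    a=$(mktemp); b=$(mktemp)
    sel_names "$1" > "$a"
    sel_names "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"    # same collation as the sort above, or comm mis-pairs lines
    rm -f "$a" "$b"
}

# write_sample_selections REF NEW writes two constructed dumps (not from real hosts).
write_sample_selections() {
    printf 'atom\tinstall\nbazel\tinstall\nold-tool\tdeinstall\npinned-lib\thold\nvim\tinstall\n' > "$1"
    printf 'vim\tinstall\n' > "$2"
}
```

Run missing_packages on the dumps first and read the list before piping it into apt-get; a stale reference machine will suggest packages that no longer exist in the new release.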
LDAP
ldap directory access
Copy the CA certificates and ldap.conf from SOE (firedance in the example), rewriting the openldap paths for Debian's /etc/ldap:
scp -r renau@firedance:/etc/openldap/cacerts /etc/ldap/
scp -r renau@firedance:/etc/openldap/ldap.conf /etc/ldap/ldap.conf.soe
sed 's/openldap/ldap/g' /etc/ldap/ldap.conf.soe > /etc/ldap/ldap.conf
Now you should be able to execute the following command; if it returns directory entries, the URI and CA settings in ldap.conf are working.
ldapsearch -x -LLL
pam
Use the default options of these two packages:
apt install libnss-ldap
apt-get install nss-updatedb
Edit /etc/nsswitch.conf so that ldap is consulted after the local files:
passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
Keep files first, so root and the local account created above still resolve when the directory is unreachable.
Update the pam_ldap.conf:
cp /etc/ldap/ldap.conf /etc/pam_ldap.conf
Get the nss_ldap configuration:
scp mada0:/etc/*nss_ldap.conf /etc/libnss_ldap.conf
libnss_ldap.conf has to be world-readable, because every process performs NSS lookups, so never put a bind password in it: if a privileged bind is needed, use rootbinddn and keep the password in the root-only /etc/libnss-ldap.secret and /etc/pam_ldap.secret files.
After this, getent should list directory users:
getent passwd | grep -i renau
security
Restrict logins to the masc/vlsi/vama groups. Add to /etc/security/access.conf:
+ : root : ALL
+ : (masc) : ALL
+ : (vlsi) : ALL
+ : (vama) : ALL
- : ALL : ALL
pam_access evaluates these lines top to bottom and stops at the first match, so the closing "- : ALL : ALL" is what actually denies everyone else; the parentheses mark group names. On Debian this file is only consulted when pam_access is in the PAM stack, so add "account required pam_access.so" to /etc/pam.d/common-account (or to the sshd and login services) and test from a second session before closing the one you are in.
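An added example, not part of the original page, that simulates how pam_access reads an access.conf file (permission : users : origins, first matching line wins, parenthesised names are groups, no match means allow) so the policy above can be checked against a user and group list before it is enforced. It is a simplification: only the ALL origin is modelled, not ttys or hostnames. The sample file it writes is a constructed copy of the page's rules.

```shell
#!/bin/sh
# Added example: dry-run an access.conf policy the way pam_access would evaluate it.

# in_list NEEDLE WORD... succeeds if NEEDLE equals one of the WORDs.
in_list() {
    needle="$1"; shift
    for w in "$@"; do [ "$w" = "$needle" ] && return 0; done
    return 1
}

# access_decide FILE USER [GROUP...] prints "allow" or "deny".
access_decide() {
    file="$1"; user="$2"; shift 2            # remaining args are the user's groups
    while IFS=: read -r perm users origins; do
        perm=$(printf '%s' "$perm" | tr -d ' \t')
        case "$perm" in ''|'#'*) continue ;; esac        # blank line or comment
        origins=$(printf '%s' "$origins" | tr -d ' \t')
        [ "$origins" = "ALL" ] || continue               # tty/host origins not modelled
        for u in $users; do                              # users field is whitespace separated
            case "$u" in
                ALL) ;;                                  # matches every user
                "("*")") u=${u#\(}; u=${u%\)}; in_list "$u" "$@" || continue ;;   # (group)
                *) [ "$u" = "$user" ] || continue ;;     # plain user name
            esac
            if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
            return 0                                     # first matching line wins
        done
    done < "$file"
    echo allow                                           # pam_access: no match means access granted
}

# write_sample_access_conf PATH writes the policy from this page (constructed copy).
write_sample_access_conf() {
    printf '%s\n' '# allow root and the lab groups, deny everyone else' \
        '+ : root : ALL' '+ : (masc) : ALL' '+ : (vlsi) : ALL' '+ : (vama) : ALL' \
        '- : ALL : ALL' > "$1"
}
```

Try it with the groups reported by id -Gn for an account; the "no match means allow" default is the reason the final "- : ALL : ALL" line must not be forgotten.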
Server Disk
https://www.tecmint.com/create-raid-5-in-linux/
Get mdadm:
apt install mdadm
Make sure that the disks have a GPT partition table:
parted /dev/XXX
(parted) mklabel gpt
(parted) quit
Create a single partition spanning the full disk, of type 'Linux RAID' (29 in fdisk's GPT type list):
fdisk /dev/XXX
Sample sequence:
fdisk /dev/disk/by-id/nvme-Micron_9300_MTFDHAL6T4TDR_1943249XXXX
Command (m for help): p
Disk /dev/disk/by-id/nvme-Micron_9300_MTFDHAL6T4TDR_194324955FD6: 5.84 TiB, 6401252745216 bytes, 12502446768 sectors
Disk model: Micron_9300_MTFDHAL6T4TDR
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: A80D3A07-8B7A-47F6-96AC-D470B50E5BDE

Command (m for help): n
Partition number (1-128, default 1):
First sector (34-12502446734, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-12502446734, default 12502446734):

Created a new partition 1 of type 'Linux filesystem' and of size 5.8 TiB.

Command (m for help): t
Selected partition 1
Partition type (type L to list all types): 29
Changed type of partition 'Linux filesystem' to 'Linux RAID'.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
Create /dev/md0. The by-id names are used so the array does not depend on the order in which the kernel enumerates the drives. Check the expansion of the glob with ls before running this: the partitions created above appear as ...-part1 entries, and a pattern that matches only the whole-disk nodes hands mdadm the raw disks instead, overwriting the partition tables just written.
mdadm --create /dev/md0 --level=5 --raid-devices=7 /dev/disk/by-id/nvme-Micron_9300_MTFDHAL6T4TDR_1943249?????
Wait (or not) until the RAID is built; with 7 drives of this size the initial sync takes hours, and the array is usable but unprotected until it finishes:
watch -n1 cat /proc/mdstat
Check the RAID status:
mdadm --detail /dev/md0
Once it looks right, record the array so it is assembled under the same name at boot: append the output of mdadm --detail --scan to /etc/mdadm/mdadm.conf and run update-initramfs -u.
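An added example, not from the original page, that turns the "check the RAID status" step into something cron can run: it parses /proc/mdstat, prints one line per array, reports rebuilds in progress, and exits non-zero when any array is missing members. The sample mdstat it writes is constructed (not captured from a real host); the function defaults to the live /proc/mdstat when given no argument.

```shell
#!/bin/sh
# Added example: scriptable degraded-array check over /proc/mdstat.

# mdstat_report [FILE]   (FILE defaults to /proc/mdstat)
# Prints "mdN: ok (...)", "mdN: DEGRADED a of b members (...)" or "mdN: in progress: ..."
# and returns the number of degraded arrays.
mdstat_report() {
    awk '
        /^md[0-9]+ *: / { name = $1; next }                 # "md0 : active raid5 ..."
        name != "" && match($0, /\[[0-9]+\/[0-9]+\] \[[U_]+\]/) {
            s = substr($0, RSTART, RLENGTH)                 # e.g. "[7/6] [UUUUUU_]"
            split(s, f, "[^0-9U_]+")                        # f[2]=wanted f[3]=active f[4]=map
            if (f[2] == f[3])
                printf "%s: ok (%s)\n", name, f[4]
            else {
                printf "%s: DEGRADED %s of %s members (%s)\n", name, f[3], f[2], f[4]
                bad++
            }
        }
        name != "" && match($0, /(recovery|resync|reshape|check) *= *[0-9.]+%/) {
            printf "%s: in progress: %s\n", name, substr($0, RSTART, RLENGTH)
        }
        END { exit bad + 0 }
    ' "${1:-/proc/mdstat}"
}

# write_sample_mdstat PATH writes a constructed /proc/mdstat where md0 has lost
# one of its seven NVMe members (nvme1n1p1 is absent) and md1 is healthy.
write_sample_mdstat() {
    cat > "$1" <<'EOF'
Personalities : [raid1] [raid5]
md0 : active raid5 nvme6n1p1[6] nvme5n1p1[5] nvme4n1p1[4] nvme3n1p1[3] nvme2n1p1[2] nvme0n1p1[0]
      37507340288 blocks super 1.2 level 5, 512k chunk, algorithm 2 [7/6] [UUUUUU_]
      bitmap: 0/47 pages [0KB], 65536KB chunk

md1 : active raid1 sdb1[1] sda1[0]
      976630464 blocks super 1.2 [2/2] [UU]

unused devices: <none>
EOF
}

# usage on the file server (no argument reads the live /proc/mdstat):
#   mdstat_report || logger -p daemon.err "md array degraded"
```

The [a/b] field is the wanted/active member count and the [U_] map shows which slot is down, which is what you need when deciding which by-id device to replace.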
Install the BTRFS package:
apt install btrfs-progs
Format the array:
mkfs.btrfs /dev/md0
The subvolume commands below assume /dev/md0 is mounted at /mnt.
Create a subvolume (full disk):
btrfs subvolume create /mnt/full
Create a snapshot (snapshots are writable by default; pass -r after "snapshot" for a read-only one that cannot be altered after the fact):
btrfs subvolume snapshot /mnt/full /mnt/snap-1
Delete a snapshot:
btrfs subvolume delete /mnt/snap-1
List subvolumes/snapshots:
btrfs subvolume list /mnt/
ZFS (server)
WARNING: DO NOT INSTALL THIS. It has issues upgrading the kernel. Kept for documentation reasons.
This explains the ZFS setup for a large-filesystem server (not for desktops).
Get the latest kernel and headers:
apt update
apt install linux-headers-`uname -r`
Pin the ZFS packages to backports:
# vi /etc/apt/preferences.d/90_zfs
Package: libnvpair1linux libuutil1linux libzfs2linux libzpool2linux spl-dkms zfs-dkms zfs-test zfsutils-linux zfsutils-linux-dev zfs-zed
Pin: release n=buster-backports
Pin-Priority: 990
Install the zfs packages:
apt install zfsutils-linux zfs-dkms spl-dkms