# -*- org-confirm-babel-evaluate: nil -*-
#+TITLE: Workstation
#+DATE: 11/30/2019
#+TAGS: :blog:guides:nextcloud:desktop:debian:xfce:git:emacs:vmware:python:jupyter:
#+DESCRIPTION:
#+PROPERTY: header-args :cache yes

#+BEGIN_VERSE
This post describes how to bootstrap a general purpose desktop machine running Debian 10.
#+END_VERSE

* Debian 10 Images
:PROPERTIES:
:CUSTOM_ID: Debian_10_Images
:END:


Unfortunately, more often than not, I've found it necessary to use the unofficial version including support for non-free firmware for my machines.

[[https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/][Current and official Debian ISO files]].

[[https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current-live/amd64/iso-hybrid/][Current Debian ISO files including non-free firmware]].

I always roll with the *xfce* images. Install Debian 10 to bare metal from a flashed USB drive. Assuming the attached USB drive is identified as =/dev/sda= (verify using =lsblk=), flash the ISO to it as follows.

#+begin_src sh
# Overwrite the whole drive with zeros first (dd ends with "No space left on device" once it reaches the end), then write the ISO
sudo dd if=/dev/zero of=/dev/sda status=progress
sudo dd if=~/debian-live-10.2.0-amd64-xfce+nonfree.iso of=/dev/sda status=progress
#+end_src

Insert the USB, then boot from the flashed drive and proceed with installation. My default username is =user=.
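Before writing the image, it is worth checking the downloaded ISO against the =SHA256SUMS= file Debian publishes in the same directory as the ISO. The function below is an added example, not part of the original post; it assumes GNU coreutils (=sha256sum=, =awk=, =basename=, =mktemp=) and a =SHA256SUMS= file already downloaded next to the ISO. Checking the detached =SHA256SUMS.sign= signature with =gpg= is a separate step not shown here.

```sh
#!/bin/sh
# Added example: verify a Debian ISO against its SHA256SUMS entry before flashing it.
# Assumes GNU coreutils (sha256sum, awk, basename, mktemp).

# verify_iso_checksum SUMSFILE ISOFILE
# Exit status: 0 = digest matches the SHA256SUMS entry for the ISO's file name,
#              1 = digest mismatch (do not flash), 2 = no entry for that file name.
verify_iso_checksum() {
    sums=$1
    iso=$2
    name=$(basename "$iso")
    # SHA256SUMS lines have the form "<64 hex chars>  <file name>"
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Demonstration with constructed files in a temporary directory (not a real ISO).
demo_verify_iso() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for an ISO image\n' > "$dir/debian-live-demo.iso"
    digest=$(sha256sum "$dir/debian-live-demo.iso" | awk '{ print $1 }')
    printf '%s  debian-live-demo.iso\n' "$digest" > "$dir/SHA256SUMS"

    if verify_iso_checksum "$dir/SHA256SUMS" "$dir/debian-live-demo.iso"; then
        echo "intact image: checksum matches, safe to dd"
    fi
    # Simulate a corrupted or tampered download: append one byte.
    printf 'x' >> "$dir/debian-live-demo.iso"
    if ! verify_iso_checksum "$dir/SHA256SUMS" "$dir/debian-live-demo.iso"; then
        echo "modified image: checksum mismatch, refusing to dd"
    fi
    rm -rf "$dir"
}

demo_verify_iso
```

In practice the check gates the write: =verify_iso_checksum SHA256SUMS ~/debian-live-10.2.0-amd64-xfce+nonfree.iso && sudo dd if=... of=/dev/sda=. The match is on the ISO's base name, so the =SHA256SUMS= file must be the one from the same directory as the image you downloaded.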

* Sudo User Account
:PROPERTIES:
:CUSTOM_ID: Sudo_User_Account
:END:

Log in as =user=. Then become *root*, once and nevermore, using =su -=. Grant sudo rights to =user=, then log in again.

#+BEGIN_SRC sh
usermod -aG sudo user && \
exit
#+END_SRC

Log out and back in so the =user= account picks up its new sudo membership.

#+BEGIN_SRC sh
xfce4-session-logout -l
#+END_SRC

* TODO Firmware updates
:PROPERTIES:
:CUSTOM_ID: Firmware_updates
:END:


My Lenovo Thinkpad requires some non-free firmware which, unfortunately, I need to enable for full functionality.

** TODO Graphics card
:PROPERTIES:
:CUSTOM_ID: Graphics_card
:END:

The graphics card is an NVIDIA Quadro M2200, which supports multiple monitors with the proper firmware. Download and install the latest driver (version 440.82 as of June 2020). Use [[https://www.nvidia.com/Download/index.aspx][this link]] to search for the latest driver, or just install an older version and update it using =apt= (unverified).

#+BEGIN_SRC sh
# Quote the URL (it contains a query string) and name the output file explicitly
wget -O NVIDIA-Linux-x86_64-440.82.run 'https://www.nvidia.com/content/DriverDownload-March2009/confirmation.php?url=/XFree86/Linux-x86_64/440.82/NVIDIA-Linux-x86_64-440.82.run'

...

#+END_SRC

See here: https://www.linuxquestions.org/questions/linux-laptop-and-netbook-25/debian-10-buster-on-thinkpad-p51-nvidia-quadro-m2200-4175663184/

** TODO WiFi
:PROPERTIES:
:CUSTOM_ID: WiFi
:END:

See here: https://www.linuxquestions.org/questions/linux-laptop-and-netbook-25/debian-10-buster-on-thinkpad-p51-nvidia-quadro-m2200-4175663184/

** TODO +?

See here: https://www.linuxquestions.org/questions/linux-laptop-and-netbook-25/debian-10-buster-on-thinkpad-p51-nvidia-quadro-m2200-4175663184/

* TODO Tor Package Management
:PROPERTIES:
:CUSTOM_ID: Tor_Package_Management
:END:

For privacy, I use Debian's onion services to download packages from official repositories. First though, this requires installing =tor= and =apt-transport-tor=.

First run =sudo test= to authenticate to sudo up front, so the chained commands below do not stall on a password prompt.

#+begin_src sh
sudo apt update && \
sudo apt upgrade -y && \
sudo apt install -y tor apt-transport-tor && \
sudo rm /etc/apt/sources.list && \
sudo bash -c 'cat <<EOT >> /etc/apt/sources.list
# Debian 10, Buster!
# Repos over TOR:
deb tor+http://vwakviie2ienjx6t.onion/debian buster main
deb-src tor+http://vwakviie2ienjx6t.onion/debian buster main

deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security buster/updates main
deb-src tor+http://sgvtcaew4bxjd7ln.onion/debian-security buster/updates main

deb tor+http://vwakviie2ienjx6t.onion/debian buster-updates main
deb-src tor+http://vwakviie2ienjx6t.onion/debian buster-updates main
EOT' && \
sudo apt update
#+end_src

Thereafter, I download a few basic utilities over Tor and set the time zone.

#+BEGIN_SRC sh
sudo apt install -y net-tools curl vim unzip apt-transport-https software-properties-common autoconf libtool \
lynis flashrom xscreensaver yubikey-manager yubikey-personalization-gui keepassxc nextcloud-desktop xclip \
dnsutils whois apache2-utils && \
sudo timedatectl set-timezone America/Los_Angeles
#+END_SRC
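Later sections drop additional repository files into =/etc/apt/sources.list.d/= with plain =https://= URIs, and those fetches do not go through Tor. The functions below are an added example, not part of the original post, for listing any active apt source line that bypasses Tor; they assume the one-line =deb=/=deb-src= sources format used in this post and GNU grep.

```sh
#!/bin/sh
# Added example: find apt source lines that would bypass Tor.
# Assumes the one-line deb/deb-src sources format used in this post and GNU grep.

# apt_sources_not_over_tor FILE...
# Prints every active deb/deb-src line whose URI does not start with "tor+".
# Comment lines are skipped; an optional [options] field before the URI is allowed.
apt_sources_not_over_tor() {
    grep -h -E '^[[:space:]]*deb(-src)?[[:space:]]' "$@" 2>/dev/null \
        | grep -v -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?tor\+' \
        || true
}

# all_apt_sources_over_tor FILE...
# Exit status 0 when no clear-net source line is found, 1 otherwise.
all_apt_sources_over_tor() {
    [ -z "$(apt_sources_not_over_tor "$@")" ]
}

# Demonstration with a constructed sources file (not the real /etc/apt files).
demo_apt_sources() {
    f=$(mktemp)
    cat > "$f" <<'EOT'
# comment lines are ignored
deb tor+http://vwakviie2ienjx6t.onion/debian buster main
deb-src tor+http://vwakviie2ienjx6t.onion/debian buster main
deb [signed-by=/usr/share/keyrings/example-keyring.gpg] https://example.invalid/debian/ default main
deb https://example.invalid/other/ stable main
EOT
    echo "source lines that bypass Tor:"
    apt_sources_not_over_tor "$f"
    rm -f "$f"
}

demo_apt_sources
```

On the workstation itself the call is =apt_sources_not_over_tor /etc/apt/sources.list /etc/apt/sources.list.d/*.list=; any line it prints is a repository whose downloads reveal the machine's address to that mirror, which is the choice to make consciously per repository rather than discover later.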

* Enable Firewalls
:PROPERTIES:
:CUSTOM_ID: Enable_Firewall
:END:

Install and enable the firewall.

#+begin_src sh
sudo apt install -y ufw && \
sudo ufw --force enable
#+end_src

* Enforce VPN Routing
:PROPERTIES:
:CUSTOM_ID: Enforce_VPN_Routing
:END:

This requires some kind of VPN access. I'm using a low-cost VPN provider, PIA. After signing up, they provide authentication credentials, which I use below as =vpn_username= and =vpn_password=.

#+begin_src sh
sudo apt install -y openvpn && \
wget --secure-protocol=PFS --https-only https://www.privateinternetaccess.com/openvpn/openvpn.zip && \
unzip openvpn.zip -d openvpn && \
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/ && \
sudo cp openvpn/US\ California.ovpn /etc/openvpn/local_profile.conf && \
sudo rm -rf openvpn && \
sudo bash -c 'cat <<EOT >> /etc/openvpn/login
vpn_username
vpn_password
EOT' && \
sudo chmod 600 /etc/openvpn/login && \
sudo sed -i '/ca ca.rsa.2048.crt/c\ca /etc/openvpn/ca.rsa.2048.crt' /etc/openvpn/local_profile.conf && \
sudo sed -i '/auth-user-pass/c\auth-user-pass /etc/openvpn/login' /etc/openvpn/local_profile.conf && \
sudo sed -i '/crl-verify crl.rsa.2048.pem/c\crl-verify /etc/openvpn/crl.rsa.2048.pem' /etc/openvpn/local_profile.conf && \
sudo systemctl enable openvpn@local_profile && \
sudo systemctl start openvpn@local_profile

# Watchdog script, written verbatim: the quoted 'EOT' delimiter keeps $(...) and the
# inner single quotes from being interpreted while the file is created.
sudo tee /etc/openvpn/restart-service >/dev/null <<'EOT'
#!/bin/sh

if [ "$(ping -c 3 1.1.1.1 | grep '100% packet loss')" != "" ]; then
  systemctl restart openvpn@local_profile
fi
EOT

sudo chmod +x /etc/openvpn/restart-service && \
sudo crontab -l | { cat; echo "* * * * * /etc/openvpn/restart-service"; } | sudo crontab -
#+end_src

Test that the VPN profile initializes using =sudo openvpn --config /etc/openvpn/local_profile.conf= (and exit with =Ctrl-c=).

Verify the service status using =sudo systemctl status openvpn@local_profile= and check your public IP using =wget --secure-protocol=PFS --https-only -qO- checkip.dyndns.org=.
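The cron watchdog above only asks whether =1.1.1.1= answers pings; it cannot tell whether the reply came back through the tunnel or through the LAN after the tunnel silently dropped. The script below is an added example, not part of the original post, that first checks which interface the kernel would actually use for the probe address and only then checks reachability. It assumes iproute2 (=ip route get=), the =openvpn@local_profile= unit from this post, and that the tunnel interface is =tun0= (override =VPN_DEV= if yours differs).

```sh
#!/bin/sh
# Added example: a VPN watchdog that checks the selected route, not only reachability.
# Assumes iproute2 (`ip route get`), the unit name openvpn@local_profile from this post,
# and a tunnel interface named tun0 (adjust VPN_DEV if yours differs).

VPN_DEV=${VPN_DEV:-tun0}
VPN_UNIT=${VPN_UNIT:-openvpn@local_profile}
PROBE_IP=${PROBE_IP:-1.1.1.1}

# route_uses_vpn ROUTE_OUTPUT DEV
# ROUTE_OUTPUT is the first line of `ip route get <ip>`, for example
#   "1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0"
# Exit status 0 when the selected route leaves through DEV, 1 otherwise.
route_uses_vpn() {
    route=$1
    dev=$2
    # Take the word following "dev"; compare exactly so "tun01" does not match "tun0".
    selected=$(printf '%s\n' "$route" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }')
    [ "$selected" = "$dev" ]
}

# vpn_status
# Prints one of: ok, no-route (kernel has no route to PROBE_IP), leak (route bypasses
# the tunnel), unreachable (route is fine but the probe gets no replies).
vpn_status() {
    route=$(ip route get "$PROBE_IP" 2>/dev/null | head -n 1)
    if [ -z "$route" ]; then
        echo no-route; return 1
    fi
    if ! route_uses_vpn "$route" "$VPN_DEV"; then
        echo leak; return 1
    fi
    if ! ping -c 3 -W 2 "$PROBE_IP" >/dev/null 2>&1; then
        echo unreachable; return 1
    fi
    echo ok
}

# vpn_watchdog: intended for root's crontab like the post's restart-service script.
# Restarts the OpenVPN unit whenever the status is anything other than ok and logs why.
vpn_watchdog() {
    state=$(vpn_status || true)
    if [ "$state" != ok ]; then
        logger -t vpn-watchdog "state=$state, restarting $VPN_UNIT"
        systemctl restart "$VPN_UNIT"
    fi
}

# Demonstration on constructed route lines (not captured from a live host).
demo_route_check() {
    via_vpn="1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000"
    via_lan="1.1.1.1 via 192.168.1.1 dev wlp4s0 src 192.168.1.50 uid 1000"
    for r in "$via_vpn" "$via_lan"; do
        if route_uses_vpn "$r" "$VPN_DEV"; then echo "ok   : $r"; else echo "leak : $r"; fi
    done
}

case ${1:-demo} in
    run) vpn_watchdog ;;
    *)   demo_route_check ;;
esac
```

Saved as =/etc/openvpn/restart-service= and invoked from cron as =/etc/openvpn/restart-service run=, it replaces the ping-only check; the =logger= line leaves a record in the journal of every restart and its reason, which is what you want when the tunnel flaps rather than fails outright.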

* Setup SSH

Create an ssh-key, and update config.

#+BEGIN_SRC sh
# Generate an ed25519 key (the post keeps the id_rsa file name, which the Git section reuses)
mkdir -p ~/.ssh && chmod 700 ~/.ssh && \
ssh-keygen -t ed25519 -C "sentry@bytecache.io" -f "$HOME"/.ssh/id_rsa -N '' && \
bash -c 'cat <<EOT >> ~/.ssh/config
VisualHostKey=yes
LogLevel=VERBOSE
EOT'
#+END_SRC

* Wazuh Agent - Endpoint Security
:PROPERTIES:
:CUSTOM_ID: Wazuh_Agent_-_Endpoint_Security
:END:

Wazuh is a host-based intrusion detection system (HIDS), forked from OSSEC and integrated with the ELK stack. I'll install a Wazuh agent that sends data to a Wazuh server deployed elsewhere (e.g., on =10.0.0.2=).

#+begin_src sh
sudo apt install -y curl apt-transport-https lsb-release gnupg2 && \
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add - && \
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list && \
sudo apt update && \
sudo WAZUH_MANAGER="192.168.1.2" apt install -y wazuh-agent
#+end_src

For additional steps registering agents with the Wazuh manager, see [[https://documentation.wazuh.com/3.9/user-manual/registering/index.html][the Wazuh guide]].

* Harden Firefox
:PROPERTIES:
:CUSTOM_ID: Harden_Firefox
:END:

Go through all of about:preferences, particularly the /search/ and /privacy & security/ settings.

Add and enable the following extensions, in the following order:
1) [[https://www.eff.org/https-everywhere][HTTPS Everywhere]]
2) [[https://www.eff.org/privacybadger][Privacy Badger]]
3) [[https://noscript.net/][NoScript]]
4) [[https://keepassxc.org/docs/keepassxc-browser-migration/][KeePassXC]]
5) [[https://addons.mozilla.org/en-US/firefox/addon/pay-by-privacy-com/][Pay by Privacy.com]]
6) [[https://github.com/marcelklehr/floccus][Floccus]]

* Git
:PROPERTIES:
:CUSTOM_ID: Git
:END:

Live and die by Git. I'm using the handle =sentry=.

#+BEGIN_SRC sh
sudo apt install -y git && \
git config --global user.name "sentry" && \
git config --global user.email "sentry@bytecache.io"
#+END_SRC

Copy the SSH key to clipboard.

#+BEGIN_SRC sh
xclip -sel c < ~/.ssh/id_rsa.pub
#+END_SRC

Finally, log in to the remote Git host and store the public key there.

For virtual machines running in VMware with =open-vm-tools= installed, add the following to =~/.ssh/config=:

#+begin_src sh
Host *
    IPQoS lowdelay throughput
#+end_src

* Emacs
:PROPERTIES:
:CUSTOM_ID: Emacs
:END:

Setup my preferred text editor, Emacs.

#+BEGIN_SRC sh
sudo apt install -y emacs elpa-evil twittering-mode graphviz elpa-rainbow-mode && \
mkdir ~/.emacs.d && \
cd ~/.emacs.d && \
git init && \
git remote add origin git@git.bytecache.io:ehacks/ehacks.git && \
git fetch origin && \
git reset --hard origin/master && \
git push --set-upstream origin master
#+END_SRC

* TODO Riot and Whalebird

=Matrix= and =Mastodon= are decentralized, open-source social networking protocols. =Riot= provides a desktop client for =Matrix=, while =Whalebird= provides a desktop client for =Mastodon=.

#+BEGIN_SRC sh
sudo wget -O /usr/share/keyrings/riot-im-archive-keyring.gpg https://packages.riot.im/debian/riot-im-archive-keyring.gpg && \
echo "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ default main" |
    sudo tee /etc/apt/sources.list.d/riot-im.list && \
sudo apt update && \
sudo apt install -y riot-desktop && \
wget https://github.com/h3poteto/whalebird-desktop/releases/download/4.1.0/Whalebird-4.1.0-linux-x64.deb && \
sudo dpkg -i Whalebird-4.1.0-linux-x64.deb
#+END_SRC

* TODO Virtual Manager
* TODO VMware Workstation Pro
:PROPERTIES:
:CUSTOM_ID: VMware_Workstation_Pro
:END:

This requires virtualization enabled in the laptop's BIOS settings.

#+BEGIN_SRC sh
sudo apt install -y gcc build-essential && \
wget --secure-protocol=PFS --https-only -O /tmp/vmware.bin https://www.vmware.com/go/getworkstation-linux && \
sudo bash /tmp/vmware.bin
#+END_SRC

After a few minutes spent downloading the files, a GUI pops up to complete the installation.

* Python 3
:PROPERTIES:
:CUSTOM_ID: Python_3
:END:

Install various libraries for Python.

#+BEGIN_SRC sh
sudo apt install -y python3-venv python3-pip && \
pip3 install --upgrade --user pip && \
pip3 install --user jedi autopep8 yapf flake8 flake8-bandit keystone-engine capstone ropper unicorn virtualenv
#+END_SRC

* R
:PROPERTIES:
:CUSTOM_ID: R
:END:

Install R from CRAN.

#+BEGIN_SRC sh
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E19F5F87128899B192B1A2C2AD5F960A256A04AF && \
sudo add-apt-repository 'deb https://cloud.r-project.org/bin/linux/debian buster-cran35/' && \
sudo apt update && \
sudo apt install -y r-base
#+END_SRC

* GDB
:PROPERTIES:
:CUSTOM_ID: GDB
:END:

GDB is the GNU Project Debugger, facilitating low level analysis of executable programs by stepping through each operation. GDB comes with Debian, but I also install a few GDB utilities to enhance the debugging process.

#+BEGIN_SRC sh
sudo apt install -y gdb  && \
git clone https://github.com/longld/peda.git ~/peda && \
echo "source ~/peda/peda.py" >> ~/.gdbinit
#+END_SRC

* Radare 2
:PROPERTIES:
:CUSTOM_ID: Radare_2
:END:

Radare2 is a reverse engineering framework.

#+BEGIN_SRC sh
sudo apt install radare2 && \
r2pm init && \
r2pm -i rarop
#+END_SRC

* Bluetooth
:PROPERTIES:
:CUSTOM_ID: Bluetooth
:END:

I use =blueman=, as specified in the [[https://wiki.debian.org/BluetoothUser/a2dp][Debian Bluetooth setup guide]].

#+begin_src sh
sudo apt install -y pulseaudio pulseaudio-module-bluetooth pavucontrol bluez-firmware && \
sudo sed -i '/ExecStart=\/usr\/lib\/bluetooth\/bluetoothd/c\ExecStart=\/usr\/lib\/bluetooth\/bluetoothd --noplugin=sap' /etc/systemd/system/bluetooth.target.wants/bluetooth.service && \
sudo systemctl daemon-reload && \
sudo systemctl restart bluetooth && \
sudo killall pulseaudio && \
sudo apt install -y blueman
#+end_src

* TODO Cell Phone Utilities
:PROPERTIES:
:CUSTOM_ID: Cell_Phone_Utilities
:END:

I have a Pixel 3 running [[https://grapheneos.org/][GrapheneOS]]. Flashing the OS to the phone requires =adb= and =fastboot=, which are not part of Debian. To add these utilities, I'll download and install the [[https://developer.android.com/studio/releases/platform-tools][Android SDK Platform-Tools]], as follows.

#+BEGIN_SRC sh
cd ~/ && \
wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip && \
sudo unzip platform-tools-latest-linux.zip -d /etc/ && rm platform-tools-latest-linux.zip && \
export PATH="/etc/platform-tools:$PATH"
#+END_SRC