Difference between revisions of "Initial Debian Server Setup"

From IARC 207 Wiki
Revision as of 18:13, 3 November 2016

IARC Server List

A rough step-by-step procedure for getting a Debian ARM server up and running for remote deployment as a serial radio base station, or for a number of other uses.

Been meaning to put this together for a while.

Download media

A lot of these ARM-based systems have a microSD or SD card image that can be flashed from an online source. I like to use the most recent stable version of Debian if it's available, and also the minimum-size image so that less extra cruft is installed (no window manager needed, etc.).
The Raspberry Pis work well too, but have less horsepower under the hood:
https://www.raspberrypi.org/downloads/raspbian/
This one is more powerful but doesn't come with a vanilla kernel (which makes long-term updating harder):
http://wiki.solid-run.com/doku.php?id=products:imx6:overview:flashsdcard

We also have a few units (the DreamPlug and the GuruPlug) from GlobalScale, but the power supplies have become flaky over time and I think the Cubox-i is the current favorite.
https://www.globalscaletechnologies.com/

In addition, we are also using an Intel-based NUC, which is slightly larger and maybe more powerful, but its CPU instruction set is x86 rather than ARM. For Debian that makes no difference, but it should also mean we can run LoggerNet for Linux further afield (this is on my later-in-the-winter list).

First step

  1. Download the current image of the OS available online to your computer
    1. http://wiki.solid-run.com/doku.php?id=products:imx6:software:os:debian
    2. https://www.raspberrypi.org/downloads/raspbian/
  2. Flash it to the appropriate media (microSD or SD card typically). Something like this:
    1. sudo dd if=~/Downloads/ignition.img of=/dev/rdisk2 bs=4096 (cubox-i example)
    2. sudo dd if=2015-11-21-raspbian-jessie-lite.img of=/dev/rdisk2 bs=4096 (Raspberry Pi example)
  3. Look up online the default user / password to get into the system once it is up and running, too.
    1. A simple search for something like "Raspberry pi default user name and password" should get you close.
  4. Once you're up and running, log in as the default user and then do some setup in an interactive sudo session:
 sudo -i

For raspberry pi, change keyboard layout to US

The default is the UK English layout. Switch to a US layout before you change any passwords. Here is a good resource:
https://wiki.debian.org/Keyboard

 dpkg-reconfigure keyboard-configuration
 service keyboard-setup restart

Create user accounts

(placeholder user name here, not what you will see on our systems)

 adduser scientist

Give the user sudo permissions:

https://wiki.debian.org/sudo

adduser scientist sudo

Tighten up remote ssh access

We have been having issues with port scanning and automated login attempts from all over the world. You can initially lock things down by disabling ssh login for the default account (after creating your first other user in the previous step). First up, edit the ssh server configuration, which lives in /etc/ssh/sshd_config:

 editor /etc/ssh/sshd_config

Add these lines to that file (or verify that they are already there; double-check that you are not duplicating a directive, which confuses the daemon):

 ## Disable root login:
 PermitRootLogin no
 ## Specify which users can log in over ssh:
 AllowUsers scientist

With that out of the way, restart the ssh server and you have taken a step towards better securing the system:

service ssh restart
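As an added example (not part of the wiki), here is a small POSIX shell script that makes the same two changes without hand-editing and deals with the duplicate-directive problem just mentioned: sshd uses the first occurrence of a directive it finds, so a stray "PermitRootLogin yes" left above ours would silently win. The function names and the --apply flag are ours, "scientist" is the wiki's placeholder user, and the config path and "ssh" service name are the ones the wiki uses. Directives inside Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the wiki: apply the sshd_config changes from the
# section above without hand-editing, and without leaving duplicate directives.
# Assumptions: function names and the --apply flag are ours; "scientist" is the
# wiki's placeholder user; the path and the "ssh" service name are the wiki's.
set -u

# set_sshd_option FILE KEY VALUE
# Rewrites the first line that sets KEY (active or commented out, e.g.
# "#PermitRootLogin prohibit-password") to "KEY VALUE", drops any later copies,
# or appends the directive if KEY is absent. sshd honours the first occurrence
# of a directive, so a duplicate left above ours would win.
# Directives inside "Match" blocks are not handled.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # drop a leading "#", if any
            n = split(line, f, /[ \t=]+/)
            if (n > 0 && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                  # discard duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_directive FILE KEY -> number of active (uncommented) lines setting KEY
count_directive() {
    grep -ci "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# harden_sshd FILE USERS: the two settings from the section above. AllowUsers
# is a whitelist, so pass every account that must keep ssh access, space-separated.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers "$2"
}

# check_sshd_config FILE: structural check that exactly one active line sets
# each directive and that root login is off (sshd -t, run below, is the
# authoritative syntax check).
check_sshd_config() {
    [ "$(count_directive "$1" PermitRootLogin)" -eq 1 ] &&
    [ "$(count_directive "$1" AllowUsers)" -eq 1 ] &&
    grep -qi '^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*no[[:space:]]*$' "$1"
}

# Usage on the real box (as root): sh harden_sshd.sh --apply /etc/ssh/sshd_config scientist
if [ "${1:-}" = "--apply" ]; then
    cp "$2" "$2.bak"                      # keep a copy to fall back on
    harden_sshd "$2" "$3"
    check_sshd_config "$2" && sshd -t -f "$2" && service ssh restart
fi
```

Keep your existing ssh session open while you test a fresh login from a second terminal; if AllowUsers is wrong you can still restore the .bak copy and restart from the first session instead of being locked out of a remote box.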

Update Firewall:

The firewall is complicated. I'm not 100% sure I have this correct, but it's quite a bit more secure than the defaults. It's worth its own entry though:

Update apt & all packages

 apt-get update
 apt-get upgrade

Raspberry Pi specific: Resize Partition

Run this utility as root:

raspi-config

One of the options (the first one) is:

1 Expand Filesystem            Ensures that all of the SD card storage is available to the OS  

Select that and the file system will expand from the default (around 1.3 GB) to consume the whole card. See here for a bit more discussion:
http://raspberrypi.stackexchange.com/questions/499/how-can-i-resize-my-root-partition

Install additional packages

Great, if you've made it this far then you should have a decently secure system, nearly ready for deployment. There are a few more packages it is smart to install... whether you add all of them depends on what you are doing, but these first ones are a good move.

 apt-get install nmap ntp less imagemagick python mailutils fail2ban ser2net git telnet screen wget curl
  • nmap is useful for checking out the internet presence of your device. Kind of optional, but nice to have installed if you need it at a later date.
  • ntp is the time server, used to get internet time. It should be installed by default, but I have found it isn't always. So, best to be explicit and install it here.
  • less is a simple command line utility for reading text files. Again, it should be installed by default, but I have run into it not being installed.
  • imagemagick is a great command-line image manipulation library. Used by a few different utilities. I think we use it to resize / slice automatically generated plots, and to do some other stuff in Barrow.
  • python: a common programming language we use extensively; it should be added to the system.
  • mailutils is a simple email package. Used by crontab & the security updates system (as well as others I'm forgetting) to give you status information.
  • fail2ban is used to lock down ssh a bit further than the default iptables rules. It blocks IP addresses that try to log in too often with a bad user/password. Intended to reduce the workload of these simple computers handling garbage so they can focus on serving as a serial base station etc.
  • ser2net is a pretty solid utility for getting serial port access (or USB-to-serial access) via sockets. This is the primary thing we use to make data logger information available over the internet. For multipoint radios, there is also a ser2nets which can allow more than one LoggerNet instance to access the radio network simultaneously. I haven't used ser2nets but have thought about experimenting with it.
  • git: we use this for distributing datapro and other utilities.
  • telnet: useful for testing ser2net's operation.
  • screen: useful for testing the USB-to-serial device.
  • curl: utility for grabbing web pages / data from servers.
  • wget: utility for grabbing web pages / data from servers.

Automatically install security updates:

The last generally mandatory package to add is unattended security updates. There are a couple of packages to install, but there are also some configs to modify. It's best to just read this page:
https://wiki.debian.org/UnattendedUpgrades
But I can also give you a hint that you'll need to do at least these three things from the command line:

 apt-get install unattended-upgrades apt-listchanges
 editor /etc/apt/apt.conf.d/50unattended-upgrades
 editor /etc/apt/apt.conf.d/20auto-upgrades
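As an added example (not part of the wiki), these shell functions write the minimal settings those two files need: the two APT::Periodic switches in 20auto-upgrades that turn on the daily update run, and the Unattended-Upgrade::Mail line in 50unattended-upgrades so that the status mail the mailutils bullet above talks about is actually sent. The directory is passed in as an argument (use /etc/apt/apt.conf.d on the real box) so the functions can be tried on a scratch directory first; the function names are ours and "scientist" is the wiki's placeholder user.

```shell
#!/bin/sh
# Added example, not from the wiki: turn on the daily unattended security-update
# run and its mail report. Assumptions: DIR is /etc/apt/apt.conf.d on a real
# system (passed in so this can be exercised on a scratch directory); function
# names are ours; "scientist" is the wiki's placeholder user.
set -u

# enable_auto_upgrades DIR: the two APT::Periodic switches that make the daily
# apt run refresh the package lists and then run unattended-upgrade.
enable_auto_upgrades() {
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# apt_periodic_value DIR KEY -> prints the value configured for APT::Periodic::KEY
apt_periodic_value() {
    sed -n "s/^APT::Periodic::$2 \"\([0-9]*\)\";\$/\1/p" "$1/20auto-upgrades"
}

# set_upgrade_mail DIR USER: turn the (normally commented-out, "//") line
# Unattended-Upgrade::Mail in 50unattended-upgrades into an active one,
# dropping any duplicates, or append it if the file has no such line.
set_upgrade_mail() {
    file="$1/50unattended-upgrades"; user=$2
    tmp="$file.tmp.$$"
    awk -v user="$user" '
        /^[ \t]*(\/\/)?[ \t]*Unattended-Upgrade::Mail[ \t]/ {
            if (!done) { printf "Unattended-Upgrade::Mail \"%s\";\n", user; done = 1 }
            next
        }
        { print }
        END { if (!done) printf "Unattended-Upgrade::Mail \"%s\";\n", user }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# upgrade_mail_recipient DIR -> prints the active Mail recipient, if any
upgrade_mail_recipient() {
    sed -n 's/^Unattended-Upgrade::Mail "\([^"]*\)";$/\1/p' "$1/50unattended-upgrades"
}

# Usage on the real box (as root):
#   enable_auto_upgrades /etc/apt/apt.conf.d
#   set_upgrade_mail /etc/apt/apt.conf.d scientist
```

After editing, unattended-upgrade --dry-run --debug on the real system shows which packages would be upgraded and confirms that the origins configured in 50unattended-upgrades parse, without changing anything.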

Other packages

So, those are typically the base to get you up and running. This next set is slightly more specialized. If you are going to do any data processing or use the WERC data retrieval tools, these are good to install:

 apt-get install build-essential libdbi-perl libconfig-yaml-perl python-numpy python-tz liblockfile-simple-perl bc

Check timezone

Important to confirm we are using UTC:

 sudo dpkg-reconfigure tzdata

Next steps

At this point you have a system tailored for generic deployment. With that out of the way, there are some specific tools and scripts that are nice to have for a bit more feedback. For example, the system needs to report its IP address routinely, so there are a few things to set up to make that happen:

  • set up a private key in the scientist user account so you can automate the transfer
  • set up the crontab so that the automated stuff is configured to happen... do all of this from your user account rather than your root account.

 mkdir ~/bin
 nano ~/bin/main_cron
  • add something like this to the file main_cron to transmit the IP address every 10 minutes:
 */10 * * * * /sbin/ifconfig > /home/scientist/grayling_ip.txt
 */10 * * * * scp -oport=2222 /home/scientist/grayling_ip.txt user@ngeedata.iarc.uaf.edu:/home/user/remote_ips/
  • add this to the crontab:
 crontab ~/bin/main_cron
  • confirm that it is in the crontab:
 crontab -l

Great,

  • set up a few more bash scripts... running out of steam here I'm just going to list commands for a bit and then annotate later.
  • this gets Ross' csv utilities with datapro plus a number of other things installed
cd ~/bin/
git clone https://github.com/rwspicer/csv_utilities.git
python ~/bin/csv_utilities/get_ip.py --infile=/home/scientist/extra/grayling_ip.txt --outfile=/home/scientist/grayling_ip
  • also need to configure ser2net:
sudo nano /etc/ser2net.conf
  • remove the existing lines at the bottom of the configuration and add this:
    • specifying the port as 7808
    • data type is raw (default is telnet)
    • serial to usb device is /dev/ttyUSB0
    • speed and data information (this is standard of most of our serial things though the baud rate may change depending on application): 115200 8DATABITS NONE 1STOPBIT
    • a few additional parameters to close the connection and reset the radio after each use: HANGUP_WHEN_DONE RTSCTS LOCAL
# IARC radio
7808:raw:25:/dev/ttyUSB0:115200 8DATABITS NONE 1STOPBIT HANGUP_WHEN_DONE RTSCTS LOCAL
  • now, reload ser2net daemon with new configuration:
service ser2net restart
  • next, test your setup:
 telnet localhost 7808
    • then hit enter a few times and watch for a reply from the data logger. If you see it, awesome. To close the program, hold down the control key and press the close bracket key. This brings up a new prompt:
<CONTROL><]>
    • then:
close
  • if that works, fantastic. If that doesn't, try connecting directly to the serial port using screen:
sudo screen /dev/ttyUSB0 9600
    • If that works, awesome! To quit screen then enter:
<CONTROL> - <A>  (press and hold control, then press A)
<COLON>
<TYPE> quit </TYPE>
  • if that works, then you have a good serial connection and may just need to tweak the ser2net configuration.
    • I just noticed here that "service ser2net restart" didn't properly reload the configuration file. However, this did:
 service ser2net stop
 service ser2net start
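As an added example (not part of the wiki), the following POSIX shell functions sanity-check entries in the classic ser2net.conf format used above before you stop and start the daemon, so that a typo in the line shows up as a message rather than as a port that silently isn't listening. The field order follows the wiki's own line; the states, baud rates and option keywords accepted are a common subset of what ser2net.conf allows (extend the lists if you use others), and the 1024-65535 port range is our own assumption for an unprivileged listener. Function names are ours.

```shell
#!/bin/sh
# Added example, not from the wiki: sanity-check ser2net.conf entries of the
# classic "port:state:timeout:device:options" form before stopping and starting
# the daemon. The accepted states, baud rates and option keywords are a common
# subset of what ser2net.conf allows (extend the lists if you use others); the
# 1024-65535 port range is our own assumption for unprivileged listeners.

# check_ser2net_line LINE: returns 0 for a comment, blank or well-formed line,
# otherwise prints why the line is wrong and returns 1.
check_ser2net_line() {
    line=$1
    case "$line" in ''|\#*) return 0 ;; esac
    old_ifs=$IFS; IFS=:; set -- $line; IFS=$old_ifs     # split on ':' only
    if [ $# -ne 5 ]; then
        echo "expected 5 colon-separated fields, found $#: $line"; return 1
    fi
    port=$1 state=$2 timeout=$3 device=$4 opts=$5
    case "$port" in ''|*[!0-9]*) echo "port is not a number: $port"; return 1 ;; esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port outside 1024-65535: $port"; return 1
    fi
    case "$state" in raw|rawlp|telnet|off) ;;
        *) echo "unknown state (raw, rawlp, telnet, off): $state"; return 1 ;; esac
    case "$timeout" in ''|*[!0-9]*) echo "timeout is not a number of seconds: $timeout"; return 1 ;; esac
    case "$device" in /dev/*) ;; *) echo "device is not under /dev: $device"; return 1 ;; esac
    baud=${opts%% *}                                     # first word of the options
    case "$baud" in 300|1200|2400|4800|9600|19200|38400|57600|115200|230400) ;;
        *) echo "unsupported baud rate: $baud"; return 1 ;; esac
    for o in ${opts#"$baud"}; do                         # remaining keywords
        case "$o" in
            5DATABITS|6DATABITS|7DATABITS|8DATABITS|NONE|EVEN|ODD|1STOPBIT|2STOPBITS) ;;
            HANGUP_WHEN_DONE|-HANGUP_WHEN_DONE|RTSCTS|-RTSCTS|XONXOFF|-XONXOFF|LOCAL|-LOCAL|NOBREAK) ;;
            *) echo "unknown option keyword: $o"; return 1 ;;
        esac
    done
    return 0
}

# check_ser2net_file FILE: checks every line, reports the bad ones and returns
# 1 if any were found. Run it before "service ser2net stop; service ser2net start".
check_ser2net_file() {
    errors=0
    while IFS= read -r l || [ -n "$l" ]; do
        check_ser2net_line "$l" || errors=$((errors + 1))
    done < "$1"
    if [ "$errors" -ne 0 ]; then
        echo "$errors bad line(s) in $1"; return 1
    fi
    return 0
}

# Usage on the real box: check_ser2net_file /etc/ser2net.conf && service ser2net stop && service ser2net start
```

The check only covers the file's syntax. Whether the device actually exists and the daemon came up on the port are separate questions; "ls -l /dev/ttyUSB0" and the "telnet localhost 7808" test above answer those.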

Yet to come

So, at this point you have a solid serial server. There is often more functionality you can add though depending on how things go. For instance, the speed test bash script may need to be installed, there might be webcam