JiffyBox

This page describes how to install Debian Squeeze with an encrypted filesystem on a JiffyBox with 50GB hard disk storage.

Create machine with temporary Linux system

Go to JiffyBox admin console.

Delete all hard disks and profiles.

Add new Linux installation:

Edit profile Debian:

Rename hard disk Debian Root to Debian Boot.

Delete hard disk Debian Swap.

Start system.

Update system. Install LVM, dm-crypt and debootstrap. Remove unused packages:

# df -h
...
# apt-get update
# apt-get upgrade
# apt-get install dmsetup cryptsetup lvm2 debootstrap
# apt-get purge nano os-prober tasksel tasksel-data telnet ftp 
# apt-get purge curl libcurl3 ca-certificates libidn11 openssl libssh2-1
# apt-get purge xauth libxau6 libx11-6 libxcb1 libxext6 libxmuu1
# apt-get purge logrotate cron iptables man-db groff-base libx11-data libxdmcp6
# apt-get purge info manpages geoip-database cron-apt 
# apt-get purge liblockfile1 heirloom-mailx traceroute netcat-traditional
# apt-get clean
# df -h
...

Shutdown system.

Go to JiffyBox admin console.

Shrink hard disk Debian Boot to 512MB.

Add new hard disk

Add hard disk Debian LVM to profile Debian as /dev/xvdb.

Start system.

Encrypt disk and create partitions

Overwrite the LVM disk with random data:

# badblocks -s -w -t random -v /dev/xvdb

Encrypt the disk:

# cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/xvdb
...

Open the encrypted disk:

# cryptsetup luksOpen /dev/xvdb lukslvm 
...

Create partitions:

# pvcreate /dev/mapper/lukslvm
# vgcreate vg /dev/mapper/lukslvm
# lvcreate -L 4G -n root vg
# lvcreate -L 2G -n var vg
# lvcreate -L 1G -n tmp vg
# lvcreate -L 1G -n home vg
# lvcreate -L 512M -n swap vg

Create file systems:

# mkfs.ext4 /dev/mapper/vg-root
# mkfs.ext4 /dev/mapper/vg-var
# mkfs.ext4 /dev/mapper/vg-tmp
# mkfs.ext4 /dev/mapper/vg-home
# mkswap /dev/mapper/vg-swap

Mount partitions:

# mount /dev/mapper/vg-root /mnt/
# mkdir /mnt/home /mnt/tmp /mnt/var /mnt/boot
# chmod 1777 /mnt/tmp
# mount /dev/mapper/vg-home /mnt/home
# mount /dev/mapper/vg-tmp /mnt/tmp
# mount /dev/mapper/vg-var /mnt/var
# chmod 1777 /mnt/tmp

Install the base system

Debootstrap

Debootstrap:

# debootstrap --arch=amd64 wheezy /mnt http://ftp.de.debian.org/debian/

Chroot into the bootstrap environment:

# mount -o bind /dev /mnt/dev
# mount -t proc none /mnt/proc
# cp /etc/network/interfaces /mnt/etc/network/
# cp /etc/resolv.conf /mnt/etc/
# chroot /mnt

Partitions

Define partitions in /etc/fstab:

/dev/xvda            /boot         ext3  defaults  0  2
/dev/mapper/vg-root  /             ext4  defaults  0  1
/dev/mapper/vg-home  /home         ext4  defaults  0  2
/dev/mapper/vg-tmp   /tmp          ext4  defaults  0  2
/dev/mapper/vg-var   /var          ext4  defaults  0  2
/dev/mapper/vg-swap  none          swap  sw        0  0
proc                 /proc         proc  defaults  0  0

Mount all partitions:

# touch /etc/mtab
# mount -a

Set root password

# passwd root

Configure APT

See Debootstrap.

Configure console

See Debootstrap.

Install basic tools

See Debootstrap.

Basic security

See SSH Server and Shorewall.

Kernel and bootloader

Install kernel and grub:

# apt-get install linux-image-amd64
# apt-get install grub-legacy
# mkdir /boot/grub
# grub-install /dev/xvda 
# rm /boot/grub/*stage*
# update-grub

Edit /boot/grub/menu.lst:

#groot=(hd0)

Symlink boot partition for PV-Grub:

# cd /boot
# rm vmlinuz initrd.img
# mv boot boot-old
# mkdir boot
# cd boot
# ln -s ../grub grub
# update-grub

Install LVM and dm-crypt

# apt-get install dmsetup cryptsetup lvm2

Prepare reboot

Fix /etc/crypttab:

lukslvm /dev/xvdb none luks

Update the initramfs:

# update-initramfs -u

Fix /etc/inittab for Xen: remove all tty entries and add only the following single line:

1:2345:respawn:/sbin/getty 38400 hvc0

Fix /etc/securetty for Xen: replace xvc0 with hvc0.

Set hostname in /etc/hostname:

www

Set IP and FQDN in /etc/hosts:

<ip> www.example.com www

Reboot.

Boot new system

Connect to console.

Enter passphrase.

Cleanup

Remove fingerprint from known_hosts.

Delete unused stuff from boot partition:

# cd /boot
# rm -rf bin boot-old dev etc home lib media mnt opt 
# rm -rf proc root sbin selinux srv sys tmp usr var
# rm lib64

Reboot.

Final checks

# netstat --tcp -a -n
# iptables -L
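A consistency check for the /etc/fstab and /etc/crypttab written above, as an added example that is not part of the original page: it flags any mount other than /boot (and pseudo filesystems) that is not on the encrypted volume group, and rejects a crypttab entry that unlocks lukslvm from a key file instead of a passphrase, since a key file on the plaintext /boot disk would sit outside the encryption. The mapping name lukslvm, the device /dev/xvdb and the volume group vg are taken from the guide; the sample file contents are constructed copies.

```shell
#!/bin/sh
# Added example, not part of the original page. Checks the fstab/crypttab
# layout from this guide: every mount except the plaintext /boot and pseudo
# filesystems must live on the encrypted volume group "vg", and the LUKS
# mapping "lukslvm" for /dev/xvdb must be unlocked by passphrase ("none").

# Constructed copy of the fstab written earlier in the guide.
SAMPLE_FSTAB='/dev/xvda            /boot         ext3  defaults  0  2
/dev/mapper/vg-root  /             ext4  defaults  0  1
/dev/mapper/vg-home  /home         ext4  defaults  0  2
/dev/mapper/vg-tmp   /tmp          ext4  defaults  0  2
/dev/mapper/vg-var   /var          ext4  defaults  0  2
/dev/mapper/vg-swap  none          swap  sw        0  0
proc                 /proc         proc  defaults  0  0'

# Constructed copy of the crypttab written earlier in the guide.
SAMPLE_CRYPTTAB='lukslvm /dev/xvdb none luks'

# unencrypted_mounts FSTAB_TEXT
# Prints "<mountpoint> on <device>" for every entry outside /dev/mapper/vg-*
# and returns 1 if any such entry exists, 0 otherwise.
unencrypted_mounts() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ || NF < 3 { next }
        $3 == "proc" || $3 == "sysfs" || $3 == "tmpfs" || $3 == "devpts" { next }
        $2 == "/boot" { next }
        $1 !~ /^\/dev\/mapper\/vg-/ { print $2 " on " $1; bad = 1 }
        END { exit bad + 0 }'
}

# crypttab_ok CRYPTTAB_TEXT
# Returns 0 only if lukslvm maps /dev/xvdb with key source "none" and no
# entry at all reads its key from a file.
crypttab_ok() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ || NF < 4 { next }
        $1 == "lukslvm" && $2 == "/dev/xvdb" && $3 == "none" { found = 1 }
        $3 != "none" { keyfile = 1 }
        END { exit (found && !keyfile) ? 0 : 1 }'
}

# Run both checks against the constructed samples.
if unencrypted_mounts "$SAMPLE_FSTAB"; then
    echo "fstab: all data mounts are on the encrypted volume group"
fi
if crypttab_ok "$SAMPLE_CRYPTTAB"; then
    echo "crypttab: lukslvm is unlocked by passphrase"
fi
# On the installed system, run the same checks on the real files:
#   unencrypted_mounts "$(cat /etc/fstab)"; crypttab_ok "$(cat /etc/crypttab)"
```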

Debian security

See Debian Security.


Sources: