[Ryedale] Debian build for anyone interested

Martin Wheldon mwheldon at googlemail.com
Tue Aug 19 08:25:54 UTC 2008


Hi Folks,

Following a conversation last night with Paul about building production
Debian servers, here is my base build process for those who are interested.

1. Download the Debian Etch CD1 full version.
2. Verify checksums and signatures so I know what I've got.
3. Write the ISO to CD.
4. Remove the network cable from the machine I'm installing on.
5. Boot the machine and start the install.
6. My machines contain two hard disks and I use software RAID + LVM. NOTE:
if using PATA disks, put one disk on each controller.
7. Create swap partitions twice the size of physical memory, one swap
partition on each disk.
8. Create the partitions that will make up the RAID 1, one on each disk, half
the size of the remaining space.
9. Create the RAID md device from the partitions created in step 8.
10. Now create the LVM volume group, then create the following
logical volumes:

lv0   -   /boot                -   100 MB
lv1   -   /                    -   4 GB
lv2   -   /var                 -   4 GB
lv3   -   /var/log             -   4 GB
lv4   -   /var/lib/vz/private  -   the rest of the space

11. Ensure we do only a standard install, with no other boxes checked.
12. Install sudo and ssh-server from the CD.
13. Give the non-root user full admin rights in /etc/sudoers.
14. Remove root access via ssh and restart the server.
15. Create a firewall with iptables and only allow outbound access to the
Debian security servers.
16. Plug in the network cable.
17. apt-get update && apt-get dist-upgrade
18. Modify the firewall to allow ssh access from the local network segment.
19. Disconnect keyboard, mouse and monitor from the machine.
20. ssh into the machine and remove the following packages:

sudo apt-get -s remove --purge policycoreutils \
    selinux-policy-refpolicy-targeted patch nfs-common portmap tcsh \
    reportbug procmail \
    exim4-daemon-light exim4-config exim4-base exim at mailx mutt aptitude \
    bc bind9-host dc dhcp3-client dhcp3-common m4 libidn11 \
    dmidecode laptop-detect tasksel tasksel-data strace sharutils pidentd \
    netcat nano mtr-tiny wamerican whois texinfo mpack lsof \
    python python-central python-minimal python-newt python-selinux \
    python-semanage python-support python2.4 python2.4-minimal \
    finger ed installation-report info manpages man-db mime-support \
    traceroute telnet w3m ftp iamerican ibritish ispell groff-base \
    libnfsidmap2 liblockfile1 libgssapi2 libisccfg1 libisccc0 libsemanage1 \
    libbind9-0 dictionaries-common doc-debian doc-linux-text \
    whiptail

21. Stop the inetd service:
# /etc/init.d/openbsd-inetd stop

22. Add the Debian repositories to sources.list.
23. Install the puppet client and let it build the box as specified by the
puppet master manifests.

Hope this was of interest.

Martin

PS I have puppet do a whole load of security tweaks as part of its build.
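The checks behind step 2, written out as a script. This is an added example, not Martin's own script. It assumes the checksum list (SHA256SUMS) and its detached signature (SHA256SUMS.sign) were fetched from the same mirror directory as the image, and that the Debian CD signing keys are in the keyring named by KEYRING; the default path below is the one shipped by Debian's debian-keyring package and is an assumption you should check on your own system.

```shell
#!/bin/sh
# Added example (not from the original post): verify a Debian CD image against
# the signed checksum list before writing it to CD.
# KEYRING: keyring holding the Debian CD signing keys. The default is the file
# shipped by the debian-keyring package (assumption; adjust if yours differs).
KEYRING=${KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}

# check_signature LIST SIGNATURE
# Verify the detached signature on the checksum list. This is the step that
# ties the checksums to Debian; a checksum alone only detects a bad download.
check_signature() {
    gpg --no-default-keyring --keyring "$KEYRING" --verify "$2" "$1"
}

# check_iso LIST ISO
# Compare the image's SHA-256 with the entry for its file name in LIST.
# Returns 0 on match, 1 on mismatch, 2 if the list has no entry for it.
check_iso() {
    list=$1
    iso=$2
    name=$(basename "$iso")
    # Lines look like "<hash>  <file>"; some tools emit "<hash> *<file>".
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$list")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $list" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Usage: sh verify-iso.sh SHA256SUMS SHA256SUMS.sign debian-xxx.iso
# The full check only runs when all three arguments are given.
if [ $# -eq 3 ]; then
    check_signature "$1" "$2" || { echo "signature check FAILED" >&2; exit 1; }
    check_iso "$1" "$3" || exit 1
    echo "$3: signature and checksum OK"
fi
```

Run the signature check first: if gpg cannot verify the list, the checksum comparison proves nothing, because whoever replaced the image could have replaced the list too. Etch-era mirrors carried MD5SUMS and SHA1SUMS rather than SHA256SUMS; the same script works with those files if sha256sum is swapped for the matching tool.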

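Steps 13 and 14 done as a script, as an added example rather than anything from the original post. The point it makes is ordering: once root logins over ssh are off, a broken /etc/sudoers leaves no remote way to become root, so the sudoers candidate is syntax-checked with visudo -c before it is installed. The user name "admin" in the usage line, the init script name "ssh" and the sshd_config path are assumptions for a Debian box.

```shell
#!/bin/sh
# Added example (not from the original post): grant one ordinary user full
# sudo rights, then disable root logins over ssh.

# set_sshd_option FILE KEY VALUE
# Set KEY to VALUE exactly once. The first occurrence, commented ("#KEY ...")
# or not, is replaced and later uncommented duplicates are dropped, because
# sshd honours the first occurrence of an option. If the file has no such line
# the option is inserted before the first "Match" block rather than appended,
# since anything after "Match" applies only to that block.
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0; lk = tolower(k); ck = "#" lk }
        !done && tolower($1) == "match" { print k " " v; done = 1 }
        tolower($1) == lk { if (!done) { print k " " v; done = 1 }; next }
        !done && tolower($1) == ck { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # keep the original file's ownership and mode
    rm -f "$tmp"
}

# grant_admin USER FILE
# Append a full-rights entry for USER to FILE (a working copy of sudoers)
# unless one is already there. Nothing is installed here.
grant_admin() {
    user=$1
    file=$2
    grep -q "^$user[[:space:]]" "$file" && return 0
    printf '%s ALL=(ALL) ALL\n' "$user" >> "$file"
}

# install_sudoers CANDIDATE
# Syntax-check the candidate with visudo and only then put it in place.
install_sudoers() {
    visudo -c -f "$1" >/dev/null || return 1
    cat "$1" > /etc/sudoers
    chmod 0440 /etc/sudoers
}

# Usage (as root): sh admin-access.sh admin
if [ $# -eq 1 ]; then
    cand=$(mktemp)
    cat /etc/sudoers > "$cand"
    grant_admin "$1" "$cand"
    install_sudoers "$cand" || { echo "sudoers check failed, nothing changed" >&2; rm -f "$cand"; exit 1; }
    rm -f "$cand"
    # Only now is it safe to shut the root door over ssh.
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
    invoke-rc.d ssh restart
fi
```

Before logging out of the console, open a second ssh session as the new user and confirm "sudo -v" works; that session is the safety net if the first attempt went wrong.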

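The firewall from steps 15 and 18 as one script with two phases, added here as an example and not Martin's own rules. "lockdown" drops everything except loopback, replies to connections the box opened itself, DNS to the configured resolvers and HTTP to the Debian security mirrors; "ssh" later opens port 22 from the local segment. All addresses are placeholders (RFC 5737 test ranges and a private LAN) to be replaced with your own. Mirrors and resolvers are given as IP addresses on purpose: iptables resolves a host name when the rule is loaded, and at step 15 the cable is still unplugged.

```shell
#!/bin/sh
# Added example (not from the original post): two-phase iptables policy for
# a freshly installed box. Placeholder addresses; set your own via environment.
SECURITY_MIRRORS=${SECURITY_MIRRORS:-"192.0.2.10 192.0.2.11"}
RESOLVERS=${RESOLVERS:-"192.168.1.1"}
LOCAL_NET=${LOCAL_NET:-"192.168.1.0/24"}
IPT=${IPT:-iptables}    # set IPT=echo to print the rules instead of loading them

ipt() { $IPT "$@"; }

# Phase 1 (step 15): default deny in every direction, then the minimum
# needed for "apt-get update && apt-get dist-upgrade" against security.
lockdown() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to connections the box opened itself
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Name resolution, so apt can look up security.debian.org
    for ns in $RESOLVERS; do
        ipt -A OUTPUT -p udp -d "$ns" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done
    # apt over HTTP to the security mirrors only
    for m in $SECURITY_MIRRORS; do
        ipt -A OUTPUT -p tcp -d "$m" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Phase 2 (step 18): inbound ssh from the local segment only.
allow_local_ssh() {
    ipt -A INPUT -p tcp -s "$LOCAL_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    lockdown) lockdown ;;
    ssh)      allow_local_ssh ;;
    "")       ;;    # no argument: only define the functions
    *)        echo "usage: $0 lockdown|ssh" >&2; exit 1 ;;
esac
```

Before plugging the cable in, run "IPT=echo sh firewall.sh lockdown" and read the rule list; after plugging it in, check with "host security.debian.org" that every address it returns is in SECURITY_MIRRORS, otherwise apt will hang on a mirror the firewall never allowed. On an Etch-era kernel "-m state --state" is the equivalent of "-m conntrack --ctstate".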
