Debian Template Image Preparation and Cloning
ROUGH DRAFT
Fresh Install of VM
Fresh Debian Installation
To be documented
Post-install Ubuntu Configuration
- Go to the Console tab and Power On the VM
- Once it comes up, log in to your VM
- Get the VM IP:

ip addr

- SSH to the VM and log in as your unprivileged user
- su to root (enter the root password):

su -

- Edit /etc/apt/sources.list so it contains:

deb http://deb.debian.org/debian bookworm main non-free-firmware
deb-src http://deb.debian.org/debian bookworm main non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main non-free-firmware
deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware

- Install sudo and add your user to the sudo group (johndoe is the example user name):

apt-get install sudo
usermod -aG sudo johndoe

- Log out and reconnect via SSH
- Run any available upgrades and reboot:

sudo apt update && sudo apt upgrade -y && sudo reboot

- Set up Chrony for time sync:

sudo apt install -y chrony && \
sudo systemctl restart chrony && \
chronyc tracking | grep --color=auto -e ^ -e "Last offset.*"

- Add /usr/sbin to the default PATH:

sudo bash -c 'echo '\''PATH="/usr/sbin:$PATH"'\'' >> /etc/profile.d/usr_sbin_path.sh'
VIM Tweaks
sudo apt install vim

Set VIM as the default editor:

sudo update-alternatives --config editor
Template Image Prep
Set up OpenSSH Key Reconfiguration
If you simply clone a Debian image without resetting the OpenSSH server host keys, every clone shares the same host identity: anyone who obtains the host keys from one clone can impersonate any other system cloned from the same image and perform a MITM attack on SSH sessions to it. So we have to make sure those keys are removed before we make the image, and then automatically regenerated on the next boot.
Copy, paste and run this entire chunk of script in your terminal. It installs a systemd service that runs before sshd at boot, checks for missing host keys, and regenerates them if they are missing:
# Install the OpenSSH key reconfiguration service unless it is already enabled.
if systemctl is-enabled openssh-reconfigure.service > /dev/null 2>&1 ; then
    echo "OpenSSH Key Reconfiguration Service already installed."
else
    # Helper script: regenerate the host keys when they are missing. Debian
    # bookworm does not generate a DSA host key, so testing for ssh_host_dsa_key
    # would trigger a reconfigure on every boot; test for the ed25519 key instead.
    sudo bash -c 'cat << "EOF" > /usr/local/sbin/openssh-reconfigure
#!/bin/bash
test -f /etc/ssh/ssh_host_ed25519_key || dpkg-reconfigure openssh-server
EOF'
    sudo chmod 700 /usr/local/sbin/openssh-reconfigure
    # systemd unit: Type=oneshot makes ssh.service wait until the helper has
    # finished, so sshd never starts without host keys.
    sudo bash -c 'cat << "EOF" > /etc/systemd/system/openssh-reconfigure.service
[Unit]
Description=OpenSSH Key Reconfiguration Service
Before=ssh.service
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/openssh-reconfigure
[Install]
WantedBy=multi-user.target
EOF'
    sudo chmod 644 /etc/systemd/system/openssh-reconfigure.service
    sudo systemctl enable openssh-reconfigure.service
fi
Delete the existing keys:

sudo /bin/rm -v /etc/ssh/ssh_host_*
Clear the Machine ID
Run this:
sudo bash -c "truncate -s0 /etc/machine-id ; \
rm /var/lib/dbus/machine-id ; \
ln -s /etc/machine-id /var/lib/dbus/machine-id"
Genericize the interface config
Make these alterations to /etc/network/interfaces in the enX0 section. Leave the commented-out static settings in place so the user of the image/template can see what needs to change to re-activate static networking:
iface enX0 inet dhcp
#iface enX0 inet static
# address 192.168.160.XXX
# netmask 255.255.254.0
# gateway 192.168.160.1
# dns-nameservers 192.168.160.105
Clear the Bash, VIM, and other history
Run this:
rm -rf ~/.viminfo ~/.Xauthority ~/.cache
sudo bash -c 'rm -rf ~/.viminfo ~/.Xauthority ~/.cache'
sudo bash -c 'echo -n "" > /var/log/wtmp'
sudo bash -c 'echo -n "" > /var/log/btmp'
sudo bash -c 'echo -n "" > /var/log/lastlog'
### These should always run last
sudo bash -c 'truncate -s0 ~/.bash_history ; history -c'
truncate -s0 ~/.bash_history ; history -c
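Before the shutdown step, this added audit script (not part of the original guide) checks that the Template Image Prep steps above actually took effect: host keys gone, the openssh-reconfigure unit enabled, /etc/machine-id emptied with the D-Bus copy symlinked to it, and the history files cleared. The root-directory and home-directory arguments are assumptions added so it can be run against a constructed directory tree as well as the live system.

```shell
#!/bin/bash
# Pre-image audit (added example, not from the original guide). ROOT (default /)
# and HOME_DIR (default $HOME) are assumed arguments so the check can run
# against a constructed tree; exit status is the number of problems found.
audit_template() {
    local root="${1:-/}"
    local home_dir="${2:-$HOME}"
    local problems=0

    # 1. No OpenSSH host keys may remain; the boot-time service recreates them.
    for key in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$key" ] || continue
        echo "FAIL: host key still present: $key"
        problems=$((problems + 1))
    done

    # 2. The regeneration unit must be enabled (symlink in multi-user.target.wants).
    local wants="$root/etc/systemd/system/multi-user.target.wants/openssh-reconfigure.service"
    if [ ! -L "$wants" ] && [ ! -e "$wants" ]; then
        echo "FAIL: openssh-reconfigure.service is not enabled"
        problems=$((problems + 1))
    fi

    # 3. /etc/machine-id must be empty so systemd generates a fresh one on first
    #    boot, and the D-Bus copy must be a symlink to it, not a stale file.
    if [ -s "$root/etc/machine-id" ]; then
        echo "FAIL: /etc/machine-id is not empty"
        problems=$((problems + 1))
    fi
    if [ -f "$root/var/lib/dbus/machine-id" ] && [ ! -L "$root/var/lib/dbus/machine-id" ]; then
        echo "FAIL: /var/lib/dbus/machine-id is a regular file, not a symlink"
        problems=$((problems + 1))
    fi

    # 4. Shell and editor history must be empty or absent.
    for f in "$home_dir/.bash_history" "$home_dir/.viminfo"; do
        if [ -s "$f" ]; then
            echo "FAIL: history file not cleared: $f"
            problems=$((problems + 1))
        fi
    done

    echo "audit finished: $problems problem(s)"
    return "$problems"
}

# Run directly as: bash pre_image_audit.sh / "$HOME"
[ "$#" -eq 0 ] || audit_template "$@"
```

Run it as the user who performed the preparation steps; any FAIL line means the template is not ready to be captured.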
Shutdown
Run this:
sudo shutdown -h now