KVM is a virtualization infrastructure in the Linux kernel. KVM currently supports full virtualization using Intel VT or AMD-V.

Configuration: 100 GB qcow2 disk and 1 GB swap, bridged network breig0, VNC server (does not interfere with the iptables rules below), RNG device /dev/random, processor opteron_g3, <emulator> /usr/bin/kvm

tasksel: --- desktop environment, --- print server, +++ SSH server

apt-get install htop iotop jnettop git p7zip lynis colordiff tmux wipe netcat-openbsd tcpdump iperf w3m pv nmap zerofree iputils-tracepath parted logcheck mosh rsync mtr-tiny curl command-not-found checksecurity debsums rkhunter clamav snoopy build-essential checkinstall cmake dpkg-dev diffutils monkeysphere iptables-persistent vim fdupes ssmtp

Log and security software. These can be configured to send mail; for now they write to /var/log/ and /var/mail/eigen.

  • logcheck: writes a summary of the logs, trying to drop all the useless lines
  • checksecurity: runs a series of checks for common security problems
  • tiger: checks the system configuration for problems
  • rkhunter: looks for rootkits on the system
  • unhide: looks for hidden processes
  • debsums: checks the hashes of all installed packages (binaries and configuration files)
  • clamav: antivirus
  • snoopy: logs every execve() via syslog

LONG LIVE PARANOIA!! :D

Some of them are heavy and there is no point in running them all the time:

    chmod -x /etc/cron.daily/tripwire
    chmod +x /etc/cron.d/logcheck

To update the packages:

    apt-get update && aptitude full-upgrade

To update the apt-file and command-not-found caches:

    apt-file update
    update-command-not-found

Changes to configuration files:


    #DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps
    DISABLE_TESTS=suspscan deleted_files packet_cap_apps apps

.bashrc

    export LS_OPTIONS='--color=auto'
    eval "`dircolors`"
    alias ls='ls $LS_OPTIONS'
    alias ll='ls $LS_OPTIONS -l'
    alias l='ls $LS_OPTIONS -lA'

    if [ -n "$force_color_prompt" ]; then
        if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
            # We have color support; assume it's compliant with Ecma-48
            # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
            # a case would tend to support setf rather than setaf.)
            color_prompt=yes
        else
            color_prompt=
        fi
    fi

    if [ "$color_prompt" = yes ]; then
        # Colored prompt: user@host in bold red, working directory in bold blue
        PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
    else
        PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
    fi
    unset color_prompt force_color_prompt

/etc/ssh/sshd_config

    AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
    PasswordAuthentication no
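The two sshd_config settings above only take effect if no earlier line in the file already sets the same keyword. The check below is an added example, not part of the original page; the function names are made up here, and it assumes a single file without Include directives.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings used on this page.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional, so only
# the part before the first Match is the global setting.

# Print the global value of keyword $1 in file $2 (nothing if it is unset).
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                  # strip leading blanks
        /^#/ || /^$/ { next }                   # skip comments, empty lines
        { split($0, p, /[ \t=]+/); key = tolower(p[1]) }
        key == "match" { exit }                 # conditional part starts
        key == want {
            sub(/^[^ \t=]+[ \t=]+/, "")         # drop keyword + separator
            sub(/[ \t]+$/, "")
            print; exit                         # first occurrence wins
        }' "$2"
}

# Return 0 if file $1 matches the page's settings; else print findings, return 1.
audit_sshd() {
    rc=0
    pa=$(sshd_effective PasswordAuthentication "$1" | tr 'A-Z' 'a-z')
    akf=$(sshd_effective AuthorizedKeysFile "$1")
    if [ "$pa" != "no" ]; then      # unset means the OpenSSH default, "yes"
        echo "FAIL: PasswordAuthentication is '${pa:-unset (default yes)}'"; rc=1
    fi
    if [ "$akf" != "/var/lib/monkeysphere/authorized_keys/%u" ]; then
        echo "FAIL: AuthorizedKeysFile is '${akf:-unset}'"; rc=1
    fi
    return $rc
}

# Constructed sample: the later "no" is ignored because "yes" comes first.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no' \
    'AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' > "$sample"
audit_sshd "$sample" || echo "sample config rejected"
rm -f "$sample"
```

On a running host, `sshd -T` prints the configuration sshd actually uses and can be checked the same way.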

For now the nodes' key is installed. It must be removed once monkeysphere has been configured (add the certifiers with "monkeysphere-authentication add-identity-certifier $fingerprint" and the authorized IDs in .monkeysphere/authorized_user_ids).

/root/.ssh/authorized_keys

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCr+J+hhlUnYhKLOnW55aZhJrdHHSQU9XXoP0DcMuvIQ3+SYV6ZZJLMvcdN7puSdkcKiK9DEpsN8uCWfIsxu8LkWJfq6Q/DUBkwvXgKlpbisFaj82ucy7ioiZ1aEc6LMQ/VxG4iHCnGXjWqNLA9sB9lgVDXD29lm8n/i99DHNI8TLHzV9aXz3uR39IqvD4zFBZPSsoDvZ9BsOC6TIUl+Ua0lx1olJxwGawK9he52G55RHhMI+NYj5/wMp80kOhtzRN5F0wRt08Yv2Wu0Kx9akRJBOmI+CcfxxEk7Fcg/kCHG8evS4i4chSMBbBLjOhTk/+Q6nbT3TNIeG2LAtUpml2f node_key@eigenlab

/etc/monkeysphere/monkeysphere-authentication.conf

    LOG_LEVEL=DEBUG
    RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"

/etc/crontab

    # cron runs commands with /bin/sh, where "&>" is not a redirection
    0 * * * * root /usr/sbin/monkeysphere-authentication update-users > /dev/null 2>&1

/etc/cron.d/logcheck

    # cron variable names are case-sensitive
    MAILTO=""


    # Generated by iptables-save v1.4.21 on Sat May 2 23:51:15 2015
    *filter
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    COMMIT
    # Completed on Sat May 2 23:51:15 2015


    # Generated by ip6tables-save v1.4.21 on Sat May 2 23:51:15 2015
    *filter
    :INPUT DROP [2:200]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ICMPv6 is protocol ipv6-icmp; "-p icmp" in ip6tables matches only IPv4 ICMP
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp6-port-unreachable
    COMMIT
    # Completed on Sat May 2 23:51:15 2015

/etc/resolv.conf

    domain eigenlab.org
    search eigenlab.org
    nameserver
    nameserver

/etc/network/interfaces

    auto lo
    iface lo inet loopback

    # The primary network interface
    allow-hotplug eth0
    #iface eth0 inet dhcp
    auto eth0
    iface eth0 inet static

    iface eth0 inet6 static
        address 2a00:1508:1:f010::1:33
        netmask 64
        gateway 2a00:1508:1:f010::101

/etc/pam.d/su

    auth required pam_wheel.so


    # Config file for sSMTP sendmail
    # The person who gets all mail for userids < 1000
    # Make this empty to disable rewriting.

    # The place where the mail goes. The actual machine name is required no
    # MX records are consulted. Commonly mailhosts are named mail.domain.com

    # Where will the mail seem to come from?
    #rewriteDomain=
    # The full hostname

    # Are users allowed to set their own From: address?
    # YES - Allow the user to specify their own From: address
    # NO - Use the system generated From: address
    #FromLineOverride=YES

    UseTLS=YES
    UseSTARTTLS=YES
    rewriteDomain=eigenlab.org
    AuthUser=tuttisuitetti@eigenlab.org
    AuthPass=Passw0rd

After cloning the base machine, these files must be changed:

  • /etc/network/interfaces: change the IP
  • /etc/hostname: update the hostname
  • /etc/hosts

Then regenerate the SSH host keys, so that the keys are not the same on every machine:

    rm /etc/ssh/ssh_host_* && dpkg-reconfigure openssh-server
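A way to verify the post-clone steps above, as an added example that is not part of the original page: it compares a clone's file tree with the base image's tree and reports every step that was skipped. The function name and having both trees available as directories are assumptions.

```shell
#!/bin/sh
# Added example: check a clone's file tree against the base image's tree.
# Usage: postclone_check BASE_ROOT CLONE_ROOT (having both trees at hand,
# e.g. the base image mounted read-only, is an assumption of this example).
postclone_check() {
    base=$1 clone=$2 rc=0
    # 1. No SSH host public key of the clone may also exist in the base image.
    for pub in "$clone"/etc/ssh/ssh_host_*_key.pub; do
        [ -f "$pub" ] || { echo "FAIL: no SSH host keys found"; rc=1; break; }
        blob=$(awk '{ print $2 }' "$pub")       # base64 key material only
        if cat "$base"/etc/ssh/ssh_host_*_key.pub 2>/dev/null |
                awk -v b="$blob" '$2 == b { hit = 1 } END { exit !hit }'; then
            echo "FAIL: ${pub##*/} is the same key as in the base image"; rc=1
        fi
    done
    # 2. The hostname must differ from the base and be listed in /etc/hosts.
    bh=$(cat "$base/etc/hostname" 2>/dev/null || true)
    ch=$(cat "$clone/etc/hostname" 2>/dev/null || true)
    if [ -z "$ch" ] || [ "$ch" = "$bh" ]; then
        echo "FAIL: /etc/hostname is still '${ch:-empty}'"; rc=1
    elif ! awk -v h="$ch" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
            END { exit !ok }' "$clone/etc/hosts" 2>/dev/null; then
        echo "FAIL: '$ch' is not listed in /etc/hosts"; rc=1
    fi
    # 3. /etc/network/interfaces must no longer be the base image's copy.
    if cmp -s "$base/etc/network/interfaces" "$clone/etc/network/interfaces"; then
        echo "FAIL: /etc/network/interfaces is unchanged"; rc=1
    fi
    return $rc
}

# Constructed demo: a clone copied verbatim from the base fails all three checks.
demo=$(mktemp -d); mkdir -p "$demo/base/etc/ssh" "$demo/base/etc/network"
echo 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY root@base' \
    > "$demo/base/etc/ssh/ssh_host_ed25519_key.pub"
echo base > "$demo/base/etc/hostname"; echo '127.0.1.1 base' > "$demo/base/etc/hosts"
echo 'iface eth0 inet6 static' > "$demo/base/etc/network/interfaces"
cp -R "$demo/base" "$demo/clone"
postclone_check "$demo/base" "$demo/clone" || echo "clone is not ready"
rm -rf "$demo"
```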