Difference between pages "Package:Sshguard" and "Install/BootLoader"

(Emerging GRUB)
 
Line 1: Line 1:
{{Ebuild
+
<noinclude>
|Summary=protects hosts from brute force attacks against ssh
+
{{InstallPart|boot loader configuration}}
|CatPkg=app-admin/sshguard
+
</noinclude>
|Maintainer=
+
=== Installing a Bootloader ===
}}
+
 
__TOC__
+
These install instructions show you how to use GRUB to boot using BIOS (old-school) or UEFI (new-school).
'''sshguard''' is an intrusion prevention system.  sshguard parses server logs, determines malicious activity, and then bans malicious users via firewall rules.  sshguard is written in C so it does not tax an interprator.
+
 
 +
==== Old School (BIOS) ====
 +
 
 +
If you're using the BIOS to boot, setting up GRUB, the bootloader, is pretty easy.
  
== Installation ==
+
To use this recommended boot method, first emerge <code>boot-update</code>. This will also cause <code>grub-2</code> to be merged, since it is a dependency of <code>boot-update</code>.
=== Emerge ===
+
To install sshguard:
+
  
 
<console>
 
<console>
###i## emerge app-admin/sshguard
+
(chroot) # ##i##emerge boot-update
 
</console>
 
</console>
  
=== Configuration ===
+
Then, edit <code>/etc/boot.conf</code> and specify "<code>Funtoo Linux genkernel</code>" as the <code>default</code> setting at the top of the file, replacing <code>"Funtoo Linux"</code>.  
sshguard does not have a configuration file. sshguard is controlled by flags passed to it upon execution.
+
  
/etc/conf.d/sshguard is where flags & log path can be passed to the sshguard service.
+
<code>/etc/boot.conf</code> should now look like this:
  
==== Rules ====
+
<pre>
{{file|name=/etc/conf.d/sshguard|desc=overly strict rules|body=
+
boot {
SSHGUARD_OPTS="-p 3600 -s 3600 -a 20"}}
+
generate grub
 +
default "Funtoo Linux genkernel"  
 +
timeout 3
 +
}
  
==== Logs ====
+
"Funtoo Linux" {
sshguard will fail to start unless it has proper authorization logs to monitor.
+
kernel bzImage[-v]
 +
}
  
{{file|name=/etc/conf.d/sshguard|desc=syslog-ng log location|body=
+
"Funtoo Linux genkernel" {
SSHGUARD_OPTS="${SSHGUARD_OPTS} -l /var/log/messages"}}
+
kernel kernel[-v]
 +
initrd initramfs[-v]
 +
params += real_root=auto
 +
}  
  
== Iptables ==
+
"Funtoo Linux better-initramfs" {
=== IP v4 ===
+
kernel vmlinuz[-v]
Generate blank iptables rules, and start iptables as outlined [[Iptables#First_Run|here]].
+
initrd /initramfs.cpio.gz
 +
}
 +
</pre>
  
Insert these rules to allow sshguard to ban malicious users.
+
Please read <code>man boot.conf</code> for further details.
 +
 
 +
===== Running grub-install and boot-update =====
 +
 
 +
Finally, we will need to actually install the GRUB boot loader to your disk, and also run <code>boot-update</code> which will generate your boot loader configuration file:
  
 
<console>
 
<console>
###i## iptables -N sshguard
+
(chroot) # ##i##grub-install --no-floppy /dev/sda
 +
(chroot) # ##i##boot-update
 
</console>
 
</console>
  
&& to block all trafic from offenders
+
Now you need to update your boot loader configuration file:
 +
<console>
 +
(chroot) # ##i##boot-update
 +
</console>
 +
You only need to run <code>grub-install</code> when you first install Funtoo Linux, but you need to re-run <code>boot-update</code> every time you modify your <code>/etc/boot.conf</code> file, so your changes are applied on next boot.
 +
 
 +
==== New School (UEFI) ====
 +
 
 +
If you're using UEFI to boot, setting up the boot loader is a bit more complicated for now, but this process will be improving soon. Perform the following steps.
 +
 
 +
===== Emerging GRUB =====
 +
 
 +
You will still use GRUB as a boot loader, but before emerging grub, you will need to enable EFI booting. To do this,
 +
add the following line to <code>/etc/make.conf</code>:
 +
 
 +
For x86-64bit systems:
 +
 
 +
<pre>
 +
GRUB_PLATFORMS="efi-64"
 +
</pre>
 +
 
 +
For x86-32bit systems:
 +
 
 +
<pre>
 +
GRUB_PLATFORMS="efi-32"
 +
</pre>
 +
 
 +
Then, <code>emerge boot-update</code>. You will notice <code>grub</code> and <code>efibootmgr</code> getting pulled in as dependencies. This is expected and good:
  
 
<console>
 
<console>
###i## iptables -A INPUT -j sshguard
+
(chroot) # ##i##emerge boot-update
 
</console>
 
</console>
  
== Boot Service ==
+
===== Installing GRUB =====
=== OpenRC ===
+
 
To start sshguard immediately:
+
Now, for the magic of getting everything in place for booting. You should copy your kernel and initramfs (if you have one -- you will if you are following the default install) to <tt>/boot</tt>. GRUB will boot those. But how do we get UEFI to boot GRUB? Well, we need to run the following command (for 32 bit simply set it as i386-efi):
 +
 
 
<console>
 
<console>
###i## rc-service sshguard start
+
(chroot) # ##i##grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux [GRUB]" --recheck /dev/sda
 
</console>
 
</console>
 +
This command will simply install all the stuff to <tt>/boot/EFI</tt> and <tt>/boot/grub</tt> that your system needs to boot. In particular, the <tt>/boot/EFI/grub/grubx64.efi</tt> file will be created. This is the GRUB boot image that UEFI will load and start.
 +
 +
A more detailed explanation of the flags used in the above command:
 +
* <code>--target=x86_64-efi</code>: Tells GRUB that we want to install it in a way that allows it to boot in UEFI
 +
* <code>--efi-directory=/boot</code>: All GRUB UEFI files will be installed in ''/boot''
 +
* <code>--bootloader-id="Funtoo Linux [GRUB]"</code>: This flag is not necessary for GRUB to boot. However, it allows you to change the text of the boot option in the UEFI BIOS. The stuff in the quotes can be set to anything that you would like.
 +
* <code>--recheck</code>: If a device map already exists on the disk or partition that GRUB is being installed on, it will be removed.
 +
* <code>/dev/sda</code>:The device that we are installing GRUB on.
 +
 +
===== Configuring GRUB =====
 +
 +
OK, now UEFI has the GRUB image it needs to boot. But we still need to configure GRUB itself so it finds and boots your kernel and initramfs. This is done by performing the following steps. Since boot-update doesn't yet support UEFI, we will use boot-update, but then edit our <code>/boot/grub/grub.cfg</code> to support UEFI booting.
 +
 +
First, you will need to edit <code>/etc/boot.conf</code>. Format this as you would if you were booting without UEFI. If you are not sure how this should look, below is an example of what it could look like if you are booting from an unencrypted ext4 partition:
 +
 +
{{file|name=/etc/boot.conf|desc=|body=
 +
boot {
 +
        generate grub
 +
        default "Funtoo Linux"
 +
        timeout 3
 +
}
 +
 +
"Funtoo Linux" {
 +
        kernel vmlinuz[-v]
 +
        params += rootfstype=ext4 root=/dev/sda2
 +
}
 +
}}
 +
 +
After you have edited your <code>/etc/boot.conf</code> file, run <code>boot-update</code>. You should now have a <code>/boot/grub/grub.cfg</code> file, which you can edit using the following command:
  
To start sshguard upon reboot:
 
 
<console>
 
<console>
###i## rc-update add sshguard default
+
# ##i##nano /boot/grub/grub.cfg
 
</console>
 
</console>
  
== External Resources ==
 
*http://www.sshguard.net/
 
*http://www.ohloh.net/p/sshguard
 
  
[[Category:Security]]
+
To get your <code>/boot/grub/grub.cfg</code> to support booting with UEFI, make the following changes. Below the existing insmod lines, add the following lines.  Both of these involve adding support for the UEFI framebuffer to GRUB.:
[[Category:Server]]
+
 
{{EbuildFooter}}
+
<pre>
 +
  insmod efi_gop
 +
  insmod efi_uga
 +
</pre>
 +
 
 +
Then, change the <code>set gfxpayload</code> line to read as follows. UEFI does not support text mode, so we will keep video initialized to the current resolution.:
 +
 
 +
<pre>
 +
  set gfxpayload=keep
 +
</pre>
 +
 
 +
You can now save your changes by pressing <code>Control-X</code> and answering <code>y</code> when asked if you want to save the modified buffer. When prompted for a filename, hit Enter to use the existing filename.
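Review bot: the added "Configuring GRUB" text has the reader hand-edit <code>/boot/grub/grub.cfg</code>, but the added BIOS section says <code>boot-update</code> generates the boot loader configuration file and must be re-run whenever <code>/etc/boot.conf</code> changes. The text should say explicitly that the <code>insmod efi_gop</code>, <code>insmod efi_uga</code> and <code>set gfxpayload=keep</code> edits have to be repeated after every <code>boot-update</code> run. In the BIOS section, the "Now you need to update your boot loader configuration file" console block repeats the <code>boot-update</code> call already made in the block just before it and can be dropped. The <code>nano</code> prompt is the only command shown without the <code>(chroot)</code> prefix; state whether that is intended.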

Revision as of 19:48, January 1, 2015


Note

This is a template that is used as part of the Installation instructions which covers: boot loader configuration. Templates are being used to allow multiple variant install guides that use most of the same re-usable parts.


Installing a Bootloader

These install instructions show you how to use GRUB to boot using BIOS (old-school) or UEFI (new-school).

Old School (BIOS)

If you're using the BIOS to boot, setting up GRUB, the bootloader, is pretty easy.

To use this recommended boot method, first emerge boot-update. This will also cause grub-2 to be merged, since it is a dependency of boot-update.

(chroot) # emerge boot-update

Then, edit /etc/boot.conf and specify "Funtoo Linux genkernel" as the default setting at the top of the file, replacing "Funtoo Linux".

/etc/boot.conf should now look like this:

boot {
	generate grub
	default "Funtoo Linux genkernel" 
	timeout 3 
}

"Funtoo Linux" {
	kernel bzImage[-v]
}

"Funtoo Linux genkernel" {
	kernel kernel[-v]
	initrd initramfs[-v]
	params += real_root=auto 
} 

"Funtoo Linux better-initramfs" {
	kernel vmlinuz[-v]
	initrd /initramfs.cpio.gz
}

Please read man boot.conf for further details.

Running grub-install and boot-update

Finally, we will need to actually install the GRUB boot loader to your disk, and also run boot-update which will generate your boot loader configuration file:

(chroot) # grub-install --no-floppy /dev/sda
(chroot) # boot-update

Now you need to update your boot loader configuration file:

(chroot) # boot-update

You only need to run grub-install when you first install Funtoo Linux, but you need to re-run boot-update every time you modify your /etc/boot.conf file, so your changes are applied on next boot.

New School (UEFI)

If you're using UEFI to boot, setting up the boot loader is a bit more complicated for now, but this process will be improving soon. Perform the following steps.

Emerging GRUB

You will still use GRUB as a boot loader, but before emerging grub, you will need to enable EFI booting. To do this, add the following line to /etc/make.conf:

For x86-64bit systems:

GRUB_PLATFORMS="efi-64"

For x86-32bit systems:

GRUB_PLATFORMS="efi-32"

Then, emerge boot-update. You will notice grub and efibootmgr getting pulled in as dependencies. This is expected and good:

(chroot) # emerge boot-update

Installing GRUB

Now, for the magic of getting everything in place for booting. You should copy your kernel and initramfs (if you have one -- you will if you are following the default install) to /boot. GRUB will boot those. But how do we get UEFI to boot GRUB? Well, we need to run the following command (for 32-bit systems, set --target to i386-efi instead):

(chroot) # grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux [GRUB]" --recheck /dev/sda

This command will simply install all the stuff to /boot/EFI and /boot/grub that your system needs to boot. In particular, the /boot/EFI/grub/grubx64.efi file will be created. This is the GRUB boot image that UEFI will load and start.

A more detailed explanation of the flags used in the above command:

  • --target=x86_64-efi: Tells GRUB that we want to install it in a way that allows it to boot in UEFI
  • --efi-directory=/boot: All GRUB UEFI files will be installed in /boot
  • --bootloader-id="Funtoo Linux [GRUB]": This flag is not necessary for GRUB to boot. However, it allows you to change the text of the boot option in the UEFI BIOS. The stuff in the quotes can be set to anything that you would like.
  • --recheck: If a device map already exists on the disk or partition that GRUB is being installed on, it will be removed.
  • /dev/sda: The device that we are installing GRUB on.

Configuring GRUB

OK, now UEFI has the GRUB image it needs to boot. But we still need to configure GRUB itself so it finds and boots your kernel and initramfs. This is done by performing the following steps. Since boot-update doesn't yet support UEFI, we will still run boot-update to generate /boot/grub/grub.cfg, and then edit that file by hand to support UEFI booting.

First, you will need to edit /etc/boot.conf. Format this as you would if you were booting without UEFI. If you are not sure how this should look, below is an example of what it could look like if you are booting from an unencrypted ext4 partition:

/etc/boot.conf
boot {
        generate grub
        default "Funtoo Linux"
        timeout 3
}

"Funtoo Linux" {
        kernel vmlinuz[-v]
        params += rootfstype=ext4 root=/dev/sda2
}

After you have edited your /etc/boot.conf file, run boot-update. You should now have a /boot/grub/grub.cfg file, which you can edit using the following command:

# nano /boot/grub/grub.cfg


To get your /boot/grub/grub.cfg to support booting with UEFI, make the following changes. Below the existing insmod lines, add the following lines. Both of these involve adding support for the UEFI framebuffer to GRUB:

  insmod efi_gop
  insmod efi_uga

Then, change the set gfxpayload line to read as follows. UEFI does not support text mode, so we will keep video initialized to the current resolution:

  set gfxpayload=keep

You can now save your changes by pressing Control-X and answering y when asked if you want to save the modified buffer. When prompted for a filename, hit Enter to use the existing filename.
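
Because boot-update generates /boot/grub/grub.cfg, the two edits above have to be made again after each run. The script below applies them repeatably; it is an added example, not part of the original page or of boot-update. The function names and the sample file are made up here, and it assumes "the existing insmod lines" means the first run of insmod lines in the file.

```shell
#!/bin/sh
# Added example: re-apply the page's two UEFI edits to a generated grub.cfg.
# Function names and the sample file below are made up for this illustration.

patch_grub_cfg_for_uefi() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '
        # Called when a run of insmod lines ends: append the UEFI framebuffer
        # modules after the first run only, skipping any already present.
        function flush_modules() {
            if (in_run && !added) {
                if (!have_gop) print "  insmod efi_gop"
                if (!have_uga) print "  insmod efi_uga"
                added = 1
            }
            in_run = 0
        }
        /^[ \t]*insmod[ \t]/ {
            if (!added) {
                in_run = 1
                if ($2 == "efi_gop") have_gop = 1
                if ($2 == "efi_uga") have_uga = 1
            }
            print; next
        }
        { flush_modules() }
        # UEFI has no text mode: keep the current video resolution.
        /^[ \t]*set[ \t]+gfxpayload=/ { sub(/gfxpayload=.*/, "gfxpayload=keep") }
        { print }
        END { flush_modules() }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Constructed sample standing in for a boot-update generated grub.cfg.
write_sample_cfg() {
    cat > "$1" <<'EOF'
set timeout=3
  insmod part_gpt
  insmod ext2
  set gfxpayload=text
menuentry "Funtoo Linux" {
  insmod part_gpt
  linux /vmlinuz root=/dev/sda2 rootfstype=ext4
}
EOF
}
```

Call patch_grub_cfg_for_uefi /boot/grub/grub.cfg as root after each boot-update; running it a second time leaves the file unchanged.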