Installation Notes

This post is to keep track of the steps I use to configure a fresh Arch Linux installation.

Update the System

  1. Initialize the key store: # pacman-key --init
  2. Add Arch keys: # pacman-key --populate archlinux
  3. Generate some entropy while this command completes
  4. Grab four cups of coffee while the pacman-key command completes
  5. Synchronize repos: # pacman -Syy
  6. Read announcements at archlinux.org
  7. If safe, # pacman -Syu

Add a User

  1. Add a user with a managed home directory: # useradd -m someuser
  2. Set a password: # passwd someuser
  3. Switch to the new user: # su - someuser
  4. SSH key config: $ ssh-keygen
  5. Add a known key: $ vim .ssh/authorized_keys

Be sure to add an authorized_keys entry for your user, otherwise the next few steps will lock you out of the machine.

Lock Down SSH

Edit ‘/etc/ssh/sshd_config’ as follows:

  1. PermitRootLogin no
  2. PasswordAuthentication no
  3. AllowGroups ssh

Now add someuser to the ssh group:

  1. # groupadd ssh
  2. # usermod -a -G ssh someuser

Make Your User a Sudoer

  1. # pacman -S sudo
  2. # visudo

Edit the sudoers file to allow use by members of the sudo group, then:

  1. # groupadd sudo
  2. # usermod -a -G sudo someuser

Install Additional Software

  1. The premiere terminal multiplexer: # pacman -S tmux
  2. Better monitor: # pacman -S htop
  3. Easier than curl for downloads: # pacman -S wget

Set Up Basic Firewalling

  1. # pacman -S iptables

Now create /etc/iptables/iptables.rules with the following contents:

# Generated by iptables-save v1.4.20 on Mon Dec 16 00:27:46 2013
*security
:INPUT ACCEPT [267590:35911116]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [273660:73095474]
COMMIT
# Completed on Mon Dec 16 00:27:46 2013
# Generated by iptables-save v1.4.20 on Mon Dec 16 00:27:46 2013
*raw
:PREROUTING ACCEPT [269310:36039557]
:OUTPUT ACCEPT [273660:73095474]
COMMIT
# Completed on Mon Dec 16 00:27:46 2013
# Generated by iptables-save v1.4.20 on Mon Dec 16 00:27:46 2013
*nat
:PREROUTING ACCEPT [3565:210125]
:INPUT ACCEPT [1893:113389]
:OUTPUT ACCEPT [5889:486284]
:POSTROUTING ACCEPT [7532:552004]
COMMIT
# Completed on Mon Dec 16 00:27:46 2013
# Generated by iptables-save v1.4.20 on Mon Dec 16 00:27:46 2013
*mangle
:PREROUTING ACCEPT [269310:36039557]
:INPUT ACCEPT [269310:36039557]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [273660:73095474]
:POSTROUTING ACCEPT [273660:73095474]
COMMIT
# Completed on Mon Dec 16 00:27:46 2013
# Generated by iptables-save v1.4.20 on Mon Dec 16 00:27:46 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1386:156347]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Dec 16 00:27:46 2013

For details about the directives above, see the excellent Arch Linux wiki entry for Simple Stateful Firewall.

Now enable the iptables service so that systemd starts it at boot, and start it. CAUTION! Look at the configuration file above and verify that it makes sense for your environment before you enable iptables. Failure to do so could result in being locked out of the machine.

  1. Start iptables at boot: # systemctl enable iptables
  2. Start iptables now: # systemctl start iptables
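The two lockout warnings above (an authorized_keys entry must exist before sshd is locked down, and the rules file must open the SSH port before iptables is enabled) can be checked mechanically before either service is restarted. The script below is an added example and not part of the original notes; its function names (check_sshd_config, check_authorized_keys, accepted_tcp_ports, check_rules, preflight) are hypothetical, and the sample files it writes to a temporary directory are constructed, so point it at the real /etc/ssh/sshd_config, ~someuser/.ssh/authorized_keys and /etc/iptables/iptables.rules to use it on a host.

```shell
#!/bin/sh
# Hypothetical lockout pre-flight (added example, not from the original notes):
# checks an sshd_config, an authorized_keys file and an iptables-save ruleset
# and fails unless key-based SSH on the chosen port survives the lockdown.

# 0 if sshd_config ($1) has the three lockdown directives, uncommented.
check_sshd_config() {
    for kv in 'PermitRootLogin no' 'PasswordAuthentication no' 'AllowGroups ssh'; do
        grep -Eqi "^[[:space:]]*$kv([[:space:]]|$)" "$1" \
            || { echo "sshd_config: missing '$kv'" >&2; return 1; }
    done
}

# 0 if authorized_keys ($1) holds at least one real public-key line.
check_authorized_keys() {
    grep -Eq '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9@.-]+) ' "$1" \
        || { echo "authorized_keys: no key entry found" >&2; return 1; }
}

# Print the TCP ports the *filter table's TCP chain accepts in ruleset $1.
# Parses only the '--dport N' form the notes use (no multiport or ranges).
accepted_tcp_ports() {
    awk '/^\*filter/ { f = 1 } /^COMMIT/ { f = 0 }
         f && /^-A TCP / && /-j ACCEPT/ {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1"
}

# 0 if the filter INPUT policy is DROP and port $2 is opened in the TCP chain.
check_rules() {
    awk '/^\*filter/ { f = 1 } /^COMMIT/ { f = 0 }
         f && /^:INPUT DROP/ { ok = 1 } END { exit !ok }' "$1" \
        || { echo "rules: filter INPUT policy is not DROP" >&2; return 1; }
    accepted_tcp_ports "$1" | grep -qx "$2" \
        || { echo "rules: TCP port $2 is not accepted" >&2; return 1; }
}

# Run all checks: $1 sshd_config, $2 authorized_keys, $3 rules file, $4 SSH port.
preflight() {
    check_sshd_config "$1" && check_authorized_keys "$2" && check_rules "$3" "$4"
}

# Constructed sample inputs in a temp dir (not real host files), so it runs anywhere.
demo=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'AllowGroups ssh' > "$demo/sshd_config"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERKEY someuser@laptop\n' > "$demo/authorized_keys"
printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':TCP - [0:0]' \
    '-A TCP -p tcp -m tcp --dport 22 -j ACCEPT' 'COMMIT' > "$demo/iptables.rules"
preflight "$demo/sshd_config" "$demo/authorized_keys" "$demo/iptables.rules" 22 \
    && echo "preflight OK: safe to enable the SSH lockdown and iptables"
```

A failing check prints which file is at fault and returns nonzero, so the script can gate the `systemctl` calls in a provisioning run.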

Celebrate

  1. ssh someuser@your.shiny.new.machine
  2. $ echo "OMFG I LOVE ARCH!"