
hetzner rescue

installimage

By default, Hetzner boots a newly added server into its rescue OS.

First, check the hardware from the rescue system (disks, CPU, etc.) — e.g. `lsblk` to confirm the device names you will put in the DRIVEn lines below; installimage formats whatever is listed there.

After that, run `installimage`.

Input (the installimage config):

# Hetzner installimage config: single-disk install, no software RAID.
# Verify the device names with `lsblk` in the rescue system before running.
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
# FORMATDRIVEn 1 marks the disk for formatting — everything on it is lost.
FORMATDRIVE1 1
FORMATDRIVE2 1

# Software RAID off. The installation is expected to land on DRIVE1 only;
# NOTE(review): confirm that installimage leaves DRIVE2 untouched with SWRAID 0
# before relying on it for data (a second disk can be added to vg0 afterwards,
# as done further down for the NVMe node).
SWRAID 0
SWRAIDLEVEL 0

# UEFI layout: ESP, separate /boot, rest of the disk as an LVM PV for vg0.
PART /boot/efi esp 256M
PART /boot ext3 1024M
PART lvm vg0 all
# Single root LV taking all of vg0.
LV vg0 root / ext4 all

BOOTLOADER grub

HOSTNAME machine
# Uncomment to configure IPv4 only (presumably skips IPv6 setup — confirm).
#IPV4_ONLY yes
# Image to unpack (commented out here).
#IMAGE /root/images/Ubuntu-2204-jammy-amd64-base.tar.gz

Galactica node rescue config

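# Write the installimage config for this node, then run installimage with it.
#
# BUG (fixed): the original used `echo <<ECHO | tee -a install-config`.
# `echo` never reads stdin, so the here-document was discarded and only an
# empty line was appended to install-config.  `cat` emits the text; the
# quoted delimiter keeps it literal; `>` overwrites so a re-run does not
# append a second copy of the config.
cat > install-config <<'ECHO'
DRIVE1 /dev/nvme0n1
DRIVE2 /dev/nvme1n1
DRIVE3 /dev/nvme2n1

FORMATDRIVE1 1
FORMATDRIVE2 1
FORMATDRIVE3 1

SWRAID 0
SWRAIDLEVEL 0

BOOTLOADER grub

HOSTNAME gala-reti-bm-node02

PART /boot/efi esp 256M
PART /boot ext3 512M
PART / ext4 50G
PART lvm vg0 all
LV vg0 root /galactica ext4 all

IMAGE /root/images/Debian-bookworm-latest-amd64-base.tar.gz
ECHO

# -a runs without the confirmation prompt, i.e. it wipes every disk marked
# FORMATDRIVEn 1 immediately.  Review the file (`cat install-config`) and the
# device names (`lsblk`) before running this.
installimage -c install-config -a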

In the installed OS, to add the second disk to the LVM volume group and grow the root volume:

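# Extend vg0 (created by installimage on nvme0n1) onto the second NVMe disk
# and grow the root LV plus its ext4 filesystem to use all free space.
# The whole disk is used as a PV (no partition table).  pvcreate refuses a
# disk that still carries a filesystem or partition signature, so check that
# `lsblk -f /dev/nvme1n1` shows it empty first.
# The steps are chained so a failure stops before the LV is touched.
pvcreate /dev/nvme1n1 \
  && vgextend vg0 /dev/nvme1n1 \
  && lvextend -l +100%FREE /dev/vg0/root \
  && resize2fs /dev/vg0/root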

or, for several disks at once:

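# Add the remaining NVMe disks to vg0 and grow the root LV over them.
#
# BUG (fixed): the original loop listed nvme0n1, which is DRIVE1 — the disk
# that already carries /boot/efi, /boot and vg0's first PV — so `pvcreate`
# on it fails (or, forced, would destroy the system); it also omitted
# nvme2n1, which the config above declares as DRIVE3.  Only the data disks
# belong in this list.  Confirm the names with `lsblk` before running.
for disk in nvme1n1 nvme2n1; do
  printf 'adding /dev/%s to vg0\n' "$disk"
  pvcreate "/dev/$disk" || exit 1
  vgextend vg0 "/dev/$disk" || exit 1
done
# Grow the LV once over all newly added space, then the ext4 filesystem.
lvextend -l +100%FREE /dev/vg0/root && resize2fs /dev/vg0/root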

In the VM (or installed system), basic hardening:

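# Disable IPv6 persistently.  `sysctl -w` alone is lost at reboot, which
# silently re-exposes the host over IPv6; a drop-in under /etc/sysctl.d
# survives it.  Only do this on a node that really is IPv4-only (cf. the
# IPV4_ONLY option in the installimage config above).
cat > /etc/sysctl.d/99-disable-ipv6.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
# Apply now as well, not just at next boot.
sysctl --system

# Firewall.  Make the policy explicit rather than relying on ufw's defaults,
# and allow SSH on TCP only: a bare `ufw allow 22` also opens 22/udp.
# The allow rule must come BEFORE `ufw enable`, or the current SSH session
# is cut off.
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw enable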

# apt install fail2ban
# systemctl status fail2ban.service
# vim /etc/fail2ban/jail.local

CrowdSec / fail2ban (SSH brute-force protection)

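# Install CrowdSec from the vendor's packagecloud repository.
#
# Do not pipe a remote script straight into a root shell: fetch it to a
# file, read it, then run it.  `-f` makes curl fail on an HTTP error instead
# of feeding an error page to bash (the original `-s` without `-f` would),
# `-L` follows redirects.  The script should only add the apt repo and its
# signing key — check that is all it does.
curl -fsSL -o crowdsec-repo.sh https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh
less crowdsec-repo.sh   # review before executing
sudo bash crowdsec-repo.sh
sudo apt-get update
sudo apt-get install crowdsec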
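# /etc/fail2ban/jail.local — local overrides for fail2ban (the file opened
# with `vim /etc/fail2ban/jail.local` above).  Values are the stock defaults
# unless commented otherwise.
[INCLUDES]
before = paths-debian.conf
[DEFAULT]
# Sources that are never banned.  Add your own admin IP(s) so a typo in your
# own password cannot lock you out of SSH.
# ignoreip = 127.0.0.1/8 ::1
ignorecommand =
# Ban for 10 minutes after 5 failures within 10 minutes (stock defaults;
# consider a longer bantime on an internet-facing node).
bantime  = 10m
findtime  = 10m
maxretry = 5
maxmatches = %(maxretry)s
backend = auto
usedns = warn
logencoding = auto
# Jails are OFF unless their own section sets enabled = true.
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
# Default ban action: iptables rules on the jail's ports.
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(action_)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(action_)s
            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
action_xarf = %(action_)s
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
# Ban only (no mail/report actions).
action = %(action_)s
[sshd]
# FIX: this section inherited enabled = false from DEFAULT, so unless a
# jail.d drop-in switched it on, no SSH bans were ever issued.  Enable it
# explicitly instead of relying on a drop-in.
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[dropbear]
port     = ssh
logpath  = %(dropbear_log)s
backend  = %(dropbear_backend)s
[selinux-ssh]
port     = ssh
logpath  = %(auditd_log)s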
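# Apply the jail config and confirm the sshd jail is actually running:
# a jail left at enabled = false does not appear in the status output,
# and a restart that "succeeds" says nothing about whether anything is banning.
systemctl restart fail2ban && fail2ban-client status sshd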

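# Hetzner installimage config: btrfs root with subvolumes, no software RAID.
#
# BUG (fixed): DRIVE2 was also /dev/nvme0n1 — the same device as DRIVE1 — so
# no second disk was actually declared.  nvme1n1 is the second NVMe name used
# elsewhere on this page; confirm with `lsblk` in the rescue system before
# running, because every disk marked FORMATDRIVEn 1 is wiped.
DRIVE1 /dev/nvme0n1
DRIVE2 /dev/nvme1n1
FORMATDRIVE1 1
FORMATDRIVE2 1

# Software RAID off: the install is expected to go to DRIVE1 only —
# NOTE(review): confirm DRIVE2 is left untouched with SWRAID 0.
SWRAID 0
SWRAIDLEVEL 0

PART /boot/efi esp 256M
PART /boot ext3 1024M
# One btrfs filesystem over the rest of the disk, split into subvolumes
# (presumably so /root and /var/log can be snapshotted apart from /).
PART btrfs.1 btrfs all
SUBVOL btrfs.1 @ /
SUBVOL btrfs.1 @root /root
SUBVOL btrfs.1 @log /var/log

BOOTLOADER grub

HOSTNAME cl-0.infra.badai.io
#IPV4_ONLY yes
IMAGE /root/images/Debian-trixie-latest-amd64-base.tar.gz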