Updating the firmware

Configure minicom to connect to the serial console:

Serial Device /dev/ttyUSB0
Bps/Par/Bits 19200 8N1
Hardware Flow Control No
Software Flow Control No

Press ctrl-p when the soekris is booting to get access to the BIOS.

Get the latest BIOS image and send it to the soekris by typing:

download

Now, press ctrl-a s, choose xmodem and select the downloaded image.

Once the transfer is complete, you can flash the BIOS by typing:

flashupdate

This update alters the boot order, so the soekris will no longer boot from its flash drive. To fix this, type:

set BootDrive 80 81 F0 FF
reboot

For more information and downloads, see the soekris site.

Installing Debian wheezy

There is a special installer available for the soekris here.

I used the latest release version. Follow the instructions to do the initial install.

The default image fails to boot because the IDE driver is not in the initial RAM disk. To fix this, mount the image and chroot into it:

mount /dev/sdc1 /media/usb
cd /media/usb
chroot .

Now add the following line to /etc/initramfs-tools/modules:

ide_generic

Generate a new initrd and unmount:

update-initramfs -u
exit
cd
umount /media/usb

Configuration

Users and passwords

The default root password is "voyage". Change it and create a normal user account:

passwd
adduser jlaros

Swap

Sometimes, apt will run out of memory while installing or configuring a package. Add a swap file to fix this:

dd if=/dev/zero of=/swapfile bs=1024 count=65536
chmod 600 /swapfile
mkswap /swapfile

Now, whenever you need more memory, turn on swap:

swapon /swapfile

Turn off swap when you're done:

swapoff /swapfile

Network

Edit /etc/network/interfaces. In this example, eth0 is an internal interface, eth1 is the external interface and wlan0 is the wireless interface:

iface eth0 inet static
        address 192.168.20.201
        netmask 255.255.255.0

iface eth1 inet static
        address 192.168.178.21
        netmask 255.255.255.0
        gateway 192.168.178.1

auto wlan0
iface wlan0 inet static
        address 192.168.21.1
        netmask 255.255.255.0
        hostapd /etc/hostapd/hostapd.wlan0.conf
        up sh /etc/network/scripts/rate.sh

Alter the following lines in /etc/hostapd/hostapd.wlan0.conf to set the ssid, password and encryption type:

ssid=fixedpoint
wpa_passphrase=wpa2istheshit
wpa=2
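
A quick check for the three settings above, as an added example that is not part of the original page: hostapd's wpa option is a numeric bit field (2 selects WPA2 only) and wpa_passphrase must be 8 to 63 characters. The function names and the sample file are made up for illustration.

```sh
#!/bin/sh
# Added example: lint the ssid, wpa_passphrase and wpa settings of a hostapd
# config file. Function names and the sample values are made up for illustration.

# Print the last value assigned to key $2 in file $1 (hostapd uses key=value).
hostapd_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one finding per problem; return 0 only if there are none.
check_hostapd_wpa() {
    h_rc=0
    h_ssid=$(hostapd_get "$1" ssid)
    h_pass=$(hostapd_get "$1" wpa_passphrase)
    h_wpa=$(hostapd_get "$1" wpa)
    [ -n "$h_ssid" ] || { echo "ssid is empty"; h_rc=1; }
    # wpa is a bit field: 1 = WPA, 2 = WPA2 (RSN), 3 = both.
    case $h_wpa in
        2)    ;;
        1|3)  echo "wpa=$h_wpa still offers legacy WPA; use wpa=2"; h_rc=1 ;;
        ''|0) echo "wpa is unset or 0, so WPA is disabled"; h_rc=1 ;;
        *)    echo "wpa=$h_wpa is not a valid value (expected 1, 2 or 3)"; h_rc=1 ;;
    esac
    # A WPA passphrase must be 8 to 63 characters long.
    h_len=${#h_pass}
    if [ "$h_len" -lt 8 ] || [ "$h_len" -gt 63 ]; then
        echo "wpa_passphrase is $h_len characters, need 8..63"; h_rc=1
    fi
    return $h_rc
}

# Constructed sample config with two mistakes.
sample=$(mktemp)
printf 'ssid=example-ap\nwpa_passphrase=short\nwpa=3\n' > "$sample"
check_hostapd_wpa "$sample" || echo "fix the findings above, then restart hostapd"
rm -f "$sample"
```

Run check_hostapd_wpa /etc/hostapd/hostapd.wlan0.conf on the soekris to check the real file.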

The rate limiting script is used to throttle http traffic.

Configure DHCP and DNS in the /etc/dnsmasq.conf file:

expand-hosts
domain=morspoort.fixedpoint.nl
except-interface=eth1
no-dhcp-interface=eth1
dhcp-range=192.168.20.0,static
dhcp-range=192.168.21.0,static
dhcp-host=x:x:x:x:x:x,y.y.y.y

You can use the /etc/hosts file to add DNS names:

127.0.0.1 localhost

192.168.20.201 ns1
192.168.20.201 gw1
192.168.20.201 ntp
192.168.20.201 soekris
192.168.21.1 gw2
10.0.0.1 gw3

192.168.178.1 adsl

10.99.99.1 server

192.168.20.212 media

Since I don't use a DHCP client, I prefer a static resolv.conf.

First remove the resolvconf package:

apt-get purge resolvconf

Then edit /etc/resolv.conf:

domain morspoort.fixedpoint.nl
search morspoort.fixedpoint.nl fixedpoint.nl
nameserver 127.0.0.1
nameserver 194.109.6.66

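Set up a rudimentary firewall. These rules accept loopback traffic and replies to connections the soekris itself opened, and drop all other incoming and forwarded traffic. The /etc/iptables directory is created by the iptables-persistent package (see Packages below), so install that before saving the rules: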

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables-save > /etc/iptables/rules.v4

Host name

Edit /etc/hostname:

soekris

Packages

You may find some of these packages helpful:

apt-get update
apt-get upgrade
apt-get install iptables-persistent bacula-client vim etherwake openvpn dialog screen locales exim4 sudo ntp rkhunter denyhosts dnsutils bind9-host mtr mutt

The locales package is installed to get rid of tons of error messages generated by dpkg:

dpkg-reconfigure locales

Choose en_US.UTF-8 UTF-8 and make it default.

Mail

Edit /etc/exim4/update-exim4.conf.conf to use an external mail server:

dc_eximconfig_configtype='smarthost'
dc_other_hostnames='soekris'
dc_smarthost='mail.fixedpoint.nl'

Set a valid mail name by editing /etc/mailname:

soekris

To forward all mail to one address, add the following line to /etc/aliases:

root: postmaster@fixedpoint.nl

Backup

I use the machine called media as a backup server. This is the content of /etc/bacula/bacula-fd.conf:

Director {
  Name = media-dir
  Password = "password1"
}

Director {
  Name = media-mon
  Password = "password2"
  Monitor = yes
}

FileDaemon {                     # this is me
  Name = soekris-fd
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run/bacula
  Maximum Concurrent Jobs = 20
  #FDAddress = 127.0.0.1
}

Messages {
  Name = Standard
  director = media-dir = all, !skipped, !restored
}

To connect to the bacula console, edit /etc/bacula/bconsole.conf:

Director {
  Name = media-dir
  DIRport = 9101
  address = 192.168.20.212
  Password = "password3"
}

I also made the soekris responsible for initiating backups every night. To do this, I made a couple of small scripts and placed them in the /root/scripts directory.

script      description
mediawake   Turn the backup server on.
mediahalt   Turn the backup server off.
halt        Backup server halting script.
runbackups  Start the backups.
config      The backup configuration.

Now, to initiate a backup every day at 06:25, run crontab -e as root and add the following line:

25 6 * * * sh /root/scripts/runbackups.sh > /dev/null

Wake remote server on demand

Since my backup server needs to be accessed sometimes, I gave the user jlaros permission to turn it on and off.

In /etc/sudoers, add the following line:

jlaros  ALL=NOPASSWD: /root/scripts/mediawake.sh, /root/scripts/mediahalt.sh

For convenience, you might want to add some aliases to /home/jlaros/.bash_profile:

alias mediawake="sudo /root/scripts/mediawake.sh"
alias mediahalt="sudo /root/scripts/mediahalt.sh"
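
Because the sudoers line above runs these scripts as root without a password, each script and the directory holding it should be owned by root and not writable by group or others. The following check is an added example, not part of the original setup; the function names are made up here and the parsing handles only the simple one-line sudoers form shown above.

```sh
#!/bin/sh
# Added example: audit the files named in a simple sudoers line.
# Function names are hypothetical; stat -c is the GNU coreutils form.

# Print the command paths of a line like "user ALL=NOPASSWD: /a, /b".
sudoers_commands() {
    printf '%s\n' "$1" | sed 's/^[^:]*:[[:space:]]*//' | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]].*$//' -e '/^$/d'
}

# Return 0 if $1 exists, is owned by uid $2 and has no group/other write bit.
safe_owner_mode() {
    s_rc=0
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    s_uid=$(stat -c %u "$1")
    s_mode=$(stat -c %a "$1")
    [ "$s_uid" = "$2" ] || { echo "OWNER    $1 (uid $s_uid, want $2)"; s_rc=1; }
    [ $(( 0$s_mode & 022 )) -eq 0 ] || { echo "WRITABLE $1 (mode $s_mode)"; s_rc=1; }
    return $s_rc
}

# Check a script and the directory holding it; owner uid defaults to 0 (root).
audit_sudo_target() {
    t_rc=0
    for t_path in "$1" "$(dirname "$1")"; do
        safe_owner_mode "$t_path" "${2:-0}" || t_rc=1
    done
    return $t_rc
}

# Audit every command on one sudoers line.
audit_sudoers_line() {
    a_rc=0
    for a_cmd in $(sudoers_commands "$1"); do
        audit_sudo_target "$a_cmd" "${2:-0}" || a_rc=1
    done
    return $a_rc
}

LINE='jlaros  ALL=NOPASSWD: /root/scripts/mediawake.sh, /root/scripts/mediahalt.sh'
audit_sudoers_line "$LINE" || echo "fix the paths listed above before relying on this rule"
```

Run it as root on the soekris, since /root is normally not readable by other users.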

Denyhosts

Make a file called /var/lib/denyhosts/allowed-hosts and add the IP address of any host that you want to exempt from being blocked by denyhosts.

VPN

The following config file (stored in /etc/openvpn) is an example of how to set up a VPN.