At this point I’ve got the hardware setup and running, but it’s a very basic install. This post is inspired by a post I came across some time ago that I felt gave some good advice. I’ll walk through the steps I took while following that article.
Starting with a clean Ubuntu 16.04.1 server install.
1st login
|
1 2 3 4 5 |
$ sudo apt-get update $ sudo apt-get upgrade $ sudo apt-get install fail2ban $ mkdir .ssh $ chmod 700 .ssh |
Fail2ban is a must have security feature, blocking traffic when it detects repeated failed attempts to access your system.
Now we want to make some ssh keys following the Ubuntu documentation. One key question is how big a key should we be using for reasonable security? I think the answer is 4096 bits.
|
1 2 3 4 |
cd .ssh ssh-keygen -t rsa -b 4096 cp id_rsa.pub authorized_keys chmod 400 authorized_keys |
Why create a key on the new machine? I have the opinion that unique ssh keys for unique machines is a good idea, and the ssh config file makes is really simple to manage multiple keys on your main machine (laptop).
Should you make use of a passphrase when creating your ssh key? If you really care about security, yes – you should. Otherwise anyone who manages to get their hands on your key immediately has access to everything. There is a small usability trade-off, since you need to provide that pass phrase (password) every time you want to use the key.
The ssh config file (not on the host, but on your laptop) will look like this:
|
1 2 3 4 |
$ cat config Host newmachine Hostname newmachine.mydomain.ca IdentityFile ~/.ssh/newmachine.key |
Assuming you’ve copied the private key (id_rsa) from the new server you’re setting up to the laptop, make sure to chmod 600 that key file too.
Now we should be able to ssh into the new server from our laptop. Hooray, it works!
Time to lock down ssh so key based logins are the only way
|
1 2 3 4 |
$ vi /etc/ssh/sshd_config # Change to no to disable tunnelled clear text passwords PasswordAuthentication no |
You might want to have a shell logged in to the machine while you do this, so you can verify that things are cool AND fix stuff if there is a problem. Otherwise you’re locked out.
Time for a firewall, we’re going to use ufw because it’s simple and does the IPTables setup for us.
|
1 2 3 4 |
$ sudo ufw allow 22 $ sudo ufw allow 80 $ sudo ufw allow 443 $ sudo ufw enable |
We’re letting ssh, http and https protocols, and that’s it. We’re not yet running a web server, but we will at one point.
Now let’s reboot and see how things are doing, if we can’t login — we really broke stuff. In my case, everything was still working just fine. If you did break things, go get the USB install for Ubuntu and boot a live version on the machine and use root access there to fix the configuration files to let you get back in — or just re-install and start over.
When I did the original install, I opted to not do automatic security updates. This was a mistake so I’ll fix that now.
|
1 2 3 4 5 6 7 |
$ vi /etc/apt/apt.conf.d/10periodic # Change things to look like below APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1"; |
Again, from the post I’m sort of following along – they recommend logwatch, something I haven’t used previously. Having run with it for a while now, I’ve grown to like the level of detail it pulls together into a daily email.
|
1 |
$ sudo apt-get install logwatch |
Now the logwatch installation triggered a postfix install and configuration. This is probably useful for my host to have email capability, but really I want to host my main mail system inside a docker container. Hopefully this won’t cause me grief in the future as I build out the set of containers that will run email etc.
I just picked the default postfix ‘internet’ install and it appears to have done the right thing to allow the new server to send email to lowtek.ca, so that’s positive. Again, my concern is when this new machine starts hosting the lowtek.ca email inside a docker container, how will all of that work? An issue I’ll certainly cover in a future post.
|
1 2 3 4 |
$ vi /etc/cron.daily/00logwatch # execute /usr/sbin/logwatch --output mail --mailto myid@lowtek.ca --detail high |
Almost done.
At this point, things are pretty good, but..
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-31-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 10 packages can be updated. 7 updates are security updates. $ sudo apt-get upgrade [sudo] password for roo: Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done The following packages have been kept back: linux-generic linux-headers-generic linux-image-generic snapd ubuntu-core-launcher 0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded. |
I’m concerned by the 10 packages that aren’t being automatically upgraded. It turns out that this is easy to fix with a dist-upgrade.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
$ sudo apt-get dist-upgrade Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done The following NEW packages will be installed: linux-headers-4.4.0-47 linux-headers-4.4.0-47-generic linux-image-4.4.0-47-generic linux-image-extra-4.4.0-47-generic snap-confine The following packages will be upgraded: linux-generic linux-headers-generic linux-image-generic snapd ubuntu-core-launcher 5 upgraded, 5 newly installed, 0 to remove and 0 not upgraded. Need to get 74.8 MB of archives. After this operation, 306 MB of additional disk space will be used. Do you want to continue? [Y/n] |
And of course, I continued and got all of the latst upgrades to the 16.04 tree. If you’re observant, you’ll notice that 16.04 is still back on an older kernel (4.4) which is fine, this is the LTS release.
One more reboot… then we see
|
1 2 3 4 5 6 7 8 |
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-47-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 0 packages can be updated. 0 updates are security updates. |
excellent. We’re current, and with the automatic updates we’ll get security patches with no additional effort. Non security patches will not install automatically, so from time to time we’ll still need to manually pull down patches.