These Ubuntu Gutsy articles will take you from a 'barebones' Ubuntu Gutsy Slice to a secured and up to date Slice ready for your server software (or whatever you use the Slice for).
Securing your Slice as soon as possible is a great way of starting your Slice administration.
On your LOCAL computer, edit the SSH known_hosts file and remove any entries that point to your Slice IP address. If this is a brand new Slice then you will not need to do this, but a reinstall will result in a different signature.
If you are not using Linux or a Mac on your LOCAL computer, the location of the known_hosts file will differ. Please refer to your own OS for details of where this file is kept.
As soon as you have your IP address and password for your VPS login via SSH:
Now we're logged in to the VPS, immediately change your root password
Add an admin user (I've used the name demo here but any name will do).
As you know, we never log in as the root user (this initial setup is the only time you would need to log in as root). As such, the main administration user (demo) needs to have sudo (Super User) privileges so he can, with a password, complete administrative tasks.
To configure this, give the 'visudo' command:
At the end of the file add:
demo ALL=(ALL) ALL
One effective way of securing SSH access to your slice is to use a public/private key. This means that a 'public' key is placed on the server and the 'private' key is on our local workstation. This makes it impossible for someone to log in using just a password - they must have the private key.
The first step is to create a folder to hold your keys. On your LOCAL workstation:
That's assuming you use Linux or a Mac and the folder does not exist. I will do a separate article for key generation using Putty for Windows users.
To create the ssh keys, on your LOCAL workstation enter:
ssh-keygen -t rsa
If you do not want a passphrase then just press enter when prompted.
That created two files in the .ssh directory: id_rsa and id_rsa.pub. The pub file holds the public key. This is the file that is placed on the Slice.
The other file is your private key. Never show, give away or keep this file on a public computer.
Now we need to get the public key file onto the Slice.
We'll use the 'scp' command for this as it is an easy and secure means of transferring files.
Still on your LOCAL workstation enter this command:
scp ~/.ssh/id_rsa.pub email@example.com:/home/demo/
When prompted, enter the demo user password.
Change the IP address to your slice and the location to your admin user's home directory (remember the admin user in this example is called demo).
OK, so now we've created the public/private keys and we've copied the public key onto the Slice.
Now we need to sort out a few permissions for the ssh key.
On your Slice, create a directory called .ssh in your home folder and move the pub key into it.
mkdir /home/demo/.ssh mv /home/demo/id_rsa.pub /home/demo/.ssh/authorized_keys
Now we can set the correct permissions on the key:
chown -R demo:demo /home/demo/.ssh chmod 700 /home/demo/.ssh chmod 600 /home/demo/.ssh/authorized_keys
Again, change the 'demo' user and group to your admin user and group.
Done. It may seem a long set of steps but once you have done it once you can see the order of things: create the key on your local workstation, copy the public key to the Slice and set the correct permissions for the key.
Next we'll change the default SSH configuration to make it more secure:
Use can use this ssh configuration as an example.
The main things to change (or check) are:
Port 30000 <--- change to a port of your choosing Protocol 2 PermitRootLogin no PasswordAuthentication no X11Forwarding no UsePAM no UseDNS no AllowUsers demo
I think the setting are fairly self explanatory but the main thing is to move it from the default port of 22 to one of your choosing, turn off root logins and define which users can log in.
PasswordAuthentication has been turned off as we setup the public/private key earlier. Do note that if you intend to access your slice from different computers you may want leave PasswordAuthentication set to yes. Only use the private key if the local computer is secure
Right, now we have the basics of logging in and securing SSH done.
Next thing is to set up our iptables so we have a more secure installation. To start with, we're going to have three ports open: ssh, http and https.
We're going to create two files, /etc/iptables.test.rules and /etc/iptables.up.rules. The first is a temporary (test) set of rules and the second the 'permanent' set of rules (this is the one iptables will use when starting up after a reboot for example).
Note: We are still logged in as the root user. This is a new, or reinstalled slice, and it is the only time we will ever log in as root. If you are doing this later, when logged in as the admin user, you will need to enter the command:
The sudo -i command will place you as the 'root' user. You will need to do this when changing the iptables rules.
So, as the root user, save any existing rules to /etc/iptables.up.rules:
iptables-save > /etc/iptables.up.rules
Now let's see what's running at the moment:
You will see something similar to this:
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
As you can see, we are accepting anything from anyone on any port and allowing anything to happen.
One theory is that if there are no services running then it doesn't matter. I disagree. If connections to unused (and popular) ports are blocked or dropped, then the vast majority of script kiddies will move on to another machine where ports are accepting connections. It takes two minutes to set up a firewall - is it really worth not doing?
Let's assume you've decided that you want a firewall. Create the file /etc/iptables.test.rules and add some rules to it.
Look at this example iptables configuration file.
The rules are very simple and it is not designed to give you the ultimate firewall. It is a simple beginning.
Hopefully you will begin to see the pattern of the configuration file. It isn't complicated and is very flexible. You can change and add ports as you see fit.
Good. Defined your rules? Then lets apply those rules to our server:
iptables-restore < /etc/iptables.test.rules
Let's see if there is any difference:
Notice the change? (If there is no change in the output, you did something wrong. Try again from the start).
Have a look at the rules and see exactly what is being accepted, rejected and dropped. Once you are happy with the rules, it's time to save our rules permanently:
iptables-save > /etc/iptables.up.rules
Now we need to ensure that the iptables rules are applied when we reboot the server. At the moment, the changes will be lost and it will go back to allowing everything from everywhere.
Open the file /etc/network/interfaces
Add a single line (shown below) just after 'iface lo inet loopback':
... auto lo iface lo inet loopback pre-up iptables-restore < /etc/iptables.up.rules # The primary network interface ...
As you can see, this line will restore the iptables rules from the /etc/iptables.up.rules file. Simple but effective.
Logging in as the new user
Now we have our basic firewall humming along and we've set the ssh configuration. Now we need to test it. Reload ssh so it uses the new ports and configurations:
Don't logout yet...
As you have an already established connection you will not be locked out of your ssh session (look at the iptables config file: it accepts already established connections).
On your LOCAL computer, open a new terminal and log in using the administration user (in this case, demo) to the port number you configured in the sshd_config file:
ssh -p 30000 firstname.lastname@example.org
The reason we use a new terminal is that if you can't login you will still have the working connection to try and fix any errors.
Slicehost also has the excellent ajax console so if it all goes horribly wrong, you can log into your slice from the Slicehost management area.
If all goes well you should login without a password to a plain terminal:
We now know that the firewall and ssh_config works and we can log in.
Let's move on to page 2 which includes updating the install and installing some base programmes.