Ubuntu Feisty setup - page 1

In this Ubuntu Feisty guide, we have a basic Ubuntu Feisty slice upgraded from Ubuntu LTS as shown in this article. Do note that the upgrade should have been conducted on a barebones LTS install.

Now we need to access the slice and secure it as soon as possible.


Log in:

You may be logged in from the upgrade article, but if not, using your IP address and password login via SSH:

ssh root@123.45.67.890

User administration

The root password has already been changed in the upgrade process.

So now we'll add an admin user (I've used the name demo here but any name will do).

adduser demo

As demo is our main administration user (we don't log in as root!) he needs to have sudo (Super User) privileges. We give those permissions via the visudo command:

visudo

At the end of the file add:

demo   ALL=(ALL) ALL

SSH preperation

One effective way of securing SSH access to your slice is to use a public/private key. This means that a 'public' key is placed on the server and the 'private' key is on our local workstation. This makes it impossible for someone to log in using just a password - they must have the private key.

This is very simple with ssh-copy-id (thanks to Eftarjin for correcting my original suggestion).

We already have our admin user created (demo), so on your local workstation enter the command:

ssh-copy-id -i ~/.ssh/id_rsa.pub demo@123.45.67.890

We use the -i option to specify which file (identity) to copy across to the slice. The user is then specified followed by the IP address of the slice.

So what happens when the command is entered? Firstly you will need to enter the user's password so it can have secure access to the slice. Then it creates a 'hidden' directory called .ssh and copies the public key to a file named 'authorized_keys'.

It then automatically changes the permissions so that only the owner (demo) can read or write to the file. Neat.

It's always a good idea to check the settings on something as important as this so let's have quick look at the permissions:

ls -al /home/demo/.ssh/authorized_keys
...
-rw------- 1 demo demo 394 Sep  6 09:23 /home/demo/.ssh/authorized_keys

Perfect. You can also open the authorized_keys file and make sure only your key was copied across and it is not full of unknown keys.

Remember that this is the only time you'll need to enter the SSH password as the file we just copied over will authorise the admin user 'demo' to SSH in without it - but only if they have the private key on their local workstation: it won't work from any workstation.

SSH config

Next we'll change the default SSH configuration to make it more secure:

nano /etc/ssh/sshd_config

Use can use this ssh configuration as an example.

The main things to change (or check) are:

Port 30000                           <--- change to a port of your choosing
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers demo

I think the setting are fairly self explanatory but the main thing is to move it from the default port of 22 to one of your choosing, turn off root logins and define which users can log in.

PasswordAuthentication has been turned off as we setup the public/private key earlier. Do note that if you intend to access your slice from different computers you may want leave PasswordAuthentication set to yes. Only use the private key if the local computer is secure i.e. don't place it on a machine at work, etc.

iptables

Right, now we have the basics of logging in and securing SSH done.

Next thing is to set up our iptables so we have a more secure installation. To start with, we're going to have three ports open: ssh, http and https.

We're going to create two files, /etc/iptables.test.rules and /etc/iptables.up.rules. The first is a temporary (test) set of rules and the second the 'permanent' set of rules (this is the one iptables will use when starting up after a reboot for example).

Note: We are still logged in as the root user. This is a new, or reinstalled slice, and it is the only time we will ever log in as root. If you are doing this later, when logged in as the admin user, you will need to enter the command:

sudo -i

The sudo -i command will place you as the 'root' user. You will need to do this when changing the iptables rules as it won't work by adding a standard 'sudo' in front of the commands.

So, as the root user, save any existing rules to /etc/iptables.up.rules:

iptables-save > /etc/iptables.up.rules

Now let's see what's running at the moment:

iptables -L

You will see something similar to this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As you can see, we are accepting anything from anyone on any port and allowing anything to happen.

One theory is that if there are no services running then it doesn't matter. I disagree. If connections to unused (and popular) ports are blocked or dropped, then the vast majority of script kiddies will move on to another machine where ports are accepting connections. It takes two minutes to set up a firewall - is it really worth not doing?

Let's assume you've decided that you want a firewall. Create the file /etc/iptables.test.rules and add some rules to it.

nano /etc/iptables.test.rules

Look at this example iptables configuration file.

The rules are very simple and it is not designed to give you the ultimate firewall. It is a simple beginning.

Hopefully you will begin to see the pattern of the configuration file. It isn't complicated and is very flexible. You can change and add ports as you see fit.

Good. Defined your rules? Then lets apply those rules to our server:

iptables-restore < /etc/iptables.test.rules

Let's see if there is any difference:

iptables -L

Notice the change? (If there is no change in the output, you did something wrong. Try again from the start).

Have a look at the rules and see exactly what is being accepted, rejected and dropped. Once you are happy with the rules, it's time to save our rules permanently:

iptables-save > /etc/iptables.up.rules

Now we need to ensure that the iptables rules are applied when we reboot the server. At the moment, the changes will be lost and it will go back to allowing everything from everywhere.

Open the file /etc/network/interfaces

nano /etc/network/interfaces

Add a single line (shown below) just after 'iface lo inet loopback':

...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.up.rules

# The primary network interface
...

As you can see, this line will restore the iptables rules from the /etc/iptables.up.rules file. Simple but effective.

testing

Now we have our basic firewall humming along and we've set the ssh configuration. Now we need to test it. Reload ssh so it uses the new ports and configurations:

/etc/init.d/ssh reload

Don't logout yet...

On your LOCAL computer, open a new terminal and log in using the administration user (in this case, demo) to the port number you configured in the sshd_config file:

ssh -p 30000 demo@123.45.67.890

The reason we use a new terminal is that if you can't login you will still have the working connection to try and fix any errors.

Slicehost also has the excellent ajax console so if it all goes horribly wrong, you can log into your slice from the Slicehost management area.

If all goes well you should login without a password to a plain terminal:

demo@yourvpsname:~$

Success!

We now know that the firewall and ssh_config works and we can log in.

Let's move on to page 2 which includes updating the install and installing some base programmes.

PickledOnion.

Article Comments:

Eftarjin commented Wed Sep 05 22:58:42 UTC 2007:

  • What about using ssh-copy-id to copy the public key to slice ?
  • "We're going to create two files, /etc/iptables.up.rules and /etc/iptables.test.rules. The first is a temporary (test) set of rules and the second the 'permanent' set of rules" : isn't it the opposite ?

PickledOnion commented Thu Sep 06 09:37:30 UTC 2007:

Eftarjin, Good catch! Thanks for pointing that out - I have changed the order of the listing.

You have a point about ssh-copy-id. You can use that, there is no particular reason I did it the way shown and I have, in fact, changed the article to reflect the way you suggest.

Thanks, PickledOnion.

Steve Schwartz commented Wed Sep 26 02:41:18 UTC 2007:

I stuck on the first step of ssh preparation. When I enter the following on my local machine

ssh-copy-id -i ~/.ssh/id_rsa.pub demo@123.45.67.890 (with my info of course)

I get "ERROR: No identities found"

Any ideas?

Steve Schwartz commented Wed Sep 26 06:43:20 UTC 2007:

Nevermind, I'm dumb. I was suppose to be entering that after doing the keygen command from my local machine.

ssh-keygen -t rsa

djwonk commented Fri Oct 12 18:39:59 UTC 2007:

In my case, the pre-up line should go after the 'iface eth0' line:

auto eth0 iface eth0 inet static pre-up iptables-restore < /etc/iptables.up.rules

Putting it "just after 'iface lo inet loopback'" like you locked me out from external ssh access. I had to use the console to repair things.

dark commented Sun Oct 28 04:25:01 UTC 2007:

just on newbie question, if I followed the "ssh-copy-id -i ~/.ssh/id_rsa.pub demo@123.45.67.890", anyone who got my private file can access to my slice, so isn't it less secured than password?

PickledOnion commented Sun Oct 28 10:28:54 UTC 2007:

Hi Dark,

That depends on how secure you keep your private key.

Having said that there are a couple of other things to keep in mind:

Firstly, with a private key setup, the only way for someone to gain access is if they have the key.

If you allow password access, then anyone can gain access if they guess the password. Brute force attempts are made on daily basis in their hundreds of thousands all over the net.

Sure, a good password may help in preventing that but it does allow for more access to your Slice.

Secondly, now I've said why password access is less secure, if you are concerned about someone gaining your private key (though unless you place it in a less secure place like a work computer, this is pretty unlikely) then when you create your private key you can place a passphrase on that.

That means that someone will need your private key and need to know the passphrase.

Don't confuse the passphrase with the password. The passphrase protects the private key. It is not the same as logging in with a password.

I hope that helps.

PickledOnion.

Want to comment?


(not made public)

(optional)

(use plain text or Markdown syntax)