Ubuntu - Setup

This article will walk you through setting up your Ubuntu Cloud Server.


Log in

Windows Clients

If you are logging into your server from Windows you can use a terminal application called PuTTY. Simply do a Google search for it and you will find where to download it.

Mac / Linux Clients

Simply type the command below from a Terminal window to log in:

# ssh root@

If this is a reinstall you may have to delete your ~/.ssh/known_hosts file. Please refer to your operating system's documentation on how to resolve this.

User administration

Now that we're logged in to the VPS, immediately change your root password:

# passwd

Add an admin user (I've used the name demo here but any name will do).

# adduser demo

You'll be prompted for the password as well as basic user information.

As you know, we never log in as the root user (this initial setup is the only time you would need to log in as root). As such, the main administration user (demo) needs to have sudo (Super User) privileges so they can, with a password, complete administrative tasks.

To do this, we're going to add the main user to the 'sudo' group. Once that is done, we need to edit the 'sudoers' file, using visudo, and ensure the 'sudo' group has the correct privileges.

So firstly, add the user to the sudo group:

# usermod -a -G sudo demo

Next, give the 'visudo' command:

# visudo

Near the bottom of the file you will see this group of text:

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)

Simply add the following line just under the text above:

## Allow members of group sudo to run all commands
%sudo  ALL=(ALL)       ALL

Save the file by pressing CTRL-X on your keyboard, followed by Y and Enter. Now members of the 'sudo' group have full sudo privileges. You can test this by opening another SSH session, logging in as the demo user, and typing sudo su - followed by Enter to get to a root shell prompt. You will be prompted for the demo password.

Updating Apt

Ubuntu comes with a fully functional package manager called Apt, or apt-get. Ubuntu can also use a program called Aptitude, but it's not always installed on Ubuntu by default.

The first thing we'll need to do is update our cache by running the following command:

# apt-get update

Once you have been returned to the console you'll need to upgrade the packages on your server to keep it secure. Run the following command to upgrade your packages:

# apt-get upgrade

You'll be prompted to confirm the upgrade, press Y followed by Enter.

SSH keys

One effective way of securing SSH access to your server is to use a public/private key pair, which means that a public key is placed on the server and the private key stays on your local computer. This makes it impossible for someone to log in using just a password; they must have the private key. For information about setting up public and private SSH keys on Linux or Mac OS X, read Configuring basic security. For Windows, read Generating RSA keys with SSH - PuTTYgen.

Basic Firewall

Now it is time to set up a basic firewall. For this tutorial we'll use a great Ubuntu article as the basis for our basic firewall. You can find this article here: https://help.ubuntu.com/community/IptablesHowTo

The following steps will set up each part of a basic firewall configuration. Once we have all of the rules applied we'll save the rules and set them to start up at boot.

Allow established connections

The first thing we need to do is allow any established traffic to come into the server. This will allow our SSH traffic to continue functioning while we work on our firewall. Type the following command:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow SSH traffic

Next we need to include a rule to enable SSH traffic. Type the following rule to allow incoming SSH connections:

# iptables -A INPUT -p tcp --dport ssh -j ACCEPT

If we were to look at our rules at this point by typing iptables -L we would see something like this:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

While this looks like it may be complete, we still need to add a few additional rules. Let's continue on...

Allow HTTP traffic (optional)

If you intend to host a web server you will need to include a rule to accept HTTP (port 80) traffic. Type the following rule to do this:

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Note: You will still be required to install a web server such as Apache!

Drop all remaining traffic

Now we need to set up our final rule, which drops all remaining incoming traffic that none of the rules above accepted.

# iptables -A INPUT -j DROP

Allow loopback traffic

Now that we've worked on the rules for our external traffic we need to allow internal loopback traffic so services on the server itself can talk to each other. Because the rules are matched top-down and the DROP rule is already in place, this rule is inserted at position 1 rather than appended. Type the following rule to allow this:

# iptables -I INPUT 1 -i lo -j ACCEPT

Check your rules

Now if you look at your rules by typing iptables -L -v you should see something similar to this:

# iptables -L -v
Chain INPUT (policy ACCEPT 355 packets, 26896 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
  323 24560 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    1    48 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:www 
    0     0 DROP       all  --  any    any     anywhere             anywhere 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 372 packets, 38968 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Saving your rules

Now that we have a basic firewall configuration we need to go ahead and save it. The command iptables-save will save your iptables configuration. By default it prints it to the console, so we need to redirect it to a file. Type the following to save the rules to /etc/iptables.rules:

# iptables-save > /etc/iptables.rules
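As an added example (not from the original article), the following Python evaluator reads an iptables-save dump like the one just written, walks the INPUT chain with the same first-match logic the kernel applies, and shows why the loopback rule had to be inserted at position 1 rather than appended after the DROP. SAVED_RULES is a constructed sample matching the rules above, and parse_chain, verdict and appended_instead_of_inserted are this example's own helper names.

```python
import shlex

# Constructed sample of /etc/iptables.rules after the steps above; iptables-save
# writes the page's "--dport ssh" as "-m tcp --dport 22".
SAVED_RULES = """\
*filter
:INPUT ACCEPT [355:26896]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [372:38968]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""
# iptables-save flag -> packet attribute it is matched against
FIELD = {"-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state"}

def parse_chain(dump, chain="INPUT"):
    """Return (policy, rules); each rule maps flags to values, in file order."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        if line.startswith("["):               # counters from "iptables-save -c"
            line = line.split(" ", 1)[1]
        if line.startswith(":%s " % chain):
            policy = line.split()[1]
        elif line.startswith("-A %s " % chain):
            toks, rule, i = shlex.split(line)[2:], {}, 0
            while i < len(toks):
                if toks[i] != "-m":            # "-m tcp"/"-m state" just load a module
                    rule[toks[i]] = toks[i + 1]
                i += 2
            rules.append(rule)
    return policy, rules

def verdict(dump, iface, proto, dport, state):
    """First-match walk of INPUT: the first rule whose every test fits decides."""
    pkt = {"iface": iface, "proto": proto, "dport": str(dport), "state": state}
    policy, rules = parse_chain(dump)
    for rule in rules:
        # a rule with no match flags (the final "-j DROP") fits every packet
        if all(pkt[FIELD[f]] in rule[f].split(",") for f in FIELD if f in rule):
            return rule["-j"]
    return policy                              # fell off the end: chain policy

def appended_instead_of_inserted(dump):
    """Same rules if loopback had been added with -A (after DROP) instead of -I INPUT 1."""
    lo = "-A INPUT -i lo -j ACCEPT\n"
    return dump.replace(lo, "").replace("-A INPUT -j DROP\n", "-A INPUT -j DROP\n" + lo)
```

Running verdict against the saved file before you reboot is a cheap way to confirm that SSH on port 22 is still reachable and that local loopback traffic is not silently dropped by a misordered rule.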

Set your rules to apply at boot

Finally we need to make sure that our iptables rules are applied when we boot up the server. The method that Ubuntu suggests is to apply them to your interfaces file but because of the tight integration with our Control Panel we do not recommend that. Our suggested method is to create a service that applies the rules.

To create the startup service file type the following command:

# nano /etc/network/if-pre-up.d/iptaload

You'll see the nano text editor load up. Paste in the following text:

#!/bin/sh
# Restore the saved rule set before the interface comes up
iptables-restore < /etc/iptables.rules
exit 0

Save the file by pressing CTRL-X, then Y and Enter.

Next we need to create a service that will run when the server is shut down. This file will save our rules so any changes we have made will be applied at next boot. Type the following to create the service file:

# nano /etc/network/if-post-down.d/iptasave

Once the nano editor has appeared, paste in the following text:

#!/bin/sh
# Save the current rules (with counters) so they are restored at next boot
iptables-save -c > /etc/iptables.rules
# Optionally load an alternative rule set while the interface is down
if [ -f /etc/iptables.downrules ]; then
   iptables-restore < /etc/iptables.downrules
fi
exit 0

Save the file as you did before.

Now we need to make sure these scripts are executable. Type the following:

# chmod +x /etc/network/if-post-down.d/iptasave
# chmod +x /etc/network/if-pre-up.d/iptaload

Test your setup

You may reboot your server and run iptables -L to make sure that your firewall rules applied successfully.

--Kelly Koehn 10:41, 11 February 2010 (CST)

© 2015 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
