Ubuntu - Setup
This article will walk you through setting up your Ubuntu Cloud Server.
If you are logging into your server from Windows you can use a terminal application called PuTTY. Simply do a Google search for it and you will find where to download it.
Mac / Linux Clients
Simply type in the command below from a Terminal window to login:
# ssh email@example.com
If this is a reinstall you may have to delete your ~/.ssh/known_hosts file. Please refer to your Operating Systems documentation on how to resolve this.
Now we're logged in to the VPS, immediately change your root password
Add an admin user (I've used the name demo here but any name will do).
# adduser demo
You'll be prompted for the password as well as basic user information.
As you know we never log in as the root user (this initial setup is the only time you would need to log in as root). As such, the main administration user (demo) needs to have sudo (Super User) privileges so he can, with a password, complete administrative tasks.
To do this, we're going to add the main user to the 'sudo' group. Once that is done, we need to edit the 'sudoers' file, using visudo, and ensure the 'sudo' group has the correct privileges.
So firstly, add the user to the sudo group:
# usermod -a -G sudo demo
Next, give the 'visudo' command:
Near the bottom of the file you will see this group of text:
# Uncomment to allow members of group sudo to not need a password # (Note that later entries override this, so you might need to move # it further down) # %sudo ALL=NOPASSWD: ALL
Simply add the following line just under the text above:
## Allows people in group wheel to run all commands %sudo ALL=(ALL) ALL
Save the file by pressing CTRL-X on your keyboard, followed by Y and Enter. Now members of the 'sudo' group have full sudo privileges. You can test this by opening up another SSH session and logging in as the demo user trying to get to a root shell prompt by typing sudo su - and pressing Enter. You will be prompted for the demo password.
Ubuntu comes with a fully functional package manager called Apt, or apt-get. Ubuntu can also use a program called Aptitude, but it's not always installed on Ubuntu by default.
The first thing we'll need to do is update our cache by running the following command:
# apt-get update
Once you have been returned to the console you'll need to upgrade the packages on your server to keep it secure. Run the following command to upgrade your packages:
# apt-get upgrade
You'll be prompted to confirm the upgrade, press Y followed by Enter.
One effective way of securing SSH access to your server is to use a public/private key, which means that a public key is placed on the server and the private key is on your local computer. This makes it impossible for someone to log in using just a password; they must have the private key. For information about setting up public and private SSH keys on Linus or Mac OS X, read Configuring basic security. For Windows, read Generating RSA keys with SSH - PuTTYgen.
Now it is time to setup a basic firewall. For this tutorial we'll use a great Ubuntu article as the basis for our basic firewall. You can find this article here: https://help.ubuntu.com/community/IptablesHowTo
The following steps will setup each part of a basic firewall configuration. Once we have all of the rules applied we'll save the rules and set them to start up at boot.
Allow established connections
The first thing we need to do is allow any established traffic to come into the server. This will allow our SSH traffic to continue functioning while we work on our firewall. Type the following command:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow SSH traffic
Next we need to include a rule to enable SSH traffic. Type the following rule to allow incoming SSH connections:
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
If we were to look at our rules at this point by typing iptables -L we would see something like this:
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
While this looks like it may be complete, we still need to add a few additional rules. Let's continue on...
Allow HTTP traffic (optional)
If you intend to host a web server you will need to include a rule to accept HTTP (port 80) traffic. Type the following rule to do this:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Note: You will still be required to install a web server such as Apache!
Drop all remaining traffic
Now we need to setup our final rule to drop all remaining traffic that is not destined for our server.
# iptables -A INPUT -j DROP
Allow loopback traffic
Now that we've worked on the rules for our external traffic we need to allow internal loopback traffic for inter-server communication. Type the following rule to allow this:
# iptables -I INPUT 1 -i lo -j ACCEPT
Check your rules
Now if we look at our rules by typing iptables -L -v you should see something similar to this:
# iptables -L -v Chain INPUT (policy ACCEPT 355 packets, 26896 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo any anywhere anywhere 323 24560 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED 1 48 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www 0 0 DROP all -- any any anywhere anywhere Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 372 packets, 38968 bytes) pkts bytes target prot opt in out source destination
Saving your rules
Now that we have a basic firewall configuration we need to go ahead and save it. The command iptables-save will save your IPtables configuration. By default it will send it to the console so we need to 'pipe' it to a file. Type the following to save the file to /etc/iptables.rules:
# iptables-save > /etc/iptables.rules
Set your rules to apply at boot
Finally we need to make sure that our iptables rules are applied when we boot up the server. The method that Ubuntu suggests is to apply them to your interfaces file but because of the tight integration with our Control Panel we do not recommend that. Our suggested method is to create a service that applies the rules.
To create the startup service file type the following command:
# nano /etc/network/if-pre-up.d/iptaload
You'll see the nano text editor load up. Paste in the following text:
#!/bin/sh iptables-restore < /etc/iptables.rules exit 0
Save the file by pressing CTRL-X, then Y and Enter.
Next we need to create a service that will run when the server is shut down. This file will save our rules so any changes we have made will be applied at next boot. Type the following to create the service file:
# nano /etc/network/if-post-down.d/iptasave
Once the nano editor has appeared, paste in the following text:
#!/bin/sh iptables-save -c > /etc/iptables.rules if [ -f /etc/iptables.downrules ]; then iptables-restore < /etc/iptables.downrules fi exit 0
Save the file as you did before.
Now we need to make sure these scripts are executable. Type the following:
# chmod +x /etc/network/if-post-down.d/iptasave # chmod +x /etc/network/if-pre-up.d/iptaload
Test your setup
You may reboot your server and run iptables -L to make sure that your firewall rules applied successfully.
--Kelly Koehn 10:41, 11 February 2010 (CST)
Carry on the conversation in the Rackspace Community.
© 2015 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER