A Project by Mathias
By following this guide, you'll to get a secure Ubuntu 18.04 server running and ready for use. This can be done from any environment.
Here's a list of some of the fancy technologies/software used in the project:
- Git
- Cloud-init
- Vagrant
- VirtualBox
- SSH
This setup is made possible with a virtual machine(VM), to ensure that everybody can achieve the same results, without ever worrying about configuring their own environment.
Make sure VirtualBox and Vagrant are installed. If they aren't installed yet, it's quite easy to get done by going to their websites and following the instructions for your OS.
The VM used in this project contains the instructions for setting up an Ubuntu 18.04 OS. This is done in order to ensure the possibility of generating secure SSH key-pairs with the ssh-keygen
command.
Open a terminal and make a new project folder, then download this repository:
mkdir server-setup && cd server-setup
git clone https://github.com/MathiasKandelborg/server-configuration.git .
Now it's time to setup the VM. This generally takes some time as the computer is downloading, installing and running an entire Operating System, in your current OS. This only needs to be set up once though.
vagrant up
When the installation processes are done, access the VM with this command:
vagrant ssh
We'll create the key-pair with some extra flags for more security. We're also telling the program to create a 4096bit key instead of the standard 2048bit
ssh-keygen -f ~/generated-keys/server_id -t rsa -b 4096
press 'enter' twice for no password.
You can choose a password if you want to, it's not needed for this guide but is good for security. The password is needed every time the key is used.
Needless to repeat, this is a secure server setup and you need to figure out how you are going to handle your files - in a secure manner.
I cannot give any definitive suggestions to secure file & password handling, because there's so many situations to take into account - it's best if you take some time to learn about file & group permissions on computers + proper data-handling practices.
You might have noticed that two files popped up inside the generated-keys
folder, the one with the .pub extension is for registering your key-pair. The other is highly confidential, if it gets compromised(shared with the real world) you have no defence against someone who has that key. This lack of defence means that your database(s), login credentials, command history and everything else on your server is free to access for anyone.
The cloud-init file is where everything that should get installed and be executed on first boot - is defined.
This setup is quite bare-bones but this is a guide to a secure server setup, not a complete one. ;)
Here's an overlook of the instructions defined in the file:
-
Set the main user to 'admin'
-
Disable running admin commands without sudo
-
Disable root login functionality
-
Define authorized SSH keys for user 'admin'
-
Change the default SSH port to defer generic hacking attempts
-
Disable password login on server
-
Enable login for new user' admin' only
-
Setup a firewall using the UFW
- Opt-in on ingoing connections instead of opt-out
- Disable default SSH connection
- Enable default web hosting ports
-
Set timezone to UTC
At this point we want to edit the cloud-init file to suit our environment.
The only thing we need to do right now, is input the newly generated SSH key:
- Copy the contents of server_id.pub
- Open up the
cloud-init
file in your text-editor/IDE
cloud-init is a yaml file and indentation is really important
- Input all the contents of server_id.pub on line 8, from column 9
If you choose to change the name of the user, remember to change it on line 12 as well. This is where we tell the server which users are allowed to connect to the server via SSH.
If you don't have an account at Digital Ocean already, go make one right now (here's my referral link, if, you know..).
-
Log into your account
-
Press the green button with the words 'create' in the top-right corner
-
Choose the 'Droplets' option
-
At the start in the images dropdown-menu choose
Ubuntu 18.04 x64
-
Choose your preferred server size (the smallest is fine)
-
Skip the sections about enabling backups and adding volumes
-
Chose a data-center region closest to your location
-
Select the following additional options:
- IPv6
- Monitoring
- User data
After having chosen 'user data', a big text-box show up. Let's put something in that box!
This box is actually where most of the 'magic' happens. In here, we'll input our cloud-init file, which sets up the server, with a pre-defined firewall and one user, that has access only with our new SSH key.
Let's continue:
- Copy the contents of your customized cloud-init file
- Paste the file contents into the 'user data' text-box
You can happily skip the SSH key section, as that functionality is what we've just done. We're just storing the key in our own, local environment. That is, not on a server somewhere we don't have control over it.
In the last section, you can define how many droplets you want and an optional hostname.
Now for the last and hardest part of setting up a server, I'm not sure any of us are ready for this:
- Click create!
It'll take a minute or two before the droplet is accessible with the custom configuration. In the meantime, let's go back to the terminal and access our VM.
In order to access the remote server, the fast way is to go to our project folder.
-
Access the terminal with the VM running or run
vagrant up && vagrant ssh
-
Connect to the server
Alternatively, you can use any SSH program of your choice, as long as you can define the locations of your keys.
ssh -p 2222 [email protected] -i ~/generated-keys.pub
If you choose to use other software than provided, remember to change the connection port to 2222 instead of 22. You can change the port on line 10. Change the 2222
part to the port of your choice. Remember to change the corresponding port on line 16.
For some clarification on why or why not, read this.
sed -i -e '/^#Port 22/s/^.*$/Port 9001/' /etc/ssh/sshd_config
...
...
ufw allow 9001/tcp
This would result in having to use port 9001, when connecting to this host.
- VSCode - The IDE & Text editor
- VirtualBox - VMM
- Vagrant - Fantastic tool for building and managing automated environments
- Cloud-init - The defacto multi-distribution package that handles early initialization of a cloud instance
This project is licensed under the MIT License - see the LICENSE.md file for details
- Mathias Wøbbe - Initial work - MathiasKandelborg