05 Jan 2020 - by 'Maurits van der Schee'
In a previous post I installed Ubuntu 18.04 on my Dell R720xd. In this post I will show how to install OpenSSH on it, so that we no longer need the iDRAC for system administration. After setting up SSH to securely manage the server we only need the iDRAC when we misconfigure the firewall or the network.
Installing OpenSSH can be done by selecting the "OpenSSH server" in the software selection screen of the network installer. Alternatively you can install it, or ensure that it is installed, by running the following command:
sudo apt install openssh-server
This should start and enable the SSH server. To verify that it is running you can run:
sudo systemctl status ssh.service
To show only the relevant line of that output, run:
systemctl status ssh.service | grep Active:
It should output:
Active: active (running) since Sun 2020-01-05 23:15:24 CET; 2min 2s ago
Now you can also test connectivity by running:
nc 0 22
It should (immediately) output:
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
You can end the command with Ctrl-C (or pressing enter twice, triggering a "Protocol mismatch"). If your SSH is not running then there will be no output.
To enable UFW (Uncomplicated FireWall) and allow only port 22 (for SSH) towards this server you can run:
sudo ufw allow 22
sudo ufw enable
To verify that UFW is running, you can run the following command:
sudo ufw status
It should output:
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
Showing that only port 22 is allowed on both IPv4 and IPv6.
Unfortunately UFW spams /var/log/syslog by default with "block" messages, while it already logs to /var/log/ufw.log. We can avoid this double logging by running:
sudo nano /etc/rsyslog.d/20-ufw.conf
and changing the last line from:
#& stop
to:
& stop
To make this effective we need to restart the rsyslog service using:
sudo systemctl restart rsyslog
Now your UFW log messages should no longer show up in /var/log/syslog.
You may want to log in to the server using SSH and transfer your public keys.
You need to put your public keys (one per line) in the file ~/.ssh/authorized_keys.
IMPORTANT: check that you connect to the server without entering a password, before continuing.
Now you can disable (interactive) password logins in the SSH config by running:
sudo nano /etc/ssh/sshd_config
change the line:
#PasswordAuthentication yes
into:
PasswordAuthentication no
Now reload the SSH service for these changes to take effect:
sudo systemctl reload ssh.service
And now the server is online and secure.
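Before closing your current session, it is worth checking the effective sshd configuration (as printed by `sudo sshd -T`, which resolves defaults and includes), the UFW rule set and the authorized_keys file. The following script is an added example, not code from the original post: its helpers take the text of those commands' output as an argument, and the sample inputs are constructed, not output from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): verify the hardened state from
# captured command output. The helpers take the text of `sudo sshd -T`,
# `sudo ufw status` and ~/.ssh/authorized_keys as their argument; the
# sample inputs below are constructed placeholders, not real server output.

# 0 only if the *effective* sshd config has password logins off and public
# keys on. `sshd -T` prints resolved, lowercase keys, so a commented-out
# "#PasswordAuthentication yes" or an edit that was never reloaded cannot
# pass this check by accident.
check_sshd() {
    printf '%s\n' "$1" | grep -qx 'passwordauthentication no' || return 1
    printf '%s\n' "$1" | grep -qx 'pubkeyauthentication yes'  || return 1
}

# 0 only if UFW is active and every ALLOW rule is for port 22 (both the
# IPv4 line and the "22 (v6)" line have 22 as their first field).
check_ufw() {
    printf '%s\n' "$1" | grep -qx 'Status: active' || return 1
    printf '%s\n' "$1" | awk 'BEGIN { bad = 0 }
        /ALLOW/ && $1 != "22" { bad = 1 }
        END { exit bad }'
}

# Print the number of well-formed public-key lines (one key per line,
# starting with a known key type); blank lines and comments are ignored.
count_keys() {
    printf '%s\n' "$1" | grep -cE '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) '
}

# Constructed samples in the shape the real commands and file produce.
SAMPLE_SSHD_T='port 22
passwordauthentication no
pubkeyauthentication yes'
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)'
SAMPLE_KEYS='# placeholder keys, not real key material
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYDATA bob@desktop'

check_sshd "$SAMPLE_SSHD_T" && echo "sshd: password logins disabled, public keys enabled"
check_ufw  "$SAMPLE_UFW"    && echo "ufw: active, only port 22 allowed"
echo "authorized_keys: $(count_keys "$SAMPLE_KEYS") well-formed key(s)"
```

On a real server, pass the live output instead of the samples, e.g. `check_sshd "$(sudo sshd -T)"`.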
If you have made a mess of the firewall rules, then you can run the following to delete all rules (!) and reset everything:
sudo bash -c "ufw -f reset && iptables -F && iptables -X && ufw allow 22 && ufw -f enable"
This not only resets the ufw firewall, but also the (filter chain of the) underlying iptables firewall. By immediately allowing port 22 and "forcing" the two commands that require confirmation you may even run this over an SSH connection.
Here are a few rules on good SSH usage for users:
- Protect your private key with a passphrase (run ssh-keygen -p to set a passphrase).
- When you need your key on a remote host, use agent forwarding with the ssh -A option (do NOT copy private keys).
- Please also consider using SSH certificates in your cloud infrastructure.
In the next post I will walk you through a setup of KVM on Ubuntu 18.04 LTS. We will turn this machine into a proper hypervisor for your virtual machines. I will do this using open source only and also only from the command line.