Install OpenSSH on Ubuntu 18.04

05 Jan 2020 - by 'Maurits van der Schee'

In a previous post I have installed Ubuntu 18.04 on my Dell R720xd. In this post I will show how to install OpenSSH on it, so that we no longer need the iDRAC for system administration. After setting up SSH to securely manage the server we only need the iDRAC when we misconfigure the firewall or the network.

Install OpenSSH

Installing OpenSSH can be done by selecting the "OpenSSH server" in the software selection screen of the network installer. Alternatively you can install it, or ensure that it is installed, by running the following command:

sudo apt install openssh-server

This should start and enable the SSH server. To verify that it is running you can run:

sudo systemctl status ssh.service

To see only the relevant line, filter the output:

systemctl status ssh.service | grep Active:

It should output:

Active: active (running) since Sun 2020-01-05 23:15:24 CET; 2min 2s ago

Now you can also test connectivity by running:

nc 0 22

It should (immediately) output:

SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

You can end the command with Ctrl-C (or pressing enter twice, triggering a "Protocol mismatch"). If your SSH is not running then there will be no output.

Enable the firewall

To enable UFW (Uncomplicated FireWall) and allow only port 22 (for SSH) towards this server you can run:

sudo ufw allow 22
sudo ufw enable

To verify that UFW is running, you can run the following command:

sudo ufw status

It should output:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)          

Showing that only port 22 is allowed on both IPv4 and IPv6.

Avoid double logging

Unfortunately UFW spams /var/log/syslog by default with "block" messages, while it already logs them to /var/log/ufw.log. We can avoid this double logging by running:

sudo nano /etc/rsyslog.d/20-ufw.conf

and changing the last line from:

#& stop

to:

& stop

To make this effective we need to restart the rsyslog service using:

sudo systemctl restart rsyslog

Now your UFW log messages should no longer show up in /var/log/syslog.

Some SSH configuration

You may want to log in to the server using SSH and transfer your public keys. You need to put your public keys (one per line) in the file ~/.ssh/authorized_keys.

IMPORTANT: check that you connect to the server without entering a password, before continuing.

Now you can disable (interactive) password logins in the SSH config by running:

sudo nano /etc/ssh/sshd_config

change the line:

#PasswordAuthentication yes

into:

PasswordAuthentication no

Now restart ssh for these changes to take effect:

sudo systemctl reload ssh.service

And now the server is online and secure.
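The hardening step above edits one line of /etc/ssh/sshd_config, and the pitfalls when reviewing the result are that the shipped `#PasswordAuthentication yes` is only a comment, that sshd keeps the first uncommented occurrence of a keyword, and that an unset keyword falls back to the default of yes. The following script is an added example (not from the original post) that resolves the effective global value from a config file offline using those rules; the sample config and the function names are constructed for the demonstration. On the server itself, `sudo sshd -T | grep -i passwordauthentication` asks sshd directly.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the effective global
# PasswordAuthentication value of an sshd_config file the way sshd does.
# Rules implemented: comments and blank lines are ignored (the shipped file
# carries "#PasswordAuthentication yes", which is NOT a setting), the first
# uncommented occurrence in the global section wins, lines after the first
# "Match" block are conditional and not considered here, and a missing
# keyword means the compiled-in default, "yes".

password_auth_effective() {
    # $1: path to an sshd_config file; prints "yes" or "no"
    awk '
        tolower($1) == "match"                  { exit }   # conditional section begins
        /^[[:space:]]*(#|$)/                    { next }   # comment or blank line
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }                    # sshd default when unset
    ' "$1"
}

password_auth_disabled() {
    # exit status 0 when global password logins are off, 1 otherwise
    [ "$(password_auth_effective "$1")" = "no" ]
}

# Constructed sample config: the stock comment left in place, the hardened
# line added below it, and a Match block that re-enables passwords for one
# user (which must not be mistaken for the global setting).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
if password_auth_disabled "$sample"; then
    echo "global PasswordAuthentication: no (hardened)"
else
    echo "global PasswordAuthentication: yes (still allows password logins)"
fi
rm -f "$sample"
```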

Resetting the firewall

If you have made a mess of the firewall rules, then you can run the following to delete all rules (!) and reset everything:

sudo bash -c "ufw -f reset && iptables -F && iptables -X && ufw allow 22 && ufw -f enable"

This not only resets the ufw firewall, but also (the filter chains of) the underlying iptables firewall. By immediately allowing port 22 and "forcing" the two commands that would otherwise require confirmation, you may even run this over an SSH connection.

SSH usage guidelines

Here are a few rules on good SSH usage for users:

Please also consider using SSH certificates in your cloud infrastructure.

Next: install KVM

In the next post I will walk you through a setup of KVM on Ubuntu 18.04 LTS. We will turn this machine into a proper hypervisor for your virtual machines. I will do this using open source only and also only from the command line.

Click here to read the next article (on installing KVM).
