TL;DR

This is a quick blog post describing what is needed to do an initial Ubuntu 17.10 server setup. It show how to set up an additional user so root user is not used by default and how to access the server using key based SSH access. A no thrills quick and dirty write up how I setup my servers. Enjoy.

What will we cover in this post?

1. Configure DNS
2. Create SSH key [client]
3. Create PuTTY profile [client]
4. Add an user [server]
5. Configure SSH [server]
6. Configure SSH access using key only [server]
7. Configure PuTTY access using key [client]
8. Setup SSH with two factor authentication (2FA [server]
9. Setup Fail2ban for SSH [Server]
10. Setup SSH/SSL multiplexer [server]
11. Setup firewall [server]
12. Setup aliases [server]
13. Extra tidbits [server]
14. Debugging SSH

Prerequisites

To follow this blog post the follow prerequisites must be met:

• You have basic understanding of Linux and working from the command shell.
• You have a VPS to run ProfitTrailer on. I use the following two providers, as they provide very good servers at extremely good value for money: RouterHosting and Contabo.

Okay time to rock & roll. Lets get the show on the road 🙂

1. Configure DNS

After selecting a VPS provider and you receive the VPS details and you have a domain name, setup the IP address as a (sub) domain in the DNS of your domain provider. This simplifies accessing the server. For example: subdomain.domain.tld (vps.funny.com).

This is very easy and straight forward to do by adding an A record in the DNS with the following information.

• Record type: A
• A name: subdomain.domain.tld
• IP address: supplied by VPS provider
• Time-to-live (ttl): 3600

It might take a while before DNS’s are updated. So don’t be to impatient.

Go to index

2. Create SSH key [client]

To enhance security we will create a key that will be used to access the server. To generate an OpenSSH compatible key we will use PuTTYgen:

• Start PuTTYgen by double-clicking its executable file or hitting the Windows key and typing “puttygen” and hitting the “enter” key;
• Select “RSA” under “Type of key to generate”;
• In the field “Number of bits in generated key” specify either 2048 or 4096. Increasing the bits makes it harder to crack the key by brute-force methods;
• Click the button “Generate”;
• Move your mouse pointer around in the blank area of the section “Key”, below the progress bar (to generate some randomness) until the progress bar is full. A private/public key pair has now been generated;
• In the field “Key comment” enter a comment to help you identify the key pair, e.g. the users e-mail address. This is particularly useful in the event you have multiple key pairs;
• Optional: Type a passphrase in the field “Key passphrase” and re-type the same passphrase in the field “Confirm passphrase”. If the key is to be used for automated processes, however, it should not contain a passphrase. Not having a passphrase is a security risk, because anyone who has the key can access the server;
• Click the button “Save public key” and choose a filename with extension “pem”, e.g. username-public-key.pem;
• Click the button “Save private key” and choose a filename with the extension “.pkk”, e.g. username-public-key.pem. It should be stored in a safe location with the public key. This should be a location that only you can access and that you will NOT lose! If you lose your keys and have disabled username/password logins, you will no longer be able log in to the server!;

IMPORTANT NOTE: PuTTY and OpenSSH use different formats for public SSH keys. If the SSH key starts with “—- BEGIN SSH2 PUBLIC KEY …” it is in the wrong format. Be sure to follow the instructions carefully. Your key should start with “ssh-rsa AAAA ….”

Lets create a public key file with the public key in the format SSH expects.

• Copy the public key file you just created;
• Rename it to e.g. username-public-key-ssh.pem;
• Open the file;
• In PuTTYgen right click the field “Public key” and select “Select all”.
• Right-click again in the same text field and choose “Copy”.
• Paste it into the file;
• Save the file.

Go to index

3. Create PuTTY profile [client]

PuTTY is an SSH client. You create profiles for connections to SSH servers.

• Start PuTTY by double-clicking its executable file or hitting the Windows key and typing “putty” and hitting the “enter” key;
• PuTTY’s categories can be navigated on the left-hand side of the window. PuTTY’s initial window is the category “Session”;
• In the field “Host Name (or IP address)”, enter the IP address of the server or its fully qualified domain name (FQDN) if it is setup in a DNS;
• Enter the port number in the “Port” field. For added security, consider changing your server’s SSH port to a non-standard port or setting up a SSH/SSL multiplexer;
• Select “SSH” under “Connection type”;
• Select the sub-category “Data” under “Connection”;
• In the field “Auto-login username” enter the user to use when logging into the SSH server. For now enter root here;
• Return to the category “Session” and enter a name for this profile in the field “Saved Sessions”, e.g. [email protected] or [email protected];
• Click the button “Save” to save the profile;
• Click the button “Open” to connect to the server.

Go to index

4. Add an user [server]

By default the root user is used on the server. First we want to create a new user, so that the root account is not used by default. By creating a new user and adding the user to the sudo group the user has root privileges. To use these privileges the user has to explicitly sudo. This is an extra precaution to avoid accidentally executing root commands and breaking the server.

# Add a new user
adduser nidkil

# Add the user to the sudo group
usermod -aG sudo nidkil

Go to index

5. Configure SSH [server]

Now lets setup SSH so the new user can use it and the root can no longer use it.

# Switch to the new user, so that the following commands are created with the user as owner
su - nidkil

# Create a directory for the public keys to be trusted by SSH
mkdir ~/.ssh

# Ensure only the user can access this directory
chmod 700 ~/.ssh

# Create a file to hold the authorized public keys
touch ~/.ssh/authorized_keys

# Ensure only the user can access this file
chmod 600 ~/.ssh/authorized_keys

Add the user’s public key to the trusted keys file

vim ~/.ssh/authorized_keys

Copy & paste the public key directly from PuTTYgen window or from the file username-public-key-ssh.pem. Save and close the file.

Okay lets ensure the root can no longer log in through SSH.

# Open the SSH config file
sudo vim /etc/ssh/sshd_config

Find the following entry. If it is commented out, then uncomment it and change the value to no.

PermitRootLogin no

Save the configuration file. Now lets restart SSH so that the change can take effect.

sudo service ssh restart

*** IMPORTANT ***
Do NOT logout of the current PuTTy session. If the new user cannot login you will be locked out of the server!

Lets check if the user can login using PuTTy. Update the previously created PuTTy profile.

• Start a new PuTTY session by double-clicking its executable file or hitting the Windows key and typing “putty” and hitting enter;
• Select the profile from the “Load, save or delete a stored session” list.
• Click the button “Load” to load the profile;
• Select “SSH” under “Connection type”;
• Select the sub-category “Data” under “Connection”;
• In the field “Auto-login username” enter the user to use when logging into the SSH server. Enter ‘nidkil’ here;
• Return to the category “Session”;
• Click the button “Save” to save the updated profile;
• Click the button “Open” to connect to the server.

If all went correctly you should have to enter the user’s password. Enter it and hit the “enter” key. If you are logged in the user and SSH are setup correctly. Nice!

Go to index

6. Configure SSH access using key only [server]

Okay, now we are ready to configure SSH to only accept keys.

sudo vim /etc/ssh/sshd_config

Find the following entries in the configuration file. If they exist and are commented out then uncomment them. Make sure the keys have the same values.

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no

Save the file and restart SSH so the changes can take effect.

sudo service ssh restart

*** IMPORTANT ***
Do NOT logout of the current PuTTy session. If the new user cannot login you will be locked out of the server!

Go to index

7. Configure PuTTY access using key [client]

Lets check if the user can login using PuTTy.

• Start PuTTY by double-clicking its executable file or hitting the Windows key and typing “putty” and hitting enter;
• Select the profile from the “Load, save or delete a stored session” list.
• Click the button “Load” to load the profile;
• Expand the sub-category “SSH” under the category “Connection”;
• Highlight the sub-category “Auth”;
• Click on the button “Browse”;
• Select the previously created private key and click the button “Open”;
• Return to the category “Session”;
• Click the button “Save” to save the profile;
• Click the button “Open” to connect to the server.

If all went correctly you should log into the server. If the key has a passphrase you will be prompted to enter it. Enter it and hit the “enter” key. If you are logged in the user and SSH are setup correctly. Congratulations!

Go to index

8. Setup SSH with two factor authentication (2FA) [server]

Coming soon.

Go to index

9. Setup Fail2ban for SSH [Server]

Coming soon.

Go to index

10. Setup SSH/SSL multiplexer [server]

Optionally as an extra security precaution and to avoid brute force attacks we will setup SSH on the same port as SSL (443). We do this using a multiplexer or switchboard. The multiplexer allows different services to run on the same port. It’s a really simple tool that accepts incoming connections to a port and then depending on protocol forwards the connection to the right service, i.e sshd on port 22 or web server on 443.

The protocol detection is made based on a small difference between SSL and SSH: an SSL client connecting to a server speaks first, where as an SSH client expects the SSH server to speak first (announcing itself with a banner). sslh waits for some time for the incoming connection to send data. If it does before the timeout occurs, it is a SSL connection. Otherwise, it is a SSH connection.

Coming soon.

Go to index

11. Setup firewall [server]

If we are running the SSH/SSL multiplexer we need to open port 443 and close port 22.

Coming soon.

Go to index

12. Setup aliases

Lets add some aliases for convenience. Aliases are custom commands you can issue from the command line, that execute more complex commands. Open the alias file.

vim ~/.bash_aliases

This file is automatically loaded by ~/.bashrc. On Ubuntu 11.04 and later, it’s enabled by default. Add the following aliases.

# Reload the environment for the current shell
alias brl="source ~/.bashrc"

# List all files (incl. hidden files) and show file information
alias lsla="ls -la"

# List all processes
alias psa="ps -ax" 
# Convenience commands
alias cls="clear"

The alias commands will be available on any new terminal. To have the alias commands available in the current terminal you need to run one of the aliases you just created.

brl

If you want to list the defined aliases run the following command.

alias

Go to index

13. Extra tidbits

To wrap up the installation there are a few other tools that are useful to install by default. Optionally run the following command.

sudo apt-get install python3 nodejs htop

Go to index

14. Debugging SSH

If you run into connection problems it helps if you can check what is happening in the background. I for example got the following error “…”. After turning debugging on I could see that SSH was not checking the authorized_keys file of the user, but only that of the root user. It turned out that adding the home directory (“~/”) in-front the AuthorizedKeysFile was causing the problem (~/.ssh/authorized_keys). Without debugging it would have been much harder to solve this issue.

Open the SSH configuration file.

sudo vim ~/etc/ssh/sshd_config

To enable debugging find and uncomment the following lines in the config file and change LogLevel to DEBUG.

SyslogFacility AUTH
LogLevel DEBUG

Save the file and restart SSH so the changes can take effect.

service ssh restart

To check the SSH logging execute the following command.

grep 'sshd' /var/log/auth.log

You could of course als use the tail commandto get the debugging information in realtime as the connection is made.

tail /var/log/auth.log | grep 'sshd'

Easy right?

Conclusion

Setting up and securing an Ubuntu server is pretty straight forward once you understand the steps.

Related posts

If you liked this post, you might be interested in the following posts.

• Setting up Mutt to send mail using Gmail with 2FA set
• Installing Gunbot 7.0.2 and Zeno GUI 1.31
• ProfitTrailer setup on Ubuntu 17.10

Go to top of page