This note contains a basic Ubuntu 18.04 server setup. The server will be installed on an encrypted LVM volume which can be unlocked via SSH. These are the settings I found most useful for me; I can’t guarantee a completely secure system by using these notes. If you find any issues or you have suggestions on what I could improve in this setup, just message me.
For advanced options, such as encrypted LVM volumes, to be available during installation, the image must be loaded from the alternative Ubuntu download page and not from the main website, which provides an image that uses the Subiquity installer. The ISO file with the classic installer, which offers more options, can be found on the Ubuntu alternative download page. Select the image for your type of computer, usually the ubuntu-18.04-server-amd64.iso. The installation is straightforward, just follow the installation instructions. Make sure to select an encrypted LVM volume; the installer will ask you for a security key afterwards. You can also select to install the OpenSSH server, because we’ll use it to access the server.
After a reboot you have to unlock the LVM volume with the security key you selected during the installation.
First of all update the server.
I sometimes have problems with language and region settings after installation. To fix this, I set the locales to en_US.UTF-8.
This step is optional and depends on how and where you host your server. I need to set up a static IP, which I do in the network settings as follows:
Here’s an example file, the IPs must be changed according to your setup.
addresses contain the IPs of the server. The rest of the settings should be self-explanatory. After changing the config, apply it by:
IP hardening
We also want to set up some IP settings for security. This can be done in:
I’ll just post my configuration file, which disables ICMP redirects, enables IP spoofing protection, ignores broadcast requests and so on. I also disable IPv6 auto configuration, because it’s manually configured in the step before. Some more information about the various options can be found in the Red Hat docs - Securing Network Access.
After you’ve created / changed this file, apply the settings:
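To confirm that the values are live after applying them, compare the running kernel settings with the intended ones. The script below is an added example, not part of the original note; the key list is an assumption that mirrors the options described above, and `check_sysctl` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example, not from the original note. The key list is an assumption
# that mirrors the options the note describes.
EXPECTED='net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_ra=0'

# check_sysctl [ROOT]
# Reads every expected key from the tree below ROOT (default /proc/sys),
# prints one line per deviation and returns the number of deviations.
check_sysctl() {
    root=${1:-/proc/sys}
    deviations=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # sysctl key "a.b.c" is the file a/b/c below /proc/sys
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            got=$(cat "$path")
        else
            got=missing
        fi
        if [ "$got" != "$want" ]; then
            echo "DEVIATION $key: want $want, got $got"
            deviations=$((deviations + 1))
        fi
    done
    return "$deviations"
}

# Check the running kernel when executed directly.
check_sysctl "$@" || echo "$? value(s) differ from the hardening list"
```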
If you haven’t selected the option to install the OpenSSH server during the installation process, do it now:
We will set up the server to allow SSH access only via SSH keys. Therefore, the public key to be used should be copied to the server at this point. If you don’t have an SSH key yet, it has to be generated - I made a note for that. Here is an example, which needs to be executed on your client system, not on the server, of how a key can be copied to the server:
I copy my Ed25519 public key for the user dennis to the server dennisnotes.com. Make sure to use the public key (.pub) and not your private key! You’ll be asked to provide your password to copy the key to the server. This is because we still use the default SSH settings. We’ll change this in the next step.
In the last step you should test if the access to the server with the SSH key works. Do this from your client machine. It should open up an SSH connection using your SSH key. Maybe you need to unlock the key by entering the key’s password.
In addition to the Ed25519 key, I copy an RSA key to the server, which will later be used for the Dropbear SSH server to unlock the encrypted LVM volume via SSH:
The OpenSSH configuration is located at /etc/ssh/sshd_config.
I just post the content of my config here. In short I forbid the root login and password logins, I allow the login only for the user dennis, I change the default port 22 to another (e.g. 1234), I use protocol 2 and I allow the login via SSH key. Some more tips and details about the settings can be found in the SSH Docs as well as in the Debian Doc.
After you’ve changed the config file restart the ssh service.
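The policy described above (no root login, no password logins, only the user dennis, a non-default port, public key login) can be checked against a configuration file before restarting the service. This is an added example, not the author's configuration or tooling; `sshd_values` and `audit_sshd_config` are hypothetical helper names and the sample file is constructed.

```sh
# Added example, not from the original note: audit an sshd_config file.
# Assumption: plain "Keyword value" lines, no Match blocks or Include.

# sshd_values FILE KEYWORD: every argument given for KEYWORD, one per line,
# in file order. Keywords are matched case-insensitively, as sshd does.
sshd_values() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == kw { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# _expect KEYWORD WANTED BUILTIN_DEFAULT (uses $file and $fails of the caller)
# For single-valued keywords sshd uses the first value it reads.
_expect() {
    got=$(sshd_values "$file" "$1" | head -n 1)
    [ "${got:-$3}" = "$2" ] && return 0
    echo "FAIL $1: want '$2', effective '${got:-$3}'"
    fails=$((fails + 1))
}

# audit_sshd_config FILE USER: prints FAIL lines, returns the failure count.
audit_sshd_config() {
    file=$1 fails=0
    _expect PermitRootLogin no prohibit-password
    _expect PasswordAuthentication no yes
    _expect PubkeyAuthentication yes yes
    # Every AllowUsers argument is collected, so an extra name is flagged.
    allowed=$(sshd_values "$file" AllowUsers | paste -s -d ' ' -)
    if [ "$allowed" != "$2" ]; then
        echo "FAIL AllowUsers: want '$2', got '${allowed:-<unset>}'"
        fails=$((fails + 1))
    fi
    # Port may be given several times and sshd listens on all of them.
    ports=$(sshd_values "$file" Port)
    for p in ${ports:-22}; do
        if [ "$p" = 22 ]; then
            echo "FAIL Port: sshd listens on the default port 22"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: a leftover "Port 22" line and no PasswordAuthentication.
sample=$(mktemp)
printf '%s\n' 'Port 1234' 'Port 22' 'PermitRootLogin no' 'AllowUsers dennis' > "$sample"
audit_sshd_config "$sample" dennis || echo "$? finding(s)"
rm -f "$sample"
```

On a live server, `sudo sshd -T` prints the configuration sshd actually resolved and is the authoritative cross-check.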
After setting up the SSH server a firewall should be activated to secure the system. We’ll use the uncomplicated firewall (UFW). UFW should be installed by default; if not, install it now. Then allow the SSH port which you’ve set in your sshd_config. In the example above this would be port 1234. Afterwards you need to enable the firewall.
You should still be able to connect to your system via the ssh port. Test it by executing the following command on your client system:
Note the -p 1234, with the option -p we set the ssh port of the remote system.
To allow only users in a given admin group to switch users - su - execute the following steps in which you create an admin group, add a user dennis to this group and restrict the access to /bin/su to the admin group.
Fail2ban is an intrusion prevention system that basically monitors log files and searches for certain patterns corresponding to a failed login. If a certain number of failed login attempts are detected from an IP address within a certain time, fail2ban blocks access for this IP address by creating a corresponding firewall rule. First of all install fail2ban:
Fail2Ban can be configured via configuration files in /etc/fail2ban/jail.d. Further filters can be created in /etc/fail2ban/filter.d. Currently our system is only accessible via SSH, so we should have fail2ban watch the SSH access. To do so create a new configuration file as follows:
Here is an example configuration file.
It is a relatively simple configuration that specifies that we monitor SSH access to port 1234, whose log files are located at /var/log/auth.log. To check the log file for failed logins, the filter sshd, which is included in the installation, is used. After three failed login attempts the corresponding IP address will be banned. It is also possible to notify the administrator by e-mail if IP addresses have been banned, etc. There are several sources on the Internet, such as the official fail2ban documentation.
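The counting rule behind "three failed login attempts" can be reproduced over a log file to see which addresses a jail like this would ban. This is an added example, not fail2ban's own filter and not from the original note; it counts over the whole file instead of inside a time window, `would_ban` is a hypothetical helper name, and the log lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original note: the counting rule behind
# "ban after three failed logins". Simplification: failures are counted
# over the whole file, not inside a time window as fail2ban does.

# would_ban LOGFILE [MAXRETRY]
# Prints "ADDRESS COUNT" for every source address with at least MAXRETRY
# (default 3) failed logins, sorted by address.
would_ban() {
    awk -v max="${2:-3}" '
        # The user name sits in the middle of the line and is chosen by the
        # client, so the address is read at a fixed offset from the END.
        # An invalid user is counted once, by its "Invalid user" line.
        / sshd\[[0-9]+\]: Failed password for invalid user / { next }
        / sshd\[[0-9]+\]: Failed password for .* port [0-9]+ ssh2$/ {
            if ($(NF - 4) == "from") hits[$(NF - 3)]++
            next
        }
        / sshd\[[0-9]+\]: Invalid user .* port [0-9]+$/ {
            if ($(NF - 3) == "from") hits[$(NF - 2)]++
        }
        END { for (a in hits) if (hits[a] >= max) print a, hits[a] }
    ' "$1" | sort
}

# Constructed auth.log lines (documentation addresses, made-up PIDs).
log=$(mktemp)
cat > "$log" <<'EOF'
Jan 10 10:00:01 srv sshd[101]: Invalid user admin from 203.0.113.5 port 40001
Jan 10 10:00:03 srv sshd[102]: Invalid user test from 203.0.113.5 port 40002
Jan 10 10:00:05 srv sshd[103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:09 srv sshd[104]: Invalid user oracle from 198.51.100.7 port 40100
Jan 10 10:01:00 srv sshd[105]: Accepted publickey for dennis from 192.0.2.10 port 50000 ssh2
EOF
would_ban "$log" 3
rm -f "$log"
```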
After a new configuration has been added, the fail2ban service must be restarted. After the restart, the new configuration should appear in the status query from the fail2ban client, which can then also be viewed in detail.
To unlock the LVM volume via SSH on a reboot we need a little SSH server which is only used during the boot process. This is where Dropbear comes in. Install it via:
Next we need to set the port we want to use, as well as some other options:
Here is an example of what my configuration looks like:
In the next step you have to specify the RSA key you want to use later. I already copied my id_rsa.pub key to the server in a previous step, it can be found at ~/.ssh/authorized_keys. The key, e.g. ssh-rsa blablakey comment, must now be copied. At the end it must be added to the authorized_keys of dropbear:
We add some more options like no X11 forwarding etc. for security, my file looks like this:
Finally you have to update the initramfs:
Set up the IP address in GRUB
I need a static IP, which I set up in a step before, but which is only loaded after I decrypted the LVM volume and booted Ubuntu. To set the IP address before that, I add the following flag in the GRUB config.
Here’s an example of my GRUB_CMDLINE_LINUX_DEFAULT setting in which 192.168.14.2 is the server’s IP, 192.168.14.1 the gateway and dennisnotes the hostname.
After you’ve added this you need to recreate the grub.cfg file as follows:
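A wrong field in the kernel's ip= parameter leaves the initramfs SSH server unreachable, so it is worth building the string with a few checks. This is an added example, not the author's GRUB line; the addresses and hostname are the ones named above, while the netmask 255.255.255.0, the device name eth0 and the helper names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original note: build and sanity-check the
# kernel "ip=" parameter for GRUB_CMDLINE_LINUX_DEFAULT.
# Field order: ip=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>

# is_ipv4 ADDR: true for four dot-separated decimal octets in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^(0|[1-9][0-9]*)$/ || $i > 255) exit 1 }'
}

# same_subnet ADDR1 ADDR2 NETMASK: true if both addresses share the network.
same_subnet() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2 $3        # 12 octets: $1-$4, $5-$8, $9-${12}
    IFS=$old_ifs
    [ $(( $1 & $9 )) -eq $(( $5 & $9 )) ] &&
    [ $(( $2 & ${10} )) -eq $(( $6 & ${10} )) ] &&
    [ $(( $3 & ${11} )) -eq $(( $7 & ${11} )) ] &&
    [ $(( $4 & ${12} )) -eq $(( $8 & ${12} )) ]
}

# kernel_ip_param CLIENT GATEWAY NETMASK HOSTNAME DEVICE
kernel_ip_param() {
    for addr in "$1" "$2" "$3"; do
        is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 1; }
    done
    same_subnet "$1" "$2" "$3" || {
        echo "gateway $2 is outside the network of $1/$3" >&2; return 1; }
    # <server> is only used for NFS root and stays empty; "none" disables
    # DHCP and other autoconfiguration so the static values are used.
    printf 'ip=%s::%s:%s:%s:%s:none\n' "$1" "$2" "$3" "$4" "$5"
}

# Addresses and hostname from the note; netmask and device are assumptions.
kernel_ip_param 192.168.14.2 192.168.14.1 255.255.255.0 dennisnotes eth0
```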
Test the SSH LVM Volume unlock
- Reboot
- ssh root@dennisnotes.com -p 1234
- type pw
- done
This is my base server setup. In further notes I will explain how to set up nginx, Nextcloud via Docker images with a nginx proxy and so on.
Step 1: Install & Configure SSH Server
1.1 Install SSH server
1.1.a Edit SSH server configuration file
1.1.b Remove the hashtag from the port statement
Exit and Save
1.2 Restart SSH daemon
1.3 Verify status
SSH server is ready to be used on port 22
Step 2: Configure SSH Server
2.1 Change SSH Server port
2.1.a Change the port number
Exit and Save
2.1.b Restart the SSH service
2.1.c Verify status
SSH server is ready to be used on port 888
2.2 Disable the option to login in directly as root via SSH
2.2.a Change the PermitRootLogin parameter to no
Exit and Save
2.2.b Restart the SSH service
Useful Commands
SSH Service status
Restart SSH service
Stop SSH service
Start SSH service
Disable SSH service next boot
Enable SSH service next boot