
Ubuntu Server 18.04 Initial Setup

1. Set the root password and use the SU command

$  passwd root
password for <user name> ← Current user’s password
Enter new UNIX password: ← Enter the root password to be set.
Retype new UNIX password: ← Re-enter the same password
passwd: password updated successfully

2. Initial SSH configuration

$ su -
password :
# cd /etc/ssh
# vi sshd_config
PermitRootLogin no ← #Disable login as root

3. Setting up SSH key authentication

#Become an ordinary user and create a key pair with RSA
$ ssh-keygen -t rsa
Enter file in which to save the key (/home/masa/.ssh/id_rsa):
#Storage location. If there are no changes, just press Enter.
Created directory '/home/<user>/.ssh'.
Enter passphrase (empty for no passphrase):
#Passphrase setting (press Enter for no passphrase)
Enter same passphrase again:
$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

After this, use WINSCP or something similar to copy the id_rsa file to an appropriate location in Windows.

#Rewrite the configuration file to disable password authentication.

$ su -

# vi /etc/ssh/sshd_config

#Line 56: Disable password authentication and make sure public key authentication is enabled.

PasswordAuthentication no
PubkeyAuthentication yes

#Restart SSH service
# systemctl restart ssh
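A check for the sshd_config state that steps 2 and 3 above leave behind, added here as an example (it is not part of the original guide). It reads the first uncommented occurrence of each keyword, which is the one sshd actually uses, and runs against a constructed sample file; the function names are this example's own, and Match blocks are not handled.

```shell
# Added example, not from the original guide. sshd takes the FIRST uncommented
# occurrence of a keyword, so that is the value checked here (Match blocks ignored).

sshd_effective() {
    # $1 = sshd_config path, $2 = keyword; prints the first effective value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    # Prints one line per deviation; returns 0 only if all three settings match.
    file=$1; bad=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$file" "$key")
        # A keyword that is never set falls back to the compiled-in default
        # (for PasswordAuthentication that default is "yes"), so report it as well.
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<not set>}'"
            bad=1
        fi
    done
    return $bad
}

write_sample_config() {
    # $1 = path; constructed sample resembling the file after steps 2 and 3
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
Port 5001
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Demo: the sample passes; re-enabling password auth makes the audit fail.
tmp=$(mktemp)
write_sample_config "$tmp"
audit_sshd_config "$tmp" && echo "sshd_config OK"
printf 'PasswordAuthentication yes\n' > "$tmp"
audit_sshd_config "$tmp" || echo "deviations found"
rm -f "$tmp"
```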

4. Firewalling with UFW

#Type the following command to see the status of the ufw configuration

# sudo ufw status

Status: inactive

#ufw is disabled at first, as shown by "inactive".

#Type the following command to activate ufw once.

# sudo ufw enable

#You may get the following message.

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

#This asks whether to continue even though enabling ufw may interrupt the current ssh connection; it is shown to users who are connected to the server over ssh.

#In my environment, ssh was never disconnected after entering y (yes), so I think it is safe to enter y.

# ufw status

Status: active

#ufw is now enabled, as shown by "active".

#If you type the following command in this state, you should see the rules that ufw has written to iptables

# iptables -nL

#If you want to disable ufw, type the following command

# ufw disable

 

#Disable all communication once by typing the following command

# ufw default DENY

Default incoming policy changed to ‘deny’

(be sure to update your rules accordingly)

#This blocks all incoming communication from the outside. (The ssh session you are currently connected with is not cut off mid-session.
However, once you log out, it will be impossible to connect again via ssh until you allow it.
Please be careful.)

#Once all communication is blocked, we can decide which services to allow to communicate.

#Even with this setting, only communication coming from "outside to inside" is blocked.
Communication going from inside to outside is not blocked.

Configure the settings

#If you want to set ufw to "Allow communication coming to port number NNNN", type the following command

# ufw allow [port number]

#On the other hand, if you want to "disallow communication coming to port number NNNN", type the following command

# ufw deny [port number]

Allow ssh connections

#Allow ssh connections so that you can connect remotely in the future

#To allow ssh connections, type the following command, assuming the ssh port is set to 5001

# ufw allow 5001

#Attackers will repeatedly try to log in on port 5001, trying one password after another until one happens to match.
This is called a brute force attack.

#As a countermeasure, apply a rule that rejects connections from IP addresses that connect repeatedly within a short time.
Type the following command

# ufw limit 5001

#This will set the rule “Do not allow IP addresses that have attempted to connect more than 6 times in 30 seconds”.

#Check the settings. You should see something like this

# ufw status
Status: active
To                         Action      From
--                         ------      ----
5001                       LIMIT       Anywhere
5001 (v6)                  LIMIT       Anywhere (v6)

#LIMIT (connection rate limiting) is set for port 5001 on both IPv4 and IPv6

 

Only allow ssh connections from specific networks

#Even with the above settings, you are still exposing your ssh port to the outside Internet.
Even with a limit on the number of connection attempts, it is still possible that the password will be guessed somehow, or that a connection will be established by exploiting a vulnerability.

#Therefore, allow ssh connections only from the internal network and do not allow any external ssh connections.

#On the local area network there is a host with the IP address 192.168.11.xx.
To allow ssh connections only from this host, or from its network (192.168.11.0/24), type the following command.

#Allow ssh connections from 192.168.11.0/24

# ufw allow from 192.168.11.0/24 to any port 5001
Rule added

#If you check your settings, you should see something like this

# ufw status
Status: active
To                         Action      From
--                         ------      ----
5001                       LIMIT       Anywhere
5001                       ALLOW       192.168.11.0/24
5001 (v6)                  LIMIT       Anywhere (v6)

#However, even in this state, ssh connections from outside are still allowed, only rate limited.

#Therefore, we will remove the rule with the LIMIT
#Use the following command to display the rule number and confirm the settings

# ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 5001                       LIMIT IN    Anywhere
[ 2] 5001                       ALLOW IN    192.168.11.0/24
[ 3] 5001 (v6)                  LIMIT IN    Anywhere (v6)

#Rules 1 and 3 are not needed, so we will delete them by specifying their numbers.

# ufw delete 1
Deleting:
 limit 5000
Proceed with operation (y|n)? y
Rule deleted

#Now that rule 1 has been deleted, delete the IPv6 LIMIT rule (rule 3 above) in the same way. Run ufw status numbered again first and use the number it shows, because ufw renumbers the remaining rules after each deletion.
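An added check for the "exposed to Anywhere" situation described above (example code, not from the original guide): it parses a constructed copy of the ufw status numbered output, reports the rules that still open the ssh port to Anywhere, and prints the ufw delete commands highest number first, so that the renumbering after each deletion does not shift the remaining targets. The function names are this example's own.

```shell
# Added example, not from the original guide. Reads `ufw status numbered` text
# from stdin and finds rules whose To is the ssh port and whose From is Anywhere.

exposed_ssh_rules() {
    # $1 = ssh port; prints the matching rule numbers, one per line
    awk -v port="$1" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)          # rule number
            line = $0; sub(/^\[ *[0-9]+\][[:space:]]*/, "", line)     # drop "[ n] "
            split(line, f, /[[:space:]]+/)
            to = f[1]; sub(/\/.*/, "", to)                            # "5001/tcp" -> "5001"
            from = line; sub(/.*(IN|OUT)[[:space:]]+/, "", from)      # text after IN/OUT
            if (to == port && from ~ /^Anywhere/) print n
        }'
}

delete_commands() {
    # Highest rule number first: deleting rule 1 would turn rule 3 into rule 2.
    exposed_ssh_rules "$1" | sort -rn | while read -r n; do
        echo "ufw delete $n"
    done
}

# Constructed sample mirroring the state after allowing 192.168.11.0/24 (not real output).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 5001                       LIMIT IN    Anywhere
[ 2] 5001                       ALLOW IN    192.168.11.0/24
[ 3] 5001 (v6)                  LIMIT IN    Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | delete_commands 5001
```

Run the printed commands as root only after reviewing them; rule 2 (the LAN allow) is left untouched.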

Allow access to the web.

#Since our goal is to set up a firewall for the web server, we will allow connections to 80 (HTTP) and 443 (HTTPS).

#You can specify a port number to allow connections, or you can specify the service name instead.

#You can see the list of service names and their port numbers in the following file.

# vi /etc/services

#Allows HTTP(80) and HTTPS(443) connections.

# ufw allow http
Rule added
Rule added (v6)

# ufw allow https
Rule added
Rule added (v6)

#Check your settings and they should look like this

# ufw status
Status: active

To                         Action      From
--                         ------      ----
5001                       ALLOW       192.168.11.0/24
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

#You can now access 80,443 (WEB) from the outside.

Disable ufw for ipv6

# vi /etc/default/ufw
IPV6=yes  →   IPV6=no

#After all changes are made, restart ufw
# systemctl restart ufw
