Software engineering notes

Posts Tagged ‘ssh

getting started with Ubuntu server, continued

I’ve been playing around with an Ubuntu 10.10 64-bit server vm for the past couple days. My previous post ended with me unable to ssh into the vm. Today, I read a post on serverfault that got me thinking about trying to ping the vm. For whatever reason, I might have more success with that than ssh.

The post also mentioned turning off the firewall, which seems like a logical step, though I’ve been paranoid for so long, I’m uncomfortable doing so, even on a vm. Nevertheless, I turned off the firewall: sudo ufw disable

Restarted the vm: sudo shutdown -r now

Ran ifconfig to confirm that the ip hadn’t changed: ifconfig

But it had. It was now something like 0.0.0.255, which looked off. It didn’t seem like something I could ssh into. When I was hacking around the other day, I had tried configuring the vm to use a bridged network. I now switched back to the default NAT setting: Virtual Machine > settings > Network > Share the Mac’s network connection

I restarted the machine, and ran ifconfig again. Now it was back to an ip that looked more familiar:
… inet addr:172.16.83.133 …

From my Mac, I tried pinging the vm: ping 172.16.83.133

To my surprise, it responded. Amazing. I tried ssh’ing in and was rejected with
ssh: connect to host 172.16.83.133 port 22: Connection refused.

Then I remembered I had set the ssh port to 2222, and tried again:
ssh erik@172.16.83.133 -p 2222

Success! Amazing again. Then I went overboard and turned the firewall back on, sudo ufw enable, and restarted, but it still worked(!). I checked the status of the firewall just to make sure I wasn’t delusional: sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
2222                       ALLOW       Anywhere
22                          ALLOW        Anywhere
80/tcp                     ALLOW       Anywhere

This is madness, but it’s working, so I’m not complaining.

To wrap up the ssh piece, I want to configure ssh to use a public key instead of a password. I’ll follow the SSH/OpenSSH keys tutorial on the Ubuntu wiki.

I created a new ssh key, ssh-keygen -t rsa, and save it in a file called ~/.ssh/erik_rsa.

Then I copied the key to the vm:
scp -P 2222 ~/.ssh/erik_rsa.pub erik@172.16.83.133:.ssh/authorized_keys

Ideally (for me), the vm would now just automagically prefer public key authentication. I gave it a shot and immediately tried ssh’ing into the vm, but it still prompted me for a password. Oh well.

I edited the sshd_config file to uncomment the line AuthorizedKeysFile %h/.ssh/authorized_keys and set PasswordAuthentication to “no”, and then restarted sshd: sudo /etc/init.d/ssh restart

I exited the vm, and tried ssh’ing in again, this time specifying the location of my shiny new ssh key: ssh erik@172.16.83.133 -p 2222 -i ~/.ssh/erik_rsa

Wow. It worked. I’m always astounded when things like this actually work. Mac prompted me to enter my passphrase, and then I was in.

Now that I can ssh and I have a firewall, it’s time to move on to the next step of the security wiki … hmm … well, before I dive into denyhosts and fail2ban, I think I’ll play around with the real reason I wanted to get an OS up and running, to install node.js.

Written by Erik

October 20, 2010 at 10:32 pm

Posted in notes

Tagged with , ,

getting started with Ubuntu server security

In preparation for playing around with a VPS, I’d like to get familiar with Ubuntu 10.10 64-bit server. I grabbed the iso from their download page and installed it on vmware. Please pause with me and feel gratitude for Ubuntu. Thank you, Ubuntu, for being awesome. I was going to pick a more commercially popular OS, but I value my life, and Ubuntu was made with humans in mind.

The first thing I want to look at is security. Ubuntu’s forum has a sticky for general, intro-level security.

Ubuntu Wiki configure SSH seems like as good a place as any to get started.

This wiki page leads with “Once you have installed an OpenSSH server…”, so I set off to install openssh-server: sudo apt-get install openssh-server

But that gave me an error about openssh-server not being available for my system. After some digging, I got the impression that I might just need to update my system:
sudo apt-get update

Yup, that was it. Whew! I’m grateful it wasn’t a multi-hour quest for some random config setting.

Allegedly, after installing openssh, I should be able to ssh in right away. I ran ifconfig to get my vm’s ip address, and then tried it: ssh erik@172.16.83.255

ssh: connect to host 172.16.83.255 port 22: Permission denied.

Well, at least it’s talking to me. I think we’re ready to move on with the wiki.

I was able to make a backup of the default ssd_config file and set permissions on it without issue. On to customizing my sshd_config file: sudo vi /etc/ssh/sshd_config

  • Change PasswordAuthentication to “no”
  • I didn’t see a default setting for AllowTcpForwarding an X11Forwarding, so I added entries to turn each of these off
  • I added an AllowUsers entry for my username
  • Changed LoginGraceTime from 120 to 20
  • Changes the LogLevel from “INFO” to “VERBOSE”
  • Uncommented the Banner entry, and changed the file name from “issue.net” to “issue” for simplicity. I’ll defer setting the contents of this file.
  • I also changed PermitRootLogin to “no”

As a sanity check, I ran ps -A | grep sshd to confirm sshd is running. As a second sanity check, I tried logging in via the local machine: ssh -v localhost. Amazingly, this also worked.

Ok. Moment of truth. Restarting sshd: sudo /etc/init.d/ssh restart.

Doh! I forgot to add my ssh key before disabling password login. Quick edit to restore PasswordAuthentication. Trying again … Connection refused on port 22. Oh, yeah. I changed it to 2222. Trying again … success! – from the local machine. Still can’t ssh in from a remote host. Time to check the ssh log: tail -f /var/log/auth.log

My ssh requests aren’t showing up in the logs. Time to look into the iptables settings. I’m guessing there’s a rule in there to ignore ssh, or no rule to allow ssh. I’ll continue this in another post.

Written by Erik

October 18, 2010 at 10:35 pm

Posted in notes

Tagged with , , , ,