Installing and using UFW on Ubuntu 16.04 LTS

On an Ubuntu server the default firewall management command is iptables. While iptables provides powerful functionality, its syntax is often seen as complex. For most users a friendlier syntax makes managing the firewall much easier.

The uncomplicated firewall (UFW) is an alternative program to iptables for managing firewall rules. Most typical Ubuntu installations will include UFW by default. In cases where UFW isn’t included it’s just a quick command away!

Installing UFW on Ubuntu

Pre-Flight Check

  • These directions are intended to be done on any Ubuntu 16.04 LTS release.
  • You will need to be logged in to SSH as the root user.

Keeping with best practice we’ll quickly run package updates before we install UFW. Once that’s done and out of the way we can run the install.

apt update
apt upgrade

  1. Install UFW
    apt install ufw
  2. Check the install
    ufw --version

    ufw 0.35
    Copyright 2008-2015 Canonical Ltd.
    

And that is it; there is not much to the install and setup here. There is nothing to enable or restart with systemd, since UFW is a wrapper for iptables and netfilter.

Now to fully enable UFW simply run:

ufw enable

If you are migrating from an iptables-based setup you will need to recreate the rules in UFW. For the best results, set up the basic rules first and then enable UFW. This helps prevent locking yourself out if you’re working over SSH.
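A lockout-safe version of the enable step, written as an added example rather than code from the original article: it sets the defaults, adds the SSH rule, confirms the rule registered with ufw show added (which lists rules entered while the firewall is still inactive, unlike ufw status), and only then runs ufw --force enable. The UFW variable and the rule_present and bootstrap_ufw helpers are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original article): enable UFW without losing the
# SSH session you are working from. The ufw command is taken from $UFW so the
# logic can be exercised against a stand-in; it defaults to the real binary.
UFW="${UFW:-ufw}"

# rule_present PORT: read `ufw show added` output on stdin and succeed if a
# rule allowing PORT/tcp (or the OpenSSH app profile) was added. `show added`
# lists rules entered while the firewall is still inactive, which `ufw status`
# does not, so it is the right output to consult before enabling.
rule_present() {
    port="${1:-22}"
    grep -E "^ufw allow (${port}/tcp|OpenSSH)([[:space:]]|$)" >/dev/null
}

# bootstrap_ufw [SSH_PORT]: default-deny inbound, allow outbound, allow SSH,
# verify the SSH rule registered, and only then enable. Any failure stops
# before `enable`, so a typo cannot leave you behind a closed firewall.
bootstrap_ufw() {
    ssh_port="${1:-22}"
    "$UFW" default deny incoming  >/dev/null || return 1
    "$UFW" default allow outgoing >/dev/null || return 1
    "$UFW" allow "${ssh_port}/tcp" >/dev/null || return 1
    if "$UFW" show added | rule_present "$ssh_port"; then
        # --force skips the "may disrupt existing ssh connections" prompt
        "$UFW" --force enable >/dev/null
    else
        echo "refusing to enable: no allow rule for ${ssh_port}/tcp" >&2
        return 1
    fi
}

# Run as root: sh bootstrap-ufw.sh --run [SSH_PORT]
if [ "${1:-}" = "--run" ]; then
    bootstrap_ufw "${2:-22}"
fi
```

If SSH listens on a non-standard port, pass it as the argument; the script refuses to enable the firewall unless that port's rule is visible in ufw show added.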

Examples using UFW

If you’re unfamiliar with firewall management then UFW and this quick list will make things a breeze! It really is pretty simple to use since programs can provide support for UFW in the form of app profiles. Using these profiles you can easily allow/deny access for the specific application.

  • List all the profiles provided by installed packages:
    ufw app list

    Available applications:
    Apache
    Apache Full
    Apache Secure
    OpenSSH
  • Allow access to Apache on both port 80 and 443:
    ufw allow "Apache Full"

    Rule added
    Rule added (v6)
  • Allow access to SSH:
    ufw allow "OpenSSH"

    Rule added
    Rule added (v6)
  • See the full status of UFW:
    ufw status verbose

    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    22/tcp (OpenSSH)           ALLOW IN    Anywhere                  
    22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)

Because of the app profiles feature in UFW, most services can easily be opened up in your firewall. In our example the server is still fresh and bare-bones, so there are few app profiles to manage. As you install more applications, if they support UFW, you’ll see their profiles listed when you run the app list command from above.
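How those app profiles are defined, as an added example that is not from the original article or the ufw project: a profile is a small INI-style file in /etc/ufw/applications.d with a section name, title, description and ports line. Here a hypothetical MyApp service is registered and its port list is checked for over-broad ranges before it is allowed. PROFILE_DIR, write_profile, profile_ports and profile_has_range are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original article or the ufw project): create a
# UFW application profile for a hypothetical service and inspect it. Profiles
# live in /etc/ufw/applications.d; $PROFILE_DIR overrides that for testing.
PROFILE_DIR="${PROFILE_DIR:-/etc/ufw/applications.d}"

# write_profile NAME TITLE DESCRIPTION PORTS
# Writes $PROFILE_DIR/NAME containing the section ufw reads. NAME is used both
# as the file name and the section name, so keep it free of spaces here.
# PORTS uses ufw syntax: "8080/tcp", "80,443/tcp", "53/tcp|53/udp" or a range
# such as "60000:61000/udp".
write_profile() {
    name="$1"; title="$2"; desc="$3"; ports="$4"
    [ -n "$name" ] && [ -n "$ports" ] || return 1
    mkdir -p "$PROFILE_DIR" || return 1
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$ports" > "$PROFILE_DIR/$name"
}

# profile_ports NAME: print the ports= value of a profile (nothing if absent).
profile_ports() {
    sed -n 's/^ports=//p' "$PROFILE_DIR/$1" 2>/dev/null
}

# profile_has_range NAME: succeed if the profile opens a from:to port range
# rather than discrete ports. Worth checking before `ufw allow NAME`, since a
# wide range inside a profile is easy to miss in `ufw app list`.
profile_has_range() {
    grep -Eq '^ports=.*[0-9]+:[0-9]+' "$PROFILE_DIR/$1" 2>/dev/null
}

# Typical use on the server, as root:
#   write_profile MyApp "My App" "Constructed example service" "8080,8443/tcp"
#   ufw app info MyApp      # confirm ufw parses the new profile
#   ufw allow MyApp
```

After writing a profile, ufw app info NAME shows how ufw parsed it; if a profile already in use changes, ufw app update NAME refreshes the rules derived from it.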

Enable Root Login via SSH

By default SSH comes configured in a way that disables root user logins. This is done as a security precaution and means that you cannot log in directly as the root user over SSH. However, you can usually get around the need for root SSH login by using the sudo command. In some cases, though, it’s just more convenient to log in directly as root.


What is SSH?

SSH, or secure shell, is a network protocol used for secure network communications and remote command execution. Common use cases for SSH include controlling computers remotely and securing network services. A great example of securing other services is the SFTP protocol, which uses SSH to securely connect to a server and FTP to transfer the files.

How to enable EPEL repository?

What’s an ‘EPEL repository’?

The EPEL repository is an additional package repository that provides easy-to-install packages for commonly used software. The EPEL repository is managed by the EPEL group, which is a Special Interest Group within the Fedora Project. ‘EPEL’ stands for Extra Packages for Enterprise Linux.

The EPEL group creates, maintains and manages a high quality set of additional packages. These packages may be software not included in the core repository, or even updates which haven’t been provided yet.

Protecting Against CVE-2016-0777 and CVE-2016-0778

Overview

A flaw in OpenSSH, discovered and reported by Qualys on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client’s private SSH key.

Impact

The roaming feature, which allows clients to reconnect to the server automatically should the connection drop (on servers supporting the feature), can be exploited in the default configuration of OpenSSH clients from versions 5.4 through 7.1p1, but is not supported in the default configuration of the OpenSSH server.

All versions of OpenSSH clients from 5.4 through 7.1p1 are affected for anyone who connects via SSH on the following operating systems:

  • Linux
  • FreeBSD
  • Mac OS X
  • Windows when using OpenSSH for Windows

The following are not affected:

  • OpenSSH servers in default configuration
  • Windows users utilizing PuTTY to connect
  • Connections not authenticated via an SSH key

Summary

A connection made from an affected client to a compromised or malicious server which uses an SSH key for authentication potentially could expose all or part of the user’s private SSH key.

If the key utilized to authenticate the connection is encrypted, only the encrypted private key could be exposed. However, a malicious party could attempt to brute-force the password offline after obtaining the encrypted key.

Is Your SSH Client Vulnerable?

You can check the version of your SSH client by running the following command:

ssh -V

That will produce output similar to:

workstation$ ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015

If the version is below 7.1p2, the SSH client is affected.

Resolution

  1. Update your OpenSSH client: Check for any updates to your SSH client and apply them immediately.
  2. Patch older clients: If an update is not yet available for your operating system, you may disable the roaming feature on affected clients by adding the line “UseRoaming no” to your ssh configuration file. You can do so directly or via one of the methods below:
    • On Linux, you can run the following command to add the necessary line:

      echo 'UseRoaming no' | sudo tee --append /etc/ssh/ssh_config

      And restart ssh.

    • On a Mac running OS X, you can run the command:

      echo "UseRoaming no" >> ~/.ssh/config

      You will need to close any active SSH sessions or log out and log back in to ensure the change has taken effect.

  3. Change existing SSH keys: If you’re using keys to authenticate SSH connections, you should generate new keys as soon as possible. You can find instructions for generating a key and uploading it to your server at: Using SSH Keys. Please note: If you currently are using the same key to connect to multiple servers, you may wish to consider using unique keys in the future in light of the potential scope of this vulnerability. You also should ensure you are using a strong passphrase for any key you generate.
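The version check and the roaming workaround from the steps above, combined into one script as an added example (not part of the original advisory): it parses the ssh -V banner, reports whether the build falls in the affected 5.4 through 7.1p1 range, and checks a client configuration file for an uncommented UseRoaming no. The function names openssh_version_key, client_affected, roaming_disabled and check_client are this example's own.

```shell
#!/bin/sh
# Added example (not from the original advisory): decide whether an OpenSSH
# client build is in the affected range (5.4 through 7.1p1) and whether the
# roaming workaround is present in a given ssh_config.

# openssh_version_key BANNER: turn an `ssh -V` banner such as
# "OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015" into "7 1 2" (major minor patch,
# with a missing pN suffix counted as patch 0). Prints nothing if unparseable.
openssh_version_key() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p' |
        awk '{ printf "%d %d %d\n", $1, $2, ($3 == "" ? 0 : $3) }'
}

# client_affected BANNER: 0 if the version is >= 5.4 and < 7.1p2, 1 if not,
# 2 if the banner could not be parsed. Note that distributions may backport
# the fix without changing the version string, so also check the config.
client_affected() {
    set -- $(openssh_version_key "$1")
    [ $# -eq 3 ] || return 2
    v=$(( $1 * 10000 + $2 * 100 + $3 ))
    [ "$v" -ge 50400 ] && [ "$v" -lt 70102 ]
}

# roaming_disabled FILE: succeed if FILE has an uncommented "UseRoaming no"
# (keywords are case-insensitive in ssh_config). This is a plain text match;
# it does not evaluate Host blocks, so a line scoped to one host also counts.
roaming_disabled() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1" 2>/dev/null
}

# check_client BANNER CONFIG: 0 = not at risk, 1 = at risk (affected version
# and roaming still enabled), 2 = version unknown.
check_client() {
    if client_affected "$1"; then
        if roaming_disabled "$2"; then return 0; else return 1; fi
    else
        rc=$?
        [ "$rc" -eq 2 ] && return 2
        return 0
    fi
}

# Run as: sh check-roaming.sh --run [CONFIG]  (default config: /etc/ssh/ssh_config)
if [ "${1:-}" = "--run" ]; then
    banner="$(ssh -V 2>&1)"
    if check_client "$banner" "${2:-/etc/ssh/ssh_config}"; then
        echo "ok: $banner"
    else
        echo "at risk or unknown (exit $?): $banner" >&2
        exit 1
    fi
fi
```

The exit code makes the script usable from configuration management or a fleet check: 0 means either an unaffected version or an affected one with roaming disabled.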


How to Install Git on Ubuntu 15.04

Introduction

Git is an open source, distributed version control system (VCS). It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check

  • These instructions are intended for installing Git on Ubuntu 15.04.
  • I’ll be working from a Liquid Web Core Managed Ubuntu 15.04 server, and I’ll be logged in as root.


How to Install and Configure Git on Fedora 22

Introduction

Git is a widely adopted, open source, distributed version control system (VCS). It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check

  • These instructions are intended for installing Git on Fedora 22.
  • I’ll be working from a Liquid Web Self Managed Fedora 22 server, and I’ll be logged in as root.


How to Securely Transfer Files via rsync and SSH on Linux

Pre-Flight Check

  • These instructions are intended specifically for transferring files between servers via rsync and SSH on Linux.
  • I’ll be working from a Liquid Web Core Managed CentOS 7 server, and I’ll be logged in as root.


How to Configure a VNC Server to Use an SSH Tunnel on Ubuntu 14.04 LTS

VNC is short for ‘Virtual Network Computing’. It’s a simple method for sharing a graphical desktop environment. For example, if you install VNC on your hosted server, you could connect to its graphical desktop environment remotely.

Pre-Flight Check


How to Install and Configure Git on Fedora 21

Introduction

Git is an open source, distributed version control system (VCS). It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check

  • These instructions are intended for installing Git on Fedora 21.
  • I’ll be working from a Liquid Web Self Managed Fedora 21 server, and I’ll be logged in as root.
