Things to Do After Installing a Ubuntu Server

Reading Time: 5 minutes

After spinning up a new Ubuntu server you may find yourself looking for a guide on what to do next. Many times the default settings do not provide the level of security that your server should have. Throughout this article we provide security tips and pose questions to help determine the best kind of setup for your environment.

 

1. Secure the Root User

This should be the very first thing you do when setting up a fresh install of Ubuntu server. Typically setting up a password for the root user is done during the installation process. However, if you should ever find yourself in a position where you have assumed the responsibility of a Ubuntu server, it’s best to reset the password keeping in mind the best practices for passwords.

  • Don’t use English words
  • Use a mixture of symbols and alphanumeric characters
  • Length – based on the odds of guessing or cracking a password, you get the best security once a password reaches a certain length. More than ten characters is good practice, but even longer passwords with complex characters are a safer way to go.

You can also lock the root user password to effectively keep anything from running as root.

Warning:
Please be sure you already have another administrative user on the system with root or “sudo” privileges before locking the root user.

Depending on your version of Ubuntu, the root account may be disabled. Simply setting or changing the password for root will enable it, using the following.

sudo passwd root

Now we can lock the root account by locking the password with the “-l” flag like the following. This will prevent the root user from being used.

sudo passwd -l root

To unlock the root account, again, just change the password for root to enable it.

sudo passwd root

 

2. Secure SSH Access

Many times, once a server is up and running, the default configuration for SSH remote logins is set to allow root to log in. We can make the server more secure than this.

You only need to use the root user to run root or administration level commands on the server. This can still be accomplished by logging into a server over SSH with a regular user, and then switching to the root user after you are already logged into the server.

ssh spartacus@myawesomeserver.com

Once logged in you can switch from the user “spartacus” to the root user.

su -

You can disable SSH login for the root user by making some adjustments in the sshd_config file. Be sure to run all of the following commands as root or with a user with sudo privileges.

vim /etc/ssh/sshd_config

Within this file find the Authentication section and look for the following line:

PermitRootLogin yes

Just change that to:

PermitRootLogin no

For the changes to take effect you will need to restart the SSH service with:

/etc/init.d/ssh restart

You can now test this by logging out of the server and then trying to log in again over SSH with the root user and password. It should deny your attempts to do so. This provides a lot more security as it requires a different user (one that others won’t know and probably cannot guess) to log in to the server over SSH. This provides two values that an attacker would need to know, instead of one value, as most hackers know that the root user exists on a Linux server.

The following can also be changed to make SSH access more secure.

vim /etc/ssh/sshd_config

PermitEmptyPasswords no

Make sure that directive is set to “no” so that users without a password can’t log in. Otherwise, an attacker would need only one piece of information, a username, to get in. This, of course, would also mean they could keep guessing at usernames and log in very easily.
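The two directives above can be checked with a short script. This is an added example, not part of the original article: the function names are hypothetical, the sample config is constructed, and it assumes whitespace-separated "Keyword value" lines and requires both settings to be written explicitly as "no".

```shell
#!/bin/sh
# Added example: audit the two sshd_config directives discussed above.
# sshd uses the FIRST value it reads for a keyword, and keywords are
# case-insensitive, so a later "PermitRootLogin no" does not override
# an earlier "PermitRootLogin yes". Match blocks are not inspected here.

# Print the first global (pre-"Match") value of keyword $1 in file $2.
sshd_global_value() {
    awk -v key="$1" '
        /^[ \t]*#/                  { next }   # skip comment lines
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Return 0 only if root login and empty passwords are both explicitly "no".
audit_sshd_config() {
    file=$1 rc=0
    for key in PermitRootLogin PermitEmptyPasswords; do
        val=$(sshd_global_value "$key" "$file")
        if [ "$val" = "no" ]; then
            echo "OK    $key no"
        else
            echo "FAIL  $key ${val:-not set explicitly}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Authentication:
PermitRootLogin yes
PermitEmptyPasswords no
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a live server, running `sshd -T` as root prints the effective configuration, including defaults and included files, which this file-only check does not see.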

A final caution is to adjust any router or firewall settings so that remote SSH access comes in on a higher port that is forwarded to port 22, rather than reaching port 22 directly. This will eliminate a lot of bots or scripts that try to log in over SSH directly on port 22 with random usernames and passwords. You may need to refer to your router or server firewall documentation to make sure you forward a port higher than port 22.

 

3. Install a Firewall

By default, later versions of Ubuntu should come with Uncomplicated Firewall or UFW. You can check to see if UFW is installed with the following:

sudo ufw status

That will return a status of active or inactive. If it is not installed you can install it with:

sudo apt-get install ufw

It’s a good idea to think through a list of components that will require access to your server. Is SSH access needed? Is web traffic needed? You will want to enable the services through the firewall that are needed so that incoming traffic can access the server in the way you want it to.

In our example let’s allow SSH and web access.

sudo ufw allow ssh

sudo ufw allow http

Those commands will also open up the ports. You can alternatively use the port method to allow services through that specific port.

sudo ufw allow 80/tcp

That will essentially be the same as allowing the HTTP service. Once you have the services you want listed you can enable the firewall with this.

sudo ufw enable

This may interrupt your current SSH connection if that is how you are logged in, so double-check that your information is correct first so you don’t get logged out.

Also, ensure you have a good grasp on who really needs access to the server and only add users to the Linux operating system that really need access.

 

4. Understand What You Are Trying to Accomplish

It’s important to think through what you will be using your server for. Is it going to be just a file server? Or a web server? Or a web server that needs to send an email out through forms?

You will want to make a clear outline of what you will be using the server for so you can build it to suit those specific needs. It’s best to only build the server with the services that it will require. When you install extra services that are not needed, you run the risk of having outdated software, which only adds more vulnerability to the server.

Every component and service you run will need to be secured according to its best practices. For example, if you’re strictly running a static site, you don’t want to expose vulnerabilities due to an outdated email service.

 

5. Keep the File System Up-To-Date

You will want to make sure your server stays up to date with the latest security patches. While a server can run for a while without much maintenance and things will “just work”, you will want to be sure not to adopt a “set it and forget it” mentality.

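Regular updates on a Ubuntu server can make sure the system stays secure and up to date. You can use the following to do that. The first command refreshes the package lists and the second installs the available updates.

sudo apt-get update

sudo apt-get upgrade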

While installing an Ubuntu server is a great way to learn how to work with Linux, it’s a good idea to learn in an environment that is safe. Furthermore, it’s best not to expose the server to the Internet until you are ready.

A great way to get started is at home where you can access the server from your own network without allowing access to the server through the Internet or your home router.

If and when you do deploy a Ubuntu server you’ll want to keep the above five things in mind. It’s important to know the configuration of the server once it’s deployed so you know what type of access the public can get and what still needs to be hardened.

Enjoy learning and don’t be afraid to break something in your safe environment, as the experience can be a great teacher when it’s time to go live.

How To Set Up FTP isolation in CentOS or Ubuntu

Reading Time: 4 minutes

Configuring Multi-User FTP with User Isolation

This article is intended to give an overview of a chroot environment and configuring your FTP service for user isolation. This is done with a few lines within the main configuration file of the FTP service.

This article is also intended as a guide for our Core-Managed servers running CentOS or Ubuntu without a control panel. Our Fully Managed servers that utilize the cPanel software already have the FTP user isolation configured by default and also provide utilities for creating FTP users.

What is Chroot?

Chroot or change-root is the implementation of setting a new root directory for the environment that a user has access to. By doing this, from the user’s perspective, there will appear to be no higher directory that the user could escape to. They would be limited to the directory they start in and only see the contents inside of that directory.

If a user were to try and list the contents of the root (/) of the system, it would return the contents of their chroot environment and not the actual root of the server. Read more about this at the following link.

 

Installing ProFTPd

As there are many FTP options available, ProFTPd, Pure-FTPd, vsftpd, to name a few, this article will only focus on the use of ProFTPd for simplicity and brevity. This is also not intended to be a guide for installing an FTP service as it’s covered in our Knowledge Base articles below.

https://www.liquidweb.com/kb/how-to-install-proftpd-on-centos-7/

https://www.liquidweb.com/kb/how-to-install-and-configure-proftpd-on-ubuntu-14-04-lts/

 

User Isolation with ProFTPd

User Setup

By default, ProFTPd will read the system /etc/passwd file. The users in this file are the normal system users and do not need to be created separately from normal user creation. There are many ways to create additional FTP users, but this is one way to get started.

Here are some typical entries from the system passwd file. From left to right, you can see the username, the user and group IDs, the home directory and the default shell configured for that user.

user1:x:506:521::/home/user1:/bin/bash
user2:x:505:520::/home/user2:/bin/bash

To create these users, you would use the useradd command from the command line or whatever other methods you would typically use to create users on the server.

Create the user

useradd -m -d /home/homedir newuser

Set the user password

passwd newuser

If you are setting up multiple users that all need to have access to the same directory, you will need to make sure that the users are all in the same group. Being in the same group means that each user can have group level access to the directory and allow everyone in the group to access the files that each user uploads. This level of user management is beyond the scope of this article, but be aware that things of this nature are possible.

ProFTPd User Configuration

To jail a user to their home directory within ProFTPd, you have to set the DefaultRoot value to ~.

vim /etc/proftpd.conf

DefaultRoot ~

This setting tells the FTP service to only allow the user to access their home directory. The ~ is a shortcut that tells the system to read whatever the user’s home directory is from the /etc/passwd file and use that value.

Using this functionality in ProFTPd, you can also define multiple DefaultRoot directives and have those restrictions match based on some criteria. You can jail some users, and not others, or jail a set of users all to the same directory if desired. This is done by matching the group that a user belongs to.

When a new user is created, as shown above, their default group will be the same as their username. You can, however, add or modify the group(s) assigned to the user after they are created if necessary.

Jail Everyone Not in the “Special-Group”

DefaultRoot ~ !special-group

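Jail Group1 and Group2 to the Same Directory

ProFTPd treats a comma-separated group list as a logical AND (the user must be a member of every listed group), so use one directive per group to match members of either group.

DefaultRoot /path/to/uploads group1
DefaultRoot /path/to/uploads group2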

After making these changes to the proftpd.conf file you’ll need to restart the FTP service.

CentOS 6.x (init)

/etc/init.d/proftpd restart

CentOS 7.x (systemd)

systemctl restart proftpd

 

User Isolation with SFTP (SSH)

You can also isolate SFTP users or restrict a subset of SSH users to only have SFTP access. Again, this pertains to regular system users created using the useradd command.

While you can secure FTP communications using SSL, this is an extra level of setup and configuration. SFTP, by contrast, is used for file transfers over an SSH connection. SSH is an encrypted connection to the server and is secure by default. If you are concerned about security and are unsure about adding SSL to your FTP configuration, this may be another option to look into.

 

SFTP User Setup

Create the user and their home directory just like with the FTP user, but here we make sure to set the shell to not allow normal SSH login. We are presuming that you are looking for SFTP-only users and not just regular shell users, so we add the restriction on the shell to prevent non-SFTP logins.

useradd -m -d /home/homedir/ -s /sbin/nologin username

passwd username

We need to make sure that permissions and ownership are set for the home directory to be owned by root, and the upload directory is owned by the user.

chmod 755 /home/homedir/

chown root: /home/homedir/

mkdir -p /home/homedir/upload-dir/

chown username: /home/homedir/upload-dir/

 

SFTP Configuration

Here, by setting the ChrootDirectory to the %h variable, we are confining the user to their home directory as set up when the user was created. Using the ForceCommand directive also limits the commands the user is allowed to execute to only SFTP commands used for file transfers, again eliminating the possibility that the users will be able to break out of the jail and into a normal shell environment.

/etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match User user1,user2,user3
ChrootDirectory %h
ForceCommand internal-sftp

Jail Multiple FTP Users to a Location

Alternatively, if you wanted to have multiple users all jailed to the same location, you can set them all to be in the same group, have the same home directory, and then use a Match Group directive within the SSH configuration.

vim /etc/ssh/sshd_config

Subsystem sftp internal-sftp
Match Group groupname
ChrootDirectory %h
ForceCommand internal-sftp

After making these changes to the sshd_config file, restart the SSH service. One of the following commands should work for you.

CentOS 6.x (init)

/etc/init.d/sshd restart

CentOS 7.x (systemd)

systemctl restart sshd
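The ownership and permission step in the SFTP user setup matters because sshd requires every component of the ChrootDirectory path to be owned by root and not writable by group or others. The following check is an added example, not part of the original article: the function names are hypothetical, the demo directory is constructed, and it assumes GNU stat as shipped with CentOS and Ubuntu.

```shell
#!/bin/sh
# Added example: check that a directory can be used as an sshd ChrootDirectory.
# Every component of the path must be owned by root (uid 0) and must not be
# writable by group or others; otherwise sshd refuses the SFTP login.

# Return 0 if owner uid $1 and octal mode $2 are acceptable for one component.
chroot_component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Walk from directory $1 up to /, reporting every component that fails.
# Returns 0 if all components pass, 1 if any fail, 2 if $1 is not a directory.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1"; return 2; }
    rc=0
    while :; do
        uid=$(stat -c '%u' "$dir")     # numeric owner
        mode=$(stat -c '%a' "$dir")    # octal permission bits, e.g. 755
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "BAD  $dir (uid=$uid mode=$mode)"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Constructed demo: a world-writable directory, like a mis-set home directory.
demo=$(mktemp -d) && chmod 777 "$demo"
check_chroot_path "$demo" || echo "not usable as ChrootDirectory"
rmdir "$demo"
```

Run `check_chroot_path /home/homedir` as root after the chmod and chown steps; the writable upload directory inside the chroot is not part of the chroot path itself and is not checked.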


 

Getting Started with Ubuntu 16.04 LTS

Reading Time: 5 minutes

A few configuration changes are needed as part of the basic setup with a new Ubuntu 16.04 LTS server. This article will provide a comprehensive list of those basic configurations and help to improve the security and usability of your server while creating a solid foundation to build on.

Using SSH Client Natively in Windows 10

Reading Time: 3 minutes

Have you ever wanted to use SSH to control your Linux server from Windows? You’ve most likely downloaded and launched third-party applications like PuTTY or KiTTY to get this functionality on your Windows computer. Thankfully, with the Windows 10 Fall Creators Update, you can now use a built-in SSH client directly within your Windows OS.

Installing and using UFW on Ubuntu 16.04 LTS

Reading Time: 2 minutes

On an Ubuntu server the default firewall management command is iptables. While iptables provides powerful functionality, its syntax is often seen as complex. For most users a friendlier syntax can make managing your firewall much easier.

The uncomplicated firewall (UFW) is an alternative program to iptables for managing firewall rules. Most typical Ubuntu installations will include UFW by default. In cases where UFW isn’t included it’s just a quick command away!

Enable Root Login via SSH

Reading Time: 1 minute

By default, SSH comes configured in a way that disables root user logins. This is done as a security precaution and means that you cannot log in directly as the root user over SSH. However, you can usually get around the need for root SSH login by using the sudo command. In some cases, though, it’s just more convenient to get directly logged in as root.


What is SSH?

Reading Time: 2 minutes

SSH, or secure shell, is a network protocol used for secure network communications and remote command execution. Common use cases for SSH include: controlling computers remotely and securing network services. A great example of securing other services is the SFTP protocol which uses SSH to securely connect to a server and FTP to transfer the files.

How to enable EPEL repository?

Reading Time: 2 minutes

The EPEL repository is an additional package repository that provides easy access to install packages for commonly used software. This repo was created because Fedora contributors wanted to use Fedora packages they maintain on RHEL and other compatible distributions.

To put it simply the goal of this repo was to provide greater ease of access to software on Enterprise Linux compatible distributions.

What’s an ‘EPEL repository’?

The EPEL repository is managed by the EPEL group, which is a Special Interest Group within the Fedora Project. The ‘EPEL’ part is an abbreviation that stands for Extra Packages for Enterprise Linux. The EPEL group creates, maintains and manages a high quality set of additional packages. These packages may be software not included in the core repository, or sometimes updates which haven’t been provided yet.

Protecting Against CVE-2016-0777 and CVE-2016-0778

Reading Time: 2 minutes

Overview

A flaw in OpenSSH, discovered and reported by Qualys on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client’s private SSH key.


How to Install Git on Ubuntu 15.04

Reading Time: 1 minute

Introduction

Git is an open source, distributed version control system (VCS). It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check

  • These instructions are intended for installing Git on Ubuntu 15.04.
  • I’ll be working from a Liquid Web Core Managed Ubuntu 15.04 server, and I’ll be logged in as root.
