Setting up an unmanaged instance of Ubuntu Linux is not difficult. You just need to know what to do. A bit rhetorical, but that’s the truth of the matter. If you search or Google for solutions, you’ll find multiple tutorials describing the process. You have to be careful, though: some authors leave out key steps (not sure why). Also, you have to ensure that you are following a tutorial for the correct version. Following a tutorial written for a different software version is a recipe for disaster and a doorway to countless hours spent debugging non-existent problems. In this tutorial, we provide a complete guide to setting up an unmanaged Ubuntu Linux instance, version 16.04.
If you have your server hardware in house, you have less to worry about. If you lock yourself out, you have console access. If you have leased or rented a Linux distro from Linode or a similar service, you’ll need to be a bit more careful. Locking yourself out of a remote instance with no physical access can be more difficult to deal with. Some providers provide console access remotely, an excellent feature. If you find yourself locked out remotely for any reason, be sure to check if the provider has remote console access. I know Joe’s Datacenter provides this capability; I’m certain others do as well. Below, we walk through each step in detail and explain what to do in the event something goes wrong.
This tutorial assumes that Ubuntu has been set up and exists on a network ready to accept SSH connections. This network can be the internet or a local area network. If you purchased an Ubuntu instance from a provider, they will give you the SSH username/password and IP address. If you have installed Ubuntu on a LAN, you will need to know the local IP address. Once you have the IP address, username, and password, you are ready to connect to your server.
Connection Software: Putty
You are free to use any SSH/Telnet client available. For this tutorial, Putty will be our choice; download it here. Once you have installed the client, follow the instructions below, which reference the provided screenshot. The numbers reflect the arrows in the screenshot.
- Your IP Address goes here
- The port number. The default is 22; we will change this later to help mitigate lazy attacks.
- SSH is the protocol we will use. It encrypts traffic using a self-signed certificate initially.
- Provide a name for your session. Anything you want.
- Click save so that you can load the settings later. Easy to forget.
You will notice that Putty has a ton of category screens for various customization options. We do not need to worry about these at all; we only need the session screen and do not need to alter any settings elsewhere.
Once you have established a connection you will move through the following phases.
- Enter Connection settings or load previously saved settings
- Click yes on the security prompt
- Login with username and password
- Congratulations, you should be logged into the server.
Security Alert (Perfectly fine, select yes)
Login Prompt (Enter your username and password)
Logged In (Your login may or may not mention updates)
Are you getting the error below? Putty login should be easy; however, there are two primary reasons this could occur.
- Incorrect settings. Ensure you have the correct IP address and port number.
- Blocked Port. Network administrators or ISPs could block the required port.
- Check with your network administrator or your ISP’s website.
- If you are at the login prompt, but login is failing, you are not entering the correct username/password.
Sudo User: root
Congratulations on successfully logging in. First, we will check for updates. However, you must have sudo (admin rights) to accomplish this. If your provider gave you the username “root”, they have provided you the super account by default and you will be able to just run commands. We will change this later, since it is best practice to avoid using the root account by default. If you are not the root user, there are two approaches. First, you can enter “sudo” before every command. The server will prompt you for the password; this is a temporary elevation to the root level just for that command.
Second (not recommended, but fine if you are comfortable), you can use “sudo -s” to enter a root level session. This will allow you to run commands as the root user so that you do not need to enter sudo before every command. There are other ways to accomplish this, but for now, we are starting with the simplest method.
The first thing to do is run updates. You will need to run “apt-get update” and “apt-get upgrade” using the sudo method of choice. The example below uses the “sudo -s” method. Either command may prompt you to confirm update installation with a “Y/N” prompt; be sure to hit “Y”. You will likely see a large amount of scrolling text, and some of it may even read “warning”, a normal occurrence during updates.
UFW vs. iptables
If you are new, you want to implement network security using the UFW application. It’s simple and accomplishes the same task with a fraction of the difficulty. If you are an expert or have a deep interest, go ahead and implement your own rules using iptables. Be aware that iptables is complex and warrants its own chapter/tutorial. UFW is easy and will reach an acceptable level of security by any standard; in fact, many experts prefer standard software solutions. An individual, even an expert, is more likely to accidentally leave a hole in the firewall. If you are using a standard solution, I know that is much less likely to have occurred. This tutorial will be using the UFW application to enforce standard network security principles.
First, before enabling UFW, ensure that your SSH port is open. This is 22 by default. Run the command “ufw allow 22”.
Then, check the results with “ufw show added”. This command shows the rules even while the application is disabled, which will help you avoid locking yourself out. UFW blocks all ports by default; thus, if you enable it with no rules in place, you will lose remote access to your system.
Once you have confirmed the correct port is added, enable UFW with the “ufw enable” command. This command also configures UFW to auto-start, so it will be enabled automatically on system restarts.
Now check that UFW is working correctly and that the expected port rules exist. The command is “ufw status”.
Now, before you do anything else, check and ensure that your server is still accepting connections. Open Putty again while your current session is open and attempt to start a new session. If you are unable to, disable the UFW application with the “ufw disable” command and try again. If the connection then works, your UFW settings are incorrect. Verify the UFW settings with the previously mentioned commands and try again.
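The lockout check in the steps above can be scripted so that UFW is never enabled without an SSH rule in place. This is an added example, not part of the original tutorial; the function names are hypothetical and the sample “ufw show added” output is constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): refuse to enable UFW
# unless an allow rule for the SSH port is already queued.

# Read "ufw show added" output on stdin; succeed if it contains an
# allow rule for port $1 (bare, or with a /tcp suffix).
has_allow_rule() {
    grep -Eq "^ufw allow $1(/tcp)?\$"
}

# Enable UFW only when the SSH port is allowed, then print the status.
# Run as root on the server; nothing below calls this automatically.
safe_enable() {
    if ufw show added | has_allow_rule "$1"; then
        ufw --force enable    # --force skips the y/n confirmation
        ufw status
    else
        echo "refusing to enable UFW: no allow rule for port $1" >&2
        return 1
    fi
}

# Constructed sample of what "ufw show added" prints after "ufw allow 22".
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22"

# Offline demonstration of the check on the constructed sample.
for port in 22 54474; do
    if printf '%s\n' "$SAMPLE_ADDED" | has_allow_rule "$port"; then
        echo "port $port: allow rule present"
    else
        echo "port $port: no allow rule queued"
    fi
done
```

On the server, “safe_enable 22” replaces the bare “ufw enable” step.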
Disable Remote Root Connections
Create a new User
If the provider gave you the username “root”, we need to disable its use for remote access. The root username is half the key; if you have a custom username, two pieces of information are needed for system access. First, create a new user with the command “adduser username”.
Add the User to the SUDO group
Now we need to add the new user to the sudo group so that it can run commands at the administrator level. Complete this action by running the following command: “usermod -aG sudo username”.
Test the User
Run the command “su - username”. This command switches to the new user account, a test drive in this case. Once switched to the new account, run a test command: “sudo ls -la /root”. In this example we list the contents of the “root” directory, which requires root level access. If the command is successful, congratulations, you now have a new user capable of root level permissions. Also, open a new Putty session and connect as the new user to confirm remote connectivity.
Disable Root SSH access/Change Port Number
To disable root and change the port number, we need to access the SSH settings file. This is located at “/etc/ssh/sshd_config”. Access the file using the “nano” text editor program. This program is simple to use; if you are new, avoid the VI/Vim editor. Open the file using the following command: “nano /etc/ssh/sshd_config”. If you are not in a root session, be sure to add sudo to the beginning; otherwise, you won’t be able to save the settings.
Now test your settings by opening another Putty session. You do not need to close your current running session; in fact, I recommend leaving it running. In some cases, you could put the wrong setting in place, and your running session will give you an opportunity to fix it.
To change the port number, find the line labeled “Port 22”. In this example, we will change the port to 54474. Feel free to use a different number if desired, just make sure it’s not a port commonly used for other services. Next, change the line “PermitRootLogin prohibit-password” to “PermitRootLogin no”. Once you have accomplished this, save the file and add the correct port number using the “ufw allow” command. In nano’s command list, ^O means “Ctrl+O”. Save is titled “Write Out”; press “Ctrl+O” with the file open to save.
Add UFW port and reload SSH
Once you have saved the file, add the port number to the UFW rule list. Once you have done that, reload the SSH service with the “service ssh reload” command. Now connect to the new port number with a new Putty session. If the connection is successful, deny port 22 with the “ufw deny 22” command. Check the status again; you should see that 22 is denied. You do not need to worry that other ports are not shown: if a port is not mentioned, it is blocked.
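The sshd_config edit and reload described above, written as a script that keeps a backup and syntax-checks the file before the reload. This is an added example, not part of the original tutorial; the function names are hypothetical, and port 54474 is the one chosen in this tutorial.

```shell
#!/bin/sh
# Added example (not from the original tutorial): make the two
# sshd_config edits with a backup and a check that both took effect.

# Rewrite the active Port and PermitRootLogin lines in file $1, using
# port $2. The original is kept as $1.bak and restored on failure.
harden_sshd_config() {
    cfg="$1"; port="$2"
    cp -p "$cfg" "$cfg.bak" || return 1
    sed -E \
        -e "s/^[[:space:]]*Port[[:space:]]+[0-9]+.*/Port ${port}/" \
        -e "s/^[[:space:]]*PermitRootLogin[[:space:]]+.*/PermitRootLogin no/" \
        "$cfg.bak" > "$cfg" || { cp -p "$cfg.bak" "$cfg"; return 1; }
    if grep -qx "Port ${port}" "$cfg" &&
       grep -qx "PermitRootLogin no" "$cfg"; then
        return 0
    fi
    cp -p "$cfg.bak" "$cfg"    # a directive was missing: undo the edit
    return 1
}

# The on-server sequence from the tutorial, run as root. Not called here.
apply_on_server() {
    harden_sshd_config /etc/ssh/sshd_config 54474 || return 1
    sshd -t || return 1        # syntax-check the file before reloading
    ufw allow 54474
    service ssh reload
}

# Offline demonstration on a constructed three-line config.
demo=$(mktemp)
printf '%s\n' 'Port 22' 'LoginGraceTime 120' \
    'PermitRootLogin prohibit-password' > "$demo"
harden_sshd_config "$demo" 54474 && cat "$demo"
rm -f "$demo" "$demo.bak"
```

Keep the existing session open while running “apply_on_server”, and deny port 22 only after a new session on 54474 succeeds.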
Security is an important concept; it is central to the protection of your information and any consumers you serve. Take login security a step further: disable password login and enforce token login only. This creates an even more difficult scenario for hackers to overcome if they take a particular interest in your server. First, generate a key pair with the command “ssh-keygen -t ecdsa”.
You may put the key in any directory. However, make sure you generate the key as the target user and not root. Permission errors can cause the process to fail. If you create new directories, make sure these are created with the target user’s permissions as well. This is easily accomplished in the user’s home directory at /home/$username/.
Now that you have generated the key, you must inform the SSH application that this key is acceptable. If you forget to do this, the key will not work. Also, be sure to include the port number we changed earlier.
My command: “ssh-copy-id -p 54474 testuser@ubuntu-Server-Demo”
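The permission errors mentioned above usually come down to who owns the .ssh directory and the authorized_keys file, and who can write to them; sshd checks this when StrictModes is on. The following is an added example, not part of the original tutorial; the function names are hypothetical and the demonstration directory is constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): find the ownership
# and mode problems that make key login fail. Uses GNU stat (Ubuntu).

# Succeed if path $1 is owned by numeric uid $2 and is not writable
# by group or others.
path_ok() {
    owner=$(stat -c '%u' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ "$owner" = "$2" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# Check directory $1 (a user's .ssh) and its authorized_keys file for
# uid $2. Prints one line per problem; returns non-zero if any found.
audit_ssh_dir() {
    rc=0
    for p in "$1" "$1/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1
        elif ! path_ok "$p" "$2"; then
            echo "bad owner or mode: $p"; rc=1
        fi
    done
    return "$rc"
}

# On the server, for the tutorial's testuser account:
#   audit_ssh_dir /home/testuser/.ssh "$(id -u testuser)"

# Offline demonstration on a constructed directory owned by the caller.
demo=$(mktemp -d)
touch "$demo/authorized_keys"
chmod 700 "$demo"; chmod 666 "$demo/authorized_keys"
audit_ssh_dir "$demo" "$(id -u)" || echo "fix with: chmod 600 authorized_keys"
rm -rf "$demo"
```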
To set this up with Putty and make the process easy, we need to install some additional tools. We need to install putty tools on our server. Furthermore, we will use the Puttygen program that installs with the Putty program. You should not need to install anything extra to use it.