Jun 04 2008
GeoDjango on Slicehost: Ubuntu 8.04 Configuration (2 of 4)
OS Configuration
This post goes over how to configure your Ubuntu 8.04 Slice on Slicehost.
(general reference: http://articles.slicehost.com/2008/4/25/ubuntu-hardy-setup-page-1)
Log On to your Slice as root
Note: you will need the IP address and root password for the slice, which were provided when the slice was created. The address 11.222.333.444 used throughout this post is a placeholder; substitute your slice's real address.
ssh root@11.222.333.444
Change the root password for your slice by entering
passwd
and specifying a new password for the root user account. Log out and SSH in again to verify that the new password works. NOTE: If you rebuilt the slice, its host key has changed, so you may need to remove the old entry for the slice from your local ~/.ssh/known_hosts file before you can connect.
Create an admin (non-root) user account
Add a user and give them a password…
adduser demo
Give the user admin privileges by editing /etc/sudoers. Use visudo rather than opening the file directly with nano: it opens the file in your default editor (nano on Ubuntu) and checks the syntax before saving, and a syntax error in /etc/sudoers disables sudo for every user.
visudo
Add the following to the end of the file:
demo ALL=(ALL) ALL
SSH Configuration
(general reference: http://articles.slicehost.com/2008/4/25/ubuntu-hardy-setup-page-1 (SSH Copy section & SSH Config section))
Copy your public key from your local computer to your slice by running the following on your LOCAL COMPUTER…
scp ~/.ssh/id_rsa.pub demo@11.222.333.444:/home/demo/
Note: you will need to provide the demo user's password that you created earlier (password logins are still enabled at this point; they are switched off in the sshd configuration below).
Now on the SLICE, still logged in as root, move the key into place and set the permissions. The permissions matter: with StrictModes yes (set below) sshd ignores authorized_keys if the directory or file is group- or world-writable, and the key login silently fails…
mkdir /home/demo/.ssh
mv /home/demo/id_rsa.pub /home/demo/.ssh/authorized_keys
chown -R demo:demo /home/demo/.ssh
chmod 700 /home/demo/.ssh
chmod 600 /home/demo/.ssh/authorized_keys
Make changes to the default SSH configuration…
nano /etc/ssh/sshd_config
Replace the content of /etc/ssh/sshd_config with the following. The settings that matter here are Port (moved off 22), PermitRootLogin no, PasswordAuthentication no (key-based logins only) and AllowUsers demo (only the admin user may log in at all); the rest is close to the package default…
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 30000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
UseDNS no
AllowUsers demo
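Before reloading sshd with this file, and before closing the root session, it is worth checking that the file says what you think it says and that the key permissions set in the previous step will be honoured; either mistake locks you out once root and password logins are refused. The following script is an added example written for this post, not part of the original article or of Slicehost's documentation. It assumes the intended values shown above (Port 30000, PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes, AllowUsers demo) and that /home/demo is the admin user's home directory; the function names are mine, and check_key_perms enforces the post's own 700/600 permissions, which is stricter than StrictModes itself requires.

```shell
# Added example, not from the original post: preflight checks to run as root
# before "/etc/init.d/ssh reload". sshd_directive reads the file the way sshd
# does (first uncommented occurrence wins, keyword is case-insensitive; Match
# blocks are not handled). check_key_perms catches the permission mistakes
# that make StrictModes yes reject the key without any visible error.

# Print the effective value of DIRECTIVE in FILE, or nothing if it is unset.
sshd_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Port sshd will listen on (22 when the directive is absent).
sshd_port() {
    p="$(sshd_directive "$1" Port)"
    echo "${p:-22}"
}

# Compare the directives this hardening depends on against the intended
# values. Prints each mismatch; returns 1 if there were any, 0 if all match.
audit_sshd_config() {
    file="$1"; rc=0
    for want in Protocol=2 PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no \
                ChallengeResponseAuthentication=no; do
        key="${want%%=*}"; expect="${want#*=}"
        got="$(sshd_directive "$file" "$key")"
        if [ "$got" != "$expect" ]; then
            printf '%s: %s is "%s", expected "%s"\n' "$file" "$key" "${got:-unset}" "$expect"
            rc=1
        fi
    done
    # Without AllowUsers every local account, including ones you forgot
    # about, is allowed to attempt a login.
    if [ -z "$(sshd_directive "$file" AllowUsers)" ]; then
        printf '%s: AllowUsers is unset\n' "$file"
        rc=1
    fi
    return $rc
}

# Verify that ~/.ssh is 700 and authorized_keys is 600 (no group/other bits
# at all, as the post sets them). HOME is the user's home, e.g. /home/demo.
check_key_perms() {
    for path in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$path" ] || { echo "missing: $path"; return 1; }
        bits="$(ls -ld "$path" | cut -c5-10)"   # group+other permission bits
        [ "$bits" = "------" ] || { echo "too open: $path ($bits)"; return 1; }
    done
}

# Full preflight: sshd's own syntax check (-t) on the file, then the audits.
# Usage (as root): preflight_sshd /etc/ssh/sshd_config /home/demo
preflight_sshd() {
    sshd -t -f "$1" && audit_sshd_config "$1" && check_key_perms "$2" \
        && echo "sshd_config ok, port $(sshd_port "$1"); safe to reload"
}
```

Run preflight_sshd from the root session; if it prints anything other than the final "safe to reload" line, fix the file or the permissions before reloading, while password and root logins still work.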
iptables Configuration
Just follow the instructions on http://articles.slicehost.com/2008/4/25/ubuntu-hardy-setup-page-1 (iptables section). All of these commands run as root.
Save any existing rules…
iptables-save > /etc/iptables.up.rules
Create a new list of iptable rules…
nano /etc/iptables.test.rules
Paste in the following content…
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Update the rules…
iptables-restore < /etc/iptables.test.rules
Check to see that the IP table rules were updated…
iptables -L
Save the rules…
iptables-save > /etc/iptables.up.rules
Make sure the rules are applied after a reboot…
nano /etc/network/interfaces
Add a single line just after ‘iface lo inet loopback’ so the saved rules are restored before the interfaces come up:
...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.up.rules
# The primary network interface
...
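The one mistake that turns this step into a lockout is loading a rules file whose SSH rule does not match the Port in sshd_config (or forgetting the rule entirely). The following script is an added example written for this post, not part of the original article or of Slicehost's documentation: it reads an iptables-save style rules file such as /etc/iptables.test.rules, refuses to load it unless the SSH port is accepted, and loads it with a timed automatic rollback to the previously saved rules so that a bad rule set undoes itself if you lose the session. The function names, the SSH_PORT variable and the flag path /var/run/iptables.confirmed are my assumptions.

```shell
# Added example, not from the original post: a lockout guard for the iptables
# step. Parses the rules file to confirm the SSH port is accepted, then loads
# new rules with an automatic revert unless the load is confirmed in time.

# Print the TCP destination ports the INPUT chain accepts, one per line.
# Only "-A INPUT ... -p tcp ... --dport N ... -j ACCEPT" rules count; the
# position of each rule relative to the final "-A INPUT -j REJECT" is not
# checked.
accepted_tcp_ports() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "-A" && $2 == "INPUT" {
            tcp = 0; accept = 0; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (tcp && accept && port != "") print port
        }
    ' "$1" | sort -n | uniq
}

# Return 0 if RULES_FILE accepts new TCP connections to PORT, else 1.
rules_allow_tcp_port() {
    accepted_tcp_ports "$1" | grep -qx "$2"
}

# Refuse a rules file that would cut off the port sshd listens on (the
# "--dport 30000" line in the post's rules). Usage: check_rules_keep_ssh FILE PORT
check_rules_keep_ssh() {
    rules="$1"; port="$2"
    if rules_allow_tcp_port "$rules" "$port"; then
        echo "ok: $rules accepts tcp/$port"
    else
        echo "REFUSING: $rules does not accept tcp/$port; loading it would lock you out" >&2
        return 1
    fi
}

# Load NEW_RULES, then restore SAVED_RULES after SECONDS (default 60) unless
# confirm_rules has been run from a fresh SSH session in the meantime.
# nohup keeps the timer alive if the session that started it is dropped.
# Usage (as root): SSH_PORT=30000 apply_with_rollback /etc/iptables.test.rules /etc/iptables.up.rules 60
apply_with_rollback() {
    new="$1"; saved="$2"; secs="${3:-60}"
    flag="/var/run/iptables.confirmed"           # assumed path; any writable file works
    check_rules_keep_ssh "$new" "${SSH_PORT:-30000}" || return 1
    rm -f "$flag"
    iptables-restore < "$new"
    nohup sh -c "sleep $secs; [ -e '$flag' ] || iptables-restore < '$saved'" \
        >/dev/null 2>&1 &
    echo "loaded $new; run confirm_rules within ${secs}s or $saved is restored"
}

# Run this from a NEW ssh session on the new port to keep the loaded rules.
confirm_rules() {
    touch /var/run/iptables.confirmed           # same assumed path as above
}
```

Only after confirm_rules has succeeded should you run iptables-save into /etc/iptables.up.rules and add the pre-up line to /etc/network/interfaces; otherwise a reboot would reload the rule set that just locked you out.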
Reload the SSH configuration…
/etc/init.d/ssh reload
 * Reloading OpenBSD Secure Shell server's configuration sshd   [ OK ]
Test the login by opening a new shell on your local computer and logging in as the admin user on the new port…
ssh -p 30000 demo@11.222.333.444
Note that if you are unable to connect, you may need to remove the stored host key for the slice from your ~/.ssh/known_hosts file. Keep the existing root session open until you have verified that you can log in as the admin user, and only then close it: after this reload sshd refuses both root logins and password logins, so the root session is the only place from which a mistake in sshd_config, the firewall rules or the key permissions can still be fixed.
Updates to the OS
To get a more useful bash shell than the default, log in as the demo user and edit the ~/.bashrc file…
nano ~/.bashrc
and add the following to the end
export PS1='\[\033[0;35m\]\h\[\033[0;33m\] \w\[\033[00m\]: '
alias free='free -m'
alias update="sudo aptitude update"
alias install="sudo aptitude install"
alias upgrade="sudo aptitude safe-upgrade"
alias remove="sudo aptitude remove"
Reload the configuration changes for the bash shell…
source ~/.bashrc
Refresh the package lists so the upgrade steps below see the latest releases (this step downloads no updates by itself)…
sudo aptitude update
Set the locale…
sudo locale-gen en_US.UTF-8
sudo /usr/sbin/update-locale LANG=en_US.UTF-8
Update and upgrade…
sudo aptitude safe-upgrade
sudo aptitude full-upgrade
Install the package of essential build programs…
sudo aptitude install build-essential
Ok, now the OS is configured and updated… you are now ready to proceed to Part 3 - installing the software applications.