Well, it's about time I upgrade and test backups at the same time, so that's what I'm doing today. This is to document the process I took for posterity and maybe to help someone else.
Even though this will mostly be used as a server, I don't mind spending a few extra resources to have a GUI (Graphical User Interface) installed for ease of use. I downloaded the latest Ubuntu LTS version, which at the time of writing is 22.04:
I use "Startup Disk Creator", which ships with my current version of Ubuntu, to create a bootable USB disk from the ISO downloaded above. Then insert the bootable USB into the server and power it up.
You may have to change the boot sequence or press a special key during BIOS boot to select the USB drive as your boot media. I will not go into that detail, but feel free to google it if necessary.
Select Install Ubuntu and follow the prompts - this part is pretty self-explanatory and the defaults should work most of the time. After following all prompts, you will be asked to remove the USB and reboot the server. Upon reboot, you will be in your new Ubuntu installation!
The very next step I take after building the server is to enable remote access (only from my internal network!) and secure the server. Welp, let's begin!
Open UFW ports and enable UFW
NOTE: Do these steps in this order. If you have already enabled SSH and are connected remotely, enabling UFW before allowing port 22 will lock you out of any remote connection.
Allow port 22. I restrict the rule to my internal IP range as an extra precaution, but you could simply run sudo ufw allow ssh
sudo ufw allow from 192.168.0.0/24 to any port 22
Enable ufw
sudo ufw enable
You can replicate that rule later for any other port you require, changing the port number as needed.
Now verify from a remote host that it can connect to the server:
telnet 192.168.0.190 22
We should see a response such as:
Trying 192.168.0.190...
Connected to 192.168.0.190.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
If instead you see something like the following, go back and retry the steps above, or check the IP address you are connecting to, because something isn't correct:
Trying 192.168.0.190...
telnet: connect to address 192.168.0.190: Connection refused
telnet: Unable to connect to remote host
To exit, type Ctrl+] and then type quit
Next we secure SSH against unauthorized access. We harden it by disallowing root login - don't worry, you can still sudo to root after logging in as your own user - and by requiring key-based login, which makes brute-force password guessing impossible. Even though we will not be opening SSH to the world, I like to do this anyway.
Secure SSH
Make a backup of the original sshd config so we can always revert if we mess up:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
Now we make changes with sudo vi /etc/ssh/sshd_config - feel free to use any editor of your choice, such as nano or even gedit.
Disable PasswordAuthentication by uncommenting that line (line 57 in my default config) and changing it to no.
from:
#PasswordAuthentication yes
to:
PasswordAuthentication no
Next we disable root login (line 33 in my default config).
from:
#PermitRootLogin prohibit-password
to:
PermitRootLogin no
I don't know which protocol version OpenSSH uses by default, so to guarantee it I added the following line:
Protocol 2
(OpenSSH has supported only protocol 2 since version 7.4, and the sshd shipped with 22.04 treats the Protocol keyword as deprecated and ignores it, so this line is harmless but redundant.)
Save the file and restart the SSH daemon for the new settings to take effect:
sudo systemctl restart sshd
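To confirm the edits above actually took, here is a small audit script I added for this write-up (it is not part of the original post). It reads an sshd_config the way sshd does: the first uncommented occurrence of a keyword wins, keywords are case-insensitive, and anything after a Match line is conditional, so the check stops there. The sample config at the bottom is constructed to show the first-occurrence trap, where a leftover PermitRootLogin prohibit-password above your new line silently wins.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings changed in this post.
# Assumes only POSIX sh and awk; the file path is whatever you pass in.

# Print the effective value of keyword $2 in config file $1 (empty if unset).
# First uncommented occurrence wins, as in sshd; stop at the first Match block.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # comment line
        NF == 0 { next }                                # blank line
        tolower($1) == "match" { exit }                 # conditional section begins
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Check the two hardening settings from the post. Prints one line per setting,
# returns 0 only if every setting has the expected value.
check_sshd_hardening() {
    cfg="$1"; rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key expected '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config for a stand-alone run (not a real server's file).
# PermitRootLogin appears twice; sshd will use the first one, prohibit-password.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
PermitRootLogin no
EOF
check_sshd_hardening "$demo" || echo "hardening incomplete: fix the first occurrence"
rm -f "$demo"
```

On the server itself the authoritative check is sudo sshd -T | grep -i -e passwordauthentication -e permitrootlogin, which prints the values after sshd has parsed everything. One caveat the script above does not cover: the 22.04 sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and because the first occurrence wins, a drop-in file there (cloud images often ship one that sets PasswordAuthentication yes) overrides whatever you edit lower down in sshd_config.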
Install and configure Fail2Ban
Install fail2ban:
sudo apt install -y fail2ban
fail2ban protects SSH by default, but I like to loosen the restrictions a bit, just in case I mess up:
sudo vi /etc/fail2ban/jail.d/defaults-debian.conf
Add the following lines to the [sshd] section:
logpath = /var/log/auth.log
maxretry = 10
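To see what that jail would react to, here is a small script I added for this post (it is mine, not fail2ban's code). It counts failed SSH logins per source address in auth.log-style lines and reports the sources at or above a threshold, which is the same signal fail2ban's sshd jail bans on once a source reaches maxretry. The sample log is constructed, using RFC 5737 test addresses rather than real hosts.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins per source in an auth.log.
# Assumes POSIX sh, awk and sort; the log path and threshold are arguments.

# Print "ip count", busiest first, for every source with at least $2
# failures in log file $1. Two common sshd line types are counted:
# "Failed password for ... from IP" and "Invalid user ... from IP";
# the address is always the word after "from".
failed_logins_by_ip() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= max) print ip, hits[ip] }
    ' "$1" | sort -k2,2nr
}

# Constructed sample log (written to stdout): 203.0.113.5 fails 12 times,
# 198.51.100.7 fails twice, and one legitimate key login is mixed in.
make_sample_log() {
    i=1
    while [ "$i" -le 12 ]; do
        echo "Mar  3 10:01:$(printf '%02d' "$i") box sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 52100 ssh2"
        i=$((i + 1))
    done
    echo "Mar  3 10:02:00 box sshd[1210]: Invalid user test from 198.51.100.7 port 41000"
    echo "Mar  3 10:02:01 box sshd[1210]: Failed password for invalid user test from 198.51.100.7 port 41000 ssh2"
    echo "Mar  3 10:03:00 box sshd[1220]: Accepted publickey for alice from 192.168.0.20 port 50000 ssh2: ED25519 SHA256:placeholder"
}

# Stand-alone demo: with maxretry = 10 only the first source is reported.
log=$(mktemp)
make_sample_log > "$log"
echo "Sources at or above maxretry=10:"
failed_logins_by_ip "$log" 10
rm -f "$log"
```

Point it at the real file with failed_logins_by_ip /var/log/auth.log 10 (as root, since auth.log is not world-readable) and compare the result with sudo fail2ban-client status sshd; a source listed by the script but not banned usually means the jail's logpath or filter is not picking those lines up.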
Configure PAM to email you any time someone successfully SSHs into your machine. If you SSH in a lot this may be noisy, but it can be a great first alert.
Install mailx with sudo apt install -y mailutils
Create an App Password for gmail:
Create a password file for postfix: sudo vi /etc/postfix/sasl/sasl_passwd
Add:
[smtp.gmail.com]:587 youremail@gmail.com:yourapppasswd
Lock down the file: sudo chmod 600 /etc/postfix/sasl/sasl_passwd
Modify postfix main.cf: sudo vi /etc/postfix/main.cf
Add the following:
mydestination =
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Feed the password file to postmap: sudo postmap /etc/postfix/sasl/sasl_passwd (this creates sasl_passwd.db next to it, which holds the same credentials and should be locked down with chmod 600 as well)
Restart postfix: sudo systemctl restart postfix
Send a test email to check:
echo "test email" | mailx -s "test email" myemail@gmail.com
If you received that email you're good to go. If not, check /var/log/mail.log to troubleshoot.
Install libpam-script: sudo apt install -y libpam-script (the pam_exec.so module used below is already part of the base libpam-modules package)
Make a scripts directory and create a script called ssh-notify.sh:
sudo mkdir /opt/scripts
sudo vi /opt/scripts/ssh-notify.sh
#!/bin/bash
# Recipient of the alert
EMAIL=youremail@gmail.com
# pam_exec runs this from sshd's PAM session hook, before the user's own environment exists,
# so take the login details from the PAM_* variables pam_exec exports (whoami would report
# root here, and $SSH_CONNECTION is not set yet). Only mail when a session opens, not when it closes.
[ "$PAM_TYPE" = "open_session" ] || exit 0
USER=$PAM_USER
IP=${PAM_RHOST:-unknown}
echo "User $USER logged in to server from IP:${IP}" | mailx -s "SSH Login to Server" "$EMAIL"
Make it executable: sudo chmod +x /opt/scripts/ssh-notify.sh
Modify the PAM config: sudo vi /etc/pam.d/sshd
Add to the end of the file:
session optional pam_exec.so seteuid /opt/scripts/ssh-notify.sh
Restart sshd: sudo systemctl restart sshd
Log in to your server via SSH and test receiving the email. If you don't get an email, check your /var/log/mail.log file again, and verify that your script is correct and that you restarted sshd.
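Before wiring the script into PAM, it is worth checking it without sshd, PAM or a mail relay in the loop. The harness below is something I added for this post, not part of the original: it defines a stub mailx that records the recipient, subject and body instead of sending, then sources the notify script in a subshell with the PAM_USER, PAM_RHOST and PAM_TYPE variables that pam_exec would set. The embedded copy of the notify script mirrors the one above with a placeholder recipient (youremail@example.com), and /opt/scripts/ssh-notify.sh is the path assumed from the post.

```shell
#!/bin/sh
# Added example: exercise the pam_exec notify script offline.
# Assumes POSIX sh; no mail is sent because mailx is replaced by a function.

# Write a copy of the notify script from the post to path $1 (placeholder recipient).
write_notify_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Copy of the notify script from the post, with a placeholder recipient.
EMAIL=youremail@example.com
[ "$PAM_TYPE" = "open_session" ] || exit 0
echo "User ${PAM_USER} logged in to server from IP:${PAM_RHOST:-unknown}" | mailx -s "SSH Login to Server" "$EMAIL"
EOF
}

# Stub mailx: record "args: <arguments>" followed by the message body in
# $CAPTURE instead of sending anything.
mailx() {
    printf 'args: %s\n' "$*" > "$CAPTURE"
    cat >> "$CAPTURE"
}

# Run notify script $1 as pam_exec would for user $2 from host $3 with
# PAM_TYPE $4, and print whatever the stub mailx captured. The script is
# sourced in a subshell rather than executed so the mailx function above
# stays visible to it; its "exit 0" only leaves the subshell.
simulate_login() {
    CAPTURE=$(mktemp)
    (
        PAM_USER="$2"; PAM_RHOST="$3"; PAM_TYPE="$4"
        . "$1"
    )
    cat "$CAPTURE"
    rm -f "$CAPTURE"
}

# Stand-alone demo with constructed values (203.0.113.9 is a documentation address).
script=$(mktemp)
write_notify_script "$script"
echo "--- open_session: expect one captured message ---"
simulate_login "$script" alice 203.0.113.9 open_session
echo "--- close_session: expect nothing ---"
simulate_login "$script" alice 203.0.113.9 close_session
rm -f "$script"
```

To test the real file instead of the embedded copy, run simulate_login /opt/scripts/ssh-notify.sh alice 203.0.113.9 open_session after defining the functions above; the first captured line then shows the exact recipient and subject your script passes to mailx.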
Register for and configure Ubuntu Pro to enable automatic security updates. This is free for personal use and highly recommended. I will not go over the details of the process but you can find out more here: