ubuntu-16.04-Initial Setup

ubuntu-16.04-Initial Setup

Please refer to the following steps done after initialize setup of ubuntu 16.04 server in VMware vSphere 6.5

A. Configure Static IP Address

sudo vi /etc/network/interfaces

Change the inet static and enter the IP Address

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens160
iface ens160 inet static
        address 192.168.1.230
        netmask 255.255.255.0
        gateway 192.168.1.1
        dns-nameservers 8.8.8.8 8.8.4.4

Restart the networking service

sudo systemctl restart networking.service

B. Change the password for root
Change the root password and switch to root

kwyong@ubuntu:~$ sudo passwd root
[sudo] password for kwyong:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
kwyong@ubuntu:~$ su -
Password:
root@ubuntu:~#

C. Change Hostname

#Change the Hostname
su -
echo "mylab.aventistech.info" > /etc/hostname
hostname -F /etc/hostname

Edit the host file with vi /etc/hosts to include 127.0.0.1 mylab.aventistech.info if the FQDN is not registered in the public DNS Server yet

D. Updates

apt-get update

Downloads the package lists from the repositories and “updates” them to get information on the newest versions of packages and their dependencies. It will do this for all repositories and PPAs

apt-get upgrade

Used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list

VMware Tool is NOT required as it is already installed and running

kwyong@ubuntu:~$ sudo apt-get install open-vm-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
open-vm-tools is already the newest version (2:10.0.7-3227872-5ubuntu1~16.04.2).
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
kwyong@ubuntu:~$ pgrep -l vmtoolsd
988 vmtoolsd

E. SSH Key-Based Authentication
Using MobaXterm in my Windows 10 Machine to generate the SSH Key

ssh-keygen -t rsa -b 2048 -C "ubuntu@Azure"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mobaxterm/.ssh/id_rsa.
Your public key has been saved in /home/mobaxterm/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jxuhWzjCqCEFGwQpzhvVwBaHc6ELwUDgiV+CtrEW1+8 debian9@Azure
The key's randomart image is:
+---[RSA 2048]----+
|X=.o=o.          |
|*oo*+o           |
|OB+o+.           |
|.OBo. .          |
|.+=.   .S        |
|.o o  .o +       |
|o . o +E+ .      |
|.o   . + o       |
|.     . .        |
+----[SHA256]-----+

id_rsa is the Private Key, and id_rsa.pub is the Public Key

ls /home/mobaxterm/.ssh
hostkeys     id_rsa       id_rsa.pub   known_hosts

Copy the Public Key to ubuntu 16.04 server

ssh-copy-id kwyong@192.168.1.230
The authenticity of host '192.168.1.230 (192.168.1.230)' can't be established.
RSA key fingerprint is SHA256:8YiLXPXKsztYWyQ1nRSozc3Nuqiv4xoLRqKW9HTZDII.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
kwyong@192.168.1.230's password:
Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'kwyong@192.168.1.230'"
and check to make sure that only the key(s) you wanted were added.

Disabled SSH Password-Base login

sudo vi /etc/ssh/sshd_config
   PasswordAuthentication no
sudo systemctl restart sshd

When you try to login from the terminal where there is no Private Key installed, you will see the error message below

ssh kwyong@192.168.1.230
Permission denied (publickey).

F. Fail2ban & Firewall
Fail2ban-It functions by monitoring intrusion attempts to your server and blocks the offending host for a set period of time. It does this by adding any IP addresses that show malicious activity to your firewall rules. it will ban a host for 10 minutes after 6 unsuccessful login attempts via SSH.(Default Setting)

#Install fail2ban
sudo apt-get install fail2ban
#verify that fail2ban is running 
sudo systemctl status fail2ban

ufw (Uncomplicated Firewall) – To manage the firewall

#add firewall rules 
sudo ufw allow ssh
sudo ufw allow http 
sudo ufw allow https
#Show firewall rules added 
sudo ufw show added 
#Enable Firewall 
sudo ufw enable 
#verify Firewall is running 
sudo ufw status 
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

Leave a Comment