Differences

This shows you the differences between two versions of the page.

--- secure_ubuntu_system:first_configuration [2016/12/07 12:14] – [Enable packet forwarding by the kernel] peter
+++ secure_ubuntu_system:first_configuration [2016/12/07 12:17] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Secure Ubuntu System - First Configuration ======
-===== Login =====
-Login to the newly installed system with your previously created Administrator's username and password (e.g. <color red>administrator</color> and <color red>adminpass</color>).
-===== Get root privileges (Optional) =====
-Because we must run all the next steps from this document with root privileges, we can either prepend all commands in this tutorial with the string **sudo**, or we become root right now by typing:
-<code bash>
-sudo -i
-</code>
-...and entering the Administrator's password, <color red>adminpass</color>.
-**IMPORTANT**:  If this is done, then remember to remove the **sudo** command from the front of any future issued command.
-<WRAP danger>
-**DANGER**:  Do __NOT__ use the following command:
-<code bash>
-sudo su
-</code>
-and do __NOT__ enable the root login by running:
-<code bash>
-sudo passwd root
-</code>
-and giving root a password.
-With these options one can log in as the root user, but this is frowned upon by the Ubuntu developers and community for various reasons.
-If for some reason the root account has been enabled then disable it again, issuing the following command:
-<code bash>
-sudo passwd -dl root
-</code>
-</WRAP>
-===== Backup the network interface file =====
-<code bash>
-cp /etc/network/interfaces /etc/network/interfaces.original
-</code>
-This is done for safety.  If the file becomes messed up the original can be restored.
-===== Configure the network =====
-Because the Ubuntu installer has configured the system to get its network settings via DHCP, we have to change that now because a server should have a static IP address.
-Change the following entry **iface eth0 inet dhcp** in the network interfaces file.
-Issue the following command:
-<code bash>
-sudo vi /etc/network/interfaces
-</code>
-and edit the file as follows:
-<file bash /etc/network/interfaces>
-# This file describes the network interfaces available on your system
-# and how to activate them. For more information, see interfaces(5).
-# The loopback network interface
-auto	lo
-iface	lo	inet loopback
-# The primary WAN interface
-auto	eth0
-iface	eth0	inet static
-		address		192.168.1.2
-		netmask		255.255.255.0
-		network		192.168.1.0
-		broadcast	192.168.1.255
-		gateway		192.168.1.1
-# dns-* options are implemented by the resolvconf package, if installed
-                dns-search      server1.sharewiz.net
-		dns-nameservers	192.168.1.201 192.168.1.202 8.8.8.8 8.8.4.4
-# The primary LAN interface
-auto	eth1
-iface	eth1	inet static
-		address		192.168.0.2
-		netmask		255.255.255.0
-		network		192.168.0.0
-		broadcast	192.168.0.255
-</file>
-<WRAP tip>
-==== IPv6 ====
-If using IPv6 then something like the following is needed:
-<file bash /etc/network/interfaces>
-### Start IPV6 static configuration
-auto  eth0
-iface eth0 inet6 static
-#pre-up    modprobe ipv6
-           address 1234:f000:2001:000a:0000:0000:0000:0010
-           netmask 64
-           gateway 1234:f000:2001:000a:0000:0000:0000:0001
-           dns-nameservers 2001:4860:4860::8844 2001:4860:4860::8888
-### END IPV6 configuration
-</file>
-</WRAP>
-The **dns-search** option should usually be the same domain as returned by **hostname -f**.
-<WRAP warning>
-**WARNING**: You cannot edit **/etc/resolv.conf** directly any more to add in nameservers.  Instead you need to specify your nameservers in your network configuration.  Use the command **man resolveconf** to find out more.
-Traditionally, the file /etc/resolv.conf was a static configuration file that rarely needed to be changed or automatically changed via DCHP client hooks.  Nowadays, a computer can switch from one network to another quite often and the resolvconf framework is now being used to track these changes and update the resolver's configuration automatically.  It acts as an intermediary between programs that supply nameserver information and applications that need nameserver information.  Resolvconf gets populated with information by a set of hook scripts related to network interface configuration.  The most notable difference for the user is that any change manually done to /etc/resolv.conf will be lost as it gets overwritten each time something triggers resolvconf.  Instead, resolvconf uses DHCP client hooks, and /etc/network/interfaces to generate a list of nameservers and domains to put in /etc/resolv.conf.
-</WRAP>
-<WRAP info>
-You may need to manually remove the DHCP record (lease) associated to this Ubuntu server from your DHCP server so the correct IP can be found by other machines on the network.  Use the command **dhclient -r** for this.
-You might also need to manually add a **HOST(A)** record to your DNS server (for <color red>server1.sharewiz.net</color>).
-By the way, <color red>8.8.8.8</color> and <color red>8.8.4.4</color> are Google's DNS servers.  208.67.222.222 and 208.67.220.220 could also be used.  They are the OpenDNS' DNS servers.
-Lines beginning with the word **auto** are used to identify the physical interfaces to be brought up when **ifup** is run with the **-a** option.  (This option is used by the system boot scripts.)  Physical interface names should follow the word **auto** on the same line.
-</WRAP>
-===== Enable packet forwarding by the kernel =====
-Issue the following command:
-<code bash>
-sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
-</code>
-and then:
-<code bash>
-sudo vi /etc/sysctl.conf
-</code>
-...and uncomment the line:
-<file>
-net.ipv4.ip_forward=1
-</file>
-To uncomment the line, simply remove the hash mark # from the front of the line.
-IP forwarding essentially turns your server into a router, and can be used as the server has multiple Network Interfaces (NICs).  It allows traffic from the internal network to be routed through the external network and vice-versa.  If traffic comes in on one network interface that matches a subnet of another network interface, that traffic will be forwarded to the other network interface.
-If using IPv6, then also uncomment the line:
-<file>
-net.ipv6.conf.all.forwarding=1
-</file>
-<WRAP safety>
-**SAFETY**:  When doing routing, security is a very important consideration.  It is essential that fire-walling and security measures are in place.  These requirements will be covered through instructions later on in this setup guide.
-</WRAP>
-===== Refresh sysctl =====
-Issue the following command:
-<code bash>
-sudo sysctl -p
-</code>
-**sysctl** is used to modify kernel parameters at runtime.
-===== Restart the Network =====
-To enable the new settings to be recognized, the network needs to be restarted.  Issue the following command:
-<code bash>
-sudo /etc/init.d/networking restart
-</code>
-<WRAP info>
-If this fails to restart the network then try using this command instead:
-<code bash>
-sudo systemctl restart network.service
-</code>
-or
-<code bash>
-sudo service networking restart
-</code>
-An error message such as this might be displayed, but can be ignored:
-<code>
-ERROR: Calling a sysvinit script on a system using upstart isn't supported.  Please use the 'service' command instead.
-</code>
-An alternative method to restart the network is using these commands:
-<code bash>
-sudo ifdown -a
-</code>
-then
-<code bash>
-sudo ifup -a
-</code>
-</WRAP>
-===== Check the network interfaces =====
-Issue the following commands:
-<code bash>
-ifconfig eth0
-ip address show eth0
-</code>
-<WRAP info>
-==== IPv6 ====
-If using IPv6 issue this command:
-<code bash>
-ip -6 address show eth0
-</code>
-</WRAP>
-Alternatively, issue the following command:
-<code bash>
-sudo mii-tool
-</code>
-...which should show something like:
-<code>
-eth0: no autonegotiation, 1000baseT-FD flow-control, link ok
-eth1: no autonegotiation, 1000baseT-FD flow-control, link ok
-</code>
-Ensure that all interfaces are shown.  If not, then revisit the above config changes around the network.
-In the example output above, we can see that both eth0 and eth1 have been picked up, so all well.
-===== Setup the Network Hosts File =====
-Edit the /etc/hosts file.  Issue the following command:
-<code bash>
-sudo vi /etc/hosts
-</code>
-and edit the file as follows:
-<file bash /etc/hosts>
-.0.0.1 localhost.localdomain localhost
-.168.0.2 server1.sharewiz.local
-.168.1.2 server1.sharewiz.net server1
-# The following lines are desirable for IPv6 capable hosts
-::1 localhost ip6-localhost ip6-loopback
-fe00::0 ip6-localnet
-ff00::0 ip6-mcastprefix
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-ff02::3 ip6-allhosts
-</file>
-Check the network config is working.  Issue the following command:
-<code bash>
-sudo ifconfig
-</code>
-and make sure the settings are correct.  If it's working then **eth0** should show the IP Address <color red>192.168.0.2</color>.
-**eth1** should also show the IP Address <color red>192.168.1.1</color>.
-One of the lines for each NIC should show **UP BROADCAST RUNNING MULTICAST**.
-===== Check the network is working =====
-Issue the following command:
-<code bash>
-sudo ping www.google.com
-</code>
-and make sure this is working.  If it's working then multiple lines should start something like:
-<code>
-bytes from …
-</code>
-Press <color green>CTRL-C</color> to cancel the pinging.
-<WRAP info>
-==== IPv6 ====
-To ping using IPv6 to an IPv6 enabled site such as ipv6.google.com:
-<code bash>
-ping6 ipv6.google.com
-</code>
-displays...
-<code>
-PING cyberciti.biz(ipv6.google.com) 56 data bytes
-bytes from ipv6.google.com: icmp_seq=1 ttl=60 time=65.3 ms
-bytes from ipv6.google.com: icmp_seq=2 ttl=60 time=64.2 ms
-bytes from ipv6.google.com: icmp_seq=3 ttl=60 time=63.9 ms
-bytes from ipv6.google.com: icmp_seq=4 ttl=60 time=63.9 ms
-bytes from ipv6.google.com: icmp_seq=5 ttl=60 time=64.1 ms
-bytes from ipv6.google.com: icmp_seq=6 ttl=60 time=64.0 ms
-bytes from ipv6.google.com: icmp_seq=7 ttl=60 time=64.0 ms
-</code>
-You can also run a traceroute to check the network is working:
-<code bash>
-traceroute6 ipv6.google.com
-</code>
-</WRAP>
-===== Set the hostname =====
-Issue the following command:
-<code bash>
-sudo sh -c "echo server1.sharewiz.net > /etc/hostname"
-</code>
-===== Restart the System =====
-To enable the new hostname settings to be recognized, restart the system.  Issue the following command:
-<code bash>
-sudo reboot
-</code>
-Once the system is rebooted simply login again and issue the **sudo -i** command to continue implementing the system.
-===== Check the Network Settings =====
-To enable the new network settings to be recognized, restart the system.  Issue the following commands:
-<code bash>
-sudo hostname
-</code>
-and
-<code bash>
-sudo hostname -f
-</code>
-Both should show <color red>server1.sharewiz.net</color> now.
-===== Use an SSH Client from now on =====
-It is better using a SSH Client to connect to the system than directly logging into the console.
-SSH Clients are not only usually quicker, but they also allows for scrolling and copying of text.  They often also allow commands to be pasted in, which could be copied from these directions.
-Examples of SSH Clients include Putty.
-===== Login using a SSH Client =====
-<code bash>
-ssh adminstrator@192.168.1.2
-</code>
-The terminal will show something like:
-<code>
-The authenticity of host '69.55.55.20 (69.55.55.20)' can't be established.
-ECDSA key fingerprint is 79:95:46:1a:ab:37:11:8e:86:54:36:38:bb:3c:fa:c0.
-Are you sure you want to continue connecting (yes/no)?
-</code>
-Go ahead and type **yes**, and then enter the password of the administrator, <color red>adminpass</color>.