====== Secure Ubuntu System - First Configuration ======
{{:secure_ubuntu_system:first_config.png?100|}}
===== Login =====
Log in to the newly installed system with the Administrator's username and password created earlier (e.g. administrator and adminpass).
----
===== Get root privileges (Optional) =====
Because all the remaining steps in this document must be run with root privileges, either prefix every command in this tutorial with **sudo**, or become root now by typing:
sudo -i
...and entering the Administrator's password, adminpass.
**IMPORTANT**: If you do this, remember to remove **sudo** from the front of every command issued from now on.
**DANGER**: Do __NOT__ use the following command:
sudo su
and do __NOT__ enable the root login by running:
sudo passwd root
and giving root a password.
With either of these, one can log in directly as the root user, which is discouraged by the Ubuntu developers and community for various reasons.
If for some reason the root account has been enabled then disable it again, issuing the following command:
sudo passwd -dl root
----
===== Backup the network interface file =====
cp /etc/network/interfaces /etc/network/interfaces.original
**NOTE:** This is done for safety. If the file becomes messed up, the original can be restored.
----
===== Configure the network =====
The Ubuntu installer configured the system to obtain its network settings via DHCP; change that now, because a server should have a static IP address.
Change the following entry **iface eth0 inet dhcp** in the network interfaces file.
Issue the following command:
sudo vi /etc/network/interfaces
and edit the file as follows:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary WAN interface
auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
# dns-* options are implemented by the resolvconf package, if installed
dns-search server1.sharewiz.net
dns-nameservers 192.168.1.201 192.168.1.202 8.8.8.8 8.8.4.4
# The primary LAN interface
auto eth1
iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
==== IPv6 ====
If using IPv6 then something like the following is needed:
### Start IPV6 static configuration
auto eth0
iface eth0 inet6 static
#pre-up modprobe ipv6
address 1234:f000:2001:000a:0000:0000:0000:0010
netmask 64
gateway 1234:f000:2001:000a:0000:0000:0000:0001
dns-nameservers 2001:4860:4860::8844 2001:4860:4860::8888
### END IPV6 configuration
The **dns-search** option should usually be the same domain as returned by **hostname -f**.
**WARNING**: You can no longer edit **/etc/resolv.conf** directly to add nameservers.
Instead you need to specify your nameservers in your network configuration. Use the command **man resolvconf** to find out more.
  * Traditionally, the file **/etc/resolv.conf** was a static configuration file that rarely needed to be changed, or was changed automatically via DHCP client hooks.
* Nowadays, a computer can switch from one network to another quite often and the resolvconf framework is now being used to track these changes and update the resolver's configuration automatically.
* It acts as an intermediary between programs that supply nameserver information and applications that need nameserver information.
* Resolvconf gets populated with information by a set of hook scripts related to network interface configuration.
  * The most notable difference for the user is that any change made manually to /etc/resolv.conf will be lost, as the file is overwritten each time something triggers resolvconf.
* Instead, resolvconf uses DHCP client hooks, and /etc/network/interfaces to generate a list of nameservers and domains to put in /etc/resolv.conf.
**NOTE:** You may need to manually remove the DHCP lease associated with this Ubuntu server from your DHCP server, so that other machines on the network find the correct IP.
Use the command **dhclient -r** on the server to release its lease.
You might also need to manually add a **HOST(A)** record to your DNS server (for server1.sharewiz.net).
By the way, 8.8.8.8 and 8.8.4.4 are Google's public DNS servers. 208.67.222.222 and 208.67.220.220, the OpenDNS servers, could also be used.
Lines beginning with the word **auto** are used to identify the physical interfaces to be brought up when **ifup** is run with the **-a** option. (This option is used by the system boot scripts.) Physical interface names should follow the word **auto** on the same line.
----
===== Enable packet forwarding by the kernel =====
Issue the following command:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
and then:
sudo vi /etc/sysctl.conf
...and uncomment the line:
net.ipv4.ip_forward=1
**NOTE:** To uncomment the line, simply remove the hash mark # from the front of the line.
IP forwarding essentially turns your server into a router, which is useful here because the server has multiple Network Interface Cards (NICs). It allows traffic from the internal network to be routed to the external network and vice versa: if traffic arriving on one interface is destined for the subnet of another interface, it is forwarded out through that other interface.
If using IPv6, then also uncomment the line:
net.ipv6.conf.all.forwarding=1
**SAFETY**: When routing, security is a very important consideration.
It is essential that firewalling and other security measures are in place.
These requirements are covered by instructions later in this setup guide.
----
===== Refresh sysctl =====
Issue the following command:
sudo sysctl -p
**sysctl** is used to modify kernel parameters at runtime.
----
===== Restart the Network =====
To enable the new settings to be recognized, the network needs to be restarted. Issue the following command:
sudo /etc/init.d/networking restart
If this fails to restart the network, try this command instead:
sudo systemctl restart networking.service
or
sudo service networking restart
An error message such as this might be displayed, but can be ignored:
ERROR: Calling a sysvinit script on a system using upstart isn't supported. Please use the 'service' command instead.
An alternative method to restart the network is using these commands:
sudo ifdown -a
then
sudo ifup -a
----
===== Check the network interfaces =====
Issue the following commands:
ifconfig eth0
ip address show eth0
==== IPv6 ====
If using IPv6 issue this command:
ip -6 address show eth0
Alternatively, issue the following command:
sudo mii-tool
...which should show something like:
eth0: no autonegotiation, 1000baseT-FD flow-control, link ok
eth1: no autonegotiation, 1000baseT-FD flow-control, link ok
In the example output above, we can see that both eth0 and eth1 have been picked up, so all is well.
**NOTE:** Ensure that all interfaces are shown. If not, then revisit the above config changes around the network.
----
===== Setup the Network Hosts File =====
Edit the /etc/hosts file. Issue the following command:
sudo vi /etc/hosts
and edit the file as follows:
127.0.0.1 localhost.localdomain localhost
192.168.0.2 server1.sharewiz.local
192.168.1.2 server1.sharewiz.net server1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Check the network config is working. Issue the following command:
sudo ifconfig
and make sure the settings are correct. If it's working then **eth0** should show the IP Address 192.168.0.2.
**eth1** should also show the IP Address 192.168.1.1.
One of the lines for each NIC should show **UP BROADCAST RUNNING MULTICAST**.
----
===== Check the network is working =====
Issue the following command:
sudo ping www.google.com
and make sure this is working. If it is working, several lines starting like this should appear:
64 bytes from …
Press CTRL-C to cancel the pinging.
==== IPv6 ====
To ping using IPv6 to an IPv6 enabled site such as ipv6.google.com:
ping6 ipv6.google.com
displays...
PING cyberciti.biz(ipv6.google.com) 56 data bytes
64 bytes from ipv6.google.com: icmp_seq=1 ttl=60 time=65.3 ms
64 bytes from ipv6.google.com: icmp_seq=2 ttl=60 time=64.2 ms
64 bytes from ipv6.google.com: icmp_seq=3 ttl=60 time=63.9 ms
64 bytes from ipv6.google.com: icmp_seq=4 ttl=60 time=63.9 ms
64 bytes from ipv6.google.com: icmp_seq=5 ttl=60 time=64.1 ms
64 bytes from ipv6.google.com: icmp_seq=6 ttl=60 time=64.0 ms
64 bytes from ipv6.google.com: icmp_seq=7 ttl=60 time=64.0 ms
You can also run a traceroute to check the network is working:
traceroute6 ipv6.google.com
----
===== Set the hostname =====
Issue the following command:
sudo sh -c "echo server1.sharewiz.net > /etc/hostname"
----
===== Restart the System =====
To enable the new hostname settings to be recognized, restart the system. Issue the following command:
sudo reboot
Once the system has rebooted, simply log in again and issue the **sudo -i** command to continue implementing the system.
----
===== Check the Network Settings =====
After the restart, check that the new hostname has been recognized. Issue the following commands:
sudo hostname
and
sudo hostname -f
Both should show server1.sharewiz.net now.
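The script below is an added example (not part of the wiki page) that cross-checks the interfaces, hosts and hostname files edited above: the eth0 stanza has a static address and gateway, dns-search equals the hostname, and the hosts file maps that hostname to the same address. It embeds constructed copies of the page's sample files so it runs offline; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: cross-check the three files this
# page has you edit (interfaces, hosts, hostname). The contents below are
# constructed samples taken from the page; replace them with
#   $(cat /etc/network/interfaces)  $(cat /etc/hosts)  $(cat /etc/hostname)
# to check a live system.
INTERFACES=$(cat <<'EOF'
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-search server1.sharewiz.net
dns-nameservers 192.168.1.201 192.168.1.202 8.8.8.8 8.8.4.4
EOF
)
HOSTS='127.0.0.1 localhost.localdomain localhost
192.168.1.2 server1.sharewiz.net server1'
HOSTNAME_FILE='server1.sharewiz.net'

# Print one option (address, gateway, dns-search ...) from an interface's
# stanza for one address family, so an inet6 stanza is not confused with inet.
iface_opt() {  # $1 = interface, $2 = family (inet|inet6), $3 = option
  printf '%s\n' "$INTERFACES" | awk -v key="$1 $2" -v opt="$3" '
    $1 == "iface" { cur = $2 " " $3 }
    cur == key && $1 == opt { print $2; exit }'
}
# Print the IP the hosts file maps a name to (first match, comments skipped).
hosts_ip() {  # $1 = host name
  printf '%s\n' "$HOSTS" | awk -v n="$1" '
    $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}
# Return 0 when every check passes, 1 otherwise, naming each failure.
check_config() {
  rc=0
  ip=$(iface_opt eth0 inet address)
  [ -n "$ip" ] || { echo "eth0 has no static inet address"; rc=1; }
  [ -n "$(iface_opt eth0 inet gateway)" ] || { echo "eth0 has no gateway"; rc=1; }
  [ "$(iface_opt eth0 inet dns-search)" = "$HOSTNAME_FILE" ] ||
    { echo "dns-search does not match /etc/hostname"; rc=1; }
  [ "$(hosts_ip "$HOSTNAME_FILE")" = "$ip" ] ||
    { echo "hosts file does not map $HOSTNAME_FILE to $ip"; rc=1; }
  return $rc
}
check_config && echo "network files are consistent"
```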
----
===== Use an SSH Client from now on =====
It is better to use an SSH client to connect to the system than to log in directly at the console.
SSH clients are usually quicker, and they also allow text to be scrolled and copied. They often also allow commands, such as those copied from these directions, to be pasted in.
Examples of SSH clients include PuTTY.
----
===== Login using a SSH Client =====
ssh administrator@192.168.1.2
The terminal will show something like:
The authenticity of host '69.55.55.20 (69.55.55.20)' can't be established.
ECDSA key fingerprint is 79:95:46:1a:ab:37:11:8e:86:54:36:38:bb:3c:fa:c0.
Are you sure you want to continue connecting (yes/no)?
Go ahead and type **yes**, and then enter the password of the administrator, adminpass.
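As an added example (not from the wiki page), the script below compares the fingerprint shown in a prompt like the one above with the fingerprint printed at the server's own console by ssh-keygen, so that **yes** is typed only when the two agree. The sample lines, the function names and the root@server1 key comment are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: before answering "yes", compare the
# fingerprint in the ssh prompt with the one printed at the server's console by
#   ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub        (older OpenSSH: MD5 hex)
#   ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ecdsa_key.pub (newer OpenSSH)
# The two sample lines are constructed from the page's example prompt.

# Pull the fingerprint token out of either kind of line: strip a leading
# "MD5:" and a trailing ".", lower-case colon-hex, keep SHA256 base64 as-is.
fingerprint_of() {  # $1 = prompt line or ssh-keygen output line
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) {
      t = $i; sub(/^MD5:/, "", t); sub(/\.$/, "", t)
      if (t ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/) { print tolower(t); exit }
      if (t ~ /^SHA256:/) { print t; exit }
    }
  }'
}

# Return 0 only when both lines carry the same, non-empty fingerprint.
fingerprint_matches() {  # $1 = ssh prompt line, $2 = console ssh-keygen line
  a=$(fingerprint_of "$1"); b=$(fingerprint_of "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

PROMPT='ECDSA key fingerprint is 79:95:46:1a:ab:37:11:8e:86:54:36:38:bb:3c:fa:c0.'
CONSOLE='256 MD5:79:95:46:1a:ab:37:11:8e:86:54:36:38:bb:3c:fa:c0 root@server1 (ECDSA)'
if fingerprint_matches "$PROMPT" "$CONSOLE"; then
  echo "fingerprint matches the console: answer yes"
else
  echo "fingerprint MISMATCH: answer no and check the host key at the console"
fi
```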
----
===== Continue =====
Continue to [[Secure Ubuntu System:Initial Configuration]]