====== Secure Ubuntu System - First Configuration ====== {{:secure_ubuntu_system:first_config.png?100|}} ===== Login ===== Login to the newly installed system with your previously created Administrator's username and password (e.g. administrator and adminpass). ---- ===== Get root privileges (Optional) ===== Because we must run all the next steps from this document with root privileges, we can either prepend all commands in this tutorial with the string **sudo**, or we become root right now by typing: sudo -i ...and entering the Administrator's password, adminpass. **IMPORTANT**: If this is done, then remember to remove the **sudo** command from the front of any future issued command. **DANGER**: Do __NOT__ use the following command: sudo su and do __NOT__ enable the root login by running: sudo passwd root and giving root a password. With these options one can log in as the root user, but this is frowned upon by the Ubuntu developers and community for various reasons. If for some reason the root account has been enabled then disable it again, issuing the following command: sudo passwd -dl root ---- ===== Backup the network interface file ===== cp /etc/network/interfaces /etc/network/interfaces.original **NOTE:** This is done for safety. If the file becomes messed up the original can be restored. ---- ===== Configure the network ===== Because the Ubuntu installer has configured the system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Change the following entry **iface eth0 inet dhcp** in the network interfaces file. Issue the following command: sudo vi /etc/network/interfaces and edit the file as follows: # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary WAN interface auto eth0 iface eth0 inet static address 192.168.1.2 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255 gateway 192.168.1.1 # dns-* options are implemented by the resolvconf package, if installed dns-search server1.sharewiz.net dns-nameservers 192.168.1.201 192.168.1.202 8.8.8.8 8.8.4.4 # The primary LAN interface auto eth1 iface eth1 inet static address 192.168.0.2 netmask 255.255.255.0 network 192.168.0.0 broadcast 192.168.0.255 ==== IPv6 ==== If using IPv6 then something like the following is needed: ### Start IPV6 static configuration auto eth0 iface eth0 inet6 static #pre-up modprobe ipv6 address 1234:f000:2001:000a:0000:0000:0000:0010 netmask 64 gateway 1234:f000:2001:000a:0000:0000:0000:0001 dns-nameservers 2001:4860:4860::8844 2001:4860:4860::8888 ### END IPV6 configuration The **dns-search** option should usually be the same domain as returned by **hostname -f**. **WARNING**: You cannot edit **/etc/resolv.conf** directly any more to add in nameservers. Instead you need to specify your nameservers in your network configuration. Use the command **man resolveconf** to find out more. * Traditionally, the file **/etc/resolv.conf** was a static configuration file that rarely needed to be changed or automatically changed via DCHP client hooks. * Nowadays, a computer can switch from one network to another quite often and the resolvconf framework is now being used to track these changes and update the resolver's configuration automatically. * It acts as an intermediary between programs that supply nameserver information and applications that need nameserver information. * Resolvconf gets populated with information by a set of hook scripts related to network interface configuration. * The most notable difference for the user is that any change manually done to /etc/resolv.conf will be lost as it gets overwritten each time something triggers resolvconf. * Instead, resolvconf uses DHCP client hooks, and /etc/network/interfaces to generate a list of nameservers and domains to put in /etc/resolv.conf. **NOTE:** You may need to manually remove the DHCP record (lease) associated to this Ubuntu server from your DHCP server so the correct IP can be found by other machines on the network. Use the command **dhclient -r** for this. You might also need to manually add a **HOST(A)** record to your DNS server (for server1.sharewiz.net). By the way, 8.8.8.8 and 8.8.4.4 are Google's DNS servers. 208.67.222.222 and 208.67.220.220 could also be used. They are the OpenDNS' DNS servers. Lines beginning with the word **auto** are used to identify the physical interfaces to be brought up when **ifup** is run with the **-a** option. (This option is used by the system boot scripts.) Physical interface names should follow the word **auto** on the same line. ---- ===== Enable packet forwarding by the kernel ===== Issue the following command: sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" and then: sudo vi /etc/sysctl.conf ...and uncomment the line: net.ipv4.ip_forward=1 **NOTE:** To uncomment the line, simply remove the hash mark # from the front of the line. IP forwarding essentially turns your server into a router, and can be used as the server has multiple Network Interfaces (NICs). It allows traffic from the internal network to be routed through the external network and vice-versa. If traffic comes in on one network interface that matches a subnet of another network interface, that traffic will be forwarded to the other network interface. If using IPv6, then also uncomment the line: net.ipv6.conf.all.forwarding=1 **SAFETY**: When doing routing, security is a very important consideration. It is essential that fire-walling and security measures are in place. These requirements will be covered through instructions later on in this setup guide. ---- ===== Refresh sysctl ===== Issue the following command: sudo sysctl -p **sysctl** is used to modify kernel parameters at runtime. ---- ===== Restart the Network ===== To enable the new settings to be recognized, the network needs to be restarted. Issue the following command: sudo /etc/init.d/networking restart If this fails to restart the network then try using this command instead: sudo systemctl restart network.service or sudo service networking restart An error message such as this might be displayed, but can be ignored: ERROR: Calling a sysvinit script on a system using upstart isn't supported. Please use the 'service' command instead. An alternative method to restart the network is using these commands: sudo ifdown -a then sudo ifup -a ---- ===== Check the network interfaces ===== Issue the following commands: ifconfig eth0 ip address show eth0 ==== IPv6 ==== If using IPv6 issue this command: ip -6 address show eth0 Alternatively, issue the following command: sudo mii-tool ...which should show something like: eth0: no autonegotiation, 1000baseT-FD flow-control, link ok eth1: no autonegotiation, 1000baseT-FD flow-control, link ok In the example output above, we can see that both eth0 and eth1 have been picked up, so all well. **NOTE:** Ensure that all interfaces are shown. If not, then revisit the above config changes around the network. ---- ===== Setup the Network Hosts File ===== Edit the /etc/hosts file. Issue the following command: sudo vi /etc/hosts and edit the file as follows: 127.0.0.1 localhost.localdomain localhost 192.168.0.2 server1.sharewiz.local 192.168.1.2 server1.sharewiz.net server1 # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts Check the network config is working. Issue the following command: sudo ifconfig and make sure the settings are correct. If it's working then **eth0** should show the IP Address 192.168.0.2. **eth1** should also show the IP Address 192.168.1.1. One of the lines for each NIC should show **UP BROADCAST RUNNING MULTICAST**. ---- ===== Check the network is working ===== Issue the following command: sudo ping www.google.com and make sure this is working. If it's working then multiple lines should start something like: 64 bytes from … Press CTRL-C to cancel the pinging. ==== IPv6 ==== To ping using IPv6 to an IPv6 enabled site such as ipv6.google.com: ping6 ipv6.google.com displays... PING cyberciti.biz(ipv6.google.com) 56 data bytes 64 bytes from ipv6.google.com: icmp_seq=1 ttl=60 time=65.3 ms 64 bytes from ipv6.google.com: icmp_seq=2 ttl=60 time=64.2 ms 64 bytes from ipv6.google.com: icmp_seq=3 ttl=60 time=63.9 ms 64 bytes from ipv6.google.com: icmp_seq=4 ttl=60 time=63.9 ms 64 bytes from ipv6.google.com: icmp_seq=5 ttl=60 time=64.1 ms 64 bytes from ipv6.google.com: icmp_seq=6 ttl=60 time=64.0 ms 64 bytes from ipv6.google.com: icmp_seq=7 ttl=60 time=64.0 ms You can also run a traceroute to check the network is working: traceroute6 ipv6.google.com ---- ===== Set the hostname ===== Issue the following command: sudo sh -c "echo server1.sharewiz.net > /etc/hostname" ---- ===== Restart the System ===== To enable the new hostname settings to be recognized, restart the system. Issue the following command: sudo reboot Once the system is rebooted simply login again and issue the **sudo -i** command to continue implementing the system. ---- ===== Check the Network Settings ===== To enable the new network settings to be recognized, restart the system. Issue the following commands: sudo hostname and sudo hostname -f Both should show server1.sharewiz.net now. ---- ===== Use an SSH Client from now on ===== It is better using a SSH Client to connect to the system than directly logging into the console. SSH Clients are not only usually quicker, but they also allows for scrolling and copying of text. They often also allow commands to be pasted in, which could be copied from these directions. Examples of SSH Clients include Putty. ---- ===== Login using a SSH Client ===== ssh adminstrator@192.168.1.2 The terminal will show something like: The authenticity of host '69.55.55.20 (69.55.55.20)' can't be established. ECDSA key fingerprint is 79:95:46:1a:ab:37:11:8e:86:54:36:38:bb:3c:fa:c0. Are you sure you want to continue connecting (yes/no)? Go ahead and type **yes**, and then enter the password of the administrator, adminpass. ---- ===== Continue ===== Continue to [[Secure Ubuntu System:Initial Configuration]]