1st, kudos to bluelock for providing an Ubuntu template for use on their beta vCloud. Taking a stock Ubuntu template provided to Lucid costs about 2 bucks, that is, if they were charging us. Thanks guys!
With that out of the way let’s get to the meat, if you’re deploying an ubuntu vm from the current template (as of 10Mar10) there are a few security items I’d address right out of the gates after deploying a new VM.
From the console, after logging in with the provided account information:
0) turn on the firewall
sudo ufw enable
This will disable all inbound connections, and set the firewall to start automatically on boot. We’ll go back and selectively open ports later.
1) create a new user.
In order to create a new user, from the command line, do the following:
sudo adduser
answer the questions asked about the user, (this is you btw). As we’ll be deleting the default user account, you’ll want to make sure that this new user is in the admin group, so that you can have sudo access.
sudo usermod -g admin
Verify this worked by logging out, and logging in as your new user. (exit will log you out at this point)
Once you’re logged back in as your new user, type:
sudo -l -S
you should see the response that looks like this:
User
(ALL) ALL
with that done,
2) delete the default bluelock user.
sudo userdel express
3)disable root ssh access
I’m not sure why this is enabled by default, but certainly go in and edit your sshd.conf, look for the # Authentication: section, and disable the root account from being able to log in remotely via ssh.
sudo nano /etc/ssh/sshd_config
and change:
PermitRootLogin yes
to
PermitRootLogin no
4)change the root password
Call me paranoid, but at this point I want to ensure that this template’s root account has a different root password than all the other ones that are deployed in bluelock.
sudo su -
at this point, you’ll be root, to change the password, I suggest using the following website: https://www.grc.com/passwords.htm copy the bottom option (yes all of it) and type:
passwd
and when prompted enter that long string. You won’t be using it again, so don’t worry what it is. (thus the power of sudo)
5)Change the default root mysql password
You’ll want to follow the recommended procedure from bluelock and change your default mysql root password as well.
sudo dpkg-reconfigure mysql-server-5.0
5)check for updates
Get used to using aptitude. It rocks. I know, I know, apt-get works, but aptitude is the way to go.
sudo aptitude update
Once your available package information has been updated, upgrade!
sudo aptitude upgrade
or combine the two together:
sudo aptitude update && sudo aptitude upgrade
select yes, and grab a cup of coffee. This may take a few minutes. (BlueLock does have fat pipes, so this won’t take THAT long.)
wait? what about my firewall?
oh that’s right. we want to enable access to some services now that we’ve taken care of some security stuff. Get familar with the ufw commands. This is a great simple firewall that ships by default with ubuntu now.
Let’s enable ssh and http access (as bluelock does ship their current ubuntu template with apache2 installed)
sudo ufw enable ssh
sudo ufw enable http
and let’s verify what we’ve enabled
sudo ufw status
should return something like:
status: active
and a list of ports that are open.
Break Break
Couple of thoughts, I always move away from password based ssh logins to key based. Rather than recreate the wheel, here’s a good tutorial that I use as well: http://www.debuntu.org/ssh-key-based-authentication
At this point we’re at a point where we’ve deployed a secure platform to move forward from. If you want to upgrade to a newer version of ubuntu read on!
6)upgrade!
Once you’ve applied all your updates, here’s the command to go out and see if there’s a newer version of ubuntu available:
sudo do-release-upgrade
if you want to to check for development versions of Ubuntu, use:
sudo do-release-upgrade -d
7)rinse and repeat
At this time, you can update and upgrade to your heart’s content to get to whatever version of Ubuntu you’re looking for. I recommend doing the upgrade through the console to avoid any issues that may arise doing it via ssh.
Thanks for reading!
(This has also been reposted over in the Tips, Tricks, Tutorials section of the BlueLock Forum)