It has been a while since I had the time to tinker around and to work on my pet project. So to get back into hacking mode or tinkering mode, I decided to proceed with my RPI-based home sensor network project.
So to get back on track and to boost my motivation, I decided yesterday evening to order a basic Ubuntu 18.04 LTS VM from ServerBase.ch for testing and development purposes.
I decided to go for the
SSD VPS - SSD1 G4 offering, which provides
one vCPU, 2 GB RAM, and 20GB SSD storage. Depending on the invoicing interval
you choose, you pay monthly 10.90 CHF, 9.90 CHF, 8.90 CHF.
To my surprise, I found this morning an email in my inbox saying that my ordeded VM
was already ready and running since 3 am.
To be honest I didn't expect to have a running VM on sunday morning to mess around with.
Well, it was also interesting to see the logs in
/var/log/auth.log once I logged
into the system via ssh.
As one can see in the logs below, it took only 15 minutes once some bots tried
to ssh into the VM using the user
Dec 9 03:14:12 yux sshd: Invalid user admin from 22.214.171.124 port 51607 Dec 9 03:53:05 yux sshd: Invalid user admin from 126.96.36.199 port 33330 Dec 9 09:56:51 yux sshd: Invalid user admin from 188.8.131.52 port 50219 Dec 9 10:56:40 yux sshd: Invalid user admin from 184.108.40.206 port 42406 Dec 9 17:58:34 yux sshd: Invalid user admin from 220.127.116.11 port 50604
Anyway, to cut a long story short, I reinstalled the VM with the help of the ServerBase dashboard, and I did mess around with the VM, and documented at the same time my configuration steps for a sane initial ServerBase Ubuntu VM.
Per default a fresh Ubuntu vserver on ServerBase has a very relaxed SSH access policy. For example, the root user is allowed to SSH into the VM via the root password. Moreover, the system locales are set to Swiss German. Last but not least, the grub settings are tweaked so grub boots faster.
So my steps to configure the VM to my liking were as follows:
1) Add a custom sudo user. 2) Setup SSH pubkey authentication for the custom user. 3) Disable SSH password authentication and ssh root login. 4) Update the system and upgrade the packages via apt. 5) Setup automatic updates and install fail2ban 6) Install helpful packages such as vim, tmux, zsh etc. 7) Change the system locales to US english.
1) Add a custom sudo user
In a next step, we add a sudo user, so we don't need the root account anymore:
# adduser alex --gecos '' # adduser alex sudo
2) Setup SSH pubkey authenitcation
Next, we setup passwordless login using SSH public/private keys.
For this reason, we generate a SSH key pair as shown below:
ssh-keygen -b 4096 -t rsa
Once we have generate the keys, we need to copy the public key to our virtual server.
This can be easily done with help of
ssh-copy-id -i ~/.ssh/id_rsa.pub alex@some-ip-addr
3) Disable password authentication and root ssh access
Edit the file
/etc/ssh/sshd_config/ and change it as follows:
PermitRootLogin no #edited line to no # custom changes Protocol 2 StrictModes yes PasswordAuthentication no PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys AllowUsers alex
After that change, reboot the system:
4) Update the system
sudo apt update sudo apt upgrade sudo apt full-upgrade sudo apt autoremove
5) Setup automatic updates and install fail2ban
To keep the system secure and up-to-date, one can install the
package via apt:
sudo apt install unattended-upgrades
Moreover, we install
sudo apt install fail2ban
6) Install helpful packages
sudo apt install vim tmux htop tree zsh git
Lastly, we install
sh -c "$(wget https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh -O -)"
7) Change the system locales
Per default, it seems that ServerBase Ubuntu 18.04 VMs are configured with Swiss German locales. I don't like that :D. Thus, let's change that and use US English UTF-8 locales instead.
sudo dpkg-reconfigure locales
After that reboot or open a new terminal.
That's it for now. The VM is running and is more or less secured. The next steps involve installing environments like node.js, ruby, and deploying some custom applications for my home sensor network monitoring projects.