Categories
blogs

Ubuntu 18 : Enable ssh keys, disable ssh passwords

This is a two-step howto, and this is how I do it. Do it in this order to avoid issues.

Before you begin, make sure you have read the other blog posts, where I explain how to add a super user to the system, and disable root from logging into the ssh service.

The first step is to enable ssh keys for logging in to ssh. Then we are going to disable logging in with passwords.

On your client computer, create an ssh key pair. There are enough tutorials online for this. Here’s one: https://github.com/settings/keys

Once you have a local key, it’s time to copy the public id to the remote server.

Note: if you have changed the default ssh port from 22 to something else, you have to specify it.

The easiest way is to use ssh-copy-id, but you can also do this manually.

Note: I strongly recommend having a user that can sudo up already logged in to the server over ssh, so you can fix any issues if you end up locking yourself out.

ssh-copy-id -p 22555 floris@example.com

ssh-copy-id may or may not be installed on your system; if it says program not found, you have to do it manually.

-p 22555 is the ssh port; it’s 22555 in this example because it has been changed from the default.

floris@example.com is the ssh username and host address to connect to.

Follow the on-screen instructions. If it asks for a password, it’s the password of the user on the remote host you’re trying to log in with. If it asks for the keyphrase, then it is probably the ssh keyphrase you set for the key pair when you created it.

When done, do not log out yet of the earlier logged in ssh session. Instead, open a new terminal window or tab, and ssh back in with something like ssh floris@example.com -p 22555

It should log you in automatically, or if your ssh key has a keyphrase, it will ask for this. It will no longer ask you for the password.

If this was successful, it’s time for step 2, to disable users from logging in with a password (prevent brute force attacks).

sudo nano /etc/ssh/sshd_config

Find:

#PasswordAuthentication yes

Note how there’s sometimes a # character in front of the line? Remove this # character so the line is no longer commented out.

Change it to:

PasswordAuthentication no

And save your changes.

Now restart the ssh daemon service.

service ssh restart

And try it all again. It should work.

Mega oops! You’ve logged yourself out? If that happened, something went wrong. Most hosting providers have a control panel with a serial console. Log in there with your root account and fix your changes.

If all went well, you can ssh into the server without having to log in (or log in with a keyphrase if set), but logging in to the server with the password should no longer work. If you’ve followed the other blog entries, you shouldn’t be able to log in as root at all anymore at this point.
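The post says you can also copy the public key manually when ssh-copy-id is missing. Here is an added example of what that manual step does, written for this page and not taken from the original post: it creates ~/.ssh with the permissions sshd insists on (700 on the directory, 600 on authorized_keys), appends the key only if it is not already there, and counts the keys afterwards so you can verify the result. The key file name id_ed25519.pub and the sample key line in the test are assumptions; the port and user are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the blog post): install a public key into a user's
# authorized_keys by hand, the way ssh-copy-id does it.
# HOME_DIR is the target user's home directory; PUBKEY is one public-key line.
install_pubkey() {
    home_dir="$1"
    pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # sshd refuses keys from a directory or file that is group/world readable,
    # so set the permissions explicitly instead of trusting the umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # grep -qxF matches the whole line literally, so running this twice
    # (or ssh-copy-id after it) does not add the same key again.
    if grep -qxF -- "$pubkey" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Count the keys currently authorised for a home directory, ignoring blank
# lines and comments. Handy to check that exactly the keys you expect are there.
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -cvE '^[[:space:]]*(#|$)' "$f" || true
}

# Remote use, typed on the client: pipe the local public key over the
# existing session and do the same steps on the server side. The key file
# name is an assumption; the port and user are the ones used in the post.
# cat ~/.ssh/id_ed25519.pub | ssh -p 22555 floris@example.com \
#   'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
```

When the key login still fails after this, the permissions are the first thing to check: sshd logs a "bad ownership or modes" line to the auth log and silently falls back to asking for a password, which is why the post tells you to keep the first session open.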



Ubuntu 18 : Disable ssh root login

After the initial setup of your Ubuntu 18 server, which includes adding a couple of new users and at least one super user that can sudo up, it’s time to prevent the root user from being able to log in over ssh. The root username is a known default, so it doesn’t have to be guessed.

Note: Another blog post will discuss how to change the default ssh port.

ssh into your server with a user that can sudo up; once connected, type:

nano -w /etc/ssh/sshd_config

Within this file find (you could use control+w):

PermitRootLogin yes

Note: If there’s a # in front of this line, remove the # character.

Change the yes to no:

PermitRootLogin no

Save the file (control+x to exit out)

You’ve customized the ssh daemon configuration file, but before we restart the service, I do recommend being logged in with a non-root account, preferably in a second ssh session, in case you get kicked out due to these changes (but you should be fine).

When you’re ready to restart the ssh service, type:

service ssh restart

It will look like this:

root@server:~# service ssh restart
root@server:~#

In a new terminal window or tab, try to ssh back into the server as root. It will appear to work, but even upon entering the correct password you will get the message Permission denied.

Then go test with the sudo user, ssh in and it should work. If not, undo your change, restart ssh and fix your error.

floris@iMac ~ % ssh root@example.com -p 22
root@example's password:
Permission denied, please try again.
root@example's password: ^c
floris@iMac ~ %
floris@iMac ~ % ssh floris@example.com -p 22
floris@example's password:
Welcome to this Ubuntu server.
Last login: a minute ago from this.ip.address
floris@server:~$ sudo su -
[sudo] password for floris:
root@server:~#

Yay, it’s all good. Maybe in another blog post I will explain how to update the ssh daemon service to not allow passwords to login, and require the ssh key to do so. But first, let’s change the default ssh port. Which I will also explain in a different blog post.
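Both this post and the one on disabling password logins come down to the same edit: find a directive in /etc/ssh/sshd_config that may be commented out, uncomment it, and set its value. The following added example, written for this page and not part of the original posts, does that edit by hand for any directive and handles the cases the posts warn about: the line commented out with a leading #, the line present with another value, or the line missing entirely. It also reads the effective value back, and wraps the sshd -t syntax check that is worth running before service ssh restart. The sample sshd_config contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the blog posts): set one sshd_config directive.
# CFG is the config file, KEY the directive name, VALUE the wanted value.
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    tmp="$cfg.tmp.$$"
    # sshd uses the first uncommented occurrence of a keyword, so a second
    # copy added at the end of the file would be ignored. We therefore drop
    # every copy (commented or not, case-insensitive) in the global section
    # and write exactly one. Directives after a "Match" line belong to that
    # block, so the new line is placed before the first Match and anything
    # inside Match blocks is left untouched.
    awk -v key="$key" -v value="$value" '
    BEGIN { lkey = tolower(key); done = 0 }
    {
        if (!done && tolower($1) == "match") { print key " " value; done = 1 }
        if (!done) {
            stripped = tolower($0)
            sub(/^[ \t]*#?[ \t]*/, "", stripped)
            split(stripped, f, /[ \t=]+/)
            if (f[1] == lkey) next
        }
        print
    }
    END { if (!done) print key " " value }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the effective global value of a directive (first uncommented match
# before any Match block, as sshd reads it); prints nothing if unset.
get_sshd_option() {
    cfg="$1"; key="$2"
    awk -v key="$key" '
    BEGIN { lkey = tolower(key) }
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    NF >= 2 && tolower($1) == lkey { print $2; exit }
    ' "$cfg"
}

# Run this before "service ssh restart": sshd -t only parses the file and
# exits non-zero on an error, so a typo does not take the daemon down with
# your only session attached.
check_sshd_config() {
    cfg="$1"
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$cfg"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# Usage on the server (as a sudo user), reproducing the two posts:
#   sudo sh -c '. ./sshd_option.sh; set_sshd_option /etc/ssh/sshd_config PermitRootLogin no'
#   sudo sh -c '. ./sshd_option.sh; set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no'
#   sudo sh -c '. ./sshd_option.sh; check_sshd_config /etc/ssh/sshd_config' && sudo service ssh restart
```

Before restarting, diff the file against a copy you made first (cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak) so you can see that only the intended lines changed; if you get locked out anyway, restoring that copy from the provider's serial console and restarting ssh is the fix.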


Ubuntu 18 : Install nano text editor

I’ve always preferred using nano over pico, and pico over vi, and vi for very low level file editing.

Anyway: nano for most things. But it’s not installed by default on Ubuntu 18.

And after getting a new VPS you probably have quite some configuration file editing to do, and in my blog posts I tend to say “and then just nano the file..”

Go ssh into your server with a sudo user.

ssh floris@example.com -p 22

and type:

sudo apt-get install nano

Enter the account’s password and follow the on-screen instructions. Once installed you can type nano -v to check if it’s actually installed.

Usually you can just type this to open a file:

nano file.txt

But to not wrap long lines, which sometimes can really help:

nano -w file.txt

I hope this helps you get started with how to install nano text editor on Ubuntu 18.


Ubuntu 18 : Add new super user

Once you’ve ssh’d into the VPS as the root user, it’s time to add more users to the system. One for the day-to-day stuff, and one for server management related stuff. The first is what we consider an unprivileged user; the other is sometimes referred to as a sudo user.

As user root, type:

adduser floris

Go through the steps; generally you can just press enter until you’re done. But of course, when it asks for a password, set one.

root@server:~# adduser floris
Adding user `floris' ...
Adding new group `floris' (1000) ...
Adding new user `floris' (1000) with group `floris' ...
Creating home directory `/home/floris' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for floris
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
root@server:~#

Note: By default you can ssh into the box on the default port, using the password. I do recommend checking my other blog posts about how to configure the server to no longer allow root to log in, to grant access to (certain) accounts, and to require an ssh key to log in instead of a password. For now, I am going to skip that in this blog post.

Repeat the adduser step until you’ve added all the users you want. We will be using floris as the example to add as a super user.

The users now have regular account privileges; we need to escalate at least one of them so we can sudo with it and use it to manage the server.

In Ubuntu 18 there’s a default sudo group; we need to add the user to this group and they will be able to prefix commands with sudo to run them as a super user.

usermod -aG sudo floris

And we’re done.

root@server:~# usermod -aG sudo floris
root@server:~#

You can check who the sudo users are with this command:

root@server:~# getent group sudo | cut -d: -f4
floris
root@server:~#

Now you can stay logged in as root, then open another tab in your terminal and make a new ssh connection to the server using this newly created user. The new user/pass combo should work.

You can also type the following to see if your new user can sudo up:

sudo su -

It will look like this; the password is your sudo user’s password, not your root password.

floris@server:~$ sudo su -
[sudo] password for floris:
root@server:~# exit
floris@server:~$

Okay, the next step in my opinion would be to change the default port on ssh, install a firewall and block all ports, except the ones you really need. But that’s something for another blog post.
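The post checks who can sudo up with getent group sudo | cut -d: -f4. As an added example (written for this page, not part of the original post), here is that audit done carefully enough to rely on: it matches member names exactly (a plain grep for floris would also match a user called florisa), and it also finds users whose primary group in the passwd database is the sudo group, who do not appear in the member list at all. The functions read files in /etc/group and /etc/passwd format so they can be run against a constructed sample; on a real box pass /etc/group and /etc/passwd. The user names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the blog post): list everyone who is effectively a
# member of a group, from files in /etc/group and /etc/passwd format.
# GROUP_SRC: group file, PASSWD_SRC: passwd file, GROUP: group name (default sudo).
sudo_members() {
    group_src="$1"; passwd_src="$2"; group="${3:-sudo}"
    # Look up the numeric gid first; an unknown group simply has no members.
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$group_src")
    [ -n "$gid" ] || return 0
    {
        # Secondary members: the comma-separated 4th field of the group line.
        awk -F: -v g="$group" '
            $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
        ' "$group_src"
        # Primary members: accounts whose login gid (4th passwd field) is this group.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_src"
    } | sort -u
}

# Exit 0 if USER is effectively in GROUP (default sudo), 1 otherwise.
# grep -x forces a whole-line match, so "floris" does not match "florisa".
is_group_member() {
    group_src="$1"; passwd_src="$2"; user="$3"; group="${4:-sudo}"
    sudo_members "$group_src" "$passwd_src" "$group" | grep -qx -- "$user"
}

# Usage on the server:
#   sudo_members /etc/group /etc/passwd
#   is_group_member /etc/group /etc/passwd floris && echo "floris can sudo"
```

Ubuntu's stock /etc/sudoers also grants sudo to the admin group, so run sudo_members /etc/group /etc/passwd admin as well when you audit a box, and treat any name you did not add yourself as something to investigate.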


Ubuntu 18 lts : Barebone first login

This is a small reminder that once you get a VPS with a provider (like RAMNode, etc.), you should not forget to do a few things.

There’s of course the software (daemons, services, servers, tools, commands, etc) that you wish to install to get to your end goal (run a game server, or a website).

But privacy, security, and keeping current, is important.

If you can, go with the latest lts of Ubuntu; for us currently that’s 18 (even though 20 is out).

And even before you log in as the root user, read the welcome email from your provider. Remember: your root password is usually in that email. So step 1 is not to install an Apache web server, or Java for a Minecraft server. It’s to get into the control panel of your host and change the root password.

We will use other blog posts soon where we talk about preventing root from even logging in, to add a basic firewall, add a sudo user, etc. Before we get to that, follow the instructions from your host to get to their control panel, and find out how to change the root password.

Go to 1Password or whatever password manager you have, and note down the host/ip, the ssh port, the url to the control panel, the root user and pass, and the now changed user/pass. This way you don’t have to depend on that welcome email. You could even remove it (archive it in 1Password if you so desire). So if your email ever gets compromised, they can’t get into the VPS at least.

Ok, now it’s time to make that first connection.

ssh root@example.com -p 22

It will ask you some information. And hopefully you get into the system.

Step 1 is done, you confirmed root login works, and that it works with the new password. And that you’ve taken note of this in 1Password.

Step 2 is next, and that’s to keep the system current. This is as simple as typing the following commands into Ubuntu as root user:

apt-get update

when that’s done:

apt-get upgrade

When this asks Y/n questions, answer Y for yes, to update things.

And now when this is done, you’re ready for the next step, which is to add additional users to the system. One for maybe web stuff, or a game server, another one for everyday server management (a sudo user). I will try to make another blog entry on how to do that. And after that we have to change the ssh port, and remove the option for root to login through ssh. Then add a firewall, etc.

I hope this helps. These first steps on getting started with a barebone Ubuntu box have worked on everything from the old 14 32-bit to the 20 64-bit versions of Ubuntu.


New server

Just so I can tell that this is on the new one.


Dad, I miss you

🙁


Torguard VPN Promo Code FLORIS 50% off

Hey everybody, here we are with something I want to share with my friends and family.

For a while now I have been using Torguard, and if you know me: you know I value privacy and security.

Hopefully you already have an ad-blocker that removes the following URL because it’s actually an affiliate link; I am in that case quite proud of you. But if you see the below URL you will notice it’s an affiliate link. I’ve posted it on my blog before when I am talking about VPN and its importance.

But this time I want to thank you for visiting my site and give you a unique 50% off coupon code for life. Yep, if you follow my link, and then during sign up you use the torguard coupon code FLORIS, you get the same VPN service I am using; 50% off.

Here’s my affiliate link:

Torguard VPN Coupon Code FLORIS 50% off for life

Enjoy browsing the web a little bit safer.

Note: Like I mentioned before, if you don’t see the affiliate link, your browser and/or ad-blocker might obviously be blocking it. Try: https://bit.ly/2NJxELd


mournfulness

But not 12.

I will carry you with me, Sasha, because you helped with the others to be one.

“Before we were born we had no feeling; we were one with the universe. This is called “mind-only,” or “essence of mind,” or “big mind,” After we are separated by birth from this oneness, as the water falling from the waterfall is separated by the wind and rocks, then we have feeling. You have difficulty because you have feeling. You attach to the feeling you have without knowing just how this kind of feeling is created. When you do not realise that you are one with the river, or one with the universe, you have fear. Whether it is separated into drops or not, water is water. Our life and death are the same thing. When we realise this fact we have no fear of death anymore, and we have no actual difficulty in our life.” – Shunryu Suzuki


Happy birthday Sasha, you are 11 now.

Geesh, I still remember when she curiously walked around the living room for the first time and jumped on my lap and gave me a cuddle. She was not even a year old. And now ten years later she is 11 and still giving me cuddles. She might be an old-age kitty now, or at least an adult. But she’s still my little kitty.

Happy birthday Sasha (@Sashapurr on twitter btw), you’re 11 years old now (wait, is that about 60 in human years? holy crap)

Time to spoil you with gifts and snacks this month.


They’re just not willing to work on it

and when the importance of the situation isn’t recognized, then either I am putting too much effort into it, or they’re not seeing where it can lead to. It sucks so much.

The frustration of forcing yourself to get over something and lowering your guard just to get steps to moving forward, .. being rewarded with stubborn pushback .. It just doesn’t work. I don’t know what to do and don’t know how to handle it. But the importance for me grows, and the stakes feel like they’re getting higher.

It’s not in balance, and just not worth that knot. That’s all I wanted to say. Now I can close that door and accept defeat so to speak. They win, I give up trying and the prize is never caring again.


Full Disk Encryption Please

Before I begin, please note that this blog article is focused on macOS on modern systems, not a PowerBook from 10 years ago, or a Windows 10 machine. Sorry.

Let’s do this in two parts. One: encrypt everything, and this includes internal and external drives. Two: have a backup, duh.

Let’s start with the backup, it seems the most logical. I am sure I either have an existing blog article about this, or will write one in the near future. But it will come down to this: make backups! Perhaps at least get an external USB drive that’s fast and big, so you can have an automated archive from multiple months. Time Machine from Apple’s macOS can do it all for you. Any modern Mac system has a recovery partition and supports online OS installation. And for $50 to $100 you’re ready to go. Make manual backups as well. Don’t just trust Time Machine – just select what you never want to delete and store it on the external drive (or yet another one). Be paranoid, make a backup that you can store offsite. Just in case of a fire or theft.

Okay, assuming you care about your data and have a backup, encrypt your drives. Again in two parts: internal drives and external drives. At the very least encrypt your external drives; they are easier for others to pick up, easier to forget, etc.

On macOS High Sierra for example (and older versions as well) you can just right click the mounted drive, select ‘Encrypt..’ and set a unique and strong enough password. Do not check the box ‘save in keychain’, either store it in a password manager like 1Password, or simply remember it. If you store it in the keychain, someone with your login can unlock keychain and get the passwords that way.

Ok, the internal drive isn’t a right click. You have to go to System Preferences and go to Security and Privacy. From there you can go to FileVault and turn on Full Disk Encryption.

The password for this is your login’s password. If your system will have multiple users (it should!) it will require you to enter those passwords as well. When it asks if you wish to unlock with iCloud or a recovery key: Please use a recovery key. Again, just store it in a password manager like 1Password as a secure note, so your other devices like another system, an iPhone or iPad can show you the key (and it’s stored in a safe place) or just write it down and keep it in your physical vault or something secure.

I think it’s fair to point out that encryption is important, and strong. You can’t just say ‘can you fix it for me, I do not remember my password’; you HAVE to remember the password, and if you can’t then you MUST have that recovery key. So please do take this seriously. Don’t be scared by it, but please be aware that you’re not just making a .zip file that you can unzip at any time. You’re garbling up everything for the right reasons, and the only way for it to make sense again is with a unique key that only you know.

What do we want to end up with?

A computer system that has full disk encryption turned ON for all the internal and external drives.

But it is scary!

Okay, what are you more scared of? Someone potentially having access to all your personal and private data, or turning on full disk encryption?

Have any questions, or want to get more information? Feel free to contact me and I’d love to help you improve your privacy and security. Encrypting your drives is one step towards less worries in the long run.

Something worth mentioning is wireless / Bluetooth. If you have a USB keyboard and mouse connected to the built-in USB ports, things should be fine. But sometimes non-stock USB keyboards and mice might not get recognized at the pre-boot unlock screen. So please do have the Apple keyboard/mouse handy, or a wired solution. Just in case.