How do I set up an Ubuntu server to be (securely) available from the internet?


When properly set up, OpenSSH is safe, even on the standard port. Moving it away from the standard port saves you from your log files being filled up by unauthorized login attempts. More details at the end.

It's very dangerous to access your server if you do not have control over the computer which should connect to your server (which I think is the reason why you need to use a browser plugin).

OpenVPN can be set up to share TCP ports with a HTTP/HTTPS server, from its manual page:

--port-share host port  
    When run in TCP server mode, share the OpenVPN port with another
    application, such as an HTTPS server.
    If OpenVPN senses a connection to its port which is using a non-OpenVPN
    protocol, it will proxy the connection to the server at host:port.  
    Currently only designed to work with HTTP/HTTPS, though it would 
    be theoretically possible to extend to other protocols such as ssh.

It's not recommended to use OpenVPN with a TCP connection due to its overhead (TCP 3-way handshake). If you've no choice, you could give it a go.

Using OpenVPN, you can avoid any port restriction imposed on you and secure the connection. Please refer to How do I setup OpenVPN so I can securely use the internet from an unsecured hotspot? for a guide on setting up OpenVPN.
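As an added illustration of the port-share mechanism quoted from the manual page above (example configuration, not part of the original answer): a server-side OpenVPN configuration that listens on TCP 443 and hands every connection that does not speak the OpenVPN protocol to a web server. The loopback address and the port 4443, the tun device and the 10.8.0.0/24 VPN subnet are assumptions chosen for the example; the certificate and key file names are placeholders.

```conf
# Constructed OpenVPN server config fragment (example, not from the answer).
# OpenVPN itself owns TCP port 443 ...
proto tcp
port 443
# ... and proxies non-OpenVPN connections (plain HTTPS clients) to the web
# server, which therefore has to be re-bound to this assumed local address.
port-share 127.0.0.1 4443
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
```

The web server (Apache in the question) must then listen on 127.0.0.1:4443 instead of 443, otherwise both daemons would try to bind the same port and one of them fails to start. Note that only the port is shared: OpenVPN decides per connection whether the first bytes look like its own protocol, so the browser talking to the web server never sees a difference, but the web server sees all proxied connections as coming from 127.0.0.1.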

You cannot share ports unless an application supports it (like OpenVPN), so I must disappoint you on that.

SSH server

Password-based authentication without limiting connection attempts is asking for trouble. Because of that, it's preferred to use key-based authentication and disable password-based authentication altogether.

  1. Install openssh-server by running sudo apt-get install openssh-server

  2. Disable password-based authentication by editing the configuration file /etc/ssh/sshd_config. To start editing, run sudo nano /etc/ssh/sshd_config. Find the line #PasswordAuthentication yes and change it to PasswordAuthentication no. By default, SSH listens on port 22. If you want to change it, use a port below 1024 for security reasons (change the line starting with Port 22).

  3. For extra security, you can configure a list of users who are allowed to login. Add a line with:

    AllowUsers someuser
    

    Replace someuser by the username of the account that is allowed to log in. Multiple usernames should be separated by a space.

  4. Generate a key on your computer using the command ssh-keygen -t rsa. Enter whatever values you want and choose a secure passphrase.

  5. Copy the contents of the ~/.ssh/id_rsa.pub file to the /home/someuser/.ssh/authorized_keys file on your server. someuser is the user that should be allowed to log in. (It's a single line that should be copied; never copy the contents of a file that starts with -----BEGIN RSA PRIVATE KEY.)

  6. Reload the configuration of your SSH server:

    sudo reload ssh
    
  7. If you're remotely accessing your server over SSH, verify that you can make a new SSH connection to avoid locking yourself out.
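The following script is an added example and not part of the answer above; it automates steps 2, 3 and 5 against file paths passed as arguments, so the result can be produced on a copy and checked before the real /etc/ssh/sshd_config is changed and reloaded. The helper names (harden_sshd_config, check_sshd_config, install_authorized_key), the temporary directory and the sample configuration lines and key line are constructed for the example; "someuser" is the answer's own placeholder.

```shell
#!/bin/sh
# Added example (not code from the original answer): script the sshd_config
# hardening and the authorized_keys installation described in the answer.

# Set "PasswordAuthentication no" and "AllowUsers <users>" in the config at $1.
# $2 is a space-separated list of allowed users. Existing lines for these two
# directives (active or commented out) are dropped so that exactly one
# authoritative copy of each remains at the end of the file.
harden_sshd_config() {
    cfg="$1"; users="$2"; tmp="$cfg.tmp.$$"
    [ -r "$cfg" ] || return 1
    grep -v -E '^[#[:space:]]*(PasswordAuthentication|AllowUsers)([[:space:]]|$)' "$cfg" > "$tmp" || :
    printf 'PasswordAuthentication no\n' >> "$tmp"
    printf 'AllowUsers %s\n' "$users" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Return 0 when the config at $1 disables password logins and restricts users.
# Like sshd, only the first occurrence of a directive counts (keywords are
# case-insensitive).
check_sshd_config() {
    cfg="$1"
    pw=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$cfg")
    allow=$(awk 'tolower($1)=="allowusers" {print; exit}' "$cfg")
    [ "$pw" = "no" ] && [ -n "$allow" ]
}

# Append the single public-key line in $1 to the authorized_keys file $2.
# Refuses anything that looks like a private key (the answer's warning) or
# that is not an OpenSSH public key line, and sets the permissions sshd
# requires (directory 700, file 600).
install_authorized_key() {
    pub="$1"; auth="$2"
    if grep -q -e '-----BEGIN' "$pub"; then
        echo "refusing: $pub looks like a PRIVATE key" >&2
        return 1
    fi
    # A public key line is "<type> <base64> [comment]".
    if ! grep -q -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pub"; then
        echo "refusing: $pub is not an OpenSSH public key line" >&2
        return 1
    fi
    mkdir -p "$(dirname "$auth")"
    chmod 700 "$(dirname "$auth")"
    cat "$pub" >> "$auth"
    chmod 600 "$auth"
}

# Demo on a constructed copy of a few sshd_config lines and a fake key line
# (sample data for this example, not a real server's files).
work=$(mktemp -d)
cat > "$work/sshd_config" <<'EOF'
# sample fragment constructed for this example
Port 22
#PasswordAuthentication yes
UsePAM yes
EOF
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTheExample0123456789 someuser@laptop' > "$work/id.pub"
harden_sshd_config "$work/sshd_config" "someuser"
check_sshd_config "$work/sshd_config" && echo "hardened config:" && cat "$work/sshd_config"
install_authorized_key "$work/id.pub" "$work/.ssh/authorized_keys" && echo "key installed in $work/.ssh/authorized_keys"
rm -rf "$work"
```

On the real server, run the helpers against /etc/ssh/sshd_config as root, then check the syntax with sudo sshd -t before reloading; a configuration error found at reload time, combined with an already closed session, is exactly the lock-out that step 7 warns about.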


Author: bgun

Updated on September 18, 2022

Comments

  • bgun
    bgun over 1 year

    I want to build an Ubuntu server that will be continuously connected to the internet. I own only an IP address. The main purpose of the server is to be a source code controller (probably git or svn... haven't chosen yet), but also some occasional other uses (file sharing with family or customers, personal backup, host of web applications I may write, etc.). I also would like to be able to access the computer at any time to administer it, even behind some customer's proxy that allows only http or https.

    What are the standard steps to achieve that?

    • My first thought is to set up openssh server. Is it possible (and quite secure) to open it to the internet on standard port (i.e. customer firewall/proxy compatible)?
    • Is it possible to set up a VPN server, that is run from a webpage plugin (also hosted by the server)?
    • as I have only one IP address (IP V4 and IPV 6 actually, but I don't think IP V6 address will be accessible from customers network by now), can I make apache and other server software coexist on the same standard ports?

    thanks in advance ;)

  • bgun
    bgun almost 13 years
    thx for this detailed answer. 1st remark: I want to be able to connect to the server either from my own computers (personal or office) or from customers' networks I trust (by trust I mean more secure than an open wifi hotspot). 2nd remark: openvpn network overhead is not a matter as it's more a rescue gate than a daily gate. 3rd question: does the process of creating the key need to initially know the client computer? What about if I have to connect from a computer not known before? 4th final question: most of my client computers will be windows based. ssh-keygen has a win alternative, hasn't it?
  • Lekensteyn
    Lekensteyn almost 13 years
    1: Once OpenVPN is set up, you can even use untrusted networks. 3: no, you can create it on any machine you want, but if you do it on a compromised server, an intruder could use that key for connecting. 4: your clients can use PuTTY. The key from OpenSSH needs to be converted using PuTTYgen before it can be used with PuTTY.
  • bgun
    bgun almost 13 years
    ok thanks :) I'll have to dive into that. Finally, is there any tools that can check a computer for best practices in security and configuration ? In the MS world, there is the Microsoft Baseline Analyzer tool. Any similar tool for the unbuntu (linux in general) world ?
  • Lekensteyn
    Lekensteyn almost 13 years
    Its name is "UBUNTU"! For a security check, search / ask on security.stackexchange.com. Best "Configuration" is relative and you should hire someone for it or look on serverfault.com
  • neuromancer
    neuromancer almost 13 years
    I suggest you install fail2ban. It's a small daemon that intercepts and blocks IPs trying to connect with fake credentials to some services hosted on your machine. I use it for ssh.
  • Jos
    Jos over 7 years
    It is now 2016 and the above procedure still works. Thanks for this. Only sudo reload ssh is now sudo systemctl reload ssh on Ubuntu versions with systemd.