The first time you connect to a server with SSH, the client presents a prompt with the server's fingerprint. The fingerprint is a hash of the server's public key. Unfortunately, we can't verify the fingerprint; the email from OVH does not contain this information, so we have to trust that this is our server and type yes.
The fingerprint is a security measure to prevent man-in-the-middle attacks, and if you can find this information before you connect, you should compare it. The first thing we should do is change the root password.
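As an added example, not part of the original article, the following Python shows what the fingerprint in that prompt actually is (a hash over the wire-format public key blob, not over the text line) and how to compare a host key against a value obtained out of band, for instance from the provider's console. The key line is constructed for illustration and is not any real host's key; the helper constructed_ed25519_line exists only to build such test input.

```python
import base64
import hashlib
import hmac
import struct


def constructed_ed25519_line(key_bytes, comment="constructed-example"):
    """Build a syntactically valid ssh-ed25519 public key line from arbitrary
    bytes. Test input only: the bytes are a placeholder, not a real key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample host key line (OpenSSH "type base64-blob comment" format).
SAMPLE_HOST_KEY = constructed_ed25519_line(bytes(range(32)))


def parse_public_key(line):
    """Split an OpenSSH public key line into (key_type, wire_blob).

    The fingerprint is a hash over the wire-format blob (the base64 field),
    never over the whole line, so the trailing comment cannot influence it.
    The blob's leading length-prefixed string must repeat the declared type.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode("ascii", errors="replace")
    if embedded_type != key_type:
        raise ValueError(f"declared {key_type!r} but blob says {embedded_type!r}")
    return key_type, blob


def fingerprint_sha256(blob):
    """Modern OpenSSH display: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy display (ssh-keygen -E md5): 'MD5:' + colon-separated hex bytes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def matches_expected(line, expected):
    """Compare a key line against a fingerprint obtained out of band.

    Accepts either display form, with or without its prefix. Base64 is
    case-sensitive and compared exactly; hex is compared case-insensitively.
    hmac.compare_digest keeps the comparison itself constant-time.
    """
    _, blob = parse_public_key(line)
    expected = expected.strip()
    sha, md5 = fingerprint_sha256(blob), fingerprint_md5(blob)
    checks = [
        (sha, expected),
        (sha[len("SHA256:"):], expected),
        (md5.lower(), expected.lower()),
        (md5[len("MD5:"):], expected.lower()),
    ]
    return any(hmac.compare_digest(have.encode(), want.encode()) for have, want in checks)


def is_well_formed(line):
    """True when the line parses and its declared and embedded key types agree."""
    try:
        parse_public_key(line)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    kind, blob = parse_public_key(SAMPLE_HOST_KEY)
    print(kind, fingerprint_sha256(blob))
    print(kind, fingerprint_md5(blob))
```

On the server itself the same values come from ssh-keygen -lf on the host key file under /etc/ssh; if your provider shows them in its console, that is the value to paste into matches_expected before typing yes.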
OVH sent us the password in an unsecured email. Issue the command passwd, and it prompts for a new password. To verify that the new password works, close the SSH connection with exit and try to reconnect.
If something went wrong and you can no longer log in, open the web management console of your VPS provider. There you should find an option to either reboot the VPS into a special rescue mode or reset the root password some other way. In the OVH manager, you find the Reboot in rescue mode function. A click on this link reboots the VPS into a special mode where you can fix problems with your Linux installation. As a last resort, if everything fails, most VPS providers support a Reinstall function, which deletes everything and reinstalls the operating system.
In the previous welcome screen, you see that 8 installed packages can be updated. On Debian and Ubuntu, you install and update software packages with the apt command. First, you have to update the local apt database and then upgrade all outdated installed packages.
The local apt database contains information about all available apt packages. If you update or install a new package, apt looks in this database and installs the latest version that is listed in this database.
When the database is outdated, apt installs old packages. Therefore, you must call apt update before you update or install packages. Ubuntu updates the apt database automatically once a day. The dist-upgrade command lists the outdated packages and, before it installs the updates, asks whether you want to continue.
Type y and apt installs the updates. Ubuntu also tells you on the welcome screen if it needs a reboot. To reboot the server, you issue the command reboot. This command closes the SSH connection. Keeping the installed packages up-to-date is, in my opinion, very important, especially for a server that is connected to the Internet. Every server is going to be attacked, and if a crucial application like the SSH server has a weakness, attackers will find it and exploit it.
Fortunately, Ubuntu provides a way to install critical updates automatically. Configure the Allowed-Origins section. Next we need to enable unattended-upgrades.
OVH gives you one free static IPv6 address, but it's not configured yet. If you are not sure whether IPv6 is enabled, issue this command. In Ubuntu, to add IPv6, we have to open the configuration file.
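To confirm that the two unattended-upgrades steps above (the Allowed-Origins section and enabling the periodic run) actually took effect, here is an added Python audit that is not from the original article. It parses constructed fragments written in the apt.conf syntax of /etc/apt/apt.conf.d/20auto-upgrades and 50unattended-upgrades on Ubuntu; the sample contents are modelled on the package defaults and are assumptions, not copied from a system.

```python
import re

# Constructed fragments in apt.conf syntax, shaped like Ubuntu's
# /etc/apt/apt.conf.d/20auto-upgrades and 50unattended-upgrades.
# Illustrative text, not copied from any system.
SAMPLE_AUTO_UPGRADES = """
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
"""

SAMPLE_UNATTENDED_UPGRADES = """
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
"""

_LIST_OPEN = re.compile(r'([\w:.-]+)\s*\{')
_LIST_ITEM = re.compile(r'"([^"]*)";')
_SCALAR = re.compile(r'([\w:.-]+)\s+"([^"]*)";')


def parse_apt_conf(text):
    """Parse the subset of apt.conf syntax these files use: '//' comments,
    'Key "value";' scalars and 'Key { "a"; "b"; };' string lists.
    Nested groups, #include/#clear and '//' inside values are not handled
    (a deliberate simplification for this example)."""
    settings = {}
    open_list = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if open_list is not None:
            if line.startswith("}"):
                open_list = None
            else:
                item = _LIST_ITEM.fullmatch(line)
                if item:
                    settings[open_list].append(item.group(1))
            continue
        start = _LIST_OPEN.fullmatch(line)
        if start:
            open_list = start.group(1)
            settings.setdefault(open_list, [])
            continue
        scalar = _SCALAR.fullmatch(line)
        if scalar:
            settings[scalar.group(1)] = scalar.group(2)
    return settings


def _enabled(value):
    """APT::Periodic values are day counts; 0 or absent means off."""
    try:
        return int(value) > 0
    except (TypeError, ValueError):
        return False


def audit_unattended_upgrades(auto_upgrades_text, unattended_text):
    """Return human-readable problems; an empty list means the automatic
    security-update path is switched on end to end."""
    periodic = parse_apt_conf(auto_upgrades_text)
    unattended = parse_apt_conf(unattended_text)
    problems = []
    if not _enabled(periodic.get("APT::Periodic::Update-Package-Lists")):
        problems.append("apt database is never refreshed automatically "
                        "(APT::Periodic::Update-Package-Lists is 0 or missing)")
    if not _enabled(periodic.get("APT::Periodic::Unattended-Upgrade")):
        problems.append("unattended-upgrade run is disabled "
                        "(APT::Periodic::Unattended-Upgrade is 0 or missing)")
    origins = unattended.get("Unattended-Upgrade::Allowed-Origins", [])
    if not any(origin.endswith("-security") for origin in origins):
        problems.append("Allowed-Origins does not include the -security archive")
    return problems


if __name__ == "__main__":
    for problem in audit_unattended_upgrades(SAMPLE_AUTO_UPGRADES,
                                             SAMPLE_UNATTENDED_UPGRADES) or ["OK"]:
        print(problem)
```

The check covers the whole chain: the package lists must be refreshed (otherwise the upgrader sees no new versions, exactly the stale-database problem described above), the periodic run must be on, and the security archive must be among the allowed origins.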
To enable IPv6 support, we have to add an address and gateway6 element. With the try argument, netplan activates the network configuration, and you have to press enter during the next seconds if you want to keep the settings.
If not, netplan reverts to the old configuration. This prevents any misconfiguration that accidentally disables IPv4 and kicks you out of the SSH session. Just wait seconds, and you should be able to log in again. To check if IPv6 is enabled, issue the command ping6 www.
You can also see the configured addresses with ip -6 addr. The SSH server is the main entry point to the server, and we should make this entry point as secure as possible. The current login with username and password is not the most secure authentication method. In this section, we change the SSH configuration and make it more difficult for an attacker to gain access to our server.
Open the SSH configuration file, uncomment the Port line and set it to a random port.
By default, this parameter is set to "", which means that the server has a maximum of seconds to fulfill each request. This is probably too high for most setups and can safely be dropped to something between 30 and 60 seconds. This option, if set to "On", will allow each connection to remain open to handle multiple requests from the same client.
If this is set to "Off", each request will have to establish a new connection, which can result in significant overhead depending on your setup and traffic. This controls how many separate requests each connection will handle before dying. Keeping this number high will allow Apache to serve content to each client more effectively. Setting this value to 0 will allow Apache to serve an unlimited number of requests for each connection.
This setting specifies how long to wait for the next request after finishing the last one. If the timeout threshold is reached, the connection will die. This just means that the next time content is requested, the server will establish a new connection to handle the requests for the content that makes up the page the client is visiting. You can cross-reference which section your Apache installation was compiled with by exiting into the terminal and typing:
As you can see, in this server, "prefork. Your installation may have multiple to choose from, but only one can be selected.
The default Virtual Host declaration can be found in a file called "default" in the "sites-available" directory. We can learn about the general format of a Virtual Host file by examining this file. Open the file with the following command: The default Virtual Host is configured to handle any request on port 80, the standard HTTP port.
This does not mean that it will necessarily handle each request to the server on this port however. Apache uses the most specific Virtual Host definition that matches the request.
This means that if there was a more specific definition, it could supersede this definition. These options are set within the Virtual Host definition outside of any other lower level sub-declaration. They apply to the whole Virtual Host.
The "ServerAdmin" option specifies a contact email that should be used when there are server problems. If we were using this as a template for other Virtual Host definitions, we would want to add a "ServerName" definition that specifies the domain name or IP address that this request should handle.
This is the option that would add specificity to the Virtual Host, allowing it to trump the default definition if it matches the ServerName value. You can also make the Virtual Host apply to more than one name by using the "ServerAlias" definition. This provides alternate paths to get to the same content. A good use-case for this is adding the same domain, preceded by "www". The "DocumentRoot" option specifies where the content that is requested for this Virtual Host will be located.
Within the Virtual Host definition, there are definitions for how the server handles different directories within the file system. Apache will apply all of these directions in order from shortest to longest, so there is again a chance to override previous options. This will provide the baseline configuration for your Virtual Host, as it applies to all files served on the file system. By default, Ubuntu does not set up any access restrictions to the filesystem. Apache recommends that you add some default access restrictions.
You can modify this like so: This will deny access to all content unless specified otherwise in subsequent directory definitions. The "AllowOverride" option is used to decide whether an ". This is not allowed by default, but can be useful to enable in a variety of circumstances.
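The timeout, keep-alive and Virtual Host points made in the preceding paragraphs can be checked mechanically. The following Python linter is an added example, not code from the original article: it parses two constructed configuration fragments shaped like Ubuntu's default site file, one with permissive settings and one hardened, and reports the items the text discusses (a Timeout above 60 seconds, KeepAlive switched off, a Virtual Host without ServerName, a <Directory /> block that does not deny access by default, and AllowOverride enabled). The deny-all test accepts both the Apache 2.4 form Require all denied and the older Order deny,allow plus Deny from all pair; the directive values in the samples are assumptions, not the article's own configuration.

```python
import re

# Constructed Apache configuration fragments shaped like Ubuntu's default site
# file in sites-available. Sample values only, not copied from a real server.
WEAK_CONF = """
Timeout 300
KeepAlive On
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        AllowOverride All
    </Directory>
</VirtualHost>
"""
HARDENED_CONF = """
Timeout 45
KeepAlive On
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www
    <Directory />
        AllowOverride None
        Require all denied
    </Directory>
    <Directory /var/www/>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
"""

_OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
_CLOSE = re.compile(r"</(\w+)\s*>")


def parse_apache(text):
    """Build a tree of {'name', 'args', 'directives', 'children'} nodes from
    <Section args> ... </Section> nesting and 'Directive value' lines.
    Include and line continuations are out of scope for this example."""
    root = {"name": "", "args": "", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing, opening = _CLOSE.fullmatch(line), _OPEN.fullmatch(line)
        if closing:
            if stack[-1]["name"].lower() != closing.group(1).lower():
                raise ValueError(f"unexpected </{closing.group(1)}>")
            stack.pop()
        elif opening:
            node = {"name": opening.group(1), "args": opening.group(2).strip(),
                    "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        else:
            parts = line.split(None, 1)
            stack[-1]["directives"].append((parts[0], parts[1] if len(parts) > 1 else ""))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1]['name']}>")
    return root


def _get(node, key, default=None):
    """Value of the first directive named key (case-insensitive) in this node."""
    for name, value in node["directives"]:
        if name.lower() == key.lower():
            return value
    return default


def _denies_all(directory):
    """Either access-control idiom: Apache 2.4 'Require all denied' or the
    2.2-era pair 'Order deny,allow' + 'Deny from all'."""
    requires = [v.lower() for k, v in directory["directives"] if k.lower() == "require"]
    order = (_get(directory, "Order") or "").replace(" ", "").lower()
    deny = (_get(directory, "Deny") or "").lower()
    return "all denied" in requires or (order == "deny,allow" and deny == "from all")


def lint_apache(text):
    """Report the hardening points discussed in the text as a list of strings."""
    root, findings = parse_apache(text), []
    timeout = _get(root, "Timeout")
    if timeout is not None and int(timeout) > 60:
        findings.append(f"Timeout {timeout} is high; 30-60 seconds suits most setups")
    if _get(root, "KeepAlive", "On").lower() != "on":
        findings.append("KeepAlive Off forces a new TCP connection for every request")
    for vhost in (c for c in root["children"] if c["name"].lower() == "virtualhost"):
        label = f"<VirtualHost {vhost['args']}>"
        if _get(vhost, "ServerName") is None:
            findings.append(f"{label} has no ServerName; only the default host should lack one")
        dirs = {d["args"].strip('"'): d for d in vhost["children"]
                if d["name"].lower() == "directory"}
        if "/" not in dirs or not _denies_all(dirs["/"]):
            findings.append(f"{label} does not deny access to <Directory /> by default")
        for path, directory in dirs.items():
            if _get(directory, "AllowOverride", "None").lower() != "none":
                findings.append(f"{label} <Directory {path}> lets .htaccess override settings")
    return findings
```

Running lint_apache(WEAK_CONF) yields four findings (high Timeout, missing ServerName, no deny-all baseline on /, AllowOverride All on /var/www/), while the hardened fragment yields none; the same parser can be pointed at a real sites-available file once the sample strings are replaced by its contents.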
We will get to the public key part soon. Enter new password for root. It is a good idea to store this in LastPass or some other password management tool. The goal is to get farther from the defaults to make the server safer. This by itself will not completely secure the server, but it reduces the risk of your server being of any interest to hackers.
Recent versions of Ubuntu have unattended updates enabled by default. You can verify or change those updates here. SSH uses port 22 by default, but you can choose any free port between and. You can find out whether a port is free with the following command. While we are at it, let us also add a line to force SSH to always use Protocol 2. Just add the line below anywhere in the file. Open another command prompt.