Install Ubuntu Server

Ubuntu.txt

1)   Install Hyper-V (DON”T NEED THIS)
Go to the Windows icon and start the Server Manager
Click on Manage > Add Roles and Features
Click on Next repeatedly, until you get to the Select server roles screen
Select Hyper-V and click Next
When prompted to add additional required features, click on Add Features
Click on Add Features
Click Next
Under Remote Server Administration Tools > Role Administration Tools, select Hyper-V
Management Tools (if not already selected) and click on Next
Click Next
Select Ethernet
Click on Next
Do not allow live migrations
Click on Next
Accept the default stores
Click on Next
Click on Install
Restart when required.
Start the Server Manager again as before.

Set up Ubuntu Server in a Hyper-V virtual machine

Open Hyper_V Manager
new —> Virtual Machine
Specify name and Location
Specify Generation (Generation 1)
Assign Memory ( 2048 MB.  ) - Select Dynamic Memory and set the maximum to 2048 MB.
Configure Network - Connect the machine to the Ethernet adapter and click on Next
Leave the default hard disk settings (5 GB) and click on Next.
Installation Option (Image file - Browse)
Review the settings and click on Finish
Now click on the Ubuntu icon and then click on Start. 
Double-click on the screen icon to see the full screen 
Click on Install Ubuntu 
DON”T Select Download updates while installing Ubuntu - Click on Continue 
Leave Erase disk and install Ubuntu selected
Click on Install now
Pick the correct time zone - Click on Continue
Leave the default keyboard as is - Click on Continue 
Enter your name
Pick a server name that consists of Ubuntu and your deepblue login ID.
Ubuntu Install screens

Install Ubuntu Server
Language page select your language 
Select Install Ubuntu Server and press enter 
Once again select the language 
Select your location to detect your time zone 
Select Yes to detect automatically you keyboard or No to select it manually 
Let the system load all additional components. 
autoconfigure network?
Enter Hostname 
Type the full name of user then enter to Continue. 
Enter password 
Partition Disk - Guided – use entire disk and set up LVM. - Press enter and go to finalize the hard disk configuration. 
Select Yes to write and apply the changes to hard disk. 
Select the amount of volume group to use for guided partitioning and enter to Continue.
Finally select Finish partitioning and write changes to disk and press enter to apply it. 
Select Yes to write the changes to disks 
When ask you about Configure the package manager, press enter to Continue
Don’t Select Install automatic updates and press enter 
Software selection (OpenSSH server)
Select Yes to install the GRUB boot loader on a hard disk. 
Finally the Ubuntu server installation has been finished successfully.

The system will restart now and when up again, type your user name and password to login.














———————————————————————————————
2)    Set up SSH

SSH Set Up

Find IP Addresses
ip add
ip adds show
ifconfig -a
hostname -l 
On GUI - Right click the network icon in your notifications area (top right - up and down arrows - connection information)
sudo -i - run as root 
sudo -s -   This gives you root access, but maintains your current SHELL
su - (substitute user) command to get a root shell
ls -hal ~/.ssh  - check if you have any existing SSH keys installed

Install ssh/ Start  on Server and client
sudo apt-get install openssh-server  - install ssh (On both Ubuntu’s if needed)
sudo apt install openssh-client
sudo /etc/init.d/ssh start     - start ssh
or
sudo systemctl start ssh - start ssh
Create Configuration Backup
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults

After the backup has been made, you’ll need to modify its permissions.
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults

Generating Your Keys
ssh-keygen -t rsa
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Check SSH server process running
ps -A | grep sshd  -  should see something like this: [number] ?  00:00:00 sshd

Check that you can 'login' to the host machine from the host machine
ssh localhost

On Regular Ubuntu Make Key Directory 
mkdir ~/.ssh

On Server Copy Keys Over with password
ssh-copy-id sammy@your_server_ip


configure your SSH file

sudo nano /etc/ssh/sshd_config
Replace PermitRootLogin no
Remove # in front of StrictMode yes 
Remove # in front of PermitEmptyPassword no 
Remove # in front of PubkeyAuthentication yes
Replace #PasswordAuthentication yes to PasswordAuthentication no - change to yes if can’t copy key over
Replace #ChallengeResponseAuthentication yes to ChallengeResponseAuthentication no
MaxAuthTries 3 
LogLevel VERBOSE 
SyslogFacility AUTH 
AllowGroups admins 
Banner /etc/banner 
AllowUsers ramesh john jason - optional

Restart SSH after changes
sudo systemctl restart sshd  - restart the SSH server 
sudo systemctl reload sshd.service
sudo systemctl restart ssh
sudo /etc/init.d/ssh restart or
sudo restart ssh or 
sudo systemctl reload sshd 

Connecting Over LAN
ssh <username>@<ip.address.here>
ssh pi@ ___.___.___.___

Other Commands

sudo service ssh status - check status of ssh
sudo systemctl status ssh – shows the status of the ssh daemon
sudo systemctl start ssh – starts ssh
sudo systemctl restart ssh - restart ssh
ssh local host - check if you can connect
exit - ssh logout 
sudo less /var/log/auth.log - view ssh logs

ssh files

/.ssh/id_rsa - contains private key
/.ssh/id_rsa.pub - contains public key


--------------------------------------------------------------------------------------

Implement UFW rules

sudo apt-get install ufw - install ufw if you have to
sudo ufw enable - enables the firewall at start up
sudo ufw logging on  - turn logging on
sudo ufw allow ssh  comment 'allow ssh'
sudo ufw allow OpenSSH
sudo ufw allow 22  comment 'Open ssh port 22' (SSH port)
sudo ufw reload
sudo ufw status
sudo ufw status verbose - confirm firewall is active - lists all firewall rules

UFW and SSH
sudo ufw allow from <target> to <destination> port <port number> - Allow by specific port and

sudo ufw allow from 10.20.30.40 to any port 22 - allow IP 10.20.30.40 access to port 22
                                target computer                                                                         
                                  IP Adress

                              icmp                  any                                     any
ufw   allow  proto    tcp    from   __.__.__.__    port ____ to  __.__.__.__      port 22
        deny               udp             __.__.__.__/__                     __.__.__.__/__
                                                  target computer                computer your using
                                                       IP Adress                            IP Adress

sudo ufw disable - disable ufw
sudo ufw -h - UFW Help
sudo ufw reset 
sudo ufw logging on

Rules
sudo ufw status numbered - show rule numbers
sudo ufw delete n - deletes firewall rule n 
sudo ufw deny from n.n.n.n - blocks connection from IP n.n.n.n

Allow
ufw allow from <IP Adress> - Allow a specific IP Address
ufw allow from <IP Address> proto tcp to any port __ - allow access to one port from a specific IP only

Ufw Configure File
sudo nano /etc/default/ufw 
/etc/ufw/user.rules

SSH Trouble Shooting
ps -A | grep sshd - check that your SSH daemon is running
grep Port /etc/ssh/sshd_config - Checking the SSH Service Port
ls ~/.ssh - List the contents of ~/.ssh 
sudo journalctl -u ssh - Check the logs that it is reporting logins
sudo journalctl -u sshd
sudo journalctl -u sshd | tail -100
sudo journalctl -u sshd -n 100
sudo less /var/log/auth.log - log all authentication attempts
tail /var/log/auth.log -n 100 - View SSH Logs
tail -500 /var/log/auth.log | grep ‘sshd' - check sshd log


Diagnosing Errors at the Source

Problem #1
ssh: connect to host __.__.__.__ port 22: Operation timed out
Check source and target IP address
Check source and target ufw rules

Problem #2
ssh: connect to host __.__.__.__ port 22: Connection refused
Make sure ssh is installed and running (use lsof -i)

Problem #3
xyz@__.__.__.__: Permission denied (publickey).
/home/xyx/.ssh/authorized_hosts does not have a copy of the
source's public key; one way is to allow passwords for user xyz
temporarily, use ssh-copy-id xyz@__.__.__.__ to copy over the
key, then disallow passwords for user xyz again; may also have
to run ssh-add on the source to make sure the keychain is aware
of the private key

Diagnosing Errors with sudo journalctl -f

ufw block log:
Mar 11 19:45:36 michaelubuntuvm kernel: [UFW BLOCK]
IN=enp0s3 OUT= MAC=... SRC=__.__.__.__ DST=__.__.__.__
LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=51922 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

Failed login log:
Mar 11 19:43:17 michaelubuntuvm sshd[16449]: Failed password
for michael from __.__.__.__ port 50449 ssh2

Successful password login log:
Mar 11 19:43:21 michaelubuntuvm sshd[16449]: Accepted
password for michael from __.__.__.__ port 50449 ssh2

Successful pubkey login log:
Mar 11 19:44:15 michaelubuntuvm sshd[16486]: Accepted
publickey for michael from __.__.__.__ port 50454
journalctl -f


Configure
sudo nano /etc/systemd/journald.conf
Under the [Journal] section, set the Storage= option to "persistent" to enable persistent logging:
. . .
[Journal]
Storage=persistent
Commands
journalctl --since "1 hour ago”
journalctl -u sshd
journalctl -u sshd | grep “input_userauth_request:"
journalctl -u sshd.service
journalctl /usr/sbin/sshd
journalctl list-units | grep .servics
journalctl status ssh.service

/var/log/auth.log

Command Output to file

standard output stream will be redirected to the file only, it will not be visible in the terminal
command > output.txt

appended to the end of the file
command >> output.txt

standard output stream will be copied to the file, it will still be visible in the terminal
command | tee output.txt

The standard output stream will be copied to the file, it will still be visible in the terminal. If the file already exists, the new data will get appended to the end of the file
command | tee -a output.txt
















Lab Directions

Download the Ubuntu Server ISO using the IP given to you by your instructor.
Use the ISO to install Ubuntu Server in a new Hyper-V virtual machine.
Update and upgrade the machine, but do not install any extra packages except what is necessary to run ssh.
Set up a terminal (ssh) server with the following requirements:
Anyone on 10.51.10.0/23 can connect, but only to TCP port 22; everything else is not
allowed.
Root may not log in via ssh.
Passwords are disallowed; only public/private key authentication is allowed.
Before login via ssh, a banner must be presented using the same login banner text you
see just before logging in to the A machines.
Logging must be set to verbose. (Check the logs that it is reporting logins.)
Demonstrate that you can log in to Ubuntu server by logging in to the server in the Hyper-V console and executing an ls to show that the directory is empty, then uploading a file from the Pi or another computer to the Ubuntu server without using a password, and then entering ls on the Hyper-V console to show the file has appeared. Note that the banner must appear when you are trying to log in. 

Then hand in the following:
Your ufw rules
Your sshd_config rules
A copy of the journalctl showing you logging in from the Pi.