@BobCHub
Created April 16, 2018 00:07
Install Ubuntu Server
1) Install Hyper-V (DON'T NEED THIS)
Go to the Windows icon and start the Server Manager
Click on Manage > Add Roles and Features
Click on Next repeatedly, until you get to the Select server roles screen
Select Hyper-V and click Next
When prompted to add additional required features, click on Add Features
Click on Add Features
Click Next
Under Remote Server Administration Tools > Role Administration Tools, select Hyper-V Management Tools (if not already selected) and click on Next
Click Next
Select Ethernet
Click on Next
Do not allow live migrations
Click on Next
Accept the default stores
Click on Next
Click on Install
Restart when required.
Start the Server Manager again as before.
Set up Ubuntu Server in a Hyper-V virtual machine
Open Hyper-V Manager
New > Virtual Machine
Specify name and Location
Specify Generation (Generation 1)
Assign Memory (2048 MB) - select Dynamic Memory and set the maximum to 2048 MB.
Configure Network - Connect the machine to the Ethernet adapter and click on Next
Leave the default hard disk settings (5 GB) and click on Next.
Installation Option (Image file - Browse)
Review the settings and click on Finish
Now click on the Ubuntu icon and then click on Start.
Double-click on the screen icon to see the full screen
Click on Install Ubuntu
DON'T select Download updates while installing Ubuntu - Click on Continue
Leave Erase disk and install Ubuntu selected
Click on Install now
Pick the correct time zone - Click on Continue
Leave the default keyboard as is - Click on Continue
Enter your name
Pick a server name that consists of Ubuntu and your deepblue login ID.
Ubuntu Install screens
Install Ubuntu Server
Language page: select your language
Select Install Ubuntu Server and press enter
Once again select the language
Select your location to detect your time zone
Select Yes to detect your keyboard automatically, or No to select it manually
Let the system load all additional components.
Autoconfigure network?
Enter Hostname
Type the full name of the user, then press Enter to continue.
Enter password
Partition disks - Guided - use entire disk and set up LVM. Press Enter and go on to finalize the hard disk configuration.
Select Yes to write and apply the changes to the hard disk.
Select the amount of the volume group to use for guided partitioning and press Enter to continue.
Finally select Finish partitioning and write changes to disk and press Enter to apply it.
Select Yes to write the changes to disks
When asked about configuring the package manager, press Enter to continue
Don't select Install automatic updates; press Enter
Software selection (OpenSSH server)
Select Yes to install the GRUB boot loader on a hard disk.
Finally the Ubuntu Server installation finishes successfully.
The system will restart now; when it is up again, type your user name and password to log in.
———————————————————————————————
2) Set up SSH
SSH Set Up
Find IP Addresses
ip addr
ip addr show
ifconfig -a
hostname -I - all IP addresses of the host
On GUI - Right click the network icon in your notifications area (top right - up and down arrows - connection information)
sudo -i - run as root
sudo -s - This gives you root access, but maintains your current SHELL
su - (substitute user) command to get a root shell
ls -hal ~/.ssh - check if you have any existing SSH keys installed
Install ssh/ Start on Server and client
sudo apt-get install openssh-server - install ssh (on both Ubuntu machines if needed)
sudo apt install openssh-client
sudo /etc/init.d/ssh start - start ssh
or
sudo systemctl start ssh - start ssh
Create Configuration Backup
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
After the backup has been made, you’ll need to modify its permissions.
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
Generating Your Keys
ssh-keygen -t rsa
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Check SSH server process running
ps -A | grep sshd - should see something like this: [number] ? 00:00:00 sshd
Check that you can 'login' to the host machine from the host machine
ssh localhost
On Regular Ubuntu Make Key Directory
mkdir ~/.ssh
On Server Copy Keys Over with password
ssh-copy-id sammy@your_server_ip
Configure your SSH file
sudo nano /etc/ssh/sshd_config
Set PermitRootLogin no
Remove the # in front of StrictModes yes
Remove the # in front of PermitEmptyPasswords no
Remove the # in front of PubkeyAuthentication yes
Replace #PasswordAuthentication yes with PasswordAuthentication no - change back to yes if you can't copy the key over
Replace #ChallengeResponseAuthentication yes with ChallengeResponseAuthentication no
MaxAuthTries 3
LogLevel VERBOSE
SyslogFacility AUTH
AllowGroups admins
Banner /etc/banner
AllowUsers ramesh john jason - optional
Restart SSH after changes (any one of these)
sudo systemctl restart sshd - restart the SSH server
sudo systemctl reload sshd.service
sudo systemctl restart ssh
sudo /etc/init.d/ssh restart
sudo restart ssh
sudo systemctl reload sshd
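Added example (not part of the original gist): a POSIX sh helper that applies the sshd_config settings listed above to a config file and reads back the effective value of a keyword. It assumes the backup copy has already been taken as described, and that sshd's -t test mode is used to validate the file before the restart.

```shell
#!/bin/sh
# Added example, not from the gist. Usage:
#   harden_sshd_config /etc/ssh/sshd_config
#   sudo sshd -t -f /etc/ssh/sshd_config && sudo systemctl restart ssh

# Effective global value of KEY in FILE: sshd uses the first value it reads for a
# keyword, and anything after the first "Match" line only applies to that block.
sshd_config_get() {
    awk -v key="$2" '
        /^[[:space:]]*Match[[:space:]]/ { exit }      # global section ends here
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

harden_sshd_config() {
    cfg="$1"
    set -- "PermitRootLogin no" "StrictModes yes" "PermitEmptyPasswords no" \
           "PubkeyAuthentication yes" "PasswordAuthentication no" \
           "ChallengeResponseAuthentication no" "MaxAuthTries 3" \
           "LogLevel VERBOSE" "SyslogFacility AUTH" "Banner /etc/banner"
    # 1) drop every earlier global definition of these keys (commented out or not),
    #    so running this twice gives the same file; Match blocks are left alone
    for directive in "$@"; do
        awk -v key="${directive%% *}" '
            /^[[:space:]]*Match[[:space:]]/ { inmatch = 1 }
            { l = $0; sub(/^[[:space:]]*#?[[:space:]]*/, "", l); split(l, f, /[[:space:]]+/) }
            !inmatch && tolower(f[1]) == tolower(key) { next }
            { print }
        ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
    # 2) put our values at the top: first match wins, and the top of the file can
    #    never be inside a Match block
    { printf '# hardening applied by harden_sshd_config\n'
      for directive in "$@"; do printf '%s\n' "$directive"; done
      cat "$cfg"; } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}
```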
Connecting Over LAN
ssh <username>@<ip.address.here>
ssh pi@___.___.___.___
Other Commands
sudo service ssh status - check status of ssh
sudo systemctl status ssh – shows the status of the ssh daemon
sudo systemctl start ssh – starts ssh
sudo systemctl restart ssh - restart ssh
ssh localhost - check if you can connect
exit - ssh logout
sudo less /var/log/auth.log - view ssh logs
SSH files
~/.ssh/id_rsa - contains the private key
~/.ssh/id_rsa.pub - contains the public key
--------------------------------------------------------------------------------------
Implement UFW rules
sudo apt-get install ufw - install ufw if you have to
sudo ufw enable - enables the firewall at start up
sudo ufw logging on - turn logging on
sudo ufw allow ssh comment 'allow ssh'
sudo ufw allow OpenSSH
sudo ufw allow 22 comment 'Open ssh port 22' (SSH port)
sudo ufw reload
sudo ufw status
sudo ufw status verbose - confirm firewall is active - lists all firewall rules
UFW and SSH
sudo ufw allow from <target> to <destination> port <port number> - allow by specific port and source
sudo ufw allow from 10.20.30.40 to any port 22 - allow IP 10.20.30.40 (the target computer's IP address) access to port 22
(proto / from / to, e.g. icmp any any)
ufw allow proto tcp from __.__.__.__ port ____ to __.__.__.__ port 22
deny udp __.__.__.__/__ __.__.__.__/__
(in the two lines above: first address = IP address of the target computer, second address = IP address of the computer you're using)
sudo ufw disable - disable ufw
sudo ufw -h - UFW Help
sudo ufw reset
sudo ufw logging on
Rules
sudo ufw status numbered - show rule numbers
sudo ufw delete n - deletes firewall rule n
sudo ufw deny from n.n.n.n - blocks connection from IP n.n.n.n
Allow
ufw allow from <IP Address> - allow a specific IP address
ufw allow from <IP Address> proto tcp to any port __ - allow access to one port from a specific IP only
UFW configuration files
sudo nano /etc/default/ufw
/etc/ufw/user.rules
SSH Troubleshooting
ps -A | grep sshd - check that your SSH daemon is running
grep Port /etc/ssh/sshd_config - Checking the SSH Service Port
ls ~/.ssh - List the contents of ~/.ssh
sudo journalctl -u ssh - Check the logs that it is reporting logins
sudo journalctl -u sshd
sudo journalctl -u sshd | tail -100
sudo journalctl -u sshd -n 100
sudo less /var/log/auth.log - view all authentication attempts
tail /var/log/auth.log -n 100 - view SSH logs
tail -500 /var/log/auth.log | grep 'sshd' - check the sshd log
Diagnosing Errors at the Source
Problem #1
ssh: connect to host __.__.__.__ port 22: Operation timed out
Check source and target IP address
Check source and target ufw rules
Problem #2
ssh: connect to host __.__.__.__ port 22: Connection refused
Make sure ssh is installed and running (use lsof -i)
Problem #3
xyz@__.__.__.__: Permission denied (publickey).
/home/xyz/.ssh/authorized_keys on the target does not have a copy of the source's public key. One way to fix it: temporarily allow passwords for user xyz, use ssh-copy-id xyz@__.__.__.__ to copy the key over, then disallow passwords for user xyz again. You may also have to run ssh-add on the source so the keychain is aware of the private key.
Diagnosing Errors with sudo journalctl -f
ufw block log:
Mar 11 19:45:36 michaelubuntuvm kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=... SRC=__.__.__.__ DST=__.__.__.__ LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51922 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Failed login log:
Mar 11 19:43:17 michaelubuntuvm sshd[16449]: Failed password for michael from __.__.__.__ port 50449 ssh2
Successful password login log:
Mar 11 19:43:21 michaelubuntuvm sshd[16449]: Accepted password for michael from __.__.__.__ port 50449 ssh2
Successful pubkey login log:
Mar 11 19:44:15 michaelubuntuvm sshd[16486]: Accepted publickey for michael from __.__.__.__ port 50454
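Added example (not part of the original notes): a shell function that reads journalctl or auth.log text on stdin and tallies the three kinds of lines shown above, UFW blocks by source address and destination port, and failed or accepted sshd logins by method, user and source. The hostnames, addresses and PIDs in the sample lines used to check it are constructed.

```shell
#!/bin/sh
# Added example, not from the gist. Usage:
#   sudo journalctl --since "1 hour ago" | summarize_ssh_log
#   sudo cat /var/log/auth.log /var/log/kern.log | summarize_ssh_log
summarize_ssh_log() {
    awk '
        # kernel "[UFW BLOCK]" lines: tally by source address and destination port
        /\[UFW BLOCK\]/ {
            src = "?"; dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            blocked[src " -> port " dpt]++
            next
        }
        # sshd "Failed|Accepted password|publickey for [invalid user] USER from IP port N ssh2"
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "for") break
            result = tolower($(i - 2)); method = $(i - 1); user = $(i + 1)
            if (user == "invalid") user = $(i + 3) " (invalid user)"
            ip = "?"
            for (j = i + 1; j <= NF; j++) if ($j == "from") { ip = $(j + 1); break }
            logins[result " " method " " user " from " ip]++
            next
        }
        END {
            for (k in blocked) printf "ufw-block %s: %d\n", k, blocked[k]
            for (k in logins)  printf "ssh %s: %d\n", k, logins[k]
        }
    ' | LC_ALL=C sort
}
```

Repeated "failed password" lines from one address, or "invalid user" names, are the first thing to look for when checking that the lab's password-less, key-only policy is actually in force.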
journalctl -f
Configure
sudo nano /etc/systemd/journald.conf
Under the [Journal] section, set the Storage= option to "persistent" to enable persistent logging:
. . .
[Journal]
Storage=persistent
Commands
journalctl --since "1 hour ago"
journalctl -u sshd
journalctl -u sshd | grep "input_userauth_request:"
journalctl -u sshd.service
journalctl /usr/sbin/sshd
systemctl list-units | grep .service
systemctl status ssh.service
/var/log/auth.log
Command Output to file
The standard output stream is redirected to the file only; it is not visible in the terminal
command > output.txt
Same, but appended to the end of the file
command >> output.txt
The standard output stream is copied to the file and is still visible in the terminal
command | tee output.txt
The standard output stream is copied to the file and is still visible in the terminal; if the file already exists, the new data is appended to the end of it
command | tee -a output.txt
Lab Directions
Download the Ubuntu Server ISO using the IP given to you by your instructor.
Use the ISO to install Ubuntu Server in a new Hyper-V virtual machine.
Update and upgrade the machine, but do not install any extra packages except what is necessary to run ssh.
Set up a terminal (ssh) server with the following requirements:
Anyone on 10.51.10.0/23 can connect, but only to TCP port 22; everything else is not allowed.
Root may not log in via ssh.
Passwords are disallowed; only public/private key authentication is allowed.
Before login via ssh, a banner must be presented using the same login banner text you see just before logging in to the A machines.
Logging must be set to verbose. (Check the logs that it is reporting logins.)
Demonstrate that you can log in to Ubuntu server by logging in to the server in the Hyper-V console and executing an ls to show that the directory is empty, then uploading a file from the Pi or another computer to the Ubuntu server without using a password, and then entering ls on the Hyper-V console to show the file has appeared. Note that the banner must appear when you are trying to log in.
Then hand in the following:
Your ufw rules
Your sshd_config rules
A copy of the journalctl showing you logging in from the Pi.