@madebylydia
Last active April 24, 2024 21:01
Oracle Cloud Infrastructure: My 101 guide to setup your new machine like new

Welcome to another tutorial of "What the f*ck is Oracle doing to my machine without me asking for it?"

In this guide I will cover how to correctly set up your machine, get rid of Oracle's stupid agent, and even pimp your machine a little bit. You can't say no to that! :D Anyhow, let's start right now!

Just a warning!!!

When you create a machine, I HIGHLY recommend that you grab the SSH keys Oracle gently asks you to take. SSH keys are much more secure than passwords and you'll avoid most potential security issues with SSH. Oracle will then automatically refuse any password connection (only allowing SSH key connections).

In this guide, I will assume you have chosen SSH keys, since that's the logical choice in today's world.

And that you have updated and upgraded your packages using (update first, so upgrade sees the current package lists):

sudo apt update
sudo apt upgrade

Create a new user with sudo & deactivate ubuntu

Starting today, do not log in with ubuntu, the default user (or whatever your default user is), anymore. Anyone on the street can find out what your machine is running by just making a few requests to it. Believe me, it can be REALLY accurate in telling what OS your machine runs. From that point, it's easy to guess the default user of your OS, which leaves a potential security issue if they manage to obtain the password (if, of course, you haven't set up SSH keys). As such, let's create a new user, who also has sudo powers!

Creating new user

sudo adduser <your_username>

You're then asked some questions; it's none of my business to tell you what to put, so go ahead and fill in what you need! After that, if the user has been successfully created, you can run this:

sudo adduser <your_username> sudo

This will add the user to the sudo group, which adds them to the sudoers... And boom! Sudo access baby! Right, let's move on. (DO NOT DISCONNECT FROM YOUR UBUNTU SSH SESSION, HEAR ME???)

Now, if you try to connect with your brand new user (don't!!!), you'll get an error saying you can't connect because the server refused your keys, and that's normal. Our SSH server does not accept password login, and our new user does not have any authorized keys in their directory, so what do we do? Well, you could create another SSH key pair, but that's boring, so we'll just copy the existing keys from ubuntu:

sudo mkdir /home/<your_username>/.ssh
sudo cp ~/.ssh/authorized_keys /home/<your_username>/.ssh
sudo chown <your_username>:<your_username> -R /home/<your_username>/.ssh

Let me explain; these commands do the following:

  • We create a .ssh folder in <your_username>'s home directory (which is basically where they land every time they connect).
  • We copy the authorized_keys file into the folder we just created.
  • We make <your_username> the new owner of the directory and file; otherwise we would be unable to connect due to missing permissions. You don't want that. Believe me.

Now, without disconnecting from the ubuntu session, try to connect to your new account. If you connect successfully, congrats! You can continue! If you can't, please Google your problem and find the answer there; this guide might be too old when you read this ^^' but be sure not to disconnect from your ubuntu session until you can connect to your new user's account.

Restricting access to ubuntu

Now let's make things really secure. Check that you have sudo permissions; a simple sudo ping google.fr -c 5 will tell you if you do. If not, please fix this ASAP!

Then, let's run all the commands we need to... run :p

sudo usermod -L ubuntu # lock password
sudo passwd -l ubuntu # also lock password
sudo chage -E0 ubuntu # expire user
sudo usermod -s /sbin/nologin ubuntu # change shell

Wew, that's a lot, let's explain again:

  • The 1st command locks ubuntu's password.
  • The 2nd does too, but in a different manner.
  • The 3rd makes the account expire, which blocks every kind of login to it.
  • The 4th changes ubuntu's shell, so it can't run any commands even if someone manages to gain access.

If you want to check that everything went fine, try running sudo su ubuntu and see for yourself!

F*ck Oracle-Cloud-Agent

Why would you want such a weird package? This thing has been eating about half of my machine's resources for NO reason, and it's completely useless, since I never check any stats on my dashboard; who even does that, by the way? htop does it for you at no cost! So how do we get rid of the agent? It's quite simple actually, just run this:

sudo snap remove oracle-cloud-agent

And boom! Ahah, bye bye agent! See you never! (If you wonder how I discovered that, it wasn't by mistake: I just used one of my favorite tools, locate (sudo apt install mlocate), ran sudo locate oracle-cloud-agent, and the directory names spoke for themselves. Great package, check it out :D)

But we're not done yet with Oracle's bullsh*t... Yup... They added another annoying thing that I personally hate. They have adde~, cough, populated iptables with absolutely stupid rules that no one cares about, and I stand by those words. So what do we do?

You follow my gist that tells you about this!

Correcting UFW config file

We need to make a slight correction to UFW's service file, due to a missing line. How UFW actually behaves is that at each reboot, when it starts, it tries to find a network interface; however, I think UFW starts before any network initialization, meaning UFW starts, finds no interfaces available, and fails to boot. That's why we need to tell UFW to start only after the network interfaces are available.

Start by opening UFW's service file: sudo nano /lib/systemd/system/ufw.service

Now, spot this line, near the beginning (there are no dots, of course):

...
Before=network.target

Now, put the following:

...
Before=network.target
After=netfilter-persistent.service

Do Ctrl+O and Ctrl+X, then type sudo ufw enable (be sure you've allowed your SSH port first... don't be an idiot), and now it should work nicely at every restart!

Hardening your SSH server

You'll be using SSH quite often, and so will malicious people. If you don't host anything else publicly, get ready for a wonderful spam of SSH requests... I've had... interesting things sometimes :)

So first, let's install a useful package, fail2ban; this will ban people's IPs for a limited time if they fail too many times. How wonderful! And just one command away: sudo apt install fail2ban. It's up to you to customize it; I won't handle that here.

Now let's go ahead and see what sshd_config has to offer us. Don't be shy and run sudo nano /etc/ssh/sshd_config

I advise you to make a backup of this file before editing it! Thanks!

First things first, you can change your SSH port. I personally don't do that, but you just have to uncomment the #Port 22 line at the top of the file.

Disable root login

If you ever need root, just use sudo su (an easy way to remember this command is "sudo", "superuser", as in "I'm connecting to the system's superuser"), but don't connect as root over SSH directly. It's not bad in itself, but people can try to get access from there. And you DON'T want anyone malicious to obtain root access to your machine.

So you can change this:

#PermitRootLogin prohibit-password

to this:

PermitRootLogin no

Restrict authentication tries

This is kind of stupid since we use SSH keys, but it's always better to have it!

Change this:

#MaxAuthTries 6

to this:

MaxAuthTries 2

2 is a recommended value by many.

Disable password connection

Oracle should have handled that for you, so make sure the following is correct:

PasswordAuthentication no
PermitEmptyPasswords no

Disable X11 Forwarding (Or not)

For an extra layer of security, it's recommended to disable X11 forwarding; however, certain applications (such as pgAdmin 4) require this functionality, hence I don't really recommend disabling it if you might need it. It'll be extremely confusing for you to figure out the cause if this turns out to be the problem.

So make sure this is either:

X11Forwarding yes

or

X11Forwarding no

It is up to you.

Remove compression

Think it's bad? Might not be, actually! Compression can have a bad impact on your server's performance, even if it's usually not a lot, and I love having 0% usage of my CPU :)

Change:

#Compression delayed

to:

Compression no

ClientAlive

Let's say you go grab a cup of coffee, leaving your nice-looking SSH session wide open to the cruel world of enterprise. Anyone can grab your mouse and take control of your PC. Oh no! What are you gonna do? Well, nothing, since you prefer a nice cup of coffee with friends. However, we can also enable the ClientAlive options! Thank you SSH! You're so awesome!

Now make sure these options:

#ClientAliveInterval 0
#ClientAliveCountMax 3

are set to:

ClientAliveInterval 300
ClientAliveCountMax 2

  • ClientAliveInterval 300 makes the server send a keepalive check to your client every 300s, or 5 minutes.
  • ClientAliveCountMax 2 makes the server disconnect the client once that many checks in a row go unanswered.

Use SSH protocol 2

Oh lord, we're reaching the end of this file; well, great time to add another option that the file does not include by default. Introducing SSH v2.

Let's add the following line at the end:

Protocol 2

Now our SSH server will use the most recent SSH protocol and offer much more secure functions! Awesome!
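As an added example that is not part of the original gist, the Python script below audits an sshd_config against the checklist above, honouring sshd's rules that the first value for a keyword wins, that lines starting with # are just the shipped defaults, and that settings inside a Match block only apply conditionally. The sample config is constructed for the demo; the Protocol keyword is not checked because OpenSSH 7.4 and later only speak protocol 2 and ignore it.

```python
# Checklist from the guide (assumed audit target); lower-cased since sshd keywords are case-insensitive.
EXPECTED = {
    "permitrootlogin": "no", "passwordauthentication": "no",
    "permitemptypasswords": "no", "compression": "no",
    "maxauthtries": "2",  # caution: every key the client offers counts as a try
    "clientaliveinterval": "300", "clientalivecountmax": "2",
}

def parse_sshd_config(text):
    """Effective global keyword -> value, read the way sshd reads it: '#' lines are
    comments (the shipped file lists defaults that way), the FIRST occurrence of a
    keyword wins, and parsing stops at the first 'Match' block (conditional values)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

def audit(text):
    """(keyword, expected, found) for each checklist item not set as recommended;
    found is '<default>' when the keyword is absent or only commented out."""
    effective = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            findings.append((key, want, "<default>"))
        elif got.lower() != want:
            findings.append((key, want, got))
    return findings

# Constructed sample: MaxAuthTries still commented out, stale ClientAliveCountMax 3 left above the new 2.
SAMPLE_CONFIG = """\
#MaxAuthTries 6
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Compression no
ClientAliveInterval 300
ClientAliveCountMax 3
ClientAliveCountMax 2
Match User backup
    PasswordAuthentication yes
"""
```

Running audit() on the real file (open("/etc/ssh/sshd_config").read()) after your edits shows exactly which lines are still at their defaults or shadowed by an earlier duplicate.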

Set up a proper FQDN

What's an FQDN, you might ask? Well, it's basically what identifies your machine to the rest of the Internet. For example, one of my machines uses aper.lydia.moe, and this is its FQDN: aper is the name of my machine, hosted at/by lydia.moe, so its FQDN is aper.lydia.moe.

It is really advised to set up an FQDN for your machines. For example, if you change your machines' IPs quite often and use multiple SSH clients, why bother editing ALL of their configurations when you can just change a DNS record and use your FQDN as the address?

If you do happen to have a domain, consider following this handy tutorial: https://linuxconfig.org/how-to-change-fqdn-domain-name-on-ubuntu-20-04-focal-fossa-linux

Expecting your questions:

I must give my password when I run sudo with my command; how can I stop getting asked for my password?

This is not advised; sudo has a great reason to enforce this behaviour, so I shouldn't even tell you and should let you do your own research on the subject. (How hard)

But if you really want to, first run sudo visudo; you'll be editing a file (/etc/sudoers.tmp).

At the end of the file (it does matter! Do it!), put the following:

<your_username>   ALL=(ALL) NOPASSWD:ALL

The space between <your_username> and "ALL=(A..." is a tab. I don't really know if this matters, but if it does, consider using it.

Thanks for reading!

If you enjoyed this guide, don't forget to ⭐ this gist, or even share it with your non-secured friends! That said, bye bye!

@JkktBkkt

Hi, do you use these on their always-free tier? I was wondering if they'd shut down an instance that has the agent removed.
There is also a gist for manually installing a different OS, in this case Debian.
And even a tool to do it, quite flexible as well.
Though personally I manually cloned the boot volume and then did it the boring way; no chroot'ing needed.

@madebylydia (Author)

Hello @JkktBkkt. Yes, I do. I only once received an email from Oracle which was meant to claim one of my machines that was running the Oracle agent. However, I have since removed it and had no problem.
From what I can remember, I never had any issues from Oracle once it was removed. I'd say it's fine to remove it.
In case you happen to receive a mail from Oracle, I assume you can just reinstall the agent.
