ConoHa VPS (ubuntu 18.04) Initial setting memo

ConoHa introduced a new plan, so I am launching another server, again from Ubuntu 18.04. This is an updated version of an earlier article. I really wanted to wait for 20.04, but no.

ConoHa VPS contract

I contracted the RAM 1GB / SSD 100GB plan in the Tokyo region, 880 yen a month. Cheaper than three or four years ago, and the SSD is twice the size.

- No port restrictions for now; the firewall is set up after logging in over SSH.
- Image type: OS, with Ubuntu 18.04 selected. Application images (for example, Docker) can now be chosen instead of a bare OS, but this memo starts from the plain OS. It keeps evolving!
- Do not register an SSH public key on the creation screen. A user cannot be created while the virtual machine is being created, so create the user first and register the key for that user afterwards.

Domain settings

Domain management stays with Sakura Internet.

- In Sakura's domain management screen, point the domain's address record at the new server's IP.
- In the ConoHa server management screen, enter the domain name as the reverse host name (reverse DNS), just in case.

Initial settings around security

User created & ssh

Create a user from a root shell (over SSH or the control panel console), add it to sudoers, and register its public key in authorized_keys, all in one go. Keep the key file private to the user: sshd's StrictModes rejects a .ssh directory or authorized_keys that others can write to.

# adduser <new user>
# usermod -aG sudo <new user>
# su - <new user>
$ mkdir -m 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ vi ~/.ssh/authorized_keys # paste the new user's public key

Edit sshd_config: move the port, forbid root login and password login, and allow public-key login only. Two caveats before restarting sshd: keep the current session open and test a fresh login with the new key and port from a second terminal (if you do lock yourself out, the ConoHa console still works); and on Ubuntu, `UsePAM no` also switches off PAM account and session handling, so the usual approach is to leave `UsePAM yes` and stop PAM password prompts with `ChallengeResponseAuthentication no` instead. The changes:

$ sudo vi /etc/ssh/sshd_config
- Port 22
+ Port xxx #Change port

- PermitRootLogin yes
+ PermitRootLogin no

- PubkeyAuthentication no
+ PubkeyAuthentication yes #Public key login

- PasswordAuthentication yes
+ PasswordAuthentication no

- UsePAM yes
+ usePAM no

$ sudo sshd -t # syntax check first; a broken config would leave you locked out
$ sudo systemctl restart ssh
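As an added example, not part of the original memo, here is a small POSIX shell script that makes the same sshd_config changes idempotently and checks what the resulting config actually means to sshd. It assumes GNU sed and awk and a config without Match blocks; the port is passed as an argument. Unlike the diff above it keeps `UsePAM yes` and disables PAM password prompts with `ChallengeResponseAuthentication no`.

```shell
#!/bin/sh
# Added example, not from the original memo: idempotent sshd_config hardening.
# Assumes GNU sed/awk and a config with no Match blocks (options inside a
# Match block are conditional, and this script does not understand them).
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites every definition of KEY, commented out or not, to "KEY VALUE",
# appending it if none exists. sshd honours the FIRST occurrence of a
# keyword, so leftover duplicates are rewritten rather than ignored.
# VALUE must not contain '|' or '&' (sed replacement syntax).
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_option FILE KEY
# Prints the value sshd would use: the first uncommented occurrence in the
# global section (keywords are case-insensitive; parsing stops at Match).
effective_sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == k       { print $2; exit }
    ' "$1"
}

# harden_sshd FILE [PORT]: the memo's settings, with PAM kept on.
harden_sshd() {
    cfg=$1 port=${2:-22}
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    # On Ubuntu, "UsePAM no" also disables PAM account/session handling, so
    # keep PAM and stop PAM password prompts via ChallengeResponseAuthentication.
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" UsePAM yes
}

# sshd_is_hardened FILE: exit 0 only if the effective config forbids root
# and password logins and allows public keys.
sshd_is_hardened() {
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = no ] &&
    [ "$(effective_sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ "$(effective_sshd_option "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(effective_sshd_option "$1" PubkeyAuthentication)" = yes ]
}

# Usage: sudo sh harden-sshd.sh /etc/ssh/sshd_config 2222
# Backs up the file, edits it, then asks sshd to validate the syntax.
if [ "$#" -ge 1 ]; then
    cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd "$1" "${2:-22}"
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1"; fi
    sshd_is_hardened "$1" && echo "sshd_config hardened; restart ssh after testing a new login"
fi
```

Run it twice and the file is unchanged the second time; `effective_sshd_option` is the check to run after any hand edit, because a stray earlier `PasswordAuthentication yes` silently wins over a later `no`.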

`iptables` settings

Manage it through `ufw`. Ports 80/443 do not need to be opened here, because the docker nginx-proxy container will publish them itself. The reason that works is worth knowing: Docker writes its own iptables rules for every published port, the traffic is DNAT'd to the container and flows through the FORWARD chain, where Docker's jump is inserted ahead of ufw's, so ufw's incoming rules never see it. A published container port is therefore reachable from outside whether or not ufw allows it, and the rules below only govern traffic to the host itself. If ufw should gate a container port, publish it on 127.0.0.1 instead. Restricting the ssh rule to `<ssh port>/tcp` is a small tightening over the plain form used below.

$ sudo ufw allow <ssh port> # ssh
$ sudo ufw default deny #Deny all by default
$ sudo ufw enable

Check:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip


To                         Action      From
--                         ------      ----
<ssh port>                 ALLOW IN    Anywhere                  
<ssh port> (v6)            ALLOW IN    Anywhere (v6)             

IPv6 settings

ConoHa VPS assigns 17 IPv6 addresses to each server, but a server built from the Ubuntu 18.04 image only configures IPv4. Since I want to reach it over IPv6, I assign an IPv6 address as well.

/etc/netplan/10-gmovps.yaml


network:
    ethernets:
        eth0:
-           addresses: [] 
+           addresses:
+             - <ipv6_address>/64
            dhcp4: true
            dhcp6: false
            accept-ra: false
            optional: true
+           gateway6: <gateway_address>
    version: 2

Either change the file as above, or create a YAML file with a higher numeric prefix (11 or above, for example /etc/netplan/20-mynetwork.yaml) containing the same settings: netplan merges every file in /etc/netplan in lexical order, so the later file overrides the earlier one for the keys it sets. Then apply it with `sudo netplan try` (which rolls the change back automatically unless you confirm it within the timeout, so a bad gateway does not cost you the session) or `sudo netplan apply`, and confirm with `ip -6 addr show dev eth0`.

$ sudo netplan apply
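The override-file variant written out in full, as an added example rather than a file from the memo. The addresses are placeholders from the 2001:db8::/32 documentation range; substitute one of the server's 17 assigned addresses and the gateway ConoHa lists.

```yaml
# /etc/netplan/20-mynetwork.yaml (added example, not from the original memo)
# Merged after 10-gmovps.yaml; keys set here win for eth0.
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
      dhcp6: false
      accept-ra: false
      optional: true
      addresses:
        - 2001:db8::10/64          # placeholder: use an address ConoHa assigned
      gateway6: 2001:db8::1         # placeholder: the gateway ConoHa lists
```

Keep the file readable only by root (`chmod 600`) as netplan warns for files it owns; it contains nothing secret here, but the habit matters once WPA or tunnel keys end up in the same directory.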

Host name change

/etc/hosts and /etc/hostname were inconsistent, so I made them match:

/etc/hosts
127.0.0.1 conoha

/etc/hostname
conoha

I'll keep it like this. (On Ubuntu the host's own name is conventionally mapped to 127.0.1.1 rather than 127.0.0.1, and `sudo hostnamectl set-hostname conoha` writes /etc/hostname and applies the name immediately without a reboot.)

No need to install NTP anymore

There is no longer any need to set up an NTP client: systemd-timesyncd runs by default on Ubuntu and keeps the clock synchronized on its own. The servers it uses can be changed under `NTP=` in the `[Time]` section of /etc/systemd/timesyncd.conf if you prefer a domestic pool over the Ubuntu defaults.

It is synchronized, as shown here:

$ timedatectl status
                      Local time: Tue 2020-03-17 17:37:26 JST
                  Universal time: Tue 2020-03-17 08:37:26 UTC
                        RTC time: Tue 2020-03-17 08:37:27
                       Time zone: Japan (JST, +0900)
       System clock synchronized: yes
systemd-timesyncd.service active: yes
                 RTC in local TZ: no

Docker

All services on this server will run in Docker.

Repository settings

$ sudo apt-get update
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - # import Docker's GPG key
$ sudo apt-key fingerprint 0EBFCD88 # check it: Docker's docs give 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
$ sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable" # add the repository

Introducing Docker Community Edition

$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io
$ sudo docker run hello-world # operation check

Make Docker available to the general user created above. Membership in the docker group is root-equivalent on the host (anyone in it can mount / into a privileged container), so add only the account you would also give sudo. The new group takes effect at the next login.

$ sudo usermod -aG docker <new user>

Introducing Docker Compose

$ sudo curl -fL https://github.com/docker/compose/releases/download/1.25.4/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
# 1.25.4 is the latest at the time of writing; check the status on GitHub: https://github.com/docker/compose/releases
# -f makes curl fail on an HTTP error instead of saving the error page as the binary

$ sudo chmod +x /usr/local/bin/docker-compose # grant execute permission
$ docker-compose --version # check
docker-compose version 1.25.4, build 8d51620a
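The curl above installs whatever the release server hands back. As an added example, not from the memo, here is a POSIX shell helper that checks a downloaded binary against a published checksum file and only then installs it. It assumes a `.sha256` sidecar next to the binary in sha256sum's `<hex>  <filename>` format (the compose release page publishes such files; if an asset ships only a bare digest, adapt the parsing). A checksum fetched from the same origin only detects corruption or a swapped asset, not a compromised origin, but it also catches the classic silent failure of an HTML error page saved as the binary.

```shell
#!/bin/sh
# Added example, not from the original memo: check a downloaded release
# binary against its published .sha256 file before installing it.
# Assumes the sidecar is in sha256sum format ("<hex>  <filename>" or
# "<hex> *<filename>"), which is what "sha256sum file > file.sha256" writes.
set -eu

# verify_release_binary BINARY SHAFILE
# Returns 0 only when (a) the sidecar's filename field names BINARY, so a
# digest for a different asset is not accepted, and (b) the digests match.
verify_release_binary() {
    bin=$1 shafile=$2
    expected=$(awk 'NR==1 {print tolower($1)}' "$shafile")
    named=$(awk 'NR==1 {sub(/^\*/, "", $2); print $2}' "$shafile")
    case $expected in
        *[!0-9a-f]*|"") echo "malformed digest in $shafile" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest in $shafile is not SHA-256" >&2; return 1; }
    [ "$named" = "$(basename "$bin")" ] || {
        echo "$shafile is for '$named', not '$(basename "$bin")'" >&2; return 1; }
    actual=$(sha256sum "$bin" | awk '{print $1}')
    [ "$actual" = "$expected" ] || { echo "SHA-256 mismatch for $bin" >&2; return 1; }
}

# install_verified BINARY SHAFILE DEST
# Copies BINARY to DEST with mode 0755 only after it verifies; on failure
# DEST is left untouched.
install_verified() {
    verify_release_binary "$1" "$2" || return 1
    install -m 0755 "$1" "$3"
}

# Usage, matching the memo's download (run in the download directory):
#   sudo sh verify-compose.sh docker-compose-Linux-x86_64 \
#       docker-compose-Linux-x86_64.sha256 /usr/local/bin/docker-compose
if [ "$#" -eq 3 ]; then
    install_verified "$1" "$2" "$3" && echo "installed $3"
fi
```

Download the binary and its `.sha256` into a scratch directory first, run the script, and only then does anything land in /usr/local/bin; the same helper works for any single-file release that ships a sha256sum-style checksum.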

References: "Get Docker CE for Ubuntu" and "Install Docker Compose" in the Docker documentation.

Send Logwatch reports to Gmail

Just in case.

$ sudo apt-get install logwatch
$ sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

Change the recipient to the Gmail address:

/etc/logwatch/conf/logwatch.conf


- MailTo = root
+ MailTo = [email protected]

To get the mail out, postfix relays through Sakura's mail server and from there to Gmail; the setup follows this article:

https://qiita.com/jqtype/items/cfb03be0efb8eacd8978
