ConoHa environment construction memo

environment

ConoHa VPS

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"

Creating a working user

 $ add user lambda34 # Add user

 $ password # password setting

 $ gpasswd -a lambda34 sudo # Make users belong to a group

SSH settings

1. Create a public key on the local PC side

$ ssh-keygen -t rsa

You can see that the public and private keys have been created.

$ ls -la ~/.ssh
total 72
drwx------   9 aaa  staff   288 10 12 23:34 .
drwxr-xr-x+ 59 aaa  staff  1888 12  8 04:07 ..
-rw-------   1 aaa  staff  1843 12  8 17:03 id_rsa
-rw-r--r--   1 aaa  staff   413 12  8 17:03 id_rsa.pub

2. Set the public key in the directory on the VPS side

$ scp ~/.ssh/id_rsa.pub [email protected]:~/　

3. Set the public key in the user directory on the VPC side

$ ssh [email protected]

$ mv ~/id_rsa.pub ~lambda34/.ssh/authorized_keys

$ chown -R lambda34: ~lambda34/.ssh

$ chmod 700 ~lambda34/.ssh

$ chmod 600 ~lambda34/.ssh/authorized_keys

Enter the VPC as the root user and create the public key in the user directory of lambda34. Installed in. Change the authority.

** Make sure that the user created from the local PC can connect **

$ ssh -i ~/.ssh/id_rsa [email protected] 

security settings

Edit sshd_config so that you cannot log in as the root user.

** Make a backup before editing **

$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bac 

$ sudo vi /etc/ssh/sshd_config
↓
 Port 65656 # port22 is guessed, so change to another port
 PermitRootLogin no #Prohibit login in root directory
 PasswordAuthentication no #Prohibit login with password

Reboot

$ sudo service ssh restart 

Confirm that you cannot log in as the root user

$ ssh -p 65656 -i ~/.ssh/id_rsa [email protected]
[email protected]'s password:
Permission denied, please try again

When logging in using the port specification and private key

$ ssh -p 65656 -i ~/.ssh/id_rsa [email protected]

Firewall settings

It should be inactive by default.

$sudo ufw status
[sudo] password for lambda34:
Status: inactive

activation

$ sudo ufw enable

Access is denied by default

$ sudo ufw default deny

Only communication of required protocol is allowed Here we will open ports 80 and 443.

$ sudo ufw allow https/tcp
$ sudo ufw allow http/tcp

Confirmation command

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
443/tcp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
65656                      ALLOW IN    Anywhere
443/tcp (v6)               ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
65656 (v6)                 ALLOW IN    Anywhere (v6)

Reload

$ sudo ufw reload
Firewall reloaded

Package update

$ sudo apt-get update

install docker

$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
    - y

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

$ sudo apt-key fingerprint 0EBFCD88

$ sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"

$ sudo apt-get update

$ sudo apt-get install docker-ce -y

Docker auto-start settings

$ sudo systemctl enable docker

Add user to Docker group

$ sudo usermod -aG docker $USER

Install docker-compose

$ sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

$ sudo chmod +x /usr/local/bin/docker-compose

$ exit

Creating a working directory

$ sudo mkdir -p /data/repo
$ sudo chown -R $USER /data