Security settings around login for Ubuntu server on IBM Cloud VPC Gen 2

Outline of this article

This is a memo summarizing what I did to secure an Ubuntu VSI after setting it up on IBM Cloud VPC Gen 2.

The steps covered are as follows.

- Creating a general user
- General user sudo settings
- SSH public key authentication settings for general users
- Prohibit SSH login as root
- Disable password authentication
- Change of default security group (limitation of access source IP address)

This article also refers to the following articles.

- SSH connection via HTTP Proxy (Mac)
- How to access externally from Windows 10 under proxy environment by SSH
- Until connecting with SSH public key authentication
- Prohibit ssh root login on Ubuntu

Prerequisites

This article assumes the following:

- The VSI OS is Ubuntu
- The local terminal is a Mac

Creating a general user

In the initial state you log in over SSH as root, but continuing to use root as-is is dangerous, so create a general user. Ubuntu offers two commands, useradd and adduser; since useradd has inconveniences such as not creating a home directory by default, use adduser. Running adduser lets you set the password interactively.

# adduser <User ID>

General user sudo settings

Since SSH login as root will be prohibited later, allow the general user to become root with sudo su. This is done by adding the user to the sudo group with the following command. Specify -aG, because -G on its own replaces the user's supplementary groups with the one specified instead of adding to them.

# usermod -aG sudo <User ID>

Setting up SSH public key authentication for general users

Create an SSH key on your local device.

ssh-keygen -t rsa -b 4096 -f id_rsa_ubuntu

The above command creates the id_rsa_ubuntu file (private key) and the id_rsa_ubuntu.pub file (public key); copy the contents of id_rsa_ubuntu.pub (the public key).

Next, on the Ubuntu side, su to the target general user, create and edit the .ssh/authorized_keys file, and paste the copied public key into it.

# su - <User ID>
$ mkdir ~/.ssh
$ vi ~/.ssh/authorized_keys

After this, log out once and confirm that SSH access is possible as a general user.

ssh -i <Private key file path> <User ID>@<IP address of VSI>

Prohibit SSH login as root & disable password authentication

To prohibit SSH login as root and disable password authentication, edit the /etc/ssh/sshd_config file as follows.

# Root login permission. Change yes to no; if the line is commented out, uncomment it and change it.
PermitRootLogin no

# Password authentication. Change yes to no; if the line is commented out, uncomment it and change it.
PasswordAuthentication no
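The steps above end with the two sshd_config edits. As an added example that is not from the original article, the following POSIX sh helper applies those directives idempotently (uncommenting an existing line rather than adding a duplicate) and reads back the value sshd would use, where keywords are case-insensitive and the first uncommented occurrence wins. It is demonstrated on a constructed sample file, not a live server; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently set the two
# sshd_config directives from the steps above and read back the effective value.
# Assumes POSIX sh, GNU or BSD sed, and awk.

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY ..." line, whether or not it is commented out,
# to "KEY VALUE"; appends the directive if no such line exists.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*${key}([[:space:]]|\$)" "$file"; then
    sed -i.bak -E "s|^[#[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY
# Prints the value sshd would use: keywords are case-insensitive and, as in
# sshd itself, the first uncommented occurrence wins.
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) && !found { v = $2; found = 1 }
                 END { print v }' "$1"
}

# harden_sshd_config FILE: the two settings from the section above.
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
}

# Demo on a constructed sample (not a real sshd_config) so it runs without root.
# On the real server: harden_sshd_config /etc/ssh/sshd_config, then run
# `sshd -t` to validate, and restart ssh only after key login has been confirmed.
demo() {
  f=$(mktemp)
  printf '%s\n' '#PermitRootLogin prohibit-password' \
                'PasswordAuthentication yes' 'Port 22' > "$f"
  harden_sshd_config "$f"
  printf 'PermitRootLogin=%s PasswordAuthentication=%s\n' \
    "$(get_sshd_option "$f" PermitRootLogin)" \
    "$(get_sshd_option "$f" PasswordAuthentication)"
  rm -f "$f" "$f.bak"
}
demo
```

On the server itself, `sudo sshd -t` checks the syntax and `sudo sshd -T` prints the effective configuration, which also accounts for files pulled in by an Include line such as /etc/ssh/sshd_config.d/*.conf on newer Ubuntu releases. Restart ssh only after the key-based login from the previous step has been confirmed, so you are not locked out.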

Change the default security group (restriction of access source IP address)

In the VPC security group settings, limit the access source IP address to a specific IP address only.

Go to the VPC Security Groups page (https://cloud.ibm.com/vpc-ext/network/securityGroups).

The target VPC has a default security group, so select it. (In this example, select the VPC default security group called samplevpc.)

Click "Rules".

Unless you changed the default when you created the VPC, the default security group's inbound rules allow port 22 (SSH) access from any IP address. Restrict this to a specific IP address range. Click the three-dot menu at the far right of the "TCP" row and select "Delete" to remove the rule. Then click the Create button.

As a new inbound rule, specify TCP for Protocol, 22 for the Port Range minimum and 22 for Maximum. Also select "CIDR block", enter the range of source IP addresses to allow, and click the "Save" button.

(Screenshot: the state after creating rules for two address ranges.)

As a result, SSH access can only be performed from a specific IP address, SSH login as root is prohibited, and password authentication is also disabled.

SSH access with proxy specification

With remote work now common, servers are often accessed from home, where the IP address is assigned dynamically by the Internet provider and the address range cannot always be narrowed down. If your company provides a remote HTTP proxy, you may be able to restrict access to that proxy's authorized IP addresses by going through it.

SSH connection via HTTP Proxy (Mac) describes SSH access through an HTTP proxy on a Mac. Following it and running the command below lets the connection originate from the permitted access source IP address.

ssh -i <Private key file path> <User ID>@<IP address of VSI> -o ProxyCommand='nc -X connect -x <HTTP proxy host name>:<HTTP proxy port number> %h %p'

On Windows, the same can be done by following How to access externally from Windows 10 under proxy environment by SSH.
