Ubuntu – How to set up an Ubuntu server to be (securely) available from the internet

Apache2serversshvpn

I want to build an Ubuntu server that will be continuously connected to the internet. I own only an IP address. The main purpose of the server is to be a source code controller (probably git or svn… haven't chosen yet), but also some occasional other uses (file sharing with family or customer, personal backup, host of web applications I may write, etc. I also would like to be able to access the computer at any time to administer it, even behind some customer's proxy that allows only http or https

What are the standard steps to achieve that?

My first thought is to set up openssh server. Is it possible (and quite secure) to open it to the internet on standard port (i.e. customer firewall/proxy compatible)?
Is it possible to set up a VPN server, that is run from a webpage plugin (also hosted by the server)?
as I have only one IP address (IP V4 and IPV 6 actually, but I don't think IP V6 address will be accessible from customers network by now), can I make apache and other server software coexist on the same standard ports?

thanks in advance 😉

Best Answer

When properly set-up OpenSSH is safe, even on the standard port. Moving it away from the standard port saves you from your log files being filled up by unauthorized login attempts. More details on the end.

It's very dangerous to access your server if you do not have control over the computer which should connect to your server (which I think that's the reason why you need to use a browser plugin)

OpenVPN can be set up to share TCP ports with a HTTP/HTTPS server, from its manual page:

--port-share host port  
    When run in TCP server mode, share the OpenVPN port with another
    application, such as an HTTPS server.
    If OpenVPN senses a connection to its port which is using a non-OpenVPN
    protocol, it will proxy the connection to the server at host:port.  
    Currently only designed to work with HTTP/HTTPS, though it would 
    be theoretically possible to extend to other protocols such as ssh.

It's not recommended to use OpenVPN with a TCP connection due to its overhead (TCP 3-way handshake). If you've no choice, you could give it a go.

Using OpenVPN, you can avoid any port restriction imposed on you and secure the connection. Please refer to How do I setup OpenVPN so I can securely use the internet from an unsecured hotspot? for a guide on setting up OpenVPN.

You cannot share ports unless an application supports it (like OpenVPN), so I must disappoint you on that.

SSH server

Password-based authentication without limiting connection attempts is asking for trouble. Because of that, it's preferred to use key-based authentication and disable password-based authentication altogether.

Install openssh-server by running sudo apt-get install openssh-server
Disable password-based authentication by editing the configuration file /etc/ssh/sshd_config. To start editing, run sudo nano /etc/ssh/sshd_config. Find the line #PasswordAuthentication yes and change it to PasswordAuthentication no. By default, SSH listens on port 22. If you want to change it, use a port below 1024 for security reasons. (change the line with Port 22)
For extra security, you can configure a list of users who are allowed to login. Add a line with:
```
AllowUsers someuser
```
Replace someuser by the username of the account that is allowed to log in. Multiple usernames should be separated by a space.
Generate a key on your computer using the command ssh-keygen -t rsa. Enter whatever values you want and choose a secure passphrase.
Copy the contents of ~/.ssh/id_rsa.pub file to /home/someuser/.ssh/authorized_keys file on your server. someuser is the user that should be allowed to login. (it's a single line that should be copied, never copy the contents of a file that starts with -----BEGIN RSA PRIVATE KEY
Reload the configuration of your SSH server:
```
sudo reload ssh
```
If you're remotely accessing your server over SSH, verify that you can make a new SSH connection to avoid locking yourself out.

For further debugging:

1) Check that port 22 (SSH) is open on your server and on the router (port forwarding).

2) Check that the SSH server is running on your server

3) Use ping, ssh -v while connecting and look at /var/log/auth.log to debug any further connection problems.

1) On your router: follow router specific instructions

On your server: sudo ufw status (unless you use another firewall configuration utility) or sudo iptables -L (general method, but complex output)

To open port 22: sudo ufw allow 22

cf https://help.ubuntu.com/12.04/serverguide/firewall.html

2) Check it is installed: dpkg -l openssh-server

Check it is running: service ssh status or ps aux | grep sshd

3) On the connecting client:

ping my.external.ip.address
ssh -v user@my.external.ip.address

On the server:

sudo less /var/log/auth.log

You can check the router logs as well if necessary.

Here's an online port scanner: https://www.grc.com/x/ne.dll?bh0bkyd2

I think you can use tools like nmap or other as well, but I'm not that familiar with them yet.

Dealing with a changing external IP address:

1) Get a dynDNS or similar account: http://dyn.com/dns/

Lists of dynamic DNS providers:

2) Another solution, is to set up a crontab job, which regularly mails you your external IP address or puts in into an online storage service like dropbox.

Here's a script a friend of mine uses:

    #!/bin/bash
    # Bash script to get the external IP address
    MYWANIP=$(curl http://mire.ipadsl.net | sed -nr -e 's|^.*<span class="ip">([0-9.]+)</span>.*$|\1| p')
    echo "My IP address is: $MYWANIP"

    IPold=$(cat /home/USER/Dropbox/test.txt)
    echo "Previous IP Address: $IPold"

    if [[ $IPold != $MYWANIP ]] ;
    then
      echo "New IP"
      rm /home/USER/Dropbox/test.txt
      echo $MYWANIP >> /home/USER/Dropbox/test.txt;
      echo $MYWANIP;
    else
      echo "Same IP";
    fi

    # example crontab entry:
    ## m h  dom mon dow   command
    ## */10 * * * * /home/USER/Dropbox/test_ip.sh

Router port forwarding:

1) First, figure out your router's local IP address by running:

ip route | grep default

It is usually something like 192.168.x.x.

Alternative ways and other OS solutions:

2) Using any computer connected locally to the router, access the IP found previously, i.e. via http://192.168.1.1 for example. This should bring up the router configuration interface.

3) The next steps vary depending on your router. Here is how it is done on a router with OpenWRT for example:

https://newspaint.wordpress.com/2012/08/26/how-to-add-a-port-forward-using-the-web-interface-on-openwrt-10-03-1/

Best Answer

SSH server

Related Solutions

Ubuntu – How to make the webpage accessible from Internet

Ubuntu – Connecting to Ubuntu server via SSH externally

For further debugging:

Dealing with a changing external IP address:

Router port forwarding:

Related Question