OS Configuration
This post goes over how to configure your Ubuntu 8.04 Slice on Slicehost.
(general reference: http://articles.slicehost.com/2008/4/25/ubuntu-hardy-setup-page-1)
Log On to your Slice as root
Note: you will need the IP address and root password for the slice, which were provided to you when the slice was created.
ssh root@11.222.333.444
Change the root password for your slice by entering
passwd
and specifying a new password for the root user account. Log out and connect again over SSH to verify that the new password works. NOTE: If you rebuilt the slice, you may need to remove the old entry from the local ~/.ssh/known_hosts file in order to connect.
Create an admin (non-root) user account
Add a user and give them a password...
adduser demo
Give the user admin privileges by opening the /etc/sudoers file
nano /etc/sudoers
and add the following to the end of the file:
demo ALL=(ALL) ALL
SSH Configuration
(general reference: http://articles.slicehost.com/2008/4/25/ubuntu-hardy-setup-page-1 (SSH Copy section & SSH Config section))
Copy your public key from your local computer to your slice by running the following on your LOCAL COMPUTER...
scp ~/.ssh/id_rsa.pub demo@11.222.333.444:/home/demo/
Note: you will need to provide the demo user's password that you created earlier.
Now on the SLICE computer, set up the SSH directory and permissions...
mkdir /home/demo/.ssh
mv /home/demo/id_rsa.pub /home/demo/.ssh/authorized_keys
chown -R demo:demo /home/demo/.ssh
chmod 700 /home/demo/.ssh
chmod 600 /home/demo/.ssh/authorized_keys
Make changes to the default SSH configuration...
nano /etc/ssh/sshd_config
Replace the content of /etc/ssh/sshd_config with the following...
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 30000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no
UseDNS no
AllowUsers demo
IP Table Configuration
Just follow the instructions on http://articles.slicehost.com/2008/4/25/ubuntu-hardy-setup-page-1 (iptables section).
Save any existing rules...
iptables-save > /etc/iptables.up.rules
Create a new list of iptable rules...
nano /etc/iptables.test.rules
Paste in the following content...
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
Update the rules...
iptables-restore < /etc/iptables.test.rules
Check to see that the IP table rules were updated...
iptables -L
Save the rules...
iptables-save > /etc/iptables.up.rules
Make sure the rules are applied after a reboot...
nano /etc/network/interfaces
Add the single pre-up line just after 'iface lo inet loopback':
...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.up.rules

# The primary network interface
...
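Before reloading sshd it is worth confirming that the hardening directives set above actually took effect and that the iptables rules accept the same SSH port, since a mismatch locks the admin user out once the root session is closed. The following pre-flight check is an added example, not part of the original post; it takes the sshd_config and rules file paths as arguments and constructs its own sample files inline for demonstration.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original post: confirm that sshd_config
# carries the hardening directives set above and that the iptables rules file
# accepts NEW TCP connections on the same port, so the sshd reload that follows
# cannot lock the admin user out. File paths are passed as arguments.

# Print the effective value of KEY in a sshd_config (last uncommented occurrence).
ssh_directive() {  # usage: ssh_directive FILE KEY
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# Succeed when an iptables-restore rules file accepts inbound TCP on PORT.
fw_allows_tcp() {  # usage: fw_allows_tcp RULES_FILE PORT
    grep -Eq "^-A INPUT .*-p tcp .*--dport $2 -j ACCEPT" "$1"
}

# Report each failing check on stdout; return the number of failures (0 = pass).
audit_ssh_hardening() {  # usage: audit_ssh_hardening SSHD_CONFIG RULES_FILE
    cfg=$1; rules=$2; fails=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}; got=$(ssh_directive "$cfg" "$key")
        [ "$got" = "$want" ] || { echo "FAIL: $key is '${got:-unset}', want $want"; fails=$((fails+1)); }
    done
    [ -n "$(ssh_directive "$cfg" AllowUsers)" ] || { echo "FAIL: AllowUsers unset"; fails=$((fails+1)); }
    port=$(ssh_directive "$cfg" Port); port=${port:-22}   # sshd default is 22 when unset
    fw_allows_tcp "$rules" "$port" || { echo "FAIL: firewall does not accept tcp/$port"; fails=$((fails+1)); }
    return $fails
}

# Constructed sample files: a hardened config as in the post, a weak one, and the rules.
TMP=$(mktemp -d); GOOD_CFG=$TMP/sshd_good; WEAK_CFG=$TMP/sshd_weak; RULES=$TMP/rules
printf '%s\n' 'Port 30000' 'Protocol 2' 'PermitRootLogin no' 'PubkeyAuthentication yes' \
    'PermitEmptyPasswords no' 'PasswordAuthentication no' 'X11Forwarding no' \
    'AllowUsers demo' > "$GOOD_CFG"
printf '%s\n' '#Port 30000' 'Protocol 2' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
    'PermitEmptyPasswords no' 'PasswordAuthentication yes' 'X11Forwarding no' > "$WEAK_CFG"
printf '%s\n' '*filter' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -p tcp --dport 80 -j ACCEPT' \
    '-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT' \
    '-A INPUT -j REJECT' 'COMMIT' > "$RULES"

if audit_ssh_hardening "$GOOD_CFG" "$RULES"; then echo "OK: safe to reload sshd"; fi
audit_ssh_hardening "$WEAK_CFG" "$RULES" || echo "weak config: $? problem(s) found"
```

On a real slice run it as `audit_ssh_hardening /etc/ssh/sshd_config /etc/iptables.up.rules` from the still-open root session and only reload sshd when it reports no failures.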
Reload the SSH configuration...
/etc/init.d/ssh reload
* Reloading OpenBSD Secure Shell server's configuration sshd [ OK ]
Test the login by opening up a new shell and logging in as the admin user...
ssh -p 30000 demo@11.222.333.444
Note that if you are unable to connect, you may need to remove stored host keys from the ~/.ssh/known_hosts file. Once you verify that you can log in as the admin user, you can close the connection that uses the root login.
Updates to the OS
To get a more useful bash shell than the default, edit the ~/.bashrc file...
nano ~/.bashrc
and add the following to the end
export PS1='\[\033[0;35m\]\h\[\033[0;33m\] \w\[\033[00m\]: '
alias free='free -m'
alias update="sudo aptitude update"
alias install="sudo aptitude install"
alias upgrade="sudo aptitude safe-upgrade"
alias remove="sudo aptitude remove"
Reload the configuration changes for the bash shell...
source ~/.bashrc
Refresh the package lists so that any released patches are available to install...
sudo aptitude update
Set the locale...
sudo locale-gen en_US.UTF-8
sudo /usr/sbin/update-locale LANG=en_US.UTF-8
Update and upgrade...
sudo aptitude safe-upgrade
sudo aptitude full-upgrade
Install the package of essential build programs...
sudo aptitude install build-essential
OK, now the OS is configured and updated... you are ready to proceed to Part 3 - installing the software applications.