Ubuntu Remote Access SSH Server

I intend to stand up a server for remote access to my home network. My goals are to:
  • Give myself encrypted and strongly-authenticated remote access to my home network
  • Allow myself to tunnel to the other hosts (physical and virtual) on the network for Remote Desktop and X Windows sessions
  • Transfer files to and from the home network

To accomplish all this, I'm going to use OpenSSH.  SSH is handy because you can reduce your exposure to the internet to a single port / service and tunnel from there to the rest of the network.  If I had a router handy that supported DD-WRT, I'd be strongly tempted to run OpenVPN or OpenSSH from there.  I don't, however, so I'm going to use a virtual machine.

Ideally I'd have a packet-filtering firewall between the OpenSSH server and my internal systems. In my case, I think I'm going to run the OpenSSH server on an Ubuntu guest OS on a VMWare Server 2 host. Someday I may rebuild this using ESXi, but this will do for now.

Since I'm running the gateway on a virtual machine, and I haven't yet decided how the virtual network topology should work, I'm going to start off using iptables to restrict which internal hosts the Ubuntu server is allowed to reach. This way, if someone exploits a vulnerability in OpenSSH, they would still have to gain elevated privileges on the gateway to change the host-based firewall rules before moving further into the network. This is imperfect, but I think it will do for now.

My VMWare Server host has a Q6600 processor on a motherboard which supports Intel VT. This will allow me to run 64-bit guests.  Since this is going to be a light-weight Ubuntu server, I won't need to address much memory.  I'm going 64-bit anyway just for kicks.

Enable Virtualization Technology

The first thing I need to do (while Ubuntu 8.10 Server is downloading) is enable VT. VT is often disabled in BIOS by default. If you're running on a 64-bit CPU and a motherboard with BIOS that supports VT, yet you get errors booting your 64-bit guest OSes about 64-bit processor support, there's a good chance that VT is disabled in BIOS.

Reboot your host machine, enter BIOS, and look for the VT settings. They are often found under the Security tab.

Note that if you're using Windows XP for your host OS, when it goes to sleep or stand-by, it will often quit reporting that VT is still enabled, causing problems with virtual machines. The only fix I've found is to disable sleep / stand-by mode, or to reboot the host after a sleep / stand-by event.

Install Ubuntu

Using the VMWare Server web console, I created a new virtual machine with a 2GB hard drive, 256MB of RAM, and a single processor. I gave it a single CD-ROM drive which I mapped to the Ubuntu 8.10 Server iso file I downloaded earlier.

On startup, I chose my language and hit F4 to do a minimal virtual machine installation. This is equivalent to the JeOS release available in 8.04 and earlier.

Since I don't plan on having multiple volumes and I'm not anticipating the need to add or move volumes in the future, I chose "Guided - use entire disk" as the partitioning method, and accepted the default partitions.

For server packages, I chose "Ubuntu Basic Server" and "OpenSSH Server".

First Boot - Post-Install Configuration

The first thing I did after logging in was install updates:

sudo apt-get update && sudo apt-get upgrade

I then installed Aptitude:

sudo apt-get install aptitude

Then I installed VMWare Tools. I'm not entirely sure if all of these steps are necessary, but this is how I did it:

sudo aptitude install build-essential linux-headers-$(uname -r)

sudo aptitude install psmisc

sudo aptitude install open-vm-tools

The next step is to configure the network. Right now it's setup for DHCP, but I want to make it static so the IP address never changes.

To do this, you edit the interfaces file (I'm using vi):
$ sudo vi /etc/network/interfaces

Then comment out this line:
iface eth0 inet dhcp

And finally, I added the following to statically assign the IP (you will need to use the correct settings for your network):
iface eth0 inet static
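The static stanza above is only the first line; eth0 also needs at least an address, netmask and gateway. The following is an added example (not from the original post) that writes a complete stanza to a file you name, so you can review it before copying it over /etc/network/interfaces. The 192.0.2.x values in the usage line are constructed placeholders from the RFC 5737 documentation range; replace them with your own network's settings.

```shell
#!/bin/sh
# Added example: generate and sanity-check a static /etc/network/interfaces
# stanza for eth0. Nothing here touches /etc directly; the caller decides
# when to install the reviewed file. DNS is not set here because on
# Ubuntu 8.10 the nameserver lives in /etc/resolv.conf, not in this file.

write_static_stanza() {
    out="$1"         # destination file, e.g. /tmp/interfaces.new
    addr="$2"        # static IPv4 address for eth0
    mask="$3"        # subnet mask
    gw="$4"          # default gateway (usually the router)

    cat > "$out" <<EOF
# The loopback interface
auto lo
iface lo inet loopback

# Primary interface: static address so the gateway's IP never changes.
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
    address $addr
    netmask $mask
    gateway $gw
EOF
}

# Check a stanza file: eth0 must be static, no uncommented dhcp line may
# remain, and address/netmask/gateway must each appear exactly once.
# Returns 0 when the file passes, 1 otherwise.
check_static_stanza() {
    f="$1"
    grep -q '^iface eth0 inet static' "$f" || return 1
    grep -q '^[^#]*iface eth0 inet dhcp' "$f" && return 1
    for kw in address netmask gateway; do
        [ "$(grep -c "^[[:space:]]*$kw " "$f")" -eq 1 ] || return 1
    done
    return 0
}

# Usage (constructed placeholder values):
# write_static_stanza /tmp/interfaces.new 192.0.2.10 255.255.255.0 192.0.2.1
# check_static_stanza /tmp/interfaces.new && sudo cp /tmp/interfaces.new /etc/network/interfaces
```

After installing the file, restart networking (or reboot) and confirm with ifconfig that eth0 came up with the address you chose; a typo in the gateway line is the usual reason an otherwise valid stanza leaves the VM unreachable.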

Configure OpenSSH

First thing I'll do is make a copy of the sshd_config file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original

I created a Banner file with an (un-)welcome message and some ascii art:
# Banner file displayed at login
Banner /etc/ssh/Banner

And made a few other changes:
LoginGraceTime 30

And finally, I restarted sshd so the changes would take effect:
sudo /etc/init.d/ssh restart
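One caveat worth checking before that restart: sshd uses the first value it finds for each keyword, so a hardening line added below an earlier occurrence of the same keyword is silently ignored. The following is an added example (not from the original post) that reads sshd_config the same way and reports the settings that matter for an internet-facing gateway. The expected values (Protocol 2, key-only logins, no root login, the LoginGraceTime of 30 used above) are my assumptions about a sensible baseline, not settings the post itself lists beyond LoginGraceTime.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for first-value-wins surprises
# and weak settings before restarting sshd.

# Print the effective (first) value of a keyword, case-insensitively.
# Prints nothing if the keyword is absent, meaning sshd's compiled-in
# default applies.
sshd_effective() {
    cfg="$1"; kw="$2"
    awk -v k="$(printf '%s' "$kw" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { if (tolower($1) == k) { print $2; exit } }
    ' "$cfg"
}

# Report one OK / WEAK / UNSET line per check and return the number of
# WEAK findings, so the caller can refuse to restart sshd on a nonzero result.
audit_sshd_config() {
    cfg="$1"; weak=0
    while IFS='|' read -r key wanted; do
        got="$(sshd_effective "$cfg" "$key")"
        if [ -z "$got" ]; then
            echo "UNSET $key (compiled-in default applies)"
        elif [ "$got" = "$wanted" ]; then
            echo "OK    $key $got"
        else
            echo "WEAK  $key $got (expected $wanted)"
            weak=$((weak + 1))
        fi
    done <<'EOF'
Protocol|2
PermitRootLogin|no
PasswordAuthentication|no
PubkeyAuthentication|yes
LoginGraceTime|30
EOF
    return $weak
}

# Usage:
# audit_sshd_config /etc/ssh/sshd_config && sudo /etc/init.d/ssh restart
```

Because the audit reads only the first occurrence of each keyword, a file where "PermitRootLogin no" was appended after the stock "PermitRootLogin yes" is reported as WEAK, which is exactly what sshd will enforce.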

Port Forwarding

And finally, I forwarded a single TCP port on my router to port 22 on my new Ubuntu virtual machine. I chose a nonstandard port for the external side (such as 8022).

Done, for now

That's it for now. I now have a fully functional remote access gateway running in VMWare. In the next installment I'll set up the host-based firewall. Then I'll build a second VM just like this one, but set up with Samba so I and other trusted users can SCP into that server and access a secure file drop box and file share.

I'll also follow the cleanup steps from here to remove all the unnecessary build tools and packages:
