Sergeant's Website

HW02: Installing Server Instance due Mon 30 Jan 12:00

$\begin{purpose} In this assignment you will install your own server instance an... ...ecurity for it. You will also learn to document your setup steps. \end{purpose}$

What You Need to Turn In

In a text file (i.e., NOT MS Word or other word processor) document the steps you take to complete installation including steps in the browser and exact commands that you typed on the command-line. The goal is to produce a document someone else could follow to perform the install. Upload the text file

In addition you need to bring to class on a USB drive a copy of the private key file generated during the install process (i.e., sa-yourfirstname.pem). This file will be used by me to access your server. We are not turning in the file electronically for security reasons.

Installing a Server

From your AWS Educate account visit the Server Administration course and click on the AWS Console button to access AWS Console. Below I have some short, somewhat cryptic steps for completing the install process. You should start by following those steps. If you get stuck or find there is not enough detail you can use these links to fill in the blanks:

My Cryptic Notes/Instructions

Go to Services -> EC2 -> Launch Instance
Ubuntu Server 18.04 LTS (HVM), SSD Volume Type
64-bit (x86)
Type: Use FREE Tier (probably t2.micro)
Create New Key Pair with name: sa-yourfirstname
Download .pem file and put in a safe place. Also, put it on a USB drive that you will bring to class when we next meet.
Got to EC2 Console to see instances. Take note of IP number.
To connect to your new server:
Using Putty/Windows?

Launch puttygen, load .pem file, enter password/confirm, save private key with name sa-yourfirstname.ppk
To connect: start putty, enter IP number of your server, go to Connection -> SSH -> Auth and browse for private key file (choose new ppk file), save the session configuration under a useful name, connect, username is ubuntu.

Using Linux/MacOS Command Line?
Use these commands:
```
	chmod 400 /path/to/sa-yourfirstname.pem
	ssh -i /path/to/sa-yourfirstname.pem ubuntu@your-ip-address
```

Essential Commands

These commands will be used over-and-over and should be memorized:

Execute Privileged Instructions

The ubuntu account and the additional account you created have full sudo privileges which you can utilize by preceding a privileged command with sudo. Example (assuming $ is the command prompt):

$ ls /root
ls: cannot open directory '/root': Permission denied

The request to list files in the /root directory fails because we don't have permission to look in that directory.

$ sudo ls /root
# contents of /root are displayed

This request succeeds because we requested special permissions. Why not just give these accounts full root access so you don't have to type sudo in front of every privileged command? Primarily to keep you from accidently shooting yourself in the foot. Doing everything with root access is like carrying around a loaded gun in your hand!

If you are needing to do a number of system admin tasks and don't want to be bothered with typing sudo in front of everything you can do this:

$ sudo su

Then you'll have root privileges with every command. Use CTRL-D or type exit to revert back to normal privileges.

Update OS / Software

The system software should be updated by issuing these commands: sudo apt update followed by sudo apt upgrade

If the upgrade requires a reboot of the system it will create a file named: /var/run/reboot-required. If the file exists you should reboot. Otherwise, a reboot is not needed. Although it is possible to reboot from the command-line I've, in the past, had some strange behavior with AWS servers that are rebooted in this way. So, even though it is more work I always reboot from the AWS console by clicking on the EC2 instances and choosing Actions -> Instance State -> Reboot.

Work with Background Processes

To work with processes that run in the background (like web server, AppArmor, database server, etc.) use the systemctl command as follows:

sudo systemctl [command service]

If the command and service are omitted, it will display the state of all background services. Some examples of systemctl commands you will use below with the AppArmor service:

sudo systemctl status apparmor # view status of the apparmor service
sudo systemctl start apparmor  # start the apparmor service
sudo systemctl enable apparmor # cause apparmor service to start on boot

Basic Security

To access an AWS server you need to know: IP number, username, and have a copy of the .pem file generated during installation. The .pem file is indeed the “keys to the kingdom” so it needs to be stored in a safe place. The key file is used in place of a password.

By default AWS Ubuntu 18.04 installs:

AppArmor

A mandatory access control (MAC) system to confine programs to a limited set of resources. Take a look at this tutorial. Verify that AppArmor is on, configured, and set to run on boot. (In theory you shouldn't need to configure anything.)

https://medium.com/information-and-technology/so-what-is-apparmor-64d7ae211ed

Uncomplicated FireWall (UFW)

A front-end to the Linux iptables firewall which provides packet filtering. You'll need to enable the firewall and to allow OpenSSH from any location. You can use this tutorial to help you with those steps:

https://medium.com/@jasonrigden/a-guide-to-the-uncomplicated-firewall-ufw-for-linux-570c3774d7f4

IMPORTANT: This is an easy place to shoot yourself in the foot. If you turn on ufw but fail to allow OpenSSH access you will no longer be able to access your server! It is important to test your settings by:

Leave your current command-line session with the server open.
Attempt to establish a new, separate command-line session with the server. If you are able to do this after the firewall has is in place then you should be good.

Default AWS Security Group

A security group is assigned to each EC2 instance and defines what type of access is allowed. The security group policies are enforced by AWS and are layered outside of kernel-level protection mechanisms (such as the firewall). We will establish the habit of using both layers of protection. See this document for general information about security groups:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#adding-security-group-rule

To view/edit your security group go to the EC2 Dashboard, click to see running instances. Click checkbox beside your instance scroll down to see Security groups: launch-wizard-1. Click the link to see Security group details, click on inbound rules. Modify ssh to only allow access from IP numbers you expect to work from. NOTE: One good way to learn your public IP is to visit google.com in your browser and type “what is my ip”. Include in your list of rules the HSU subnet: 209.165.224.0/24

Create a non-privileged account for yourself that allows sudo and use that account to complete the installation.It is conventional to create a non-privileged account that you use to work in the system. Amazon automatically creates such an account for you (called ubuntu). If you want to create your own account, say fred, this is how you would set it up.

Create the account: useradd fred
Create the user's home directory and give the account info about the access key. The easiest way to do this is to copy (as root) all files from the ubuntu user's home directory and then to adjust ownership:
```
sudo cp -rp /home/ubuntu /home/fred
sudo chown fred.fred -R /home/fred
```
Give the new account sudo privileges. Edit /etc/sudoers.d/90-cloud-init-users and copy the line that names ubuntu and replace “ubuntu” with “fred” in the copied line.
Now you should be able to login as fred with the same privileges as ubuntu.
To get the new user account to use the bash shell you may need to edit the appropriate entry in /etc/passwd accordingly.

I Know You Know

You will find this assignment more pleasurable if you start early and play around with stuff as you move forward.