Posts

How to unlock an encrypted Ubuntu 18.04 Server over SSH with Dropbear

Some of you are security-aware and would like to set up full disk encryption on a new system. You'll then face a problem: once the machine reboots and nobody is around to type in the passphrase, it simply will not boot. To get around this you can use a small SSH server called Dropbear that is embedded in the initramfs and starts at the very beginning of the boot process, before the root filesystem is unlocked. Only after you authenticate with your SSH key can you log in and hand over the passphrase that unlocks the filesystem; you are then disconnected again while the machine finishes booting.

Prerequisites:
– Freshly installed and encrypted Ubuntu 18.04 server (headless installation – no GUI).
– You should know how to use the Linux terminal and the text editor nano.
– I advise you to configure a DHCP reservation on your router so the machine always gets the same IP. The initramfs requests its address via DHCP, so otherwise the IP may change every time you boot and you won't know where to connect. (Alternatively a static address can be given on the kernel command line with the ip= parameter.)

Steps:
1. Let’s ensure we have all updates installed:

sudo apt update
sudo apt dist-upgrade

Install the Dropbear initramfs package:

sudo apt-get --assume-yes install dropbear-initramfs

You'll notice that during package installation Dropbear generates its own host keys for the initramfs:
– DSA 1024-bit host key
– RSA 2048-bit host key
– ECDSA 521-bit host key
These are separate from the OpenSSH host keys of the booted system, so your SSH client will see a different host key on this listener than on your regular SSH port.

2. Edit the config file:

sudo nano /etc/dropbear-initramfs/config

Uncomment the DROPBEAR_OPTIONS line and set a listen port. Choose one that differs from your regular sshd port: the initramfs Dropbear has its own host keys, so sharing the port would make your client report a changed host key on every connection, and you don't want to get used to ignoring that warning. Dropbear also accepts -s (explicitly disable password logins) and -j/-k (disable local and remote port forwarding), which leave the listener nothing to offer except the unlock command:

DROPBEAR_OPTIONS="-p YOUR_PORT"

3. Dropbear in the initramfs only allows public key authentication (root has no password there), so we need to create and fill our authorized_keys file:

sudo nano /etc/dropbear-initramfs/authorized_keys

Fill it with the forced command followed by the contents of your public key file (the single line from e.g. ~/.ssh/id_rsa.pub). The command= option restricts the key to running cryptroot-unlock instead of a shell, so even a stolen key gets nothing else. Note that the Dropbear version in 18.04 (2017.75) does not support Ed25519 keys; use an RSA or ECDSA key.

command="/bin/cryptroot-unlock" ssh-rsa YOUR_KEY

4. Apply the changes and reboot:

sudo update-initramfs -u
sudo reboot

5. Now you can log in to your machine during boot, for instance with:
ssh root@MACHINE_IP -p YOUR_PORT -i ~/.ssh/YOUR_KEY_FILE

You are prompted for the LUKS passphrase; once it is accepted the session closes and the boot continues. On the first connection compare the host key fingerprint your client shows with the one printed by dropbearkey -y -f /etc/dropbear-initramfs/dropbear_rsa_host_key on the running system before accepting it.
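
Steps 2 and 3 can also be done from a script, which is handy when you set up more than one machine. The following is an added example and not code from the original post: it writes a restricted authorized_keys entry and the DROPBEAR_OPTIONS line into a target directory given as an argument (a scratch directory for a dry run, /etc/dropbear-initramfs for the real thing), and leaves running update-initramfs (step 4) to you. It goes a bit beyond the text: it rejects key types Dropbear 2017.75 cannot use (Ed25519 only arrived in Dropbear 2020.79), checks that the key blob is base64, adds no-port-forwarding/no-agent-forwarding/no-X11-forwarding next to the forced command, and passes -s, -j, -k and an idle timeout (-I 60) to Dropbear. The key in the demo run is a constructed placeholder, not a real RSA key.

```shell
#!/bin/sh
# Added example, not from the original post: prepare the dropbear-initramfs
# directory from a script. DEST is the target directory; pass a scratch
# directory to dry-run, /etc/dropbear-initramfs for real, and then run
# `sudo update-initramfs -u` yourself (step 4 of the post).

# Public key types that Dropbear 2017.75, the version shipped in Ubuntu 18.04,
# accepts for public-key authentication. Ed25519 support only arrived in
# Dropbear 2020.79, so an ed25519 key would be silently useless and is rejected.
key_type_supported() {
    case "$1" in
        ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn one "type blob [comment]" public-key line into an authorized_keys entry.
# The forced command is the only thing the key may run; forwarding is switched
# off as well so a stolen key cannot use the initramfs as a network pivot.
restricted_key_line() {
    # word-splitting the key line into type / blob / comment is intended here
    set -- $1
    [ $# -ge 2 ] || { echo "malformed public key line" >&2; return 1; }
    ktype=$1; blob=$2; shift 2; comment=$*
    key_type_supported "$ktype" || {
        echo "key type $ktype is not usable with Dropbear 2017.75 (Ubuntu 18.04)" >&2; return 1; }
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || {
        echo "key blob is not valid base64" >&2; return 1; }
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s %s%s\n' \
        "$ktype" "$blob" "${comment:+ $comment}"
}

# Append the restricted entry for the first key in PUBKEY_FILE to
# DEST/authorized_keys exactly once, and keep the file private to root.
install_unlock_key() {
    dest=$1; pubkey_file=$2
    mkdir -p "$dest"
    line=$(restricted_key_line "$(head -n 1 "$pubkey_file")") || return 1
    if [ -f "$dest/authorized_keys" ] && grep -qxF "$line" "$dest/authorized_keys"; then
        return 0    # already present, do not duplicate on re-runs
    fi
    printf '%s\n' "$line" >> "$dest/authorized_keys"
    chmod 600 "$dest/authorized_keys"
}

# Replace (or add) the DROPBEAR_OPTIONS line in DEST/config. Besides -p PORT,
# -s disables password logins explicitly, -j/-k disable local/remote port
# forwarding and -I 60 drops sessions idle for a minute.
write_dropbear_options() {
    dest=$1; port=$2
    mkdir -p "$dest"
    [ -f "$dest/config" ] || : > "$dest/config"
    grep -v '^#*DROPBEAR_OPTIONS=' "$dest/config" > "$dest/config.tmp" || true
    printf 'DROPBEAR_OPTIONS="-p %s -s -j -k -I 60"\n' "$port" >> "$dest/config.tmp"
    mv "$dest/config.tmp" "$dest/config"
}

# Demo run against a scratch directory with a constructed, non-functional key
# (the blob is just base64 text, not a real RSA key).
demo=$(mktemp -d)
printf 'ssh-rsa %s demo@example\n' "$(printf 'constructed-key-blob' | base64)" > "$demo/id_rsa.pub"
install_unlock_key "$demo" "$demo/id_rsa.pub"
write_dropbear_options "$demo" 2222
cat "$demo/authorized_keys" "$demo/config"
rm -rf "$demo"
```

For the real system call install_unlock_key /etc/dropbear-initramfs ~/.ssh/id_rsa.pub and write_dropbear_options /etc/dropbear-initramfs YOUR_PORT as root, then sudo update-initramfs -u as in step 4.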

Credits:
– https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
– https://www.pbworks.net/ubuntu-guide-dropbear-ssh-server-to-unlock-luks-encrypted-pc/
– https://seeseekey.net/archive/122144/ (Hetzner specific)

How to install XFCE and VNC on a headless Ubuntu 18.04 Server

This week I tested several tutorials from the internet that walk through the installation of VNC. Unfortunately some of them just didn't work, so I'm writing down the way that currently works flawlessly.

Prerequisites:
– Freshly installed Ubuntu 18.04 server edition (headless installation – no GUI).
– All commands are typed in a terminal as a standard user – so don't log in as root directly.
– You should know how to use the Linux terminal and the text editor nano.

Steps:
1. Let’s ensure we have all updates installed:

sudo apt update
sudo apt dist-upgrade

If you only have a root account on your system, create a regular user for yourself and add it to the sudo group:

sudo adduser YOUR_NEW_USER
sudo usermod -a -G sudo YOUR_NEW_USER

2. Install XFCE4 and VNC:

sudo apt install xfce4 xfce4-goodies
sudo apt install tightvncserver

3. Configuring VNC:
Start vncserver once so it creates ~/.vnc, choose a password (answer no to the view-only password), then kill the instance again:
vncserver
vncserver -kill :1

Keep in mind that TightVNC truncates the password to 8 characters and the VNC challenge-response is DES-based, so this password is not a real security boundary. The SSH tunnel in step 5 is what actually protects the session.

Backup the configuration file:

mv ~/.vnc/xstartup ~/.vnc/xstartup.bak

Create a new file

nano ~/.vnc/xstartup

and fill it with:

#!/bin/bash
# load X resources only if the user has any, so xrdb does not fail on a fresh account
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
startxfce4 &

and make it executable (it is your own file, no sudo needed):
chmod +x ~/.vnc/xstartup

4. Creating a system daemon for autostarting VNC:
Create a new file:
sudo nano /etc/systemd/system/vncserver@.service

and fill it with these lines (replace YOUR_USER with your username). The -localhost option makes Xtightvnc listen on 127.0.0.1 only, so display :1 is reachable solely through the SSH tunnel from step 5 and never directly from the network. systemd does not run Exec lines through a shell, so a shell redirection such as > /dev/null 2>&1 would be passed to vncserver as arguments; the leading - on ExecStartPre already makes a failing kill harmless:
[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=YOUR_USER
Group=YOUR_USER
WorkingDirectory=/home/YOUR_USER

PIDFile=/home/YOUR_USER/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i
ExecStart=/usr/bin/vncserver -localhost -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target

Tell systemd about the new unit file, enable it at boot and start the service:

sudo systemctl daemon-reload
sudo systemctl enable vncserver@1.service
vncserver -kill :1
sudo systemctl start vncserver@1

5. Use an SSH tunnel to connect to your server. It forwards local port 5901 to port 5901 on the server's loopback interface, which is the only place the VNC server should be listening:
ssh -L 5901:127.0.0.1:5901 -C -N -l USER YOUR_SERVER_IP

6. Voilà! Now open a VNC viewer and connect to localhost:5901. The connection is forwarded through the SSH tunnel to the server and the XFCE desktop shows up. If you are unhappy with the screen dimensions, adjust the -geometry parameter in /etc/systemd/system/vncserver@.service, then run daemon-reload and restart the service.

(7. Recommendation: for some reason the XFCE screensaver produces quite a high CPU load (in my case around 36%) even when nobody is connected to the server. Deactivate it in the settings and you'll save a lot of valuable CPU resources.)
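
Because the VNC password is weak by design, it is worth verifying after step 4 that the display really is not reachable from the network. Xtightvnc accepts -localhost to bind to 127.0.0.1 only; the following check, an added example and not code from the original post, reads `ss -ltn` output and reports every listener in the VNC port range 5900-5999 that is bound to a wildcard or non-loopback address. The sample ss lines are constructed for the demo, not captured from a real host; on a live system pipe the real output in with ss -ltn | assert_vnc_local_only.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that VNC displays are only
# reachable through the SSH tunnel, i.e. nothing on TCP 5900-5999 listens on a
# wildcard address. Reads `ss -ltn` output on stdin so it can run against
# constructed lines; live use: ss -ltn | assert_vnc_local_only

# Print every VNC listener that is bound to something other than loopback.
exposed_vnc_listeners() {
    awk '
        $1 == "State" { next }                  # header line printed by ss
        {
            n = split($4, a, ":"); port = a[n]  # $4 is "Local Address:Port"
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port + 0 >= 5900 && port + 0 <= 5999 &&
                addr != "127.0.0.1" && addr != "[::1]")
                print addr ":" port
        }'
}

# Exit status 0 when every VNC listener is loopback-only, 1 otherwise.
assert_vnc_local_only() {
    exposed=$(exposed_vnc_listeners)
    if [ -n "$exposed" ]; then
        printf 'VNC reachable from the network on:\n%s\n' "$exposed" >&2
        return 1
    fi
    echo "VNC listens on loopback only; the SSH tunnel is the only way in"
}

# Constructed sample in `ss -ltn` layout (not captured from a real host):
# display :1 is bound correctly, :2 and :3 were started without -localhost.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*
LISTEN  0       5       0.0.0.0:5902        0.0.0.0:*
LISTEN  0       5       [::]:5903           [::]:*
LISTEN  0       128     [::]:22             [::]:*'

printf '%s\n' "$SAMPLE_SS" | assert_vnc_local_only \
    || echo "fix: add -localhost to ExecStart in vncserver@.service and restart the unit"
```

The check deliberately looks at what the kernel is actually listening on rather than at the unit file, so it also catches a vncserver someone started by hand without -localhost.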

Sources:
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-18-04 (thanks a lot to finid and Brian Hogan)

Tutorial: Bridged OpenVPN Virtual Machine Server Setup

Windows 2012 R2 Standard | Hyper-V | Ubuntu 16.04.1 LTS | Bridged OpenVPN
