Monday, May 11, 2015

Series: How to create your own website based on Docker (Part 2 - Setting up Ubuntu for production use)

Setting up Ubuntu as docker host

Let's get started

This is part 2 of the series: How to create your own website based on Docker.

So why do I want to create my website completely based on Docker containers? Well, that's pretty easy, because a) Docker is cool and b) Docker allows me to move my containers to new providers quickly.

Let's imagine, that a new cheap & fast cloud service is brought to the web or my hosting provider gives me a chance to move to a newer/faster hardware, then it would be cool to quickly move my whole page (including all databases, apps and other services that might be running on my "old" machine) to the new appliance.

That's exactly what I need Docker for, because then my "dockerized" apps are completely portable and can run everywhere - on a cloud, on a virtual machine or on my local computer - Linux is pretty much mandatory, though.

If you still don't know what Docker is or what it does? Just read the official "What is docker" document!

Setting up Ubuntu for production use

The big advantage of using Docker is that we don't have to spend that much time creating a production-ready server. This machine will basically only act as platform for all my containers (from now on called "Docker host") and therefore only needs the minimum security configuration. But still - later - in the docker containers - you have to take care of the application security of course - but we'll get to that later.

Although Docker is supported on Ubuntu from 13.10 & up, I'm using the latest greatest Ubuntu distribution: Ubuntu 15.04 (Vivid Vervet). It comes with the latest kernel and is therefore well-prepared for my Docker installation (remember Docker requires a 64-bit installation regardless of your Ubuntu version. Additionally, your kernel must be 3.10 at minimum).

I'm going to install everything on this (small) machine to test its performance and have the opportunity to move to a faster one once everything has been set up: Hetzner vServer VX11 (Dual Core, 2GB of RAM). Let's see how this small machine performs in the real world, running nginx, nodejs and mongodb containers.

Let's start setting up the Ubuntu machine - our new Docker host.

Add a new user to the system


First of all you need make sure that no one (besides you) can access your machine via SSH, so we need to create a new user. Let's say our new user is called "johndoe" - please use your own user name here - but for the sake of simplicity I'll keep using johndoe as our new user in this series.
# adduser johndoe
This command will ask you some questions (including your password) and will then create a new user for you.

Since you want to be able to use sudo later, you need to add root privileges to that user.

Just type the following command and an editor will appear that allows you to add the user to the:
# visudo
Now find the following section: #user privilege specification and add the following line below the root entry:
root ALL=(ALL:ALL) ALL
johndoe ALL=(ALL:ALL) ALL
Now hit Control+O to save then Control+X to exit Nano editor.

Before you exit, you should also change the root password - just to make sure that no one else knows it - just enter the following command and enter your new password twice:
# passwd

Secure your SSH access correctly


Now that you have your user set up, you can log out from your machine (just type exit) and log in with your new user again. Although it's not necessary, I recommend to do so, so that you can test whether your SSH login (with your new user) works as expected.

On a Unix based machine (e.g. Linux or OSX), you would connect to SSH like that:
# ssh johndoe@yourmachine.com
Now that we're logged in as johndoe, we will secure our SSH access. So type the following command to get into the ssh daemon configuration - I will be using vi from now on - but you can also use nano as editor:
# sudo vi /etc/ssh/sshd_config
Now we will change the standard SSH port, so that port sniffers will have a hard time to guess your port - for that please change the following line (in vi just press "i" to change to insert mode):
# What ports, IPs and protocols we listen for
Port 2233
We've now changed the port from 22 to 2233. Please write it down the port number and don't forget the value you have specified here - otherwise you won't be able to login via SSH anymore! This will not prevent hackers from trying to port scan your server, but it will prevent scripts trying to access your machine on the standard SSH port.

Now we'll tell SSH to not allow the root user to login - so we're changing the value of PermitRootLogin to "no"!
AuthenticationLoginGraceTime 120
PermitRootLogin no
StrictMode yes
If you're the only one accessing this machine you can also add the following line to the end of the file:
AllowUsers johndoe
Having changed that, only johndoe can access this machine via SSH now.

Now just his ESC and enter ":wq" to write the changes to the file and reload the SSH daemon:
# sudo service sshd restart
Ok... let's test our new secured SSH service. Just exit from the machine and log in via SSH again, but this time you'll have to specify the port:
 # ssh johndoe@yourmachine.com -p 2233
You can also try to login as root user, but that should not work as we've told the daemon not to allow the root user to login:
  # ssh root@yourmachine.com -p 2233

  Install & enable the Ubuntu firewall

Since we have now set up our SSH access we should set up our firewall now - this will make sure that you can only access the machine via port 2233 (your new SSH port):

Let's install the UFW - Uncomplicated Firewall by typing the following command:
# sudo apt-get install ufw
Once the firewall is installed, check its status:
# sudo ufw status
It will probably tell you that it's not enabled - that's ok for now. So we'll tell it to allow incoming requests to our new port:
# sudo ufw allow 2233/tcp
And we'll also tell it to deny all incoming and allow all outgoing requests by default:
# sudo ufw default deny incoming
# sudo ufw default allow outgoing
Now let's enable the firewall:
# sudo ufw enable
Now check the status of the firewall again:
# sudo ufw status
It should now look similar to this:
Status: active
To               Action      From
--               ------      ----
2233/tcp         ALLOW       Anywhere
That's pretty much it - your Ubuntu machine is now secured from illegal SSH access.

Ok... let's test our new more-secured SSH service. Just exit from the machine and log in via SSH again - again, you'll have to specify the new port:
 # ssh johndoe@yourmachine.com -p 2233
Now you should be logged in and ready to install docker (next part of the series)!

9 comments:

  1. Great blog so far. A comment/question first, then a potential formatting issue.

    Why do you move the ssh process to a different port? This does not provide any real security and, as you point out, increases the risk of locking yourself out of the server if you forget what port you move it too. Now, you can find it with a simple port scan of the server, but so can anyone else. Which is what makes it a waste of time to move it in the first place.

    The formatting issue I see may trip up an inexperienced linux person. I have looked at this blog post with both Chrome and Firefox on Fedora (it may look fine on a windows or MacOS platform.) It looks like the sshd_config line where you turn off root login is one line with the commented out AuthenitcationLoginGraceTime and StrictMode entries all mashed together. The net effect of this is that root login will not be disabled (the line starts with # symbol making all of it a comment.) I just thought I would let you know.

    ReplyDelete
    Replies
    1. Hey Kent,

      thank you very much for your comment. I've fixed that formatting issue - you're right, that could cause issues for people that just copy & paste.

      Regarding the SSH port:

      Sure, it's possible to use port scanners to detect other open ports. I've seen many scripts (and several of my server logs) that show that attackers mostly try to access SSH via port 22 and the root user (using standard passwords or brutforce attacks). So in order to keep them out, it's safer to use a non-standard port and to disable the root login. This is not preventing other bad guys trying to attack your server, but it helps to make their life harder. And you're right, the big disadvantage is that if you forget the port number you've set, you might get locked out of your server.

      Big thanks for your thoughts and the hint with the formatting issue.

      Regards,

      Sascha

      Delete
  2. Can we use this using CentOS ?

    ReplyDelete
    Replies
    1. Hi,

      you can of course use CentOS as Docker host: https://docs.docker.com/installation/centos.

      If you want to use it within you containers, you need to adjust the Dockerfiles since they are built for Ubuntu (e.g. CentOS uses YUM for package management).

      Regards,

      Sascha

      Delete
  3. I must be missing something, but why do you attempt to "change" root's password (with the 'passwd' command)? Doesn't Ubuntu have root disabled by default, i.e. the root has no password by default? So, by running 'passwd', don't you actually enable the root login as a side-effect?

    http://askubuntu.com/questions/16178/why-is-it-bad-to-login-as-root
    http://askubuntu.com/questions/44418/how-to-enable-root-login?lq=1

    ReplyDelete
  4. Hi,

    it depends on your setup. When I create a new Ubuntu VM, the only user existing on the machine is the root user. So my first login to the machine must be done with root@myhost.com. This means that there are situations where you definitely have a root user. Later, you'll do everything with sudo and your user's password.

    Regards,

    Sascha

    ReplyDelete
  5. Thanks for the post and great tips..even I also think that hard work is the most important aspect of getting success.. Create an WordPress Website

    ReplyDelete
  6. This comment has been removed by the author.

    ReplyDelete
  7. This article describes everything very well.

    ReplyDelete