Let's get started
This is part 2 of the series: How to create your own website based on Docker.
So why do I want to create my website completely based on Docker containers? Well, that's pretty easy, because a) Docker is cool and b) Docker allows me to move my containers to new providers quickly.
Let's imagine that a new, cheap and fast cloud service comes along, or my hosting provider offers me a move to newer/faster hardware. Then it would be very handy to quickly move my whole page (including all databases, apps and other services that might be running on my "old" machine) to the new appliance.
That's exactly what I need Docker for, because then my "dockerized" apps are completely portable and can run everywhere - on a cloud, on a virtual machine or on my local computer - Linux is pretty much mandatory, though.
If you still don't know what Docker is or what it does, just read the official "What is Docker" document!
Setting up Ubuntu for production use
The big advantage of using Docker is that we don't have to spend that much time creating a production-ready server. This machine will basically only act as a platform for all my containers (from now on called the "Docker host") and therefore only needs a minimal security configuration. Later, inside the Docker containers, you still have to take care of application security, of course, but we'll get to that later.
Although Docker is supported on Ubuntu 13.10 and up, I'm using the latest and greatest Ubuntu distribution: Ubuntu 15.04 (Vivid Vervet). It comes with the latest kernel and is therefore well-prepared for my Docker installation (remember that Docker requires a 64-bit installation regardless of your Ubuntu version; additionally, your kernel must be at least 3.10).
I'm going to install everything on this (small) machine to test its performance and have the opportunity to move to a faster one once everything has been set up: Hetzner vServer VX11 (Dual Core, 2GB of RAM). Let's see how this small machine performs in the real world, running nginx, nodejs and mongodb containers.
Let's start setting up the Ubuntu machine - our new Docker host.
Add a new user to the system
# adduser johndoe
This command will ask you some questions (including the new user's password) and will then create the user for you.
Since you want to be able to use sudo later, you need to add root privileges to that user.
Just type the following command and an editor will appear that allows you to add the user to the sudoers file:
# visudo
Now find the section "#user privilege specification" and add the following line below the root entry:
root ALL=(ALL:ALL) ALL
johndoe ALL=(ALL:ALL) ALL
Now hit Control+O to save, then Control+X to exit the Nano editor.
Before you exit, you should also change the root password, just to make sure that no one else knows it. Enter the following command and type your new password twice:
# passwd
Secure your SSH access correctly
On a Unix-based machine (e.g. Linux or OS X), you connect via SSH like this:
# ssh johndoe@yourmachine.com
Now that we're logged in as johndoe, we will secure our SSH access. Type the following command to open the SSH daemon configuration - I will be using vi from now on, but you can also use nano as your editor:
# sudo vi /etc/ssh/sshd_config
Now we will change the standard SSH port, so that port sniffers will have a harder time guessing your port. For that, change the following line (in vi just press "i" to switch to insert mode; the line starting with # is a comment inside the config file, not a shell prompt):
# What ports, IPs and protocols we listen for
Port 2233
We've now changed the port from 22 to 2233. Please write down the port number and don't forget the value you have specified here - otherwise you won't be able to log in via SSH anymore! This will not prevent hackers from port scanning your server, but it will keep out the scripts that only try the standard SSH port.
Now we'll tell SSH not to allow the root user to log in, so we're changing the value of PermitRootLogin to "no" (make sure the directive sits on its own line - anything after a # is a comment and would be ignored):
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
If you're the only one accessing this machine you can also add the following line to the end of the file:
AllowUsers johndoe
Having changed that, only johndoe can access this machine via SSH now.
Now just hit ESC and enter ":wq" to write the changes to the file, then restart the SSH daemon:
# sudo service sshd restart
Ok... let's test our newly secured SSH service. Exit from the machine and log in via SSH again, but this time you'll have to specify the port (tip: open the new connection in a second terminal before closing your existing session, so a mistake in the config can't lock you out):
# ssh johndoe@yourmachine.com -p 2233
You can also try to log in as the root user, but that should not work as we've told the daemon not to allow the root user to log in:
# ssh root@yourmachine.com -p 2233
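A directive that lands on a commented line is silently ignored by sshd, and sshd also uses only the first occurrence of each keyword, so it pays to verify the file before restarting the daemon. The following is an added example, not code from the original post: a small POSIX shell check for the three settings above (port 2233, PermitRootLogin no and AllowUsers johndoe are the values used in this post), run against two constructed sample files, one correct and one with the "mashed together" comment line.

```shell
#!/bin/sh
# Added example, not code from the original post: check that the sshd_config
# edits described above are really in effect before restarting the daemon.
# sshd ignores everything after '#', so a directive that ended up on a
# commented line (e.g. "# Authentication: ... PermitRootLogin no") does nothing.
# sshd also uses the FIRST occurrence of a keyword, so a later duplicate is ignored.

# effective_value FILE KEY: print the value sshd would use for KEY
# (first uncommented occurrence, keyword matched case-insensitively).
effective_value() {
    sed 's/#.*$//' "$1" | awk -v k="$2" '
        tolower($1) == tolower(k) && v == "" { v = $2 }
        END { if (v != "") print v }'
}

# user_allowed FILE USER: succeed if USER appears on an uncommented AllowUsers line.
user_allowed() {
    sed 's/#.*$//' "$1" | awk -v u="$2" '
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_sshd_config FILE PORT USER: return 0 only if all three hardening
# steps from the post (custom port, no root login, AllowUsers) are effective.
check_sshd_config() {
    file="$1"; port="$2"; user="$3"; rc=0
    [ "$(effective_value "$file" Port)" = "$port" ] \
        || { echo "FAIL: Port is not $port"; rc=1; }
    [ "$(effective_value "$file" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no' (is it on a commented line?)"; rc=1; }
    user_allowed "$file" "$user" \
        || { echo "FAIL: AllowUsers does not list $user"; rc=1; }
    return $rc
}

# Constructed sample configs (hypothetical, not copied from any real server).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
# What ports, IPs and protocols we listen for
Port 2233
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers johndoe
EOF
# The "mashed together" variant: the whole line is a comment, so root login
# silently stays at the daemon's default.
cat > "$BAD_CFG" <<'EOF'
Port 2233
# Authentication:LoginGraceTime 120 PermitRootLogin no StrictModes yes
AllowUsers johndoe
EOF

if check_sshd_config "$GOOD_CFG" 2233 johndoe; then echo "good config: OK"; fi
if check_sshd_config "$BAD_CFG" 2233 johndoe; then :; else echo "bad config: rejected"; fi
```

On the real host you would run `check_sshd_config /etc/ssh/sshd_config 2233 johndoe` and, once it passes, `sudo sshd -t` to let sshd itself validate the syntax before the restart.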
Install & enable the Ubuntu firewall
Since we have now set up our SSH access, we should set up our firewall next - this will make sure that the machine can only be reached via port 2233 (your new SSH port). Make sure the allow rule for that port is in place before you enable the firewall, otherwise your own session gets cut off:
Let's install the UFW - Uncomplicated Firewall by typing the following command:
# sudo apt-get install ufw
Once the firewall is installed, check its status:
# sudo ufw status
It will probably tell you that it's not enabled - that's ok for now. So we'll tell it to allow incoming requests to our new port:
# sudo ufw allow 2233/tcp
And we'll also tell it to deny all incoming and allow all outgoing requests by default:
# sudo ufw default deny incoming
# sudo ufw default allow outgoing
Now let's enable the firewall:
# sudo ufw enable
Now check the status of the firewall again:
# sudo ufw status
It should now look similar to this:
Status: active

To                         Action      From
--                         ------      ----
2233/tcp                   ALLOW       Anywhere
Ok... let's test our SSH service again, now behind the firewall. Exit from the machine and log in via SSH once more - again, you'll have to specify the new port:
# ssh johndoe@yourmachine.com -p 2233
Now you should be logged in and ready to install Docker (next part of the series)!
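To confirm that the end state is what this section intends (firewall active, default deny for incoming traffic, and only the SSH port open), you can audit the output of `ufw status verbose`. The following is an added example, not code from the original post: the two status listings are constructed samples in the shape of `ufw status verbose` output, and port 2233 is the SSH port chosen above.

```shell
#!/bin/sh
# Added example, not code from the original post: audit `ufw status verbose`
# output so the end state matches the intent above: firewall active, default
# deny for incoming traffic, and no inbound ALLOW rule except the SSH port.
# Usage on the host:  sudo ufw status verbose | check_ufw_status 2233

# allowed_targets: read ufw status lines on stdin and print the "To" column
# of every ALLOW rule. IPv4 and IPv6 rows collapse to one entry because the
# "(v6)" marker is a separate field and only $1 is printed.
allowed_targets() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "ALLOW") { print $1; break } }' | sort -u
}

# check_ufw_status PORT: read ufw status output on stdin; return 0 only if the
# firewall is active, incoming defaults to deny, and PORT/tcp is the sole allow rule.
check_ufw_status() {
    port="$1"; rc=0
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "FAIL: firewall is not active"; rc=1; }
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
        || { echo "FAIL: default incoming policy is not deny"; rc=1; }
    printf '%s\n' "$status" | allowed_targets | grep -qx "$port/tcp" \
        || { echo "FAIL: no allow rule for $port/tcp (you would be locked out)"; rc=1; }
    for t in $(printf '%s\n' "$status" | allowed_targets); do
        [ "$t" = "$port/tcp" ] || { echo "FAIL: unexpected inbound allow rule: $t"; rc=1; }
    done
    return $rc
}

# Constructed sample output in the shape of `ufw status verbose`
# (not captured from a real host).
GOOD_STATUS=$(cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2233/tcp                   ALLOW IN    Anywhere
2233/tcp (v6)              ALLOW IN    Anywhere (v6)
EOF
)
# Same host after someone opened a database port to the world by mistake.
BAD_STATUS=$(cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2233/tcp                   ALLOW IN    Anywhere
27017/tcp                  ALLOW IN    Anywhere
2233/tcp (v6)              ALLOW IN    Anywhere (v6)
27017/tcp (v6)             ALLOW IN    Anywhere (v6)
EOF
)

if printf '%s\n' "$GOOD_STATUS" | check_ufw_status 2233; then echo "expected state: OK"; fi
if printf '%s\n' "$BAD_STATUS" | check_ufw_status 2233; then :; else echo "extra port detected"; fi
```

If you later expose further services on purpose, extend the check with their ports; the point is that anything not deliberately listed (a database port, for instance) gets flagged rather than quietly staying open.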
Great blog so far. A comment/question first, then a potential formatting issue.
Why do you move the ssh process to a different port? This does not provide any real security and, as you point out, increases the risk of locking yourself out of the server if you forget what port you move it to. Now, you can find it with a simple port scan of the server, but so can anyone else. Which is what makes it a waste of time to move it in the first place.
The formatting issue I see may trip up an inexperienced Linux person. I have looked at this blog post with both Chrome and Firefox on Fedora (it may look fine on a Windows or MacOS platform.) It looks like the sshd_config line where you turn off root login is one line with the commented out AuthenticationLoginGraceTime and StrictMode entries all mashed together. The net effect of this is that root login will not be disabled (the line starts with # symbol making all of it a comment.) I just thought I would let you know.
Hey Kent,
thank you very much for your comment. I've fixed that formatting issue - you're right, that could cause issues for people that just copy & paste.
Regarding the SSH port:
Sure, it's possible to use port scanners to detect other open ports. I've seen many scripts (and several of my server logs) that show that attackers mostly try to access SSH via port 22 and the root user (using standard passwords or brute-force attacks). So in order to keep them out, it's safer to use a non-standard port and to disable the root login. This is not preventing other bad guys trying to attack your server, but it helps to make their life harder. And you're right, the big disadvantage is that if you forget the port number you've set, you might get locked out of your server.
Big thanks for your thoughts and the hint with the formatting issue.
Regards,
Sascha
Can we use this using CentOS ?
Hi,
you can of course use CentOS as Docker host: https://docs.docker.com/installation/centos.
If you want to use it within your containers, you need to adjust the Dockerfiles since they are built for Ubuntu (e.g. CentOS uses YUM for package management).
Regards,
Sascha
I must be missing something, but why do you attempt to "change" root's password (with the 'passwd' command)? Doesn't Ubuntu have root disabled by default, i.e. the root has no password by default? So, by running 'passwd', don't you actually enable the root login as a side-effect?
http://askubuntu.com/questions/16178/why-is-it-bad-to-login-as-root
http://askubuntu.com/questions/44418/how-to-enable-root-login?lq=1
Hi,
it depends on your setup. When I create a new Ubuntu VM, the only user existing on the machine is the root user. So my first login to the machine must be done with root@myhost.com. This means that there are situations where you definitely have a root user. Later, you'll do everything with sudo and your user's password.
Regards,
Sascha
This article describes everything very well.