Services

mDNS (Avahi)

Zero-configuration networking (mDNS, provided on Linux by Avahi) is not installed by default on Ubuntu Server, so we can’t reach .local addresses. Since that is our main way of talking to machines, we install it now, from the console.

sudo apt install avahi-daemon
sudo apt install avahi-utils

Note we will have to punch a hole in the firewall later for UDP 5353 for local machines.

To get a list of machines on the network, use

avahi-browse -a

Network

We want home to have a static address. In fact, our network is small and unchanging enough that we can use static addresses for a lot of things.

sudo vi /etc/netplan/50-cloud-init.yaml

We change this to:

network:
    ethernets:
        eno1:
            addresses: [192.168.13.2/24]
            gateway4: 192.168.13.1
            nameservers:
              addresses: [192.168.13.8,8.8.8.8]
            dhcp4: no
        eno2:
            dhcp4: true
        eno7:
            dhcp4: true
        eno8:
            dhcp4: true
    version: 2

Despite the warning text at the top of the file, this change has survived every reboot. Now restart the network. From the terminal, execute

sudo netplan apply

In the router, reserve this machine’s address in DHCP so that it gets the same one every time.

SSH

Though we use the console for lots of stuff, in practice we’ll want to access the server via ssh. Remember that chell is the jump server for home; other machines should not be able to reach it.

We change a bunch of options to “harden” the server. We start by editing /etc/ssh/sshd_config:

AllowUsers user1
ClientAliveCountMax 0
ClientAliveInterval 300
IgnoreRhosts yes
LoginGraceTime 2m
MaxAuthTries 5
MaxSessions 3
PermitEmptyPasswords no
PermitRootLogin no
Port 2019
PrintMotd yes
Protocol 2
X11Forwarding no

Note that we change the default port (to the year this was written). We’ll go over some of these options later when we take a look at the firewall. Then restart the ssh daemon (the Ubuntu service is called ssh):

sudo systemctl restart ssh

We don’t want to let anybody log in with just a password; instead, they need a public key. We generate the key pair on chell and copy the public key from there to home. Don’t use a passphrase when prompted:

ssh-keygen
cat .ssh/id_rsa.pub
ssh-copy-id -p 2019 -i ~/.ssh/id_rsa.pub user1@home.local

On home, we then edit /etc/ssh/sshd_config to include:

PubkeyAuthentication yes
PasswordAuthentication no

Restart the daemon again. Because typing the different port and all of that gets old fast, we create a file ~/.ssh/config on home with the content:

Host home
    Hostname home.local
    User user1
    Port 2019

Now we can just log in from chell with ssh home as user1. Logging in with a password alone is no longer possible. Remember that chell is the jump server for home.
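As an added check (not part of the original notes), the script below reads an sshd_config-style file and reports which of the settings from the two edits above are not actually in effect. It follows sshd’s first-match rule: sshd uses the first uncommented occurrence of a keyword, so a hardened line appended below an earlier conflicting one changes nothing. The function names, the expected-value list and the sample file are constructed for this example.

```shell
#!/bin/sh
# Audit an sshd_config-style file for the hardening settings from this page.
# sshd uses the FIRST uncommented occurrence of a keyword, so a hardened
# value appended at the end of the file is ignored if an earlier line (or an
# Include'd file) already set it. Usage: sshd_audit /etc/ssh/sshd_config

# Print the effective (first-match) value of keyword $2 in file $1, lowercased.
# Only the "Keyword value" form is handled, which is the form used above.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == key { print tolower($2); exit }  # first match wins
    ' "$1"
}

# Keyword / expected-value pairs taken from the hardening steps above.
SSHD_EXPECTED='permitrootlogin no
passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
x11forwarding no
port 2019'

# Check file $1 against SSHD_EXPECTED: one FAIL line per mismatch, exit 1 if any.
sshd_audit() {
    rc=0
    while read -r key want; do
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: effective=%s expected=%s\n' "$key" "${got:-unset}" "$want"
            rc=1
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    return $rc
}

# Constructed sample (not any real server's file): the hardened lines were
# appended below an earlier "PasswordAuthentication yes", so that key fails.
SAMPLE_SSHD_CONFIG='# constructed sample file
Port 2019
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no'
```

After editing, run sshd_audit /etc/ssh/sshd_config and compare with sudo sshd -T, which prints the configuration sshd actually uses, including anything pulled in by Include.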