Services¶
mDNS (Avahi)¶
Zero configuration, also known as mDNS or Avahi on Linux, is not installed by
default with Ubuntu Server. This means we can’t access .local
addresses.
This is our primary main way of talking to machines. We will want to do this via
the console.
sudo apt install avahi-daemon
sudo apt install avahi-utils
Note we will have to punch a hole in the firewall later for UDP 5353
for
local machines.
To get a list of machines on the network, use
avahi-browse -a
Network¶
We want home to have a static address. In fact, our network is small and unchanging enough we can use static addresses for a lot of things.
sudo vi /etc/netplan/50-cloud-init.yaml
We change this to:
network:
ethernets:
eno1:
addresses: [192.168.13.2/24]
gateway4: 192.168.13.1
nameservers:
addresses: [192.168.13.8,8.8.8.8]
dhcp4: no
eno2:
dhcp4: true
eno7:
dhcp4: true
eno8:
dhcp4: true
version: 2
Despite the scary text in the file, this survives reboots every time. Here, restart the network. From the terminal, execute
sudo netplan apply
In the router, make sure that we get the same address every time via DHCP for this machine.
SSH¶
Though we use the console for lots of stuff, in practice, we’ll want to be able to access the server via ssh. Remember chell is the jump server for home, other machines should not be able to access it.
We change a bunch of options to “harden” the server. We start by editing
/etc/ssh/sshd_config
:
AllowUsers user1
ClientAliveCountMax 0
ClientAliveInterval 300
IgnoreRhosts yes
LoginGraceTime 2m
MaxAuthTries 5
MaxSessions 3
PermitEmptyPasswords no
PermitRootLogin no
Port 2019
PrintMotd yes
Protocol 2
X11Forwarding no
Note that we change the default port (to the year this was written). We’ll go over some of these later when we take a look at the firewall. Then restart the ssh demon.
sudo systemctl restart ssdh
We don’t want to let anybody log in with just their password, instead, we need them to have public keys generated on chell. We will then copy it over from there to home. Don’t use a passphrase when prompted:
ssh-keygen
cat .ssh/id_rsa.pub
ssh-copy-id -p 2019 -i ~/.ssh/id_rsa.pub user1@home.local
On home, we then edit /etc/sshd_config
to include:
PubkeyAuthentication yes
PasswordAuthentication no
Restart again. Because logging in with a different port and all of that gets old
fast, we create a file ~/.ssh/config
on home with the content:
Host home
Hostname home.local
User user1
Port 2019
Now we can just login from chell with ssh home
as user1. We cannot just log
in via password. Remember chell is the jump server for home.