
Setting up an Ubuntu Virtual Machine

In order to apply all the ecodev-infra docker compose stacks, you need a Cloud Virtual Machine (VM) with ssh access.

There are countless blog posts to help you decide which cloud provider is the best for you, and we won't add to this literature here 😊.

Instead we just provide a simple bash script to set up a freshly bought VM running an Ubuntu operating system.

Launching the script

Once you have connected to your VM over ssh, git clone ecodev-infra. Then, in the repository's main folder, launch

make setup-vm <YOURUSER> 

$ make setup-vm toto
---> 100%
VM successfully setup!

Where <YOURUSER> is the username you used to connect to the VM. The bash script executed will:

  • Install docker and related components
  • Add <YOURUSER> to the sudo and docker groups of the VM (you might need to disconnect and reconnect at the end of the setup for this to take effect)
  • Set up ufw (uncomplicated firewall) to work with docker (more on that below)
  • Block all ports except 22 (with a rate limiter), 80 (tcp only) and 443 (tcp only)
  • Set up a decent shell history size (english resource on the topic)
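The firewall part of that list, written out as an added example (this is not the ecodev-infra setup.sh; the function names and the sample `ufw status` text are ours). The plan is kept as data so it can be reviewed with DRY_RUN=1 before anything runs as root, and the audit function flags any inbound rule that opens a port other than 22, 80 and 443:

```shell
#!/usr/bin/env sh
# Added example (not the ecodev-infra setup.sh): the ufw policy described
# above as a reviewable plan, plus an audit of `ufw status numbered` output.
set -eu

# The policy as data: default deny inbound, rate-limited ssh, plain tcp for web.
firewall_plan() {
    cat <<'EOF'
ufw default deny incoming
ufw default allow outgoing
ufw limit 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
EOF
}

# Run the plan as root. With DRY_RUN=1 the commands are only echoed, which
# is how you review it on a VM you cannot afford to lock yourself out of.
apply_firewall() {
    firewall_plan | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "+ sudo $cmd"
        else
            # shellcheck disable=SC2086  # word-splitting the command is intended
            sudo $cmd
        fi
    done
}

# Audit: given the text of `sudo ufw status numbered`, print every inbound
# ALLOW/LIMIT rule whose port is not one of the three we expect (v4 and v6).
# Empty output means the ruleset matches the policy.
audit_ufw_status() {
    # strip the "[ n]" prefix so field positions are stable for [ 1] and [10]
    printf '%s\n' "$1" | sed 's/^\[[ 0-9]*\] *//' | awk '
        / (ALLOW|LIMIT) IN / && $1 !~ /^(22|80|443)\/tcp$/ { print $1 }'
}

# Constructed sample of `ufw status numbered` output with one stray rule (8080).
sample_ufw_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
EOF
}

case "${1:-}" in
    apply) apply_firewall ;;
    plan)  DRY_RUN=1 apply_firewall ;;
    audit) audit_ufw_status "$(sudo ufw status numbered)" ;;
    demo)  audit_ufw_status "$(sample_ufw_status)" ;;
esac
```

Run it with `plan` to see the commands, `apply` to execute them, and `audit` on a configured VM; `demo` runs the audit over the constructed sample and prints `8080/tcp`. Note that `ufw limit` only throttles new connections on port 22 (six in thirty seconds per source address); it is a brake on brute-force attempts, not a replacement for disabling password login as described further down.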

Warning

🚨 Technical topic incoming 🚨

As explained here far better than we could, the standard ufw setup won't forbid access to ports exposed by docker on your VM, even ports explicitly blocked with a ufw rule!

This has to do with technicalities related to iptables explained in the linked posts.

To make ufw work with docker, one has to use this solution. This is the reason for the sudo cp after.rules /etc/ufw/after.rules line in the setup.sh script.

So in reality, after the setup your VM will look like so:

[Figure: infra with ufw] Ecodev infra with ufw correctly set up

Note

You might be as curious as we were and wonder why there is no open source docker container responsible for dealing with firewall issues. To the best of our knowledge, this has to do with the fact that firewall-related work is really low level and needs to live close to the VM kernel. One example out of the numerous conversations on the topic.

Future connections

Edit your ~/.ssh/config (for instance with vim ~/.ssh/config) like so:

Host your-host
    HostName <VM IP>
    User <YOURUSER>

Host *
    ForwardAgent yes
    AddKeysToAgent yes
    ControlMaster auto
    ControlPath ~/.ssh/ctrl-socket-%r@%h:%p
    ControlPersist 900

The last section applies to all Hosts defined above. It has the following benefits:

Configuring ssh securely

Configuring ssh securely is obviously critical, so we encourage the curious reader to go read this article.

In our opinion, you should at least:

  • disable password login: a good link explaining how to do so
  • remove sha-1 key exchange algorithms: a good link explaining how to do so
  • set PrintMotd, X11Forwarding and UsePAM to no

Hence a /etc/ssh/sshd_config that looks like so (all comments omitted):

Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*

If you find any files in /etc/ssh/sshd_config.d/, be sure to propagate the changes there too (for instance, overriding PasswordAuthentication to no in 50-cloud-init.conf): sshd keeps the first value it reads for a keyword, and the Include line sits at the top of the file, so a drop-in saying yes silently wins over the no written below it.
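To make that precedence trap visible, here is an added audit script (not part of ecodev-infra; function names are ours) that resolves the effective value of each keyword the way sshd does, first match wins with Include files expanded in place, and checks the settings recommended above. It builds a constructed sample tree in a temp directory where the main file says no but 50-cloud-init.conf says yes, which is exactly the case the paragraph warns about:

```shell
#!/usr/bin/env sh
# Added example (not part of ecodev-infra): resolve the *effective* sshd
# settings (first match wins, Include expanded where it appears) and audit them.
set -eu

# Print the config with every Include line replaced by the files it matches.
sshd_flatten() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            Include\ *|include\ *)
                pattern=${line#* }
                for f in $pattern; do      # unquoted on purpose: expand the glob
                    if [ -f "$f" ]; then cat "$f"; fi
                done
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# sshd_effective KEYWORD MAIN_CONFIG: first non-comment match, like sshd itself.
sshd_effective() {
    sshd_flatten "$2" | awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Audit the values recommended on this page; prints one FAIL line per problem
# and returns non-zero if anything is off.
sshd_audit() {
    main=$1; failures=0
    for want in PasswordAuthentication=no PermitRootLogin=no UsePAM=no \
                X11Forwarding=no PrintMotd=no ChallengeResponseAuthentication=no \
                KbdInteractiveAuthentication=no; do
        key=${want%%=*}; expected=${want#*=}
        got=$(sshd_effective "$key" "$main")
        if [ "$got" != "$expected" ]; then
            echo "FAIL $key: effective '${got:-<default>}', want '$expected'"
            failures=$((failures + 1))
        fi
    done
    kex=$(sshd_effective KexAlgorithms "$main")
    case "$kex" in
        *sha1*) echo "FAIL KexAlgorithms still lists a sha1 method: $kex"
                failures=$((failures + 1)) ;;
    esac
    [ "$failures" -eq 0 ]
}

# Constructed sample tree: the main file hardened as above, but a cloud-init
# drop-in (read first because of the Include at the top) re-enables passwords.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
    cat > "$dir/sshd_config" <<EOF
Include $dir/sshd_config.d/*.conf
ChallengeResponseAuthentication no
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256
X11Forwarding no
PrintMotd no
EOF
    echo "$dir"
}

# Real use on the VM: sudo sh this_script.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then sshd_audit "$1"; fi
```

On the sample tree the audit reports `FAIL PasswordAuthentication: effective 'yes', want 'no'`, and passes once the drop-in is changed to no. On a real VM the authoritative check is `sudo sshd -T`, which prints the configuration sshd actually applies after all Includes and Match blocks; grep it for passwordauthentication and permitrootlogin before you log out of your session.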

Configuring timesyncd securely

Some attacks rely on the way VMs fetch time by default. To change that and fetch time in a more secure manner:

  • edit /etc/systemd/timesyncd.conf, adding or editing the NTP key: NTP=*.pool.ntp.org, where * stands for the closest country to where your VM sits (consult the official site to learn what to put there)
  • restart the systemd-timesyncd service: sudo systemctl restart systemd-timesyncd
  • check that everything is working as intended: systemctl status systemd-timesyncd

You should see something like

systemd-timesyncd.service - Network Time Synchronization
Loaded: loaded (/usr/lib/systemd/system/systemd-timesyncd.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-05-07 10:08:55 UTC; 5 days ago
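The edit step above, scripted as an added example (not part of ecodev-infra; function names are ours, and fr.pool.ntp.org is only a sample value standing in for your own country pool). It replaces the stock commented-out `#NTP=` line under `[Time]` instead of appending a second one, so running it twice leaves a single NTP= line, and it reads the value back the way timesyncd will see it:

```shell
#!/usr/bin/env sh
# Added example (not part of ecodev-infra): idempotently set the NTP= key
# in a timesyncd.conf and read back what systemd-timesyncd will use.
set -eu

# Replace an existing NTP= line under [Time] (commented out or not) with the
# given servers, or append one if there is none. Writes through `cat` so the
# file keeps its owner and mode, which `mv` over /etc would not.
set_timesyncd_ntp() {
    file=$1; servers=$2
    tmp=$(mktemp)
    awk -v servers="$servers" '
        /^\[Time\]$/ { in_time = 1; seen_time = 1; print; next }
        /^\[/ {                      # another section starts
            if (in_time && !done) { print "NTP=" servers; done = 1 }
            in_time = 0; print; next
        }
        in_time && /^[ \t]*#?[ \t]*NTP=/ {
            if (!done) { print "NTP=" servers; done = 1 }
            next                     # drop the old or commented-out line
        }
        { print }
        END {
            if (!done) {
                if (!seen_time) print "[Time]"
                print "NTP=" servers
            }
        }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the active NTP= value under [Time], or nothing if it is unset.
timesyncd_ntp_value() {
    awk -F= '/^\[/ { in_time = ($0 == "[Time]"); next }
             in_time && $1 == "NTP" { print $2; exit }' "$1"
}

# Constructed copy of the stock Ubuntu file, so this runs without touching /etc.
make_sample_conf() {
    f=$(mktemp)
    printf '[Time]\n#NTP=\n#FallbackNTP=ntp.ubuntu.com\n#RootDistanceMaxSec=5\n' > "$f"
    echo "$f"
}

# Real use (as root), with the sample value fr.pool.ntp.org:
#   set_timesyncd_ntp /etc/systemd/timesyncd.conf fr.pool.ntp.org
#   systemctl restart systemd-timesyncd
```

After the restart, `systemctl status systemd-timesyncd` should show the unit active as in the snippet above; `timedatectl timesync-status` additionally prints which server was actually contacted, which is the quickest way to confirm the pool name was typed correctly.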

A Reference

Unattended upgrades

Why? To ensure that both security and regular updates are automatically installed on your VM on a regular basis.

In a nutshell

Go read this

It contains all the steps to follow. Note that most distros already ship with unattended-upgrades installed, so sudo apt-get install unattended-upgrades does not install anything new.

Be sure to also allow regular updates, not only security ones.