The C Shore

Configure OVH OpenStack VPS

Version 2.0.0~alpha1

Preliminaries

  1. Configure your DNS with a hostname pointing to the IP that has been assigned to your instance (this is beyond the scope of this document).

  2. Locally create an SSH keypair (or keypairs) if you don’t already have one (or more). See one of the many guides on the internet if you need more info, for example:

    1. In your OVH Web Control Panel (https://xx.ovh.com/manager, where xx is the ISO two-letter country code for your OVH billing/admin), in your account information (in the menu that appears when you click on your name at the top-right, select ‘My Account’), select ‘My SSH Keys’, then ‘Add an SSH key’ (for a more complete guide see OVH’s guide to configuring SSH keys). It is recommended to use a separate SSH key here rather than your day-to-day key.

    2. Change your server’s hostname for OVH purposes:

      1. Select Cloud|Servers|[your new server]
      2. Under the ‘Configuration’ section click on the circle with ... to the right of the current hostname (in the row titled ‘Name’)
      3. Click on ‘Modify’
      4. Enter your new hostname (the DNS you configured above).
      5. In the ‘IP’ section, for the row ‘Reverse DNS’ select ‘…’ and configure your IP(s) to point to your hostname (only one per address family, e.g. ipv4/ipv6).
    3. Reinstall your VPS with the OS you want – you will be prompted for the SSH keys to include in the image; they will be used to allow public-key root login; also unselect ‘email me my authentication/credentials’. It is recommended to use a separate SSH key for this initial deployment from the one you use regularly.

Common Steps

  1. ssh root@[your-vps-ip-or-hostname]
  2. Change root password (execute passwd root)
  3. Edit /etc/cloud/cloud.cfg
    • Edit hostname: <default-hostname> to be your desired hostname
    • set ssh_pwauth: 0 (after setting up public/private keypair, below)
  4. Set hostname for instance:

     hostnamectl set-hostname new-hostname
    
  5. Make sure /etc/hosts has your IP (v4 and/or v6) to hostname mapping

     127.0.0.1           localhost
     xxx.xxx.xxx.xxxx    exhost.example.com exhost
    
     # If you wish to support ipv6
     ::1 localhost
     abcd:0124:ef56:789a::aaaa exhost.example.com exhost
    
    1. To avoid log spam from failed SSH brute-force attempts, change the SSH port (NB: this isn’t a real security measure; it just avoids getting log-spammed with ‘script kiddy’ level failures (you are using SSH public keys, not passwords, right?))
      1. Update SSH config to use the new port by changing the Port 22 directive in /etc/ssh/sshd_config to Port 28332
      2. See OS-specific additional instructions
    2. Enable OVH Firewall (see OVH docs for this; this reduces the load on your VPS/VM by letting OVH handle the majority of firewall traffic): OVH Firewall Network (anti-DDOS)
    3. Install useful admin tools

      • byobu (pre-installed on Ubuntu / Docker on Ubuntu images)

        • byobu-config (as each user for which you wish to use byobu)
        • byobu-enable (for each user for which you wish byobu to launch on logon; it is not recommended to do this for root (potential for getting locked out))
        • touch ~/.byobu/.always-select (if you want to be prompted to resume an old session (if present) or start a new one when byobu launches)
        • If you are already using Byobu locally
          • Add export LC_BYOBU=2 to your local .bashrc or equivalent (use LC_BYOBU=3 if you want nested byobu so you can e.g. su to root with byobu automatically started for root)
          • On remote hosts make sure /etc/ssh/sshd_config has AcceptEnv LC_BYOBU
          • On local hosts make sure /etc/ssh/ssh_config or $HOME/.ssh/config has SendEnv LC_BYOBU
      • logwatch

      • psmisc

      • rsync

      • mutt

      • vim-enhanced

        • Recommend having a $HOME/.vimrc with things like syntax on

Centos 7 Specific

  1. Configure firewall logging by running `firewall-cmd --set-log-denied=unicast`
  2. Tell SELinux to allow SSH on your new port (we use 28332 for this example; 10000-65535 are mostly safe, although some ports may already be in use; use ss -lut to check which ports are in use)

         semanage port -a -t ssh_port_t -p tcp 28332

  3. Allow the new port through your firewall:

         firewall-cmd --permanent --new-service=altssh
         firewall-cmd --permanent --service=altssh --add-port=28332/tcp
         firewall-cmd --permanent --add-service altssh
         firewall-cmd --complete-reload

  4. Restart SSH (`systemctl restart sshd`)
  5. Logout and log back in using the new port (e.g. ssh -p 28332 your-user@your-dns-address-or-ip-address).

  1. Enable SELinux if it’s not enabled

    1. Edit /etc/sysconfig/selinux so that it has the line SELINUX=enforcing and not the lines SELINUX=permissive or SELINUX=disabled
  2. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 (only needed if you wish to support ipv6).

     BOOTPROTO=dhcp
     DEVICE=eth0
     HWADDR=<macaddr>
     ONBOOT=yes
     TYPE=Ethernet
     USERCTL=no
     IPV6INIT=yes
     IPV6_AUTOCONF=no
     IPV6_DEFROUTE=yes
     IPV6_FAILURE_FATAL=no
     IPV6ADDR=<ipv6-addr/cidr>
     IPV6_DEFAULTGW=<ipv6-gateway-addr>
     ZONE=<firewall-zone>
    
  3. Enable ipv6 (if wanted) by adding the following to /etc/sysconfig/network. Obviously you only do this if you’re supporting ipv6.

      NETWORKING_IPV6=yes
    
  4. Add /etc/cloud/cloud.cfg.d/00_disable_cloud_init_networking.cfg (only if you’ve done the manual network configuration above):

      network:
        config: disabled
    
  5. Add a regular user who is a member of ‘adm’ and ‘systemd-journal’

      adduser -U -G adm,systemd-journal username
    
  6. Lock the password for that user, so that only non-console (SSH key) logins are possible and no operations requiring a password can be performed (the user can still use su to operate as root if necessary):

      passwd -l username
    
  7. Allow SLA monitoring from OVH

    1. In your control panel find the SLA address ranges to allow, and issue a command similar to the following for each range:

      firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 1 -s <range> -j ACCEPT
      
    2. Then firewall-cmd --complete-reload

  8. Install epel-release to get EPEL repository (yum install epel-release)

  9. Install yum-cron + Edit /etc/yum/yum-cron.conf and /etc/yum/yum-cron-hourly.conf to suit your preferences.

Ubuntu 14.04 and Docker on Ubuntu (14.04) specific (incomplete)

NB: Abandoned in favour of Ubuntu 16.04 with Docker before it was completed.

Note 2: When using Docker, ipv6 is a major hassle, so it is not supported in this guide.

  1. Restart ssh (service ssh restart)
  2. Logout and log back in using the new port from above (e.g. ssh -p 28332 your-user@your-dns-address-or-ip-address).
  3. Configure and enable firewall (in that order).

    1. sudo ufw allow proto tcp from any to any port 28332 (where 28332 is your new SSH port)
    2. As above for any other ports you wish to allow.
    3. Enable SLA monitoring: In your control panel find the SLA address ranges to allow, and for each range:

      sudo ufw allow from <range> to any
      
    4. sudo ufw enable

  4. Add an operator user who is a member of ‘adm’ and ‘docker’

        adduser -U -G adm,docker username
    
  5. Copy the SSH public key for that user to their home directory and set permissions appropriately (assuming you have copied it into the ubuntu user’s home directory as user.pub).

        sudo mkdir -p /home/<username>/.ssh
        sudo chmod 700 /home/<username>/.ssh
        sudo chown <username>:<username> /home/<username>/.ssh
        sudo mv user.pub /home/<username>/.ssh/authorized_keys
        sudo chown <username>:<username> /home/<username>/.ssh/authorized_keys
        sudo chmod 600 /home/<username>/.ssh/authorized_keys
    

Ubuntu 16.04 and Docker on Ubuntu (16.04) Specific

NB: This guide is ipv4 only because ipv6 on Docker is managed quite differently from ipv4 Docker and is still likely to change quite a bit.

  1. Restart ssh (systemctl restart ssh)
  2. Logout and log back in using the new port from above (e.g. ssh -p 28332 your-user@your-dns-address-or-ip-address).
  3. Configure and enable firewall (in that order).

    1. sudo ufw allow proto tcp from any to any port 28332 (where 28332 is your new SSH port)
    2. As above for any other ports you wish to allow.
    3. Enable SLA monitoring: In your control panel find the SLA address ranges to allow, and for each range:

      sudo ufw allow from <range> to any
      
    4. sudo ufw enable

  4. Add an operator user who is a member of ‘adm’, ‘docker’, and ‘systemd-journal’

        adduser -U -G adm,docker,systemd-journal username
    
  5. Lock the password for that user, so that only non-console (SSH key) logins are possible and no operations requiring a password can be performed (the user can still use su to operate as root if necessary):

      passwd -l username
    

More Common Steps

  1. Use only SSH public/private keys (for more details see one of the many guides on the web).

    1. On your local machine create (if you don’t already have one) an SSH public/private keypair
    2. Put the public key in the $HOME/.ssh/authorized_keys file for the user for which you want to use SSH.
    3. Edit /etc/ssh/sshd_config and make sure that PermitRootLogin is set to prohibit-password or no (the latter if you don’t want root to be SSH accessible even with a keypair).
    4. In the same file make sure that PasswordAuthentication is set to no
    5. Also make sure that PubkeyAuthentication is set to yes
    6. Remove the SSH keys that were used during deployment and enabled for the root user by removing /root/.ssh/authorized_keys.
  2. Install more useful tools

    • rkhunter

      • Create /etc/rkhunter.conf.local and add:

            ALLOW_SSH_ROOT_USER=no
            ALLOWHIDDENDIR=/dev/shm/byobu-*-*/.last.tmux
            # for etckeeper
            ALLOWHIDDENDIR=/etc/.git
            ALLOWHIDDENDIR=/etc/.bzr
            # etckeeper
            ALLOWHIDDENFILE=/etc/.etckeeper
            ALLOWHIDDENFILE=/etc/.gitignore
            ALLOWHIDDENFILE=/etc/.bzrignore
            # systemd
            ALLOWHIDDENFILE=/etc/.updated
            # byobu
            ALLOWHIDDENDIR=/dev/shm/byobu-*-*/.last.tmux
            ALLOWDEVFILE=/dev/shm/byobu-*-*/*
            ALLOWDEVFILE=/dev/shm/byobu-*-*/*.tmux/*
            ALLOWDEVFILE=/dev/shm/byobu-*-*/.last.tmux/*
        
      • Do rkhunter --propupd

        • (On Centos you need to repeat that command after doing upgrades, and in some cases for configuration modifications).
    • etckeeper

      • etckeeper init
      • etckeeper vcs config user.email your-email@your-domain.tld
      • etckeeper vcs config user.name "Your Name"
      • etckeeper vcs config --global user.email your-email@your-domain.tld
      • etckeeper vcs config --global user.name "Your Name"
      • etckeeper commit "Initial import"
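The SSH key-only settings in step 1 above can be checked mechanically before you restart sshd. The following POSIX shell script is an added example, not part of the original guide: it reads an sshd_config file and reports which of the required directives are missing or wrong, mirroring sshd’s own rules that the first occurrence of a directive wins, comments are ignored, and anything after a Match line is conditional rather than global (the constructed sample at the end is not from any real host).

```shell
# Added example (not part of the original guide): audit a sshd_config file
# for the settings the SSH steps above require. sshd takes the FIRST
# occurrence of a directive as effective, ignores comments, and anything
# after a "Match" line is conditional, so the check mirrors all three.
# Usage: check_sshd_config /etc/ssh/sshd_config   (exit 0 when compliant)

# Print the effective global value of a directive; prints nothing if unset.
sshd_value() {
    # $1 = directive name (matched case-insensitively, as sshd does), $2 = file
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/           { next }  # comments, blanks
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }  # end of global section
        tolower($1) == key                             { print $2; exit }
    ' "$2"
}

check_sshd_config() {
    cfg="$1"; rc=0
    v=$(sshd_value PermitRootLogin "$cfg")
    case "$v" in
        prohibit-password|no) ;;
        *) echo "FAIL: PermitRootLogin is '${v:-unset}' (want prohibit-password or no)"; rc=1 ;;
    esac
    v=$(sshd_value PasswordAuthentication "$cfg")
    [ "$v" = "no" ] || { echo "FAIL: PasswordAuthentication is '${v:-unset}' (want no)"; rc=1; }
    v=$(sshd_value PubkeyAuthentication "$cfg")       # sshd default is yes
    [ "${v:-yes}" = "yes" ] || { echo "FAIL: PubkeyAuthentication is '$v' (want yes)"; rc=1; }
    v=$(sshd_value Port "$cfg")                       # sshd default is 22
    [ "${v:-22}" != "22" ] || echo "NOTE: Port is still 22 (this guide moves it to 28332)"
    return $rc
}

# Constructed sample config (not from any real host) to demonstrate the check.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 28332
#PasswordAuthentication yes        <- commented out, must not count
PasswordAuthentication no
PermitRootLogin prohibit-password
Match User deploy
    PasswordAuthentication yes     <- only inside the Match block, not global
EOF
check_sshd_config "$SAMPLE" && echo "OK: sample config is compliant"
rm -f "$SAMPLE"
```

On a live host, `sshd -T` prints the effective configuration after sshd’s own parsing and is the authoritative check; keep your existing session open and confirm a key-based login on the new port from a second session before closing it.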

More Ubuntu 16.04 (optionally with Docker) Steps

  1. Exit ‘ubuntu’ user, login as the user you created above, and su to root
  2. Lock the ‘ubuntu’ user from being used (as it is root-equivalent and potentially accessible via SSH):
    1. Do passwd -l ubuntu
    2. And chage -E 0 ubuntu
  3. Remove /home/ubuntu/.ssh/authorized_keys.