User account creation, access permissions and F/W settings

  • SSH into the server. If DNS has not propagated yet right after signing up, connect by IP address instead.
$ ssh root@vps99999.vps.ovh.ca
  • Upgrade the packages. Reboot if required.
# apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade && apt-get -y autoremove
  • Check the environment
# uname -a
Linux vps99999 4.4.0-22-generic #40-Ubuntu SMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/issue
Ubuntu 16.04 LTS \n \l
# netstat -tulnp

  • ufw firewall settings

Allow the IP addresses used for OVH monitoring, as listed in the management console.

# ufw default deny incoming
# ufw default allow outgoing
# ufw allow ssh
# ufw allow http
# ufw allow https
# ufw allow from 92.xxx.xxx.0/24 comment 'for OVH monitoring'
# ufw allow from 92.xxx.xxx.0/24 comment 'for OVH monitoring'
# ufw allow from 92.xxx.xxx.0/24 comment 'for OVH monitoring'
# ufw allow from 167.xxx.xxx.0/24 comment 'for OVH monitoring'
# ufw allow from 192.xxx.xxx.xxx comment 'for OVH monitoring'
# ufw allow from 213.xxx.xxx.xxx to any port 22 proto tcp comment 'for OVH technicians from cache.ovh.net'
# ufw enable

Verify:

# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
Anywhere                   ALLOW IN    92.xxx.xxx.0/24            # for OVH monitoring
Anywhere                   ALLOW IN    92.xxx.xxx.0/24            # for OVH monitoring
Anywhere                   ALLOW IN    92.xxx.xxx.0/24            # for OVH monitoring
Anywhere                   ALLOW IN    167.xxx.xxx.0/24            # for OVH monitoring
Anywhere                   ALLOW IN    192.xxx.xxx.xxx             # for OVH monitoring
22/tcp                     ALLOW IN    213.xxx.xxx.xxx             # for OVH technicians from cache.ovh.net
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

# view /var/log/ufw.log
# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1003/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1003/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           897/dhclient

  • Change the root password
# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

  • Create a user and configure sudo
# useradd -d /home/<username> -s /bin/bash -m <username>
# passwd <username>
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
# usermod -aG sudo <username>

  • Log in as the newly created regular user
$ ssh -o "ServerAliveInterval 60" username@vps99999.vps.ovh.ca

  • Disallow ssh login as root
$ sudo sed -i.org -e "s/^PermitRootLogin yes/#PermitRootLogin yes/" /etc/ssh/sshd_config
$ diff /etc/ssh/sshd_config.org /etc/ssh/sshd_config
< PermitRootLogin yes
---
> #PermitRootLogin yes
Restart the sshd service
$ sudo systemctl restart sshd
Confirm that root can no longer ssh in. Note that commenting the line out leaves the compiled-in default in effect; on OpenSSH 7.0 and later (Ubuntu 16.04 ships 7.2) that default is prohibit-password, which refuses password logins for root but still allows key-based root logins. An explicit PermitRootLogin no disables both.
$ ssh root@vps99999.vps.ovh.ca
root@vps99999.vps.ovh.ca's password:
Permission denied, please try again.
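As an added example (not part of the original page), a small POSIX shell check that reports which PermitRootLogin value sshd will actually apply for a given sshd_config, since commenting the directive out means the compiled-in default takes over. It assumes plain "keyword value" syntax and ignores Match blocks; the function names and the sample config file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page. sshd applies the FIRST uncommented
# occurrence of a keyword and ignores later ones; if the keyword is absent, the
# compiled-in default applies (prohibit-password on OpenSSH 7.0+, which is what
# Ubuntu 16.04 ships). Assumptions: plain "keyword value" syntax, Match blocks ignored.

effective_permit_root_login() {
  # $1: path to sshd_config; $2: compiled-in default to assume (prohibit-password if omitted)
  val=$(awk '
    tolower($1) == "match"           { exit }                  # conditional section: stop here
    tolower($1) == "permitrootlogin" { print tolower($2); exit }
  ' "$1")
  if [ -n "$val" ]; then
    printf '%s\n' "$val"
  else
    printf '%s\n' "${2:-prohibit-password}"
  fi
}

# Given a PermitRootLogin value, say whether root may authenticate with a password.
root_password_login_allowed() {
  case "$1" in
    yes) echo yes ;;
    no|prohibit-password|without-password|forced-commands-only) echo no ;;
    *) echo unknown ;;
  esac
}

# Constructed sample: the file as it looks after the sed command above commented the line out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
v=$(effective_permit_root_login "$sample")
echo "effective PermitRootLogin: $v; root password login allowed: $(root_password_login_allowed "$v")"
rm -f "$sample"
```

On a live host, `sshd -T | grep -i permitrootlogin` gives the same answer straight from the daemon, Match blocks included.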