Book Image

Mastering Ubuntu Server - Fourth Edition

By : Jay LaCroix
4.7 (7)
Book Image

Mastering Ubuntu Server - Fourth Edition

4.7 (7)
By: Jay LaCroix

Overview of this book

Ubuntu Server is taking the server world by storm - and for a good reason! The server-focused spin of Ubuntu is a stable, flexible, and powerful enterprise-class distribution of Linux with a focus on running servers both small and large. Mastering Ubuntu Server is a book that will teach you everything you need to know in order to manage real Ubuntu-based servers in actual production deployments. This book will take you from initial installation to deploying production-ready solutions to empower your small office network, or even a full data center. You'll see examples of running an Ubuntu Server in the cloud, be walked through set up popular applications (such as Nextcloud), host your own websites, and deploy network resources such as DHCP, DNS, and others. You’ll also see how to containerize applications via LXD to maximize efficiency and learn how to build Kubernetes clusters. This new fourth edition updates the popular book to cover Ubuntu 22.04 LTS, which takes advantage of the latest in Linux-based technologies. By the end of this Ubuntu book, you will have gained all the knowledge you need in order to work on real-life Ubuntu Server deployments and become an expert Ubuntu Server administrator who is well versed in its feature set.

Related Content you might be interested in

Current Title:

Small book image
Mastering Ubuntu Server - Fourth Edition
Jay LaCroix
Sep, 2022 | 584 pages
Small book image
Linux for System Administrators
Viorel Rudareanu | Daniil Baturin
Sep, 2023 | 294 pages
Small book image
Mastering Linux Administration
Alexandru Calcatinge | Julian Balog
Jun, 2021 | 772 pages
Small book image
CentOS Quick Start Guide
Shiwang Kalkhanda
Dec, 2018 | 320 pages
Table of Contents (26 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Share your thoughts
1
Deploying Ubuntu Server
Deploying Ubuntu Server
Technical requirements
Determining your server’s role
Choosing a device for our server
Obtaining installation media
Creating a bootable flash drive
Installing Ubuntu Server
Installing Ubuntu on a Raspberry Pi
Summary
Relevant tutorials
Free Chapter
2
Managing Users and Permissions
Managing Users and Permissions
Understanding the purpose of users and groups
Understanding when to use root
Creating and removing users
Understanding the /etc/passwd and /etc/shadow files
Distributing default configuration files with /etc/skel
Switching users
Managing groups
Managing passwords and password policies
Configuring administrator access with sudo
Setting permissions on files and directories
Summary
Relevant videos
Further reading
3
Managing Software Packages
Managing Software Packages
Understanding Linux package management
Understanding the differences between Debian and Snap packages
Installing and removing software
Searching for packages
Managing package repositories
Backing up and restoring Debian packages
Cleaning up orphaned apt packages
Taking advantage of hardware enablement updates
Summary
Relevant video
Further reading
4
Navigating and Essential Commands
Navigating and Essential Commands
Learning essential Linux commands
Understanding the Linux filesystem layout
Viewing the contents of files
Viewing application log files
Summary
Relevant video
Further reading
5
Managing Files and Directories
Managing Files and Directories
Copying, moving, and renaming files and directories
Editing files with the Nano and Vim text editors
Input and output streams
Using symbolic and hard links
Summary
Relevant videos
6
Boosting Your Command-line Efficiency
Boosting Your Command-line Efficiency
Understanding the Linux shell
Understanding Bash history
Learning some useful command-line tricks
Understanding variables
Writing simple scripts
Putting it all together – Writing an rsync backup script
Summary
Relevant videos
Further reading
7
Controlling and Managing Processes
Controlling and Managing Processes
Managing jobs
Understanding the ps command
Changing the priority of processes
Dealing with misbehaving processes
Managing system processes
Scheduling tasks with cron
Summary
Relevant videos
Further reading
8
Monitoring System Resources
Monitoring System Resources
Viewing disk usage
Monitoring memory usage
Understanding load average
Viewing resource usage with htop
Summary
Relevant videos
Further reading
9
Managing Storage Volumes
Managing Storage Volumes
Adding additional storage volumes
Formatting and partitioning storage devices
Mounting and unmounting volumes
Understanding the /etc/fstab file
Backing up and restoring volumes
Utilizing LVM
Summary
Relevant videos
Further reading
10
Connecting to Networks
Connecting to Networks
Setting the hostname
Managing network interfaces
Assigning static IP addresses
Understanding Linux name resolution
Getting started with OpenSSH
Getting started with SSH key management
Simplifying SSH connections with a config file
Summary
Relevant videos
Further reading
11
Setting Up Network Services
Setting Up Network Services
Planning your IP address scheme
Setting up a DHCP server for serving IP addresses
Adding a DNS server
Setting up an internet gateway
Summary
Further reading
12
Sharing and Transferring Files
Sharing and Transferring Files
File server considerations
Sharing files with Windows users via Samba
Setting up NFS shares
Transferring files with rsync
Transferring files with SCP
Summary
Relevant videos
Further reading
13
Managing Databases
Managing Databases
Preparations for setting up a database server
Installing MariaDB
Understanding the MariaDB configuration files
Managing MariaDB databases
Setting up a secondary database server
Summary
Further reading
14
Serving Web Content
Serving Web Content
Installing and configuring Apache
Installing additional Apache modules
Securing Apache with TLS
Installing and configuring NGINX
Setting up and configuring Nextcloud
Summary
Relevant videos
Further reading
15
Automating Server Configuration with Ansible
Automating Server Configuration with Ansible
Understanding the need for configuration management
Why Ansible?
Creating a Git repository
Getting started with Ansible
Making your servers do your bidding
Putting it all together – automating web server deployment
Using Ansible’s pull method
Summary
Relevant videos
Further reading
16
Virtualization
Virtualization
Prerequisites and considerations
Setting up a virtual machine server
Creating virtual machines
Bridging the virtual machine network
Simplifying virtual machine creation with cloning
Managing virtual machines via the command line
Summary
Relevant video
Further reading
17
Running Containers
Running Containers
What is containerization?
Understanding the differences between Docker and LXD
Installing Docker
Managing Docker containers
Automating Docker image creation with Dockerfiles
Managing LXD containers
Summary
Relevant videos
Further reading
18
Container Orchestration
Container Orchestration
Container orchestration
Preparing a lab environment for Kubernetes testing
Utilizing MicroK8s
Setting up a Kubernetes cluster
Deploying containers via Kubernetes
Summary
Relevant videos
Further reading
19
Deploying Ubuntu in the Cloud
Deploying Ubuntu in the Cloud
Understanding the difference between on-premises and cloud infrastructure
Important considerations when considering cloud computing as a potential solution
Becoming familiar with some basic AWS concepts
Creating an AWS account
Choosing a region
Deploying Ubuntu as an AWS EC2 instance
Creating and deploying Ubuntu AMIs
Automatically scaling Ubuntu EC2 deployments with Auto Scaling
Keeping costs down: understanding how to save money and make cost-effective decisions
Taking the cloud further: additional resources to grow your knowledge
Summary
Further reading
20
Automating Cloud Deployments with Terraform
Automating Cloud Deployments with Terraform
Why it’s important to automate your infrastructure
Introduction to Terraform and how it can fit within your workflow
Installing Terraform
Automating an EC2 instance deployment
Managing security groups with Terraform
Using Terraform to destroy unused resources
Combining Ansible with Terraform for a full deployment solution
Summary
21
Securing Your Server
Securing Your Server
Lowering your attack surface
Understanding and responding to CVEs
Installing security updates
Automatically installing patches with the Canonical Livepatch service
Securing OpenSSH
Installing and configuring Fail2ban
MariaDB best practices for secure database servers
Setting up a firewall
Encrypting and decrypting disks with LUKS
Locking down sudo
Summary
Further reading
22
Troubleshooting Ubuntu Servers
Troubleshooting Ubuntu Servers
Evaluating the scope
Conducting a root cause analysis
Viewing system logs
Tracing network issues
Troubleshooting resource issues
Diagnosing defective RAM
Summary
Further reading
23
Preventing Disasters
Preventing Disasters
Preventing disasters
Utilizing Git for configuration management
Implementing a backup plan
Utilizing bootable recovery media
Summary
Further reading
24
Other Books You May Enjoy
Other Books You May Enjoy
25
Index
Index

Managing passwords and password policies

In this chapter, we’ve already covered a bit of password management, since I’ve given you a few examples of the passwd command. If you recall, the passwd command allows us to change the password of the currently logged-in user. In addition, using passwd as root (and supplying a username) allows us to change the password for any user account on our system. But that’s not all this command can do.

Locking and unlocking user accounts

One thing I’ve neglected to mention regarding the passwd command is the fact that you can use it to lock and unlock a user’s account. There are many reasons why you may want to do this. For instance, if a user is going on vacation or extended leave, perhaps you’d want to lock their account so that it cannot be used while they are away. After all, the fewer active accounts, the smaller your attack surface. To lock an account, use the -l option:

sudo passwd -l <username>

And to unlock it, use the -u option:

sudo passwd -u <username>

However, locking an account will not prevent the user from logging in if they have access to the server via SSH while utilizing public key authentication. In that case, you’d want to remove their ability to use SSH as well. One common way of doing this is to limit SSH access to users who are members of a specific group. When you lock an account, simply remove them from the group. Don’t worry so much about the SSH portion of this discussion if this is new to you. We will discuss securing your SSH server in Chapter 21, Securing Your Server. For now, just keep in mind that you can use passwd to lock or unlock accounts, and if you utilize SSH, you’ll want to lock your users out of that to prevent them from logging in.

However, there’s more to password management than the passwd command, as we can also implement our own policies, such as viewing or adjusting password expiration details.

Setting password expiration information

Earlier, I mentioned that you can set an expiration date on a user’s password (during our discussion on the /etc/shadow file). In this section, we’ll go through how to actually do that. Specifically, the chage command gives us this ability. We can use chage to alter the expiration period of a user’s password, but it’s also a more convenient way of viewing current expiration information than viewing the /etc/shadow file. With the -l option of chage, along with providing a username, we can see the relevant info:

sudo chage -l <username>

Using sudo or root is not required to run chage. You’re able to view expiration information for your own username without needing to escalate permissions. However, if you want to view information via chage for any user account other than your own, you will need to use sudo.

In the example that follows, we can see the output of this command from a sample user account:

Figure 2.11: Output from the chage command

In the output, we can see values for the date of expiration, the maximum number of days between password changes, and so on. Basically, it’s the same information stored in /etc/shadow but it’s much easier to read.

If you would like to change this information, chage will again be the tool of choice. The first example I’ll provide is a very common one. When creating user accounts, you’ll certainly want them to change their password when they first log in.

Unfortunately, not everyone will be keen on doing so. The chage command allows you to force a password change for a user when they first log in. Basically, you can set their number of days to expiry to 0 as follows:

sudo chage -d 0 <username>

You can see the results of this command immediately if you run chage -l again against the user account you just modified:

sudo chage -l <username>

The output will display information regarding the password change:

Figure 2.12: The chage command listing a user that has a required password change period set

To set a user account to require a password change after a certain period of days, the following will do the trick:

sudo chage -M 90 <username>

In that example, I’m setting the user account to expire and require a password change in 90 days. When the impending date reaches 7 days before the password is to be changed, the user will see a warning message when they log in.

As I mentioned earlier, users will often do whatever they can to cheat password requirements and may try to change their password back to what it was originally after satisfying the initially required password change. You can set the minimum number of days with the -m flag, as you can see in the next example where we set it to 5 days:

sudo chage -m 5 dscully

The trick with setting a minimum password age is to set it so that it will be inconvenient for the user to change their password to the original one, but you still want a user to be able to change their password when they feel the need to (so don’t set it too long, either). If a user wants to change their password before the minimum number of days elapses (for example, if your user feels that their account may have been compromised), they can always have you change it for them. However, if you make your password requirements too much of an inconvenience for your users, it can also work against you.

Setting a password policy

Next, we should discuss setting a password policy. After all, forcing your users to change their passwords does little good if they change it to something simple, such as abc123. A password policy allows you to force requirements on your users for things such as length, complexity, and so on.

To facilitate this, we have Pluggable Authentication Module (PAM) at our disposal. PAM gives us additional functionality and control over the process of authentication, and also provides additional plugins we can use to extend authentication and add additional features. Although a full walkthrough of PAM isn’t covered in this book, I recommend keeping it fresh in your mind in case you want to add additional features later.

Specific to the subject of setting up a password policy, we can install a PAM module to enable this, which involves installing a new package:

sudo apt install libpam-cracklib

Next, let’s take a look at the following file, which is provided with Ubuntu. Feel free to open it with a text editor, such as nano, as we’ll need to edit it:

sudo nano /etc/pam.d/common-password

An extremely important tip while modifying configuration files related to authentication (such as password requirements, sudo access, SSH, and so on) is to always keep a root shell open at all times while you make changes, and in another shell, test those changes. Do not log out of your initial root window until you are 100% certain that your changes have been thoroughly tested. While testing a policy, make sure that not only can your users log in, but your admins too. Otherwise, you may remove your ability to log in to a server and make changes.

To enable a history requirement for your passwords (meaning the system remembers the last several passwords a user has used, preventing them from reusing them), we can add the following line to the file:

password   required   pam_pwhistory.so remember=99 use_authok

In the example config line, I’m using remember=99, which (as you can probably guess) will cause our system to remember the last 99 passwords for each user and prevent them from using those passwords again. If you’ve configured a minimum password age earlier, for example, 5 days, it would take the user 495 days to cycle back to their original password if you take into account that the user changes their password once every 5 days, 99 times. That pretty much makes it impossible for the user to utilize their old passwords.

Another field worth mentioning within the /etc/pam.d/common-password file is the section that reads difok=3. This configuration mandates that at least three characters have to be different before the password is considered acceptable. Otherwise, the password would be deemed too similar to the old one and refused. You can change this value to whatever you like; the default is normally 5 but Ubuntu defaults it to 3 in their implementation of this config file. In addition, you’ll also see obscure mentioned in the file as well, which prevents simple passwords from being used (such as common dictionary words and so on).

Setting a password policy is a great practice to increase the security of your server. However, it’s also important to not get carried away. In order to strike a balance between security and user frustration, the challenge is always to create enough restrictions to increase your security, while trying to minimize the frustration of your users. Of course, the mere mention of the word “password” to a typical user is enough to frustrate them, so you can’t please everyone. But in terms of overall system security, I’m sure your users will appreciate the fact that they can be reasonably sure that you as an administrator have taken the necessary precautions to keep their (and your company’s) data safe. When it comes down to it, use your best judgment.

Since we’re on the subject of security, we should also take a look at configuring sudo itself, which we’ll take care of in the next section.

Previous Section
End of Section 9
Next Section