Tag Archives: ubuntu

Setting Up SFTP on Ubuntu 20.04

Basic SFTP Setup

A recent project had me doing a quick refresh of how to set up an SFTP server. I thought I’d put those steps here. To set up a basic SFTP server on Ubuntu, we’ll create a dedicated SFTP user and group, and a root-owned directory to serve as the chroot for SFTP connections. Then we lock that directory down so only users in our SFTP group can use it, and only through SFTP.

Start by creating a new group.

sudo addgroup sftp_group

Create a new user specifically for SFTP and add them to the group. The -M flag creates the user without a home directory.

sudo useradd -M sftp_user -g sftp_group

Create a password for the user:

sudo passwd sftp_user

Now we need to create a root directory for the chroot and make sure root owns it. sshd refuses to chroot into a directory that is not owned by root or that is writable by group or other, and every parent directory up to / has to satisfy the same rule, otherwise logins fail with a “bad ownership or modes for chroot directory” error in the auth log.

sudo mkdir -p /sftp
sudo chown root:root /sftp

Now create an SFTP directory for our user and lock its permissions down to only this user. This is the one place inside the jail the user can write to; the jail root itself stays read-only for them.

sudo mkdir /sftp/Data
sudo chown sftp_user:sftp_group /sftp/Data
sudo chmod 700 /sftp/Data

It’s time to install the OpenSSH server (the ssh metapackage pulls in openssh-server):

sudo apt-get install ssh

Edit the config.

sudo nano /etc/ssh/sshd_config

Add these settings to the end of the file. They have to come last: every directive after a Match line applies only to connections that match it, so any global options you add go above this block.

Match Group sftp_group
ChrootDirectory /sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

You can add or uncomment any additional global settings you need, above the Match block. Here’s a few I added.

Change the default ssh port:

Port 4422

Change logging level:

LogLevel VERBOSE

Disable root ssh:

PermitRootLogin no

Send a keepalive probe to the client every 300 seconds. On its own this does not disconnect idle sessions: with the default ClientAliveCountMax of 3, sshd drops a connection only after three unanswered probes (15 minutes), and a client that still answers stays connected however idle it is.

ClientAliveInterval 300

When you’re done editing the file, restart ssh service:

sudo systemctl restart ssh
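The steps above as one script, an added example that is not from the original post. Besides the setup commands it includes the check sshd itself performs before it will chroot: the jail directory and every parent up to / must be root-owned and not writable by group or other. It assumes Ubuntu’s OpenSSH packaging (service name ssh, sshd -t available) and GNU coreutils; giving the user a /usr/sbin/nologin shell is an addition over the post, harmless because internal-sftp never executes a shell.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: chroot-only SFTP setup plus the
# ownership/mode checks sshd applies to ChrootDirectory. Names follow the post
# (sftp_group, sftp_user, /sftp); GNU coreutils and Ubuntu's OpenSSH assumed.
set -eu

# Render the sshd_config Match block for the sftp-only group.
sftp_match_block() {
  local group="$1" chroot="$2"
  printf '%s\n' \
    "Match Group ${group}" \
    "    ChrootDirectory ${chroot}" \
    "    X11Forwarding no" \
    "    AllowTcpForwarding no" \
    "    ForceCommand internal-sftp"
}

# mode_writable_by_others <octal-mode>: true if group or other has the write bit.
mode_writable_by_others() {
  local m=$((8#$1))
  (( (m & 8#022) != 0 ))
}

# chroot_path_ok <dir>: sshd refuses to chroot unless <dir> and every ancestor
# up to / are owned by root and not group/other writable. Prints the offending
# component and returns 1 on failure.
chroot_path_ok() {
  local dir="$1" uid mode
  while :; do
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$uid" != 0 ]; then echo "$dir: not owned by root" >&2; return 1; fi
    if mode_writable_by_others "$mode"; then echo "$dir: group/other writable" >&2; return 1; fi
    [ "$dir" = / ] && return 0
    dir=$(dirname "$dir")
  done
}

# setup_sftp_jail <group> <user> <chroot>: the post's steps; must run as root.
setup_sftp_jail() {
  local group="$1" user="$2" chroot="$3"
  getent group "$group" >/dev/null || addgroup "$group"
  # -M: no home dir. nologin is an addition: internal-sftp never runs a shell,
  # so this only closes other login paths for the account.
  id "$user" >/dev/null 2>&1 || useradd -M -g "$group" -s /usr/sbin/nologin "$user"
  install -d -o root -g root -m 0755 "$chroot"              # jail root: root-owned, read-only to the user
  install -d -o "$user" -g "$group" -m 0700 "$chroot/Data"  # the only writable place inside the jail
  chroot_path_ok "$chroot"                                  # fail early, before touching sshd_config
  grep -q "^Match Group ${group}\$" /etc/ssh/sshd_config \
    || sftp_match_block "$group" "$chroot" >> /etc/ssh/sshd_config
  sshd -t                   # validate the config before restarting, or risk locking yourself out
  systemctl restart ssh
}

# Usage (as root): ./sftp-jail.sh install
if [ "$(id -u)" = 0 ] && [ "${1:-}" = install ]; then
  setup_sftp_jail sftp_group sftp_user /sftp
fi
```

The Match block is appended only if one for the group is not already there, and sshd -t runs before the restart so a typo in sshd_config cannot take the service down.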

Connect to SFTP Server

To test your connection, open an SFTP client like FileZilla and create a new site (File > Site Manager > New Site). Enter the IP or hostname of the SFTP server, the port number, and the username and password, then hit “Connect”.

If successful, you should land in the ChrootDirectory from your sshd_config (/sftp), which the client sees as /. Open the “Data” folder, create a txt file and upload it to the server. Uploading into the jail root itself should fail, since that directory is owned by root and not writable by the user.

Setup Grafana, Influxdb, and Telegraf on Ubuntu 18.04

There are great how-tos out there, like this and this. These are just the stripped-down steps that worked for me. I’m not an expert in any of these services.

Overview:

Assuming you already have an Ubuntu VM/box setup and configured how you want.

  • Install & Configure Influxdb
  • Install & Configure Telegraf
  • Install & Configure Grafana
  • Configure SSL With Self-Signed Certs For Grafana
  • Setup Influxdb With Self-Signed Certs

Install & Configure Influxdb
See documentation for changes or newer versions.

Default config file: /etc/influxdb/influxdb.conf

Install influxdb 1.7.3 (current version at the time), and set as a service to start at boot:

wget https://dl.influxdata.com/influxdb/releases/influxdb_1.7.3_amd64.deb
sudo dpkg -i influxdb_1.7.3_amd64.deb
sudo systemctl start influxdb
sudo systemctl enable influxdb

Create the database and a user for Telegraf. These statements are typed into the influx shell (run influx); replace 'password' with a real secret, since the same value will sit in telegraf.conf in clear text. Note that InfluxDB does not check credentials at all until auth-enabled = true is set under [http] in influxdb.conf, and before turning that on you must create an admin user (WITH ALL PRIVILEGES), or you will lock yourself out of your own database.

create database telegraf
create user telegraf with password 'password'
GRANT ALL ON telegraf TO telegraf

Set a retention policy named “Two_Weeks” on the telegraf database, keep data for 14 days, and make it the default policy:

CREATE RETENTION POLICY Two_Weeks ON telegraf DURATION 14d REPLICATION 1 DEFAULT

Sanity checks to show that the db, user, and retention policy were created:

show databases
show users
SHOW RETENTION POLICIES ON telegraf

Install & Configure Telegraf

See documentation for changes or newer versions.
Default config file: /etc/telegraf/telegraf.conf

Install Telegraf 1.9.2 (current version at the time), and start as a network service at boot:

wget https://dl.influxdata.com/telegraf/releases/telegraf_1.9.2-1_amd64.deb
sudo dpkg -i telegraf_1.9.2-1_amd64.deb
sudo systemctl start telegraf
sudo systemctl enable telegraf

Create Telegraf Configuration File

If /etc/telegraf/telegraf.conf already exists, make sure at least these options are uncommented and updated to your settings. Otherwise create the file and paste these settings in. The file holds the InfluxDB password in clear text, so keep it readable only by root and the telegraf user.

[agent]
hostname = "nameofyourgrafanaserver"
flush_interval = "15s"
interval = "15s"

[[inputs.cpu]]

[[inputs.mem]]

[[inputs.system]]

[[inputs.disk]]
mount_points = ["/"]

[[inputs.processes]]

[[inputs.net]]
fieldpass = [ "bytes_*" ]

[[outputs.influxdb]]
database = "telegraf"
urls = [ "http://127.0.0.1:8086" ]
username = "telegraf"
password = "password"

After updating the config file, always restart Telegraf:

sudo systemctl restart telegraf

To test that Telegraf is set up correctly:

# telegraf -test -config <path to telegraf.conf>
telegraf -test -config /etc/telegraf/telegraf.conf

Install & Configure Grafana

See documentation for changes or newer versions.

Default config file: /etc/grafana/grafana.ini

Default log directory: /var/log/grafana (the log itself is grafana.log)

Install Grafana 5.4.3 (current version at the time), and set as a network service at boot.

wget https://dl.grafana.com/oss/release/grafana_5.4.3_amd64.deb
sudo apt-get install -y adduser libfontconfig
sudo dpkg -i grafana_5.4.3_amd64.deb
sudo systemctl daemon-reload
sudo systemctl start grafana-server
sudo systemctl status grafana-server
sudo systemctl enable grafana-server.service

Logging in for the first time:

Open your browser and go to http://localhost:3000/. 3000 is the default HTTP port Grafana listens on if you haven’t configured a different one. The default login is admin/admin; change that password before exposing the port to anything but localhost.

Configure SSL With Self-Signed Certs For Grafana

Steps to enable SSL for Grafana. Change to the grafana config directory and create certs:

cd /etc/grafana
sudo openssl req -x509 -newkey rsa:2048 -keyout grafana-key.pem -out grafana-cert.pem -days 3650 -nodes

After creating the .pem files, restrict the private key so only root and the grafana service account (the package creates it and runs grafana-server as it) can read it. The certificate is public and can stay world-readable:

sudo chown root:grafana grafana-key.pem grafana-cert.pem
sudo chmod 640 grafana-key.pem
sudo chmod 644 grafana-cert.pem

Update /etc/grafana/grafana.ini with these options. They belong in the [server] section, and cert_key must point at the private key, not the certificate:

# Protocol (http, https, socket)
protocol = https

# https certs & key file
cert_file =/etc/grafana/grafana-cert.pem
cert_key =/etc/grafana/grafana-key.pem

Restart Grafana:

sudo systemctl restart grafana-server

You should be able to access Grafana on https://localhost:3000/

Setup Influxdb With Self-Signed Certs:

Create the certs (this writes a .key and .crt pair under /etc/ssl):

sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/influxdb-selfsigned.key -out /etc/ssl/influxdb-selfsigned.crt -days 3650

Then restrict the private key to root and the influxdb service account, which the package runs influxd as. The certificate can stay world-readable:

sudo chown root:influxdb /etc/ssl/influxdb-selfsigned.crt /etc/ssl/influxdb-selfsigned.key
sudo chmod 644 /etc/ssl/influxdb-selfsigned.crt
sudo chmod 640 /etc/ssl/influxdb-selfsigned.key

Update the influxdb.conf file:

[http]

#Determines whether HTTPS is enabled.
https-enabled = true

#The SSL certificate to use when HTTPS is enabled.
https-certificate = "/etc/ssl/influxdb-selfsigned.crt"

#Use a separate private key location.
https-private-key = "/etc/ssl/influxdb-selfsigned.key"

Restart influxdb:

sudo systemctl restart influxdb

You also need to update Telegraf so it uses TLS when sending to InfluxDB. Edit telegraf.conf:

sudo nano /etc/telegraf/telegraf.conf

Update these settings:

[[outputs.influxdb]]
urls = ["https://127.0.0.1:8086"]

## Optional TLS Config for use on HTTP connections.
insecure_skip_verify = true

## HTTP Basic Auth
username = "telegraf"
password = "password"

insecure_skip_verify = true turns certificate verification off, so the connection is encrypted but Telegraf would accept any certificate presented to it. That is tolerable on the loopback address used here. If Telegraf runs on another host, leave verification on and point tls_ca at a copy of influxdb-selfsigned.crt instead; in that case issue the certificate with a Subject Alternative Name for the InfluxDB hostname, because newer TLS libraries (including Go’s, which Telegraf uses) no longer match the Common Name alone.

Log into the Grafana web UI and update the InfluxDB datasource:
– change URL to https://localhost:8086
– check the box for Skip TLS Verify (or, to keep verification, choose With CA Cert and paste in the contents of influxdb-selfsigned.crt)
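The two self-signed certificate steps above (Grafana’s and InfluxDB’s) as one added script, not code from the original post or from Grafana or InfluxData. It issues the certificate with a Subject Alternative Name, sets ownership so only root and the service account can read the private key, and verifies the certificate against itself, which is what Telegraf’s tls_ca or Grafana’s With CA Cert option does and what lets you leave Skip TLS Verify off. It assumes OpenSSL (1.1.0 or later) and GNU coreutils; the group names grafana and influxdb are the accounts the Debian packages create; the hostnames are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: self-signed server certificate
# with a SAN, key permissions, and verification without insecure_skip_verify.
# Assumes OpenSSL >= 1.1.0 and GNU coreutils. Service groups "grafana" and
# "influxdb" are the ones the respective .deb packages create.
set -eu

# make_self_signed <outdir> <basename> <hostname> [days]
# Writes <outdir>/<basename>.key and <outdir>/<basename>.crt. The SAN carries
# the names a client may put in the URL; a CN alone is not enough for modern
# TLS libraries, which ignore it for hostname matching.
make_self_signed() {
  local outdir="$1" name="$2" host="$3" days="${4:-3650}" cfg
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = ${host}
[v3]
subjectAltName = DNS:${host},DNS:localhost,IP:127.0.0.1
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" -config "$cfg" \
    -keyout "${outdir}/${name}.key" -out "${outdir}/${name}.crt" 2>/dev/null
  rm -f "$cfg"
}

# install_perms <keyfile> <certfile> <service_group>  (needs root)
# Key: root-owned, 0640, group = service account, so the daemon can read it
# and no other local user can. Certificate: public, 0644.
install_perms() {
  local key="$1" crt="$2" group="$3"
  chown "root:${group}" "$key" "$crt"
  chmod 0640 "$key"
  chmod 0644 "$crt"
}

# key_mode_ok <keyfile>: true only if the key is not world-readable and not
# writable by group or other. Pure permission check, usable unprivileged.
key_mode_ok() {
  local mode
  mode=$(stat -c '%a' "$1")
  mode=$((8#${mode}))
  (( (mode & 8#026) == 0 ))      # o+r (004), g+w (020), o+w (002) must all be clear
}

# cert_has_san <certfile> <hostname>: does the certificate's SAN list the name?
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep "DNS:$2" >/dev/null
}

# verify_cert <certfile>: a self-signed cert verifies against itself as the CA.
# This is the check Telegraf's tls_ca / Grafana's "With CA Cert" performs.
verify_cert() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage (as root):
#   make_self_signed /etc/ssl influxdb-selfsigned influx.example.internal
#   install_perms /etc/ssl/influxdb-selfsigned.key /etc/ssl/influxdb-selfsigned.crt influxdb
#   key_mode_ok /etc/ssl/influxdb-selfsigned.key && verify_cert /etc/ssl/influxdb-selfsigned.crt
```

Run make_self_signed once per service with that service’s hostname, then hand the .crt (never the .key) to Telegraf via tls_ca and to Grafana via With CA Cert; key_mode_ok is the test to re-run after any package upgrade that might reset file modes.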

That’s it. You should be able to create a new dashboard in Grafana and start adding panels with stats collected from Telegraf on the local Ubuntu machine.

Bitbucket Server SSL Setup

Bitbucket SSL Setup

To secure Bitbucket server with a self-signed certificate, you’ll need to stop the server, generate a certificate, create a bitbucket.properties file, and restart the server.

This is for testing purposes only. In production, you should not use a self-signed certificate. And I’m assuming Bitbucket server is already running http on the default port 7990 on Ubuntu 18.04 LTS.

Stop bitbucket server:

sudo service atlbitbucket stop

Generate SSL keystore:
keytool ships with a JDK or JRE. If you do not have Java installed, install one first and verify you have the keytool command. The oracle-java8-installer package from the old WebUpd8 PPA is no longer available, so use OpenJDK from the Ubuntu repositories:

#install Java (OpenJDK 8 provides keytool)
sudo apt-get install openjdk-8-jre-headless

Verify keytool:

which keytool

Generate a self-signed certificate. keytool’s default validity is only 90 days, so set -validity explicitly; -genkeypair is the current name of the older -genkey command:

sudo keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3650 \
-keystore /var/atlassian/application-data/bitbucket/shared/config/ssl-keystore

Answers to the certificate prompts … Note “What is your first and last name?” is the “Common Name” and should be the server name. “changeit” is the conventional Tomcat keystore password; for testing purposes it’s easiest to just use it.

Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=bitbucket-gk, OU=testco, O=testco, L=Phoenix, ST=Arizona, C=US correct?
(C is the two-letter ISO country code, US here, not the state abbreviation.)
Ignore the warning:

The JKS keystore uses a proprietary format.

There is no need to convert it in a dev environment. If you do convert it to PKCS12 (the warning text shows the keytool -importkeystore command), you have to add one more line to bitbucket.properties:

server.ssl.key-store-type=pkcs12


Create bitbucket.properties file:

This file does not exist by default. If it’s missing, you must create it. It will hold the keystore password in clear text, so keep it owned by the account Bitbucket runs as (atlbitbucket for the standard installer) with mode 640, so that other local users cannot read it.

sudo nano /var/atlassian/application-data/bitbucket/shared/bitbucket.properties

Paste these into the bitbucket.properties file and save:

#ssl settings
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=/var/atlassian/application-data/bitbucket/shared/config/ssl-keystore
server.ssl.key-store-password=changeit
server.ssl.key-password=changeit

To start bitbucket server:

sudo service atlbitbucket start

Wait about 3-5 minutes for the server to start, then access it on https://localhost:8443. Bitbucket serves only the port in server.port, so plain HTTP on 7990 stops working; update any clients or bookmarks that use it.


To Export Out Certificate

If you want to export the public certificate from the Java keystore to a .cer file and import it into the macOS keychain:

keytool -export -alias tomcat -file /tmp/bitbucket-gk.cer \
-keystore /var/atlassian/application-data/bitbucket/shared/config/ssl-keystore

Copy it to the local machine:

scp -p username@bitbucket-gk:/tmp/bitbucket-gk.cer /tmp

Once it’s copied to the local machine you can double click the .cer to open the “Add Certificates” dialog box and import it into your login keychain. Then set its trust: rather than “Always Trust” for every purpose, expand the Trust section and set only Secure Sockets Layer (SSL) to Always Trust, so the certificate is accepted for TLS to this server and nothing else.
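The keystore, properties and export steps above as one added script, not code from the original post or from Atlassian. Compared with the post it sets an explicit -validity (keytool’s default is 90 days), adds a SAN, uses PKCS12 from the start so no conversion is needed, and writes bitbucket.properties, which holds the keystore password in clear text, so that only the service account can read it. Assumptions: keytool from OpenJDK 8 or later, Bitbucket Server running as atlbitbucket, and the shared-home path used in the post; bitbucket-gk is the post’s placeholder hostname.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or Atlassian: PKCS12 keystore
# with SAN and 10-year validity, PEM export of the public cert, and a
# bitbucket.properties file created without ever being world-readable.
# Assumes keytool (OpenJDK 8+), GNU coreutils, and the "atlbitbucket"
# service account of the standard Bitbucket Server installer.
set -eu

SHARED=/var/atlassian/application-data/bitbucket/shared

# make_keystore <keystore-path> <hostname> <password>
# PKCS12 avoids the "proprietary format" warning and the later conversion.
make_keystore() {
  local ks="$1" host="$2" pass="$3"
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 3650 \
    -dname "CN=${host}, OU=testco, O=testco, L=Phoenix, ST=Arizona, C=US" \
    -ext "SAN=dns:${host},dns:localhost,ip:127.0.0.1" \
    -storetype PKCS12 -keystore "$ks" -storepass "$pass" -keypass "$pass"
}

# export_cert <keystore-path> <password> <outfile>: public certificate as PEM,
# which both macOS Keychain and curl --cacert accept.
export_cert() {
  keytool -exportcert -rfc -alias tomcat -keystore "$1" -storepass "$2" -file "$3"
}

# bitbucket_props <keystore-path> <password> [port]: the properties the post
# adds, plus the store type because this keystore is PKCS12.
bitbucket_props() {
  local ks="$1" pass="$2" port="${3:-8443}"
  printf '%s\n' \
    "#ssl settings" \
    "server.port=${port}" \
    "server.ssl.enabled=true" \
    "server.ssl.key-store=${ks}" \
    "server.ssl.key-store-type=pkcs12" \
    "server.ssl.key-store-password=${pass}" \
    "server.ssl.key-password=${pass}"
}

# write_props <file> <owner> <group>: reads the properties on stdin and writes
# them 0640. The file is created 0600 under a restrictive umask first, so the
# password is never briefly world-readable; chown only works as root.
write_props() {
  local file="$1" owner="$2" group="$3"
  ( umask 077 && : > "$file" )
  cat > "$file"
  chmod 0640 "$file"
  [ "$(id -u)" = 0 ] && chown "${owner}:${group}" "$file"
  return 0
}

# Usage (as root, with Bitbucket stopped):
#   make_keystore "$SHARED/config/ssl-keystore" bitbucket-gk changeit
#   bitbucket_props "$SHARED/config/ssl-keystore" changeit \
#     | write_props "$SHARED/bitbucket.properties" atlbitbucket atlbitbucket
#   export_cert "$SHARED/config/ssl-keystore" changeit /tmp/bitbucket-gk.pem
```

The exported PEM file is the only artifact that should leave the server; the keystore and bitbucket.properties both contain secrets and stay readable by the service account alone.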