5

looking for a way to turn a laptop into a headless box server with ubuntu server, with ssh only access, disk encryption activated, no login prompt at reboot and deactivate screen and keyboard.

pa4080
  • 29,831
geogeek
  • 153
  • 7
    IMO there is nothing special, just install Ubuntu Server. Btw, I do not think disc encryption is nice idea, every time when you restart the server you should have physical access to enter your decryption password. – pa4080 Mar 19 '18 at 09:30
  • What @pa4080 says. – Jos Mar 19 '18 at 10:10
  • You can do disk encryption with automatic decryption using a keyfile. That should be pretty secure for access from outside, but it's not secure for someone with physical access. – pLumo Mar 19 '18 at 10:21
  • @RoVo, I think * automatic decryption using a keyfile* is meaningful but not for full disk encryption where you need to decrypt the root fs / to start the system. – pa4080 Mar 19 '18 at 14:44
  • 2
    True. I thought of / on unencrypted disk, /var and /home on encrypted disk ... – pLumo Mar 19 '18 at 14:54

1 Answers1

9

Here are asked four questions/requirements and some of them are not compatible each other. If it will be a home server with public access (as it sounds like), I would just install Ubuntu Server and will close the lid of the laptop to make it headless.

Setup SSH

To install SSH server on Ubuntu execute the following commands (or tick Open SSH Server during Ubuntu Server's installation process; the openssh-client should be installed by default):

sudo apt update 
sudo apt install openssh-server openssh-sftp-server

Now you should be able to connect to the SSH server through the loopback interface (from/to the server itself) by the command:

ssh <user>@localhost

Setup key based authentication to increase the security. First create the directory .ssh within your user's home directory: mkdir ~/.ssh

Then, from a remote instance (from your LAN), let's assume it is also Ubuntu, execute the following steps (source):

  • Generating RSA Keys (enter passphrase for more security in case someone steal your key, it should be different from your user's password):

    mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa -b 4096
chmod 600 ~/.ssh/id_rsa

  • Transfer the Client Key to the Server (note):

    ssh-copy-id <user>@<server-lan-ip>

  • Now you should be able to connect to the SSH server with key authentication (you should enter your passphrase if you've setup it):

    ssh <user>@<server-lan-ip>

Once this works, you could disable the password authentication of the Server by editing the file /etc/ssh/sshd_config in this way:

#PasswordAuthentication yes
PasswordAuthentication no

Don't forgot to restart the SSH server: sudo systemctl restart sshd.service

If you are planning to use encrypted home directory you should tweak your SSH configuration (on the server side) as it is described here: SSH is allowing remote connections only after a local login to the server.

No login prompt at reboot or How to prevent login with physical access

I wold say, in my opinion, this is not necessary. Within Ubuntu, the login with root is disabled by default. That means, as local Server's administrator, you should login with a user that could have a hard to guess (odd, meaningless) username and strong password. And, I think, this is enough in this case where you should guess the password by hand writing. If you want to add more security you can setup two factor authentication.

Actually, first, you should disable the Recovery mode in order to prevent login with physical access as root. It is accessible within the 'Advanced options' in the GRUB's menu, that can be reached through long press of the Shift key during the boot.

If you really want to disable the TTYs to prevent the login with physical access, within nowadays Ubuntu versions (15.04+) that uses systemd, you can edit the file /etc/systemd/logind.conf in the following way, that will disable the TTYs from 2 to 6 (source):

[Login]
NAutoVTs=0

TTY-1 is hard coded and will stay active. To disable TTY-1 use the following command that will symlink it to /dev/null (source):

sudo systemctl mask getty@tty1.service    # use `unmask` to remove the symlink

Now restart the system and the TTYs should be unavailable.

Deactivate Screen and Keyboard

The screen and the keyboard of a laptop could be deactivated through GRUB. For this purpose edit the file /etc/default/grub and modify the following line in the shown way (where <default parameters> are the parameters that already exists):

GRUB_CMDLINE_LINUX_DEFAULT="<default parameters> i8042.nokbd video=LVDS-1:d"

Then execute sudo update-grub and reboot the system. These additional kernel parameters will deactivate the keyboard and the screen of the laptop. My research shows that they will fit to almost every laptop brand/model.

You can override these parameters by pressing the e key within the GRUB menu. With these settings, if you plug in external keyboard and monitor (why not and mouse) they must work.

Full disk encryption

A short internet research shows that there are available few approaches how to make full disk encryption, for example:

Please note! "A consequence of full system encryption is that you need to type in your system passphrase each time you power on your computer..."

So, if you setup full disk encryption and disable the keyboard and the display this will make impossible to run the system after reboot.

Here are few additional notes about the encryption: Using a VPS service, can I prevent my data from being accessible by the VPS host?

Think twice before setup full disk encryption!

This will add security only in a case your device is stolen and its HDD/SSD is attached to an another host. During the working process of your Server the disk will be decrypted in order to be accessible for the system. So this will not add extra network security.

In the same beginning - do you really need this additional headache? I would spend this time to learn about how to use LVM.

Maybe you would like to use encrypted home directory to prevent the other users of the system to access your personal files. In this case unless you are not logged-in your personal data will be encrypted.

Note if you are planning to be stand alone administrator of this Server you do not need to do that, because you can restrict the access to your files and folders effectively through the permissions.

While you are logged-in your home will be decrypted in order to be accessible for your user and if there is an another administrator - someone that can use the sudo command, - which is maliciously tuned (!?), he or she could access your files.

Maybe the most effective way to keep your sensitive data secure is to use encrypted folder (or just encrypted archive file). Thus, before decrypt the folder (file), you could check who is logged-in (as root).

pa4080
  • 29,831
  • 1
    I doubt you can use automatic login together with encryption. The 1st defeats the 2nd: all someone has to do is boot the system and the data is there for the taking. – Rinzwind Mar 19 '18 at 15:33
  • 1
    Hi, @Rinzwind, I have say nothing about automatic login. The section "No login prompt at reboot" is about how to disable the TTYs to prevent login with physical access - if I understand the question correctly. – pa4080 Mar 19 '18 at 15:59
  • @pa4080 yes exactly – geogeek Mar 19 '18 at 21:10
  • 1
    @geogeek, the answer is updated :) – pa4080 Mar 20 '18 at 00:21