How do I set up an Ubuntu server to be (securely) available from the internet?
Solution 1:
When properly set up, OpenSSH is safe, even on the standard port. Moving it away from the standard port saves you from your log files being filled up by unauthorized login attempts. More details at the end.
It's very dangerous to access your server if you do not have control over the computer which should connect to your server (which I think is the reason why you need to use a browser plugin).
OpenVPN can be set up to share TCP ports with a HTTP/HTTPS server, from its manual page:
--port-share host port
When run in TCP server mode, share the OpenVPN port with another
application, such as an HTTPS server.
If OpenVPN senses a connection to its port which is using a non-OpenVPN
protocol, it will proxy the connection to the server at host:port.
Currently only designed to work with HTTP/HTTPS, though it would
be theoretically possible to extend to other protocols such as ssh.
It's not recommended to use OpenVPN with a TCP connection due to its overhead (TCP 3-way handshake). If you've no choice, you could give it a go.
Using OpenVPN, you can avoid any port restriction imposed on you and secure the connection. Please refer to How do I setup OpenVPN so I can securely use the internet from an unsecured hotspot? for a guide on setting up OpenVPN.
You cannot share ports unless an application supports it (like OpenVPN), so I must disappoint you on that.
SSH server
Password-based authentication without limiting connection attempts is asking for trouble. Because of that, it's preferred to use key-based authentication and disable password-based authentication altogether.
- Install openssh-server by running
  sudo apt-get install openssh-server
- Disable password-based authentication by editing the configuration file /etc/ssh/sshd_config. To start editing, run
  sudo nano /etc/ssh/sshd_config
  Find the line
  #PasswordAuthentication yes
  and change it to
  PasswordAuthentication no
  By default, SSH listens on port 22. If you want to change it, use a port below 1024 for security reasons (change the line with Port 22).
- For extra security, you can configure a list of users who are allowed to log in. Add a line with:
  AllowUsers someuser
  Replace someuser by the username of the account that is allowed to log in. Multiple usernames should be separated by a space.
- Generate a key on your computer using the command
  ssh-keygen -t rsa
  Enter whatever values you want and choose a secure passphrase.
- Copy the contents of the ~/.ssh/id_rsa.pub file to the /home/someuser/.ssh/authorized_keys file on your server. someuser is the user that should be allowed to log in. (It's a single line that should be copied; never copy the contents of a file that starts with -----BEGIN RSA PRIVATE KEY)
- Reload the configuration of your SSH server:
  sudo reload ssh
- If you're remotely accessing your server over SSH, verify that you can make a new SSH connection to avoid locking yourself out.
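
A way to check the edits from the steps above before reloading, as an added example that is not part of the original answer. The function names and sample files are constructed for illustration, and the check reads only the global section of a single file (it stops at the first Match block and does not follow Include lines).

```shell
#!/bin/sh
# Added example: audit the sshd_config edits described in the answer above.
# sshd keywords are case-insensitive and the first occurrence wins; a line
# starting with '#' is a comment, so the built-in default applies instead.

# effective_value FILE KEYWORD DEFAULT: print the effective global value.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/         { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # conditional blocks are not global
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: return 1 if password logins are still possible.
audit_sshd_config() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    if [ "$pw" = "no" ]; then echo "OK:   password authentication disabled"
    else echo "FAIL: PasswordAuthentication is effectively '$pw'"; rc=1; fi
    users=$(effective_value "$1" AllowUsers "")
    if [ -n "$users" ]; then echo "OK:   logins limited to: $users"
    else echo "WARN: no AllowUsers line, logins not limited by user name"; fi
    echo "INFO: listening on port $(effective_value "$1" Port 22)"
    return $rc
}

# check_authorized_keys FILE: return 1 if private key material was pasted in.
check_authorized_keys() {
    if grep -q -e '-----BEGIN .*PRIVATE KEY' "$1"; then
        echo "FAIL: $1 contains a private key"; return 1
    fi
    echo "OK:   $1 holds no private key header"
}

# Constructed sample files (not from the original page).
tmp=$(mktemp -d)
printf '%s\n' 'Port 22' '#PasswordAuthentication yes' > "$tmp/before"
printf '%s\n' 'Port 22' 'PasswordAuthentication no' \
    'AllowUsers someuser' > "$tmp/after"
printf '%s\n' 'ssh-rsa AAAAconstructed someuser@laptop' > "$tmp/authorized_keys"

audit_sshd_config "$tmp/before" || echo "=> before: not hardened"
audit_sshd_config "$tmp/after" && echo "=> after: hardened"
check_authorized_keys "$tmp/authorized_keys"
```

The "before" sample fails because the commented line leaves the default of yes in force. On a live server, `sudo sshd -T` prints the configuration sshd actually resolves, including Match and Include handling.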