I purchased a VPS (virtual private server) yesterday from URPad.net and selected to install their Ubuntu 10.04 x86 Minimal distribution. It was the most light-weight Ubuntu distribution that they offered (by my reckoning) and I prefer to install packages myself so that I know precisely what is installed.
Ubuntu server editions are distributed without any desktop display; everything must be performed at the command line. While I do love the terminal, I also love remote desktops. It was an easy decision to install a VNC server package – but it was a little difficult to finally get the SSH tunnel and firewall, the VNC server, and the desktop packages to play nice together.
Fortunately, I did figure it out after some trial-and-error (and OS re-installs via the SolusVM panel, pictured at left), and am now very pleased with my xubuntu-desktop and tightvncserver configuration. I took very good notes because it was the nature of the thing that I would re-install the guest OS and have to replicate all my settings all over again. Here are the notes:
Ubuntu 10.04 x86 Minimal
First, change your root password:
Enter new UNIX password: ********************
Retype new UNIX password: ********************
passwd: password updated successfully
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 12345 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

# iptables-restore applies nothing until it reads COMMIT
COMMIT
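Before loading a ruleset like this over SSH, it is worth checking that the port sshd listens on is actually accepted (otherwise the default-deny rule locks you out) and that no VNC port is opened, since VNC is meant to be reachable only through the SSH tunnel. The following pre-flight check is an added example, not part of the original notes; the function names and sample inputs are constructed for illustration, and it assumes VNC displays use TCP 5900-5999.

```python
import re

# Constructed sample inputs (not from the original post): the ruleset above in
# iptables-restore form, and an sshd_config that sets the same custom port.
SAMPLE_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 12345 -j ACCEPT
-A INPUT -j REJECT
COMMIT
"""
SAMPLE_SSHD = "# constructed sample\nPort 12345\nPermitRootLogin no\n"

def sshd_ports(sshd_config):
    """Ports from every active Port directive; sshd falls back to 22 if none is set."""
    found = re.findall(r"^\s*Port\s+(\d+)", sshd_config, re.M | re.I)
    return [int(p) for p in found] or [22]

def open_tcp_ports(rules):
    """(low, high) TCP port ranges that INPUT rules ACCEPT via a single --dport match."""
    ranges = []
    for line in rules.splitlines():
        t = line.split()
        if t[:2] != ["-A", "INPUT"] or t[-2:] != ["-j", "ACCEPT"]:
            continue
        if "tcp" in t and "--dport" in t:
            lo, _, hi = t[t.index("--dport") + 1].partition(":")
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def preflight(rules, sshd_config):
    """Return a list of problems; an empty list means the ruleset is safe to load."""
    problems, ports = [], open_tcp_ports(rules)
    for ssh in sshd_ports(sshd_config):
        if not any(lo <= ssh <= hi for lo, hi in ports):
            problems.append(f"sshd listens on {ssh} but no rule accepts it (lock-out)")
    # Assumption: VNC display :N listens on TCP 5900+N, so 5900-5999 must stay closed.
    if any(lo <= 5999 and hi >= 5900 for lo, hi in ports):
        problems.append("a VNC port (5900-5999) is reachable from the network")
    chain = [t for t in map(str.split, rules.splitlines()) if t[:2] == ["-A", "INPUT"]]
    if not chain or chain[-1][2:4] not in (["-j", "REJECT"], ["-j", "DROP"]):
        problems.append("INPUT chain does not end in a catch-all REJECT or DROP")
    return problems
```

Call preflight() with the text of /etc/iptables.up.rules and /etc/ssh/sshd_config before running iptables-restore. Rules that use -m multiport --dports are not parsed by this check.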
root@localhost:~# iptables-restore < /etc/iptables.up.rules
(this command loads the rules for the current session only)
root@localhost:~# iptables --list
(next we ensure these rules are restored on every boot)
root@localhost:~# touch /etc/network/if-pre-up.d/iptables
root@localhost:~# chmod +x /etc/network/if-pre-up.d/iptables
root@localhost:~# vim /etc/network/if-pre-up.d/iptables
(the following script will be loaded at boot and loads the new rules)
Broadcast message from root@localhost
(/dev/pts/0) at 22:46 ...
The system is going down for reboot NOW!
login as: patrick
patrick@XX.XX.XX.XX's password: ********************
Linux limberry 2.6.32 #1 SMP Sun Jun 24 20:25:35 MSD 2012 i686 GNU/Linux
Ubuntu 10.04.1 LTS
Welcome to Ubuntu!
* Documentation: https://help.ubuntu.com/
Last login: Wed Aug 15 22:33:20 2012 from c-12-34-45-78.abc1.de.comcast.net
Install a light-weight desktop and VNC server that runs during SSH sessions
patrick@limberry:~$ sudo apt-get install xubuntu-desktop tightvncserver
(go make some coffee and come back in a couple minutes)
(an alternative desktop: gnome-core xserver-xorg gdm)
(or just do the bloated: ubuntu-desktop)
patrick@limberry:~$ vncpasswd
(must be less than 8 characters)
(not too crucial since we will restrict VNC to localhost accessible via encrypted SSH tunneling)
patrick@limberry:~$ vim .bash_aliases && vim .bashrc && vim .bash_logout
(and now we make it run automatically on SSH login)