How To Create And Secure An Ubuntu Server 20.04 VM On ESXi 7.0

Introduction

In this guide I will show you how to create an Ubuntu Server 20.04 VM on ESXi 7.0 and set up basic security such as a firewall and an SSH key.

Download Ubuntu Server 20.04

Head over to the releases page and download the image. For this guide, we will be using the “64-bit PC (AMD64) server install image”.

Upload the ISO Image To Your Datastore

Now that you have the ISO ready, visit the “Storage” section on your ESXi host, click on “Datastore browser” and browse for the newly downloaded Ubuntu Server ISO:

Datastore
Upload the image

Once the upload is complete you may close the datastore browser.

Configure The Hardware And Load The Installer

Log in to your ESXi host and click on “Create / Register VM”. A new window will pop up:

Create / Register VM Window

Click “Next” and enter a name for your VM. I chose “Ubuntu_2004_VM”. Under “Compatibility”, leave the default “7.0 U1”. For “Guest OS family” select “Linux”, and for “Guest OS version” select “Ubuntu Linux (64-bit)”.

Select name and guest OS

On the next screen, select the datastore where you want to install and click “Next” where you will be greeted with the “Customize settings”. This is where you will customize your VM hardware, options and mount the ISO uploaded in the earlier step. Below are the settings I use for most VMs. Customize here based on your use case:

VM customize settings

Please note that the above assumes you already have network settings configured.

Before you click next, find the “CD/DVD Drive 1” and click on “Host Device” and select “Datastore ISO File” where a window will pop up allowing you to select the previously uploaded ISO. Now click “Next” then “Finish”. You should receive a message “Virtual machine Ubuntu_2004_VM was successfully created”.

Start The Virtual Machine

Head over to your inventory and find your newly created VM. Select it and click “Power ON”. The virtual machine will now start and upon clicking on the small preview screen, a window will pop up. You can also click on “Console” and select “Open Console in new tab” so you can have a dedicated browser tab.

VM status

Select your language and click next

If a new installer is available, you should see the option here. Select whether you want to update to the new installer. I chose yes. Next select your keyboard and click next.

On the next screen you should be greeted with “Network Connections”. I opted for DHCP so an IP was quickly assigned by my router:

Network Connection Settings

Click done until you reach the “Guided Storage Configuration”. I kept the default settings of “Use entire disk” and “Set up this disk as an LVM group”.

Storage configuration settings

Click done until you reach the screen confirming the destructive action (it simply means the disk will be erased).

On the next screen you will need to enter some basic information such as “Your Name”, “Your Server’s Name”, “Pick a username” and a “Password”.

Profile setup screen

Click done and you will be greeted with “SSH Setup”. Tap your spacebar to select the option to “Install OpenSSH server” which will make it easier to access this server remotely later.

SSH setup screen

On the next screen you will have the option to install a variety of Server Snap packages such as Nextcloud, Docker and others. Highlight and press spacebar to select the ones you want (if any). Hit “tab” on your keyboard to jump to “Done” at the bottom once finished.

Server Snaps selection

Installation will now start. Be aware that it may take a while due to security updates being downloaded and applied. Once complete, click “Reboot Now” and your VM will reboot. You may receive a message stating that it failed to unmount /cdrom. Simply press ENTER on this screen.

Once the machine reboots, you may log in with the username and password you created.

Ubuntu server terminal

You have successfully installed Ubuntu Server 20.04 as a Virtual Machine!

Configure SSH Key And Disable Password Authentication

At this point, the OpenSSH service has been started, so you can log in to your server through your terminal of choice. Since I use OS X, I am using the default Terminal app, and I entered the following to log in (replace <server-ip> with the address your VM received):

ssh lee@<server-ip>

I was prompted for my password and successfully logged in.

Terminal app on OS X

Generate An SSH Key Pair

We must now generate an SSH key pair that we can use to log in to our new server. In a new terminal window (Command+T), run the following command:

ssh-keygen -t rsa

You will be asked for a file name in which to save the key. You can enter a name, or simply press Enter and the key will be saved to the default location of /home/youruser/.ssh/id_rsa. Next you will be asked to enter a passphrase; make sure to remember it, as it will be required for using the key later.

This will complete the key generation and two files will be located inside the /home/youruser/.ssh folder (/home/user/.ssh/id_rsa and /home/user/.ssh/id_rsa.pub).

Copy The SSH Key To The Server

Now that we have generated our keys, we must copy the public key to the server. We can do this with ssh-copy-id, which is included in most operating systems by default, by issuing the following command:

ssh-copy-id -i /home/user/.ssh/id_rsa.pub lee@<server-ip>

You will be prompted for the password of the user “lee”. Type in the password and press “enter”. This step will copy your public key into the user’s ~/.ssh directory.

If the command above succeeded, you may now log in by issuing ssh lee@<server-ip> once again. If you supplied a passphrase in the earlier step when creating the key, you will be asked to enter it now.

You should now be logged in to your server using your SSH key pair!

Disable Password Authentication

By now you should be able to log in to your server without a password, using only the SSH key, so it may be a good time to disable password authentication, which will protect your server from brute force attacks.

Start by editing the SSH daemon configuration file. I am using the default, built-in nano editor:

sudo nano /etc/ssh/sshd_config

Search for the line PasswordAuthentication and remove the # from in front and change it to no. It should then look like this:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no 
#PermitEmptyPasswords no

Save the file (Ctrl+O) and exit (Ctrl+X).
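The running sshd keeps its old settings until it re-reads the file, and a file pulled in by an Include directive or an enabled keyboard-interactive setting can still leave password logins open. The script below is an added example, not part of the original guide: it audits the effective settings that `sshd -T` prints and reloads Ubuntu's `ssh` service only if the checks pass. The function names are hypothetical and the sample `sshd -T` lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): audit what sshd will actually enforce.
# `sshd -T` prints the effective configuration with lower-case keys, after
# Include files and defaults have been applied.

# Reads `sshd -T` style output on stdin. Returns non-zero if a password can
# still be used to log in, or if key login would not work.
audit_sshd_effective() {
    awk '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "pubkeyauthentication"   { pk = $2 }
        # Either spelling enables keyboard-interactive, which PAM can use
        # to prompt for the account password.
        ($1 == "challengeresponseauthentication" ||
         $1 == "kbdinteractiveauthentication") && $2 == "yes" { kbd = "yes" }
        END {
            bad = 0
            if (pw != "no")   { print "FAIL passwordauthentication=" pw; bad = 1 }
            if (kbd == "yes") { print "FAIL keyboard-interactive=yes"; bad = 1 }
            if (pk != "yes")  { print "FAIL pubkeyauthentication=" pk; bad = 1 }
            if (!bad) print "OK key-only login is in effect"
            exit bad
        }'
}

# Live use on the server (needs sudo): syntax-check, audit, then reload.
# The service is reloaded only if both checks pass.
apply_sshd_change() {
    sudo sshd -t || return 1
    sudo sshd -T | audit_sshd_effective || return 1
    sudo systemctl reload ssh
}

# Constructed samples of `sshd -T` output (not captured from a real host).
SAMPLE_HARDENED='port 22
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no'

# The main file was edited, but another setting still wins.
SAMPLE_OVERRIDDEN='port 22
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication no'

printf '%s\n' "$SAMPLE_HARDENED"   | audit_sshd_effective || true
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd_effective || true
```

On the server itself, run `apply_sshd_change` from the session you already have open, and keep that session open until a second terminal has logged in with the key.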

Just to be sure, it may be wise to open another terminal window and login to verify that everything is working before closing the current session.

If you were successful, you have finished configuring your server to use SSH passwordless login!

Enable the UFW Firewall

UFW is the default firewall configuration tool for Ubuntu and is ready to be configured. Without digging too deep on how it works, here’s an excerpt from the documentation:

When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That’s at least the goal of the Ubuntu developers. In short, all ‘incoming’ is being denied, with some exceptions to make things easier for home users.

https://help.ubuntu.com/community/UFW

So basically it protects your server since all “incoming” traffic is denied by default unless otherwise specified using “rules”.

For this basic setup, we will allow only the services that we are currently using, such as the OpenSSH service which we use to log in via SSH.

Start by issuing the command below to list services already registered with the UFW firewall:

sudo ufw app list

You should see a list of apps available to be enabled.

OS X terminal

As you can see, OpenSSH is registered and can be enabled by issuing:

sudo ufw allow OpenSSH

You should see the following output:

Rules updated
Rules updated (v6)

This rule will allow incoming SSH connections on port 22. You may now enable the firewall:

sudo ufw enable 

Type “y” to confirm

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

The firewall is now active and all incoming traffic besides SSH is being denied. Remember that if you plan on hosting other services on your server to make sure and allow them through the firewall as needed.

Conclusion

If you made it this far, you have successfully created a VM under ESXi 7.0, installed Ubuntu 20.04, enabled SSH key login and enabled basic security using the UFW firewall.

Here are some resources in case you want to dig deeper into SSH keys or the UFW firewall.
