@dospuntocero
Forked from sageworksstudio/ServerSetup.md
Last active April 22, 2020 00:03
Ubuntu 18.04 LAMP setup

First, create an SSH key

ssh-keygen -t rsa -C "your email"

SECURITY FIRST: Add a sudo user, require public key authentication and disable root login

Log into the remote machine as root: ssh root@123.45.67.890

First, add the admin user.

adduser webmaster

Add the user to sudoers:

gpasswd -a webmaster sudo

Add your .pub key to authorized_keys and set permissions

mkdir /home/webmaster/.ssh

$ nano /home/webmaster/.ssh/authorized_keys

Paste your key into the authorized_keys file and save.

$ chown -R webmaster:webmaster /home/webmaster/.ssh

$ chmod 700 /home/webmaster/.ssh

$ chmod 600 /home/webmaster/.ssh/authorized_keys

Edit the SSH configuration file to enable public key authentication only and disable password login:

nano /etc/ssh/sshd_config

Set this parameter to 'yes':

PubkeyAuthentication

Set these parameters to 'no':

PermitRootLogin, ChallengeResponseAuthentication, PasswordAuthentication, UsePAM

Save, close and reload the SSH config file:

$ sudo service ssh reload

Exit the remote machine:

exit

Try to reconnect as the new user. You should not be prompted for a password:

$ ssh webmaster@123.45.67.890

If you try to SSH into the server from another machine, you should receive this error: Permission denied (publickey)
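
An added example, not part of the original gist: a POSIX shell audit of an sshd_config file against the five settings listed above. The function names and the sample config are constructed for illustration, and only global settings are read (parsing stops at the first Match block).

```sh
#!/bin/sh
# Added example (not from the gist): audit sshd_config for the settings above.
# sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
# and a commented-out line leaves the compiled-in default in effect.

# effective_value FILE KEYWORD -> first uncommented global value, lowercased
effective_value() {
    awk -v key="$2" '
        $1 ~ /^#/                   { next }   # comment line
        tolower($1) == "match"      { exit }   # conditional blocks start here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE -> one line per setting; exit status = number of failures
audit_sshd() {
    file=$1; failures=0
    for pair in PubkeyAuthentication=yes PermitRootLogin=no \
                ChallengeResponseAuthentication=no PasswordAuthentication=no UsePAM=no
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', want '$want'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample: one directive left commented out, and
# PasswordAuthentication given twice (the first line wins).
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
PermitRootLogin no
#ChallengeResponseAuthentication no
passwordauthentication yes
PasswordAuthentication no
UsePAM no
EOF
audit_sshd "$sample" || echo "$? setting(s) need attention"
```

On a live server, `sudo sshd -T` prints the effective configuration, including defaults that the file does not state.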

Disable root login

As the admin user:

$ sudo passwd -l root

You will be prompted to enter the sudo user's password.

SECURITY SECOND: Add a firewall.

sudo apt-get install ufw

Make sure IPv6 is enabled (you are using IPv6, correct?)

sudo nano /etc/default/ufw

IPV6=yes

Save and close and set up rules.

sudo ufw default deny incoming

sudo ufw default allow outgoing

sudo ufw allow ssh

sudo ufw allow http

sudo ufw allow https

Finally, enable the firewall

sudo ufw enable

Common inbound ports to leave open

  • 80 http
  • 443 https
  • 22 ssh

Common inbound ports to close

  • everything else

LAMP installation and setup (mod_php)

Install Apache

sudo apt-get update

sudo apt-get install apache2 -y

Install MariaDB

sudo apt-get install software-properties-common

sudo apt install mariadb-server mariadb-client

You might be prompted to give root a password. Just leave it blank.

Run the MySQL secure installation:

sudo mysql_secure_installation

Remember to set a root password. By default, connections to MariaDB are made through unix_socket. In the next steps you will create a non-root user. For that user you can use password authentication if necessary.

  1. Database creation

Log into MariaDB

sudo mysql -u root

Create a new database

CREATE DATABASE mydb;

  2. User creation

Add your user (probably the sudo user you created earlier) to MariaDB to use unix_socket

CREATE USER username@localhost IDENTIFIED VIA unix_socket;

  3. Grant all privileges to the user on a specific database. Only allow access from localhost (this is the most secure and common configuration you will use for a web application). This will probably be the new sudo user you have set up previously.

GRANT ALL privileges ON mydb.* TO username@localhost;

  4. Apply changes made

flush privileges;

exit;

Install PHP

sudo apt-get install libapache2-mod-php php-gd php-curl php-xml php-mysql php-gettext php-mbstring php-xdebug php-intl

or if using 7.3

sudo apt-get install libapache2-mod-php php7.3 php7.3-gd php7.3-curl php7.3-xml php7.3-mysql php7.3-gettext php7.3-mbstring php7.3-xdebug php7.3-intl

Set date.timezone in php.ini

date.timezone = America/Los_Angeles

upload_max_filesize = 20M

post_max_size = 20M

For development:

display_errors = On

Enable Apache mods

$ sudo a2enmod rewrite headers deflate expires

Run Apache as your user

sudo nano /etc/apache2/envvars

export APACHE_RUN_USER=webmaster
export APACHE_RUN_GROUP=webmaster

Additionally, you will need to run:

sudo chown -R webmaster:webmaster /var/log/apache2

You will also need to change the owner of /var/www:

sudo chown webmaster /var/www

Optionally install mailutils

sudo apt-get install mailutils

Postfix is now set up with a default configuration. If you need to make changes, edit /etc/postfix/main.cf

After modifying main.cf, be sure to run '/etc/init.d/postfix reload'

Adding a v-host

  1. Open your Apache conf file.

    sudo nano /etc/apache2/sites-available/000-default.conf

  2. Either edit or add a new v-host. This is the most basic configuration.

    # My v-host
    <VirtualHost *:80>
        DocumentRoot /path/to/document/root
        ServerName MYSITE
    </VirtualHost>
    
  3. Restart Apache

    sudo service apache2 restart

sudo nano /etc/apache2/sites-available/000-default.conf


# default
<VirtualHost *:80>
        DocumentRoot /var/www/html
        ServerName localhost
</VirtualHost>

# Silver Stream Master
<VirtualHost *:80>
    DocumentRoot /var/www/html/Silver-Stream-Master
    ServerName silverstream
        <Directory /var/www/html/Silver-Stream-Master>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>
</VirtualHost>

# StreamBuilder
<VirtualHost *:80>
    DocumentRoot /var/www/html/StreamBuilder-Master
    ServerName streambuilder
        <Directory /var/www/html/StreamBuilder-Master>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>
</VirtualHost>

Then you will need to edit the /etc/hosts file:

sudo nano /etc/hosts

127.0.0.1   streambuilder
...