So, I am setting up a VPS with the following configuration.
- Operating System – Ubuntu 17.04
- Web Server – Apache2
- Database – MySQL
- Backend – PHP 7.0
This procedure is a step-by-step guide, from initializing your server to getting it up and running.
Setting up your instance
At the time of OS selection, select Ubuntu 17.04. Once the instance is deployed, you will get the following details on your dashboard.
Setting up the first user
The first task is to set up a non-root user for all the configuration and to disable root login over SSH. You can use any SSH client on your local PC or laptop to SSH to the IP address. Use root as the username and the password displayed in the snapshot.
Once you log in, you will get the following prompt:
    ~$ ssh firstname.lastname@example.org
    The authenticity of host '220.127.116.114 (18.104.22.168)' can't be established.
    ECDSA key fingerprint is SHA256:sssssssssssssssssssssssssssss.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '22.214.171.124' (ECDSA) to the list of known hosts.
    email@example.com's password:
    Welcome to Ubuntu 17.04 (GNU/Linux 4.10.0-35-generic x86_64)
The first thing you should do is update the package lists.
    root@hostname:~# sudo apt-get update
    Get:1 http://security.ubuntu.com/ubuntu zesty-security InRelease [89.2 kB]
    Hit:2 http://archive.ubuntu.com/ubuntu zesty InRelease
    Get:3 http://archive.ubuntu.com/ubuntu zesty-updates InRelease [89.2 kB]
    Get:4 http://archive.ubuntu.com/ubuntu zesty-backports InRelease [89.2 kB]
    Fetched 268 kB in 1s (164 kB/s)
    Reading package lists... Done
Creating the first user
We will use this user for all our operations.
    root@hostname:/# sudo adduser newuser
    Adding user `newuser' ...
    Adding new group `newuser' (1001) ...
    Adding new user `newuser' (1001) with group `newuser' ...
    Creating home directory `/home/newuser' ...
    Copying files from `/etc/skel' ...
    New password:
    Retype new password:
    passwd: password updated successfully
    Changing the user information for newuser
    Enter the new value, or press ENTER for the default
        Full Name :
        Room Number :
        Work Phone :
        Home Phone :
        Other :
    Is the information correct? [Y/n] y
We will also add the new user to the sudoers list so that it can carry out all the operations that require higher privileges. Use visudo to open the GNU Nano editor and edit the /etc/sudoers file.
    root@hostname:~# visudo
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults env_reset
    Defaults mail_badpass
    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # User privilege specification
    root ALL=(ALL:ALL) ALL
    newuser ALL=(ALL:ALL) ALL
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    # Allow members of group sudo to execute any command
    %sudo ALL=(ALL:ALL) ALL
    # See sudoers(5) for more information on "#include" directives:
    #includedir /etc/sudoers.d
After you have edited this file, press Ctrl + O followed by Ctrl + X. Make sure you set the file location to /etc/sudoers while overwriting it.
Once the user is created, you can switch to that user and test whether sudo is working correctly:
    $ sudo bash
    root@hostname:/#
Update the password for the root user
It is better to update the password for the root user and keep it somewhere safe
    root@hostname:~# passwd
    New password:
    Retype new password:
    passwd: password updated successfully
Enabling passwordless SSH access
To enable passwordless SSH access, we will follow 3 steps:
- Generate an SSH key on the local client, i.e. your laptop or PC
- Transfer the key to the server
- Log in using the passwordless SSH method
Generating the SSH Keys
To generate the SSH key, we will use the ssh-keygen command.
    ~$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/localuser/.ssh/id_rsa):
    /home/localuser/.ssh/id_rsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/localuser/.ssh/id_rsa.
    Your public key has been saved in /home/localuser/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:xxxxxxxxxxxxxxxxxxxxxx localuser@localpc
    The key's randomart image is:
    +---[RSA 2048]----+
    | sd |
    | +.o= . . |
    | ds o .|
    | oS*+o+o ..|
    | sssss .+++o+... |
    |ssssss...o + o .|
    | o= + .E ..o.|
    | .+o+ . ..o..|
    +----[SHA256]-----+
    ~$
Transferring the SSH Key
The easiest way to transfer the key is the ssh-copy-id command.
    ~$ ssh-copy-id firstname.lastname@example.org
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    Number of key(s) added: 1
    Now try logging into the machine, with: "ssh 'email@example.com'"
    and check to make sure that only the key(s) you wanted were added.
You might also need to add the generated SSH key to your local SSH agent.
    ~$ ssh-add
    Identity added: /home/localuser/.ssh/id_rsa (/home/localuser/.ssh/id_rsa)
Now you can try to log in using the passwordless method:
    ~$ ssh firstname.lastname@example.org
    Welcome to Ubuntu 17.04 (GNU/Linux 4.10.0-35-generic x86_64)
     * Documentation: https://help.ubuntu.com
     * Management: https://landscape.canonical.com
     * Support: https://ubuntu.com/advantage
     * Ubuntu is participating in Google Code-in, a contest to introduce
       students from 13 to 17 years old to free software. You can join as
       a student or as a mentor:
       - https://ubu.one/UcodeIn
    79 packages can be updated.
    43 updates are security updates.
    New release '17.10' available.
    Run 'do-release-upgrade' to upgrade to it.
    Last login: Fri Dec 15 06:40:44 2017 from 126.96.36.199
    newuser@hostname:~$
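The guide sets disabling root login over SSH as a goal and has now confirmed key-based login, but it never shows the sshd side of that change. The script below is an added example, not part of the original post: it audits an sshd_config for the two directives involved, using hypothetical helper names and constructed sample files.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config for the two settings this guide relies on.
# sshd_value and audit_sshd_config are hypothetical helper names.

# Print the effective global value of a directive. sshd keeps the FIRST
# occurrence, keywords are case-insensitive, and '#' starts a comment line.
sshd_value() {
    local file="$1" key
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }      # per-user overrides start here
        tolower($1) == k { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$file"
}

# Return 0 only if root login and password login are both explicitly disabled.
audit_sshd_config() {
    local file="$1" rc=0 root pass
    root=$(sshd_value "$file" PermitRootLogin)
    pass=$(sshd_value "$file" PasswordAuthentication)
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin=$root (want: no)"; rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "FAIL PasswordAuthentication=$pass (want: no)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK root and password logins are disabled"; fi
    return "$rc"
}

demo() {
    local tmp; tmp=$(mktemp -d)
    # Constructed sample: a fresh VPS that still accepts root with a password.
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' > "$tmp/before"
    # Constructed sample: the same file once key login for newuser is confirmed.
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' > "$tmp/after"
    echo "before:"; audit_sshd_config "$tmp/before" || true
    echo "after:";  audit_sshd_config "$tmp/after"
    rm -rf "$tmp"
}
demo
```

On the server, point it at the real file with `audit_sshd_config /etc/ssh/sshd_config`; `sudo sshd -T` prints the effective configuration as sshd itself computes it.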
Now, we will install LAMP.
Apache Web Server
    newuser@hostname:~$ sudo apt-get install apache2
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      apache2-bin apache2-data apache2-utils libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.2-0
    Suggested packages:
      www-browser apache2-doc apache2-suexec-pristine | apache2-suexec-custom
    Recommended packages:
      ssl-cert
    The following NEW packages will be installed:
      apache2 apache2-bin apache2-data apache2-utils libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.2-0
    0 upgraded, 9 newly installed, 0 to remove and 75 not upgraded.
    Need to get 1,580 kB of archives.
    After this operation, 6,533 kB of additional disk space will be used.
    Do you want to continue? [Y/n] y
After Apache is installed, just put the IP address of the server in the browser.
Next, we will add a single line to the /etc/apache2/apache2.conf file to suppress a warning message. While harmless, if you do not set ServerName globally, you will receive the following warning when checking your Apache configuration for syntax errors. You can set it to either the IP address of the server or the domain name that you are going to map to the IP.
    newuser@hostname:~$ sudo apache2ctl configtest
    [sudo] password for newuser:
    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
    Syntax OK
    newuser@hostname:~$ sudo vi /etc/apache2/apache2.conf
    newuser@hostname:~$ sudo service apache2 restart
    newuser@hostname:~$ sudo apache2ctl configtest
    Syntax OK
Adjust the Firewall to Allow Web Traffic
Next, assuming that you have followed the initial server setup instructions to enable the UFW firewall, make sure that your firewall allows HTTP and HTTPS traffic. You can make sure that UFW has an application profile for Apache like so:
    newuser@hostname:~$ sudo ufw app list
    [sudo] password for newuser:
    Available applications:
      Apache
      Apache Full
      Apache Secure
      OpenSSH
    newuser@hostname:~$ sudo ufw app info "Apache Full"
    Profile: Apache Full
    Title: Web Server (HTTP,HTTPS)
    Description: Apache v2 is the next generation of the omnipresent Apache web
    server.
    Ports:
      80,443/tcp
    newuser@hostname:~$ sudo ufw allow in "Apache Full"
    Rules updated
    Rules updated (v6)
Install the MySQL server package using the following command:
newuser@hostname:~$ sudo apt-get install mysql-server
The next thing would be securing our MySQL installation.
    newuser@hostname:~$ mysql_secure_installation
    Securing the MySQL server deployment.
    Enter password for user root:
    VALIDATE PASSWORD PLUGIN can be used to test passwords
    and improve security. It checks the strength of password
    and allows the users to set only those passwords which are
    secure enough. Would you like to setup VALIDATE PASSWORD plugin?
    Press y|Y for Yes, any other key for No: y
    There are three levels of password validation policy:
    LOW Length >= 8
    MEDIUM Length >= 8, numeric, mixed case, and special characters
    STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
    Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG:
    Using existing password for root.
    Estimated strength of the password: 100
    Change the password for root ? ((Press y|Y for Yes, any other key for No) :
     ... skipping.
    By default, a MySQL installation has an anonymous user,
    allowing anyone to log into MySQL without having to have
    a user account created for them. This is intended only for
    testing, and to make the installation go a bit smoother.
    You should remove them before moving into a production
    environment.
    Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
    Success.
    Normally, root should only be allowed to connect from
    'localhost'. This ensures that someone cannot guess at
    the root password from the network.
    Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
    Success.
    By default, MySQL comes with a database named 'test' that
    anyone can access. This is also intended only for testing,
    and should be removed before moving into a production
    environment.
    Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
     - Dropping test database...
    Success.
     - Removing privileges on test database...
    Success.
    Reloading the privilege tables will ensure that all changes
    made so far will take effect immediately.
    Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
    Success.
    All done!
    newuser@hostname:~$ sudo apt-get install php libapache2-mod-php php-mcrypt php-mysql
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      libapache2-mod-php7.0 libmcrypt4 php-common php7.0 php7.0-cli php7.0-common php7.0-json php7.0-mcrypt php7.0-mysql php7.0-opcache php7.0-readline
    Suggested packages:
      php-pear libmcrypt-dev mcrypt
    The following NEW packages will be installed:
      libapache2-mod-php libapache2-mod-php7.0 libmcrypt4 php php-common php-mcrypt php-mysql php7.0 php7.0-cli php7.0-common php7.0-json php7.0-mcrypt php7.0-mysql php7.0-opcache php7.0-readline
    0 upgraded, 15 newly installed, 0 to remove and 75 not upgraded.
    Need to get 3,686 kB of archives.
    After this operation, 14.9 MB of additional disk space will be used.
Test PHP Processing on your Web Server
In order to test that our system is configured properly for PHP, we can create a very basic PHP script.
The script has to be saved in the web root directory. In Ubuntu 17.04, this directory is located at /var/www/html/. We can create the file at that location by typing:
sudo vi /var/www/html/info.php
This will open a blank file. We want to put the following text, which is valid PHP code, inside the file:
When you are finished, save and close the file, then open the following URI in your browser: http://188.8.131.52/info.php. The following page will be displayed.
After the page is tested, do not forget to remove the file, since it exposes details of the server's configuration to anyone who requests it. Use the command:
sudo rm /var/www/html/info.php
Creating the MySQL Database
We are going to create a user and a database that we will use for the WordPress installation. The user is granted privileges on that database only.
    # mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 7
    Server version: 5.7.20-0ubuntu0.17.04.1 (Ubuntu)
    Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    mysql> create database dbname;
    Query OK, 1 row affected (0.00 sec)
    mysql> CREATE USER 'dbuser'@'localhost' IDENTIFIED BY 'password';
    Query OK, 0 rows affected (0.00 sec)
    mysql> GRANT ALL PRIVILEGES ON dbname.* TO 'dbuser'@'localhost';
    Query OK, 0 rows affected (0.00 sec)
    mysql> FLUSH PRIVILEGES;
    Query OK, 0 rows affected (0.00 sec)
To install WordPress, we will fetch WordPress using wget.
newuser@hostname:~/apps$ wget https://wordpress.org/latest.zip
To unzip it, we need the unzip package.
newuser@hostname:~/apps$ sudo apt-get install unzip
Unzip the package
newuser@hostname:~/apps$ unzip -q latest.zip
Move the files to the apache web server path
newuser@hostname:~/apps$ sudo mv wordpress/ /var/www/html/
Provide the appropriate permissions
    newuser@hostname:/var/www/html$ sudo chown -R www-data:www-data /var/www/html/wordpress
    newuser@hostname:/var/www/html$ sudo chmod -R 755 /var/www/html/wordpress
    newuser@hostname:/var/www/html$ sudo mkdir -p /var/www/html/wordpress/wp-content/uploads
    newuser@hostname:/var/www/html$ sudo chown -R www-data:www-data /var/www/html/wordpress/wp-content/uploads
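A blanket `chmod -R 755` sets the execute bit on every PHP file and leaves wp-config.php, which will hold the database password, readable by all local users. The script below is an added example, not part of the original post: it applies a tighter mode layout and audits the result on a constructed directory tree, using hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: tighter WordPress file modes than a blanket `chmod -R 755`.
# harden_wp_modes and audit_wp_modes are hypothetical helper names.

harden_wp_modes() {
    local root="$1"
    find "$root" -type d -exec chmod 755 {} +   # directories stay traversable
    find "$root" -type f -exec chmod 644 {} +   # PHP files need no execute bit
    # wp-config.php holds the DB password: owner rw, group r, others nothing.
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# List regular files that anyone can execute or that "other" can write.
audit_wp_modes() {
    find "$1" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 -o -perm -002 \) -print
}

demo() {
    local tmp; tmp=$(mktemp -d)
    # Constructed tree standing in for /var/www/html/wordpress.
    mkdir -p "$tmp/wordpress/wp-content/uploads"
    : > "$tmp/wordpress/index.php"
    : > "$tmp/wordpress/wp-config.php"
    chmod -R 755 "$tmp/wordpress"               # state left by the guide's command
    echo "flagged before: $(audit_wp_modes "$tmp/wordpress" | wc -l)"
    harden_wp_modes "$tmp/wordpress"
    echo "flagged after:  $(audit_wp_modes "$tmp/wordpress" | wc -l)"
    rm -rf "$tmp"
}
demo
```

On the server, run `sudo` with the real path, for example `harden_wp_modes /var/www/html/wordpress`, after wp-config.php has been created.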
Add the database details
    newuser@hostname:/var/www/html/wordpress$ sudo cp wp-config-sample.php wp-config.php
    newuser@hostname:/var/www/html/wordpress$ sudo vi wp-config.php