Run this script on a new Ubuntu distro & browse to your domain. Tweaked for performance & security, setup includes new user, Apache, PHP5, Suhosin, Memcache, MySQL, Postfix, firewall, SSH keys, SSHD security & more.
Not good enough? Prefer Nginx? Check out more stackscripts here.
Complete with full instructions, launch your Linux server distribution, setup the DNS, run this script and log in. Full spec below.
Setup Unmanaged VPS: The Ubuntu-Nginx Guide
Take your virtual private server from zero to hero
.. from blank box to cute-as server ..
with this easy-to-follow copy/paste guide.
22+ parts with video, here’s the index.
LAMP for Ubuntu Stack: Package Spec & Running Order
In order of installation, here’s what the script does:-
- ensures you have the correct safe package repositories
- carries out a system update and safe-upgrade
- creates locale and character set
- adds a user with password, root-elevation privilege & a /home/USER directory
- amends bashrc with useful alias shortcut commands
- sets up a public authentication key (the Lite version does not)
- hardens SSH security
- configures an iptables firewall
- configures Postfix for email (ideal for Google Apps)
- installs and secures MySQL *
- installs Apache2
- tweaks Apache to prevent information leakage
- installs PHP5 suited to serving websites
- .. with support for curl, gd, imagick, mcrypt, mysqli, mysql, pdo_mysql, pdo, pspell, snmp, xmlrpc, xsl
- .. with caching by Memcache
- .. and hardened by Suhosin
- sets up your web directory tree with proper permissions
- configures your first site’s virtual host (configuration) file
- sets up a welcome screen to browse to at your domain
- carries out a second system update and safe-upgrade
- reboots the server
* MySQL Secure Installation
This is the one time the script needs a prompt by you, a few minutes from kick-off.
The questions are self-explanatory but here’s what to do anyway.
Give your chosen root MySQL password, then type n for no and hit ENTER, then type y for yes four times, hitting ENTER after each.
The script will continue to its end after this, taking about 10 minutes in total.
LAMP for Ubuntu 32bit Stack: How To Run It
Basically, launch your Linux distro, setup the DNS (or do that after if you prefer), setup your authentication keys if you want them and run the script. Here’s the detail.
Distro & DNS
Launch the latest 32bit Ubuntu distribution from your VPS provider’s control panel.
Here is how – Set Up a VPS Linux Distribution.
Configure the Nameservers at your domain registrar to point your domain to your VPS provider.
They’re called something like ns1.vpsprovider.com and ns2.vpsprovider.com. You may have more. Check with your VPS provider.
Read Moving Day! How to Move Your Blog or Site for site move strategies and DNS tips.
Setup your DNS at your VPS control panel, else using Bind, to create your domain’s registration records.
Follow Add a Domain Zone to Your VPS for how to do that.
Authentication Keys
This only applies for the advanced security scripts. If you are running a basic script you should do this manually afterwards.
Create SSH authentication keys to suit either your Windows or Linux local machine:-
- If you run Windows locally follow Encrypt Data with OpenSSH & Auto-Login with PuTTY, stopping before the section Add the Public Key to Your Remote VPS. I’d also recommend carrying out the later section in that guide, Even Faster Login Using Pageant, although that’s not essential.
- As the above linked tutorial spells out, you want your local private key somewhere safe on your PC. For the public key, open its file with Notepad and copy it into the authentication key variable (explained below).
- If you run Linux locally follow Create a Basic Local to Remote Server SSH Connection but do not upload the public key. Or just do this (Linux is easier to sum up.)
- Create the keys following the prompts and, I suggest, with a passphrase:-
ssh-keygen -t rsa
- Open the public key with some text editor like gedit:-
gedit /home/USERNAME/.ssh/id_rsa.pub
- Copy the key into the authentication key variable (explained below).
Stackscript Variables
Bear in mind that the server we end up with is highly configured. To make that possible we edit a few values and, for some, carry out some basic research.
The values to change are found at the top of the script (scroll down for that) in the section marked YOU MUST EDIT SOME VARIABLES HERE. So that’s original.
Fortunately I’ve detailed each value you may need to edit although, in practice, most can be left at their defaults.
These notes are recycled across all vpsBible stacks so you can ignore the variables not mentioned at the top of this particular script.
LEMP/LAMP
General Notes
These notes refer to all scripts.
A typical variable entry reads:-
export USER="username"
Only change the text within the “quotation marks” so, in the example above, we would only change username.
Many variables need not be changed. For instance, package versions will be updated by me every so often. Then again, if you do change them that’s up to you but, be warned, the script has only been tested with the versions shown and these versions are therefore recommended to avoid errors.
Unless there is a note to the contrary values must not be left blank.
Some special characters used in your password export commands – only &,/,!,(,),{ and } AFAIK – may disable script functionality. To use these place a backslash “\” in front.
.. For instance, instead of export MYSQL_PASSWORD="wh!skey" you must use export MYSQL_PASSWORD="wh\!skey" and the actual password is then wh!skey.
If anything breaks, explodes or something let me know, thank you.
VPS User Variables
These details will set up your user, password, your /home/USER directory and be used for pretty much everything in the script.
export USER="vpsUser" Choose a VPS username. Don’t use root.
export PASSWORD="vpsUserPassword" The password is for your username, not the root password (which you likely created when you launched the server distribution). You can always change passwords later if you want to.
System Location & Character Encoding
Tell Linux where your sites are based and what character encoding to use.
export LOCALE="en_GB" This locale example en_GB means English language/Great Britain. Change for your language and country.
To find your country code go here, then to see if that code is supported paste this:-
nano /usr/share/i18n/SUPPORTED
export CHARSET="UTF-8" The charset UTF-8 is right for most of us.
Hardened SSH Security
These values are extremely important for server security but, due to the authentication keys being a trifle tricky for noobs to set up, are included in the advanced LEMP/LAMP stackscripts only.
You may prefer to run the basic script that omits these variables and to add them manually afterwards. Either way you do need these anti-hack variables.
How Do I Edit SSH Variables By Hand?
The configuration file edited by the advanced scripts is /etc/ssh/sshd_config. To edit manually follow the guide:-
In that tutorial you can ignore the firewall reference as that is set up automatically in all the LEMP/LAMP scripts.
When you have manually reset SSH variables remember to restart SSH:-
sudo /etc/init.d/ssh restart
export PORT="22" This is the port by which you connect to the server with a terminal. The system default is 22, and hackers love it. Change to some five figure number under 65000.
How Do I Login With My New Port?
To log in, post-script, you will now need to specify the new port locally.
For Windows locally, in PuTTY change the Port in PuTTY Configuration.
For local Linux users:-
ssh -p 54321 username@123.45.67.890
.. where 54321 is an example port.
export PERMITROOTLOGIN="no" This sets whether or not to refuse login by the root user. The system default is yes. It should be changed to no. Then you can only login with a username, which is all you need. You can still assume root/SuperUser privileges when logged in, so no worries there.
export PASSWORDAUTHENTICATION="yes" This says whether or not to use passwords to login to the server. It is more secure, by far, to say no and use authentication keys instead. The system default is yes and I have left that to prevent lock-out. Experienced users will change this to no. Otherwise, leave as yes and then, having tested your keys by logging in after the script completes, change to no in the configuration file.
How Do I Set Up Authentication Keys?
.. because really you should ..
- If you have Windows locally read Encrypt Data with OpenSSH & Auto-Login with PuTTY
- If you have Linux locally read Setup OpenSSH for Linux-to-Linux
But I Need Access from Various Computers
Then use your private key on those, keeping it on a pen drive. Only turn Passwordauthentication to no when you have to.
export X11FORWARDING="no" X11 is a protocol enabling a GUI option which we don’t use for servers. The system default is yes. Keep it to no.
export USEDNS="UseDNS no" Adding this prevents possible reverse host lookup problems. The variable does not exist by default but most should leave this as I have set. If you know better, change the variable to yes.
export AllowUsers="AllowUsers $USER" Allow only specific users to log in. By default this setting does not exist. It should. Leave my setting and edit the file later to add more users as required.
export PUBLIC_KEY="ssh-rsa .. etc .. == host@local" The public key of the pair. Again, this is optional, so if you don’t want it, use the non-secured script and edit the other sshd_config variables manually. In the scripts where this variable is present, having generated your keys, swap the example for your key, typically id_rsa.pub. That will be sent to the server and the proper permissions created.
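The SSH settings above can be checked after the script has run. This is an added example, not part of the stackscript or the original page: it audits sshd_config text against the values recommended in this section. The function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the stackscript): audit sshd_config text against the
# SSH values this guide recommends. All sample configs below are constructed.

# Print every value of KEYWORD (case-insensitive) found in sshd_config text on
# stdin, in file order. Stops at the first Match block, whose settings only
# apply conditionally.
sshd_values() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print }'
}

# For single-valued keywords sshd keeps the FIRST value it reads.
sshd_effective() { sshd_values "$1" | head -n 1; }

# Print a finding when KEYWORD's effective value differs from WANTED.
sshd_check() {   # sshd_check CONFIG_TEXT KEYWORD WANTED
    got=$(printf '%s\n' "$1" | sshd_effective "$2" | tr 'A-Z' 'a-z')
    if [ "$got" != "$3" ]; then
        printf '%s: %s, guide recommends %s\n' "$2" "${got:-(unset)}" "$3"
    fi
}

# One finding per line; no output means the text matches the guide.
sshd_audit() {   # sshd_audit CONFIG_TEXT
    sshd_check "$1" PermitRootLogin no
    sshd_check "$1" PasswordAuthentication no
    sshd_check "$1" X11Forwarding no
    sshd_check "$1" UseDNS no
    # Port may appear several times and sshd listens on every port listed,
    # so all Port lines are inspected, not just the first.
    ports=$(printf '%s\n' "$1" | sshd_values Port)
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "Port: sshd still listens on 22, guide recommends a high custom port"
    fi
    if [ -z "$(printf '%s\n' "$1" | sshd_values AllowUsers)" ]; then
        echo "AllowUsers: (unset), guide recommends AllowUsers \$USER"
    fi
}

# Constructed sample: an untouched file.
SAMPLE_STOCK='Port 22
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes'

# Constructed sample: "hardened" by appending a line at the end. The earlier
# PasswordAuthentication yes is read first, so password logins stay enabled.
SAMPLE_APPENDED='Port 54321
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
UseDNS no
AllowUsers vpsUser
PasswordAuthentication no'

echo "--- stock ---";    sshd_audit "$SAMPLE_STOCK"
echo "--- appended ---"; sshd_audit "$SAMPLE_APPENDED"
```

On a live server, sudo sshd -T prints the configuration sshd actually resolves, which is the authoritative check once the file has been edited by hand.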
Sites & Email
These variables are used to set up your initial site, its directory structure (geared for adding sites) and its configuration (virtual host) file.
It is also used to set up Postfix so that your server can process your website’s email using the recommendable, free and spam killing Google Apps. Check out those links for the detail and to see how to set up Google Apps after running the script.
export HOSTNAME="mail.yourdomain.com" should be replaced with whatever hostname you want to use.
export DOMAIN="yourdomain.com" should be replaced with your domain name.
export SHORTDOMAIN="yourdomain" is your domain minus the .tld, .com or whatever.
export POSTFIX_FIX="$domain" is the same as SHORTDOMAIN except leaving the $. In other words, change $domain to $yourdomain.
PHP Tweaks
I’ll be adding some security tweaks to this section. Pop back for the detail as they can be added manually easily enough.
export MEMORY="48M" Some will want to adjust the amount of RAM that a single script can consume. Here’s your chance, else leave it for now.
MySQL
All we need for MySQL is a root password.
export MYSQL_PASSWORD="mysqlPassword" Your chosen root password for MySQL. Make this original and hot-damn complicated.
LAMP ONLY
Apache Security
There are many things we can do later to improve Apache security. For now we’ll just add a couple of tweaks.
export SERVERSIGNATURE="Off" When there’s a page error your server version is exposed. Hackers are happy. Turn off this info leak with my default, else choose On for development servers or Email if you want to include an email address rather than the server info. Those options again: On | Off | Email.
export EMAIL="apache@yourdomain.com" If you set the above to email, provide an email. If you didn’t then this will not be used. Don’t leave this blank.
LEMP ONLY
Nginx
Nginx will be compiled before its installation with SSL (Secure Socket Layer or https) built in.
export NGX_VER="0.7.67" Change this value to the latest stable version which can be ascertained at the Nginx wiki’s download page.
PHP (with PHP-FPM)
PHP needs to be connected up to Nginx with a middleman called FastCGI and the best flavor is called FPM.
However, the package has to be compiled before installation and is basically a royal pain. No sweat, the script does the lot and these variables refer to that.
You should change the DATE_TIMEZONE.
Otherwise, unless you are a PHP pro don’t change the other values (not just any package version will work with another). These values will be changed by me as and when new tested stable releases are available.
export DATE_TIMEZONE="Europe/London" Swap for yours which can be found here.
export PHP_VER="5.3.0" The PHP version.
export AC_VER="2.13" The Autoconf compiler version.
export LE_VER="1.4.12-stable" The Libevent (a PHP dependency) version.
export SU_VER="0.9.31" The hardened PHP security patch, Suhosin.
XCache for Caching
These are the XCache values you’ll most likely want to consider tweaking.
Alternatively, override default XCache settings later by amending your php.ini configuration file:-
sudo nano /etc/php5/cgi/php.ini
export XC_VER="1.3.0" The XCache (for caching) version.
export XC_ZEND="20090626" The Xcache-Zend extension reference.
export XCACHE_SIZE="64M" See below.
export XCACHE_VAR_SIZE="64M" The above 2 values should match and refer to the amount of RAM you wish to dedicate to caching. I have 512MB of RAM, as a guideline, but ask at your VPS forum.
export XCACHE_COUNT="4" See below.
export XCACHE_VAT_COUNT="4" Again the above 2 values match. They refer to the number of processors in your machine. To find out, having first launched your new Linux distribution, paste:-
cat /proc/cpuinfo | grep -c processor
Login to VPS
Login to your VPS using a terminal. In case you don’t know how:-
- If locally you run Windows follow Set Up Command Line Interface (CLI) using PuTTY
- If locally you run Linux follow Create a Basic Local to Remote Server SSH Connection
Problems Logging into the VPS?
If you’ve launched a new distro on a VPS that you’ve used before you may get a warning saying you can’t log in. This tends to happen when you redeploy a new Linux distribution with a previously used IP address.
In that case you need to delete a line from a local file. Read the message carefully as it pinpoints the precise line and from what file to delete that line. The file will be:-
Windows C:\WINDOWS\system32\drivers\etc\hosts
Linux /home/USERNAME/.ssh/known_hosts
Quite likely the problem line is the last one. If you’re unsure, rather than delete the line just comment it out by prepending with a #hash.
Run the Script
At last the easy bit! At the terminal, logged into your new VPS, do this:-
nano script
Paste your script with the variables edited. Talking of which, here it is. (Scroll down to below the script for more instructions.)
Run the Script contd.
Save and close the file by typing CTRL X, then y for yes, then ENTER. Now we create permissions to run the script like this:-
chmod u+x script
And kick up some dust:-
./script
The stackscript does its thing, eventually gets bored and issues a sulky reboot.
Log In Post-Script
If you changed the port as explained in the Stackscript Variables notes, remember to use that, as well as to use your new username. If you ran an advanced script using authentication keys, no password is required. Otherwise, use your new password.
Delete the Script
Do not leave stackscripts hanging around on your VPS.
sudo rm /root/script
Browse to Site
You may as well check to make sure you have a webpage:-
http://yourDOMAIN.com
To edit it (deleting my automated spiel) and check out your PHP at the same time:-
echo "<?php phpinfo();?>" > /home/USERNAME/public_html/yourDOMAIN.com/public/index.php
Then delete that phpinfo request too, else you’re offering clues to hackers:-
echo "whatever holding page content" > /home/USERNAME/public_html/yourDOMAIN.com/public/index.php
What Else Should I Do?
Go to your web directory by typing:-
www
That’s one of the aliases the stack created in the bashrc file. Nice huh?
Check out the other aliases we created, and create more yourself, by typing:-
ebrc
(That’s another alias .. long commands are just sooo boooring.)
Scroll to the bottom of the file and look for everything under the section:-
##################
### My Aliases ###
##################
Have a play and read Edit bashrc for User-Friendly Linux, plus System Updates
Scour this site for cool administration tips and pop by the forum to say Hi too.
More scripts on the way … upgrades, security in depth, backup setup etc.
Oh yes, and go to your VPS forum and tell folks how cool vpsBible is!
(.. that last bit’s pretty important)
Enjoy.