Setup VPS for Linux Noobs!





This is the Lite version of the fully featured LEMP (with Nginx) 4 Debian Stackscript. Run it on a new distribution & your Nginx-powered domain is set up and ready to browse to: new user, Nginx, PHP-FPM, Suhosin, XCache, MySQL, Postfix for email, iptables, SSHD security, logrotate and more, the whole darn lot totally tweaked-tastic!

Lite versions don’t need an authentication key which is friendlier for newbies and handy for webmasters deploying multiple boxes. Otherwise, it’s the same.

This script implements the newly possible PHP-FPM from source repository installation method and supersedes the LEMP Lite Debian 5 stackscript.

Complete with full instructions: launch your Debian server distribution and set up the DNS to be able to run this script and be working on your sites within a few minutes. Full spec below.

Setup Unmanaged VPS: The Ubuntu-Nginx Guide

Take your virtual private server from zero to hero

  .. from blank box to cute-as server ..  

with this easy-to-follow copy/paste guide.

22+ parts with video, here’s the index.

Not good enough? Prefer Apache, want Ubuntu? Check out more stackscripts here.

Debian: Package Spec & Running Order

In order of installation, here’s what the script does:-

  • ensures you have the right repositories
  • carries out a system update and safe-upgrade
  • creates locale and character set
  • adds a user with password, root-elevation privilege & a /home/USER directory
  • amends bashrc with useful alias shortcut commands
  • sets up a public authentication key (the Lite version does not)
  • hardens SSH security
  • implements SSH authentication keys (non-Lite scripts only)
  • configures an iptables firewall
  • configures Postfix for email (ideal for Google Apps)
  • installs and secures MySQL *
  • PHP with PHP-FPM (from repositories)
  • .. secured with Suhosin
  • .. caching with Memcache (easily changed if you like)
  • .. installs essential php5 modules
  • .. with easily swapped variables for other suggested mods
  • Nginx web server (compiled from source)
  • sets up your web directory tree with proper permissions
  • configures your first site’s virtual host (configuration) file
  • configures logrotate to manage site logs to your preference
  • sets up a welcome screen to browse to at your domain
  • reboots the server

* MySQL Secure Installation

This is the one time the script needs a prompt by you, a few minutes from kick-off.

The questions are self-explanatory but here’s what to do anyway.

Give your chosen root MySQL password, then type n for no and hit ENTER, then type y for yes four times, hitting ENTER after each.

The script will continue to its end after this, taking about 8 minutes in total.

Debian Locales

Actually, I lied .. Debian scripts will also stop to prompt you to set your machine’s language options.

Simply check-mark alongside the locales you want and follow the prompts. Locales can be reset at any time.

LEMP/Debian 5: How To Run It

Basically, launch your Linux distro, set up the DNS (or do that after if you prefer), run the script and head to the domain. Here’s the detail.

Distro & DNS

Launch the latest Debian distribution from your VPS provider’s control panel.

Here is how – Set Up a VPS Linux Distribution.

Configure the Nameservers at your domain registrar to point your domain to your VPS provider.

They’re called something like ns1.vpsprovider.com and ns2.vpsprovider.com. You may have more. Check with your VPS provider.

Read Moving Day! How to Move Your Blog or Site for site move strategies and DNS tips.

Set up your DNS at your VPS control panel, or else using Bind, to create your domain’s registration records.

Follow Add a Domain Zone to Your VPS for how to do that.

Authentication Keys

For basic scripts you should do this manually afterwards and refer to the linked tuts.

Create SSH authentication keys to suit either your Windows or Linux local machine:-

  • If you run Windows locally follow Encrypt Data with OpenSSH & Auto-Login with PuTTY, stopping before the section Add the Public Key to Your Remote VPS. I’d also recommend you carry out the later section in that guide, Even Faster Login Using Pageant, although that’s not essential.
  • As the above linked tutorial spells out, you want your local private key somewhere safe on your PC. For the public key, open its file with Notepad and copy it into the authentication key variable (explained below).
  • If you run Linux locally follow Create a Basic Local to Remote Server SSH Connection but do not upload the public key. Or just do this (Linux is easier to sum up.)
    • Create the keys following the prompts and, I suggest, with a passphrase:-
      ssh-keygen -t rsa

    • Open the public key with some text editor like gedit:-
      gedit /home/USERNAME/.ssh/id_rsa.pub

Stackscript Variables

Bear in mind that the server we end up with is highly configured. To make that possible we edit a few values and, for some, carry out some basic research.

The values to change are found at the top of the script (scroll down for that) in the section marked YOU MUST EDIT SOME VARIABLES HERE. So that’s original.

Fortunately I’ve detailed each value you may need to edit although, in practice, most can be left at their defaults.

These notes are pretty much recycled across all vpsBible stacks so you can ignore the variables not mentioned at the top of this particular script.

LEMP/LAMP

General Notes

These notes refer to all scripts.

A typical variable entry reads:-

export USER="username"

Only change the text within the “quotation marks” so, in the example above, we would only change username.

Many variables need not be changed. For instance, package versions will be updated by me every so often. Then again, if you do change them that’s up to you but, be warned, the script has only been tested with the versions shown and these versions are therefore recommended to avoid errors.

Unless there is a note to the contrary values must not be left blank.

Some special characters used in your password export commands – only &,/,!,(,),{ and } AFAIK – may disable script functionality. To use these place a backslash “\” in front.

.. For instance, instead of export MYSQL_PASSWORD="wh!skey" you must use export MYSQL_PASSWORD="wh\!skey" and the actual password is then wh!skey.

If anything breaks, explodes or something let me know, thank you.

VPS User Variables

These details will set up your user, password, your /home/USER directory and be used for pretty much everything in the script.

export USER="vpsUser"  Choose a VPS username. Don’t use root.

export PASSWORD="vpsUserPassword"  The password is for your username, not the root password (which you likely created when you launched the server distribution). You can always change passwords later if you want to.

Logrotate to Manage Log Files

The logrotate utility controls the size of website log files. By default this runs daily, keeping compressed logs for the last 28 days.

export LOG_FREQUENCY="daily"  You may prefer “weekly” logs. Hourly log rotation should be set up with a cronjob instead.

export LOG_ROTATE="26"  The number of days to keep logs.

To later manually edit the log rotation file you can find it here:-

/etc/logrotate.d/DOMAIN

Hardened SSH Security

These values are extremely important for server security but, due to the authentication keys being a trifle tricky for noobs to set up, are included in the advanced LEMP/LAMP stackscripts only.

You may prefer to run the basic script that omits these variables and to add them manually afterwards. Either way you do need these anti-hack variables.

How Do I Edit SSH Variables By Hand?

The configuration file edited by the advanced scripts is /etc/ssh/sshd_config. To edit manually follow the guide:-

In that tutorial you can ignore the firewall reference as that is set up automatically in all the LEMP/LAMP scripts.

When you have manually reset SSH variables remember to restart SSH:-

sudo /etc/init.d/ssh restart

export PORT="22"  This is the port by which you connect to the server with a terminal. The system default is 22, and hackers love it. Change to some five figure number under 65000.

How Do I Login With My New Port?

To log in, post-script, you will now need to specify the new port locally.

For Windows locally, in PuTTY change the Port in PuTTY Configuration.

For local Linux users:-

ssh -p 54321 username@123.45.67.890

.. where 54321 is an example port.

export PERMITROOTLOGIN="no"  This sets whether or not to refuse login by the root user. The system default is yes. It should be changed to no. Then you can only login with a username, which is all you need. You can still assume root/SuperUser privileges when logged in, so no worries there.

export PASSWORDAUTHENTICATION="yes"  This says whether or not to use passwords to login to the server. It is more secure, by far, to say no and use authentication keys instead. The system default is yes and I have left that to prevent lock-out. Experienced users will change this to no. Otherwise, leave as yes and then, having tested your keys by logging in after the script completes, change to no in the configuration file.

How Do I Set Up Authentication Keys?

Check the links above. Cornerstone security.

But I Need Access from Various Computers

Then use your private key on those, keeping it on a pen drive. Only turn PasswordAuthentication to no when you have to.

export X11FORWARDING="no"  X11 is a protocol enabling a GUI option which we don’t use for servers. The system default is yes. Keep it to no.

export USEDNS="UseDNS no"  Adding this prevents possible reverse host lookup problems. The variable does not exist by default but most should leave this as I have set. If you know better, change the variable to yes.

export AllowUsers="AllowUsers $USER"  Allow only specific users to log in. By default this setting does not exist. It should. Leave my setting and edit the file later to add more users as required.

export PUBLIC_KEY="ssh-rsa .. etc .. == host@local"  The public of the two keys. Again, optional, so if you don’t want it, use the non-secured script and edit the other sshd_config variables manually. In the scripts where this variable is present, having generated your keys, swap the example for your key, typically id_rsa.pub. That will be sent to the server and the proper permissions created.
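
Once the script has run, or after editing /etc/ssh/sshd_config by hand, the settings above can be checked before SSH is restarted. The following is an added example, not part of the stackscript or the original page: a small POSIX shell audit of an sshd_config file against the values recommended here. The function names, the sample file and the vpsUser name in it are constructed for illustration, and the check ignores Match blocks and Include files.

```shell
#!/bin/sh
# Added example (not the stackscript's code): audit sshd_config against this guide's values.
# Assumptions: one file, no Match/Include; AllowUsers holds plain user names.

# For single-valued keywords sshd uses the FIRST uncommented occurrence, so a
# hardened line appended below an earlier weak one changes nothing.
effective_value() {  # usage: effective_value FILE KEYWORD
  awk -v k="$2" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == tolower(k) { print tolower($2); exit }
  ' "$1"
}

# Port and AllowUsers may be repeated and their values add up: collect them all.
all_values() {  # usage: all_values FILE KEYWORD
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; printf "%s ", $0 }' "$1"
}

audit_sshd() (  # usage: audit_sshd FILE USER ; prints one line per finding
  file=$1 user=$2
  expect_no() {
    got=$(effective_value "$file" "$1")
    [ "$got" = "no" ] || echo "$1: want 'no', effective value is '${got:-unset}'"
  }
  ports=$(all_values "$file" Port)
  case " $(echo ${ports:-22}) " in *" 22 "*) echo "Port: sshd still listens on 22" ;; esac
  for key in PermitRootLogin PasswordAuthentication X11Forwarding UseDNS; do
    expect_no "$key"
  done
  case " $(echo $(all_values "$file" AllowUsers)) " in
    *" $user "*) ;;
    *) echo "AllowUsers: '$user' is not listed" ;;
  esac
)

# Constructed sample: "PermitRootLogin no" was appended below the stock "yes"
# line, and the PasswordAuthentication line is still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 54321
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
UseDNS no
AllowUsers vpsUser
PermitRootLogin no
EOF
audit_sshd "$sample" vpsUser
```

On the sample it reports PermitRootLogin (the earlier yes wins) and PasswordAuthentication (still commented out). Against a live server, call audit_sshd /etc/ssh/sshd_config USERNAME and keep an existing session open until a fresh login has been tested.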

Sites & Email

These variables are used to set up your initial site, its directory structure (geared for adding sites) and its configuration (virtual host) file.

It is also used to set up Postfix so that your server can process your website’s email using the recommendable, free and spam killing Google Apps. Check out those links for the detail and to see how to set up Google Apps after running the script.

export HOSTNAME="mail.yourdomain.com" should be replaced with whatever hostname you want to use.

export DOMAIN="yourdomain.com" should be replaced with your domain name.

export SHORTDOMAIN="yourdomain" is your domain minus the .tld, .com or whatever.

export POSTFIX_FIX="$domain" is the same as SHORTDOMAIN except leaving the $. In other words, change $domain to $yourdomain.

MySQL

All we need for MySQL is a root password.

export MYSQL_PASSWORD="mysqlPassword"  Your chosen root password for MySQL. Make this original and hot-damn complicated.

LEMP ONLY

Nginx

Nginx will be compiled before its installation with SSL (Secure Socket Layer or https) built in.

export NGX_VER="1.0.4"  Change this value to the latest stable version which can be ascertained at the Nginx wiki’s download page.

PHP Modules

The variable allows you to pick and choose. It’s explained in the script to be clear. Just leave a space between each, no commas.

Caching Modules

Memcache is added in the variable – php5-memcache – but you can swap that for php5-xcache if you prefer. (APC etc aren’t php-modded so install afterwards if you like.)

Login to VPS

Login to your VPS using a terminal. In case you don’t know how:-

Problems Logging into the VPS?

If you’ve launched a new distro on a VPS that you’ve used before you may get a warning saying you can’t log in. This tends to happen when you redeploy a new Linux distribution with a previously used IP address.

In that case you need to delete a line from a local file. Read the message carefully as it pinpoints the precise line and from what file to delete that line. The file will be:-

Windows  C:\WINDOWS\system32\drivers\etc\hosts

Linux  /home/USERNAME/.ssh/known_hosts

Quite likely the problem line is the last one. If you’re unsure, rather than delete the line just comment it out by prepending with a #hash.

Run the Script

At last the easy bit! At the terminal, logged into your new VPS, do this:-

nano script

Paste your script with the variables edited. Talking of which, here it is. (Scroll down to below the script for more instructions.)



Run the Script contd.

Save and close the file by typing CTRL X, then y for yes, then ENTER. Now we create permissions to run the script like this:-

chmod u+x script


And kick up some dust:-

./script

The stackscript does its thing, eventually gets bored and issues a sulky reboot.

Log In Post-Script

If you changed the port as explained in the Stackscript Variables notes, remember to use that, as well as to use your new username. If you ran an advanced script using authentication keys, no password is required. Otherwise, use your new password.

Delete the Script

Do not leave stackscripts hanging around on your VPS.

sudo rm /root/script

Browse to Site

You may as well check to make sure you have a webpage:-

http://yourDOMAIN.com

To edit it (deleting my automated spiel) and check out your PHP at the same time:-

echo "<?php phpinfo();?>" > /home/USERNAME/public_html/yourDOMAIN.com/public/index.php

Then delete that phpinfo request too, else you’re offering clues to hackers:-

echo "whatever holding page content" > /home/USERNAME/public_html/yourDOMAIN.com/public/index.php

What Else Should I Do?

Go to your web directory by typing:-

www

That’s one of the aliases the stack created in the bashrc file. Nice huh?

Check out the other aliases we created, and create more yourself, by typing:-

ebrc

(That’s another alias .. long commands are just sooo boooring.)

Scroll to the bottom of the file and look for everything under the section:-

##################
### My Aliases ###
##################

Have a play and read Edit bashrc for User-Friendly Linux, plus System Updates

Scour this site for cool administration tips and pop by the forum to say Hi too.

More scripts on the way … upgrades, security in depth, backup setup etc.

Oh yes, and go to your VPS forum and tell folks how cool vpsBible is!

(.. that last bit’s pretty important) :P

Enjoy.


Nginx Admin: In the Works ..

This lot’s marked for addition already:-

  • Setup or Edit DNS using Bind
  • Network Tools Troubleshooting Guide
  • The Comprehensive Permissions Guide
  • Configuring Nginx Rewrites
  • Custom Website Error Page
  • Setting up Cron Jobs
  • Rsync for Incremental Remote-to-Local Backup
  • Cron & Rsync for Automatic Backup
  • Cron & mysqldump for Auto DB Backup
  • Safeguard Bandwidth with Hotlink Protection
  • Block Access with Nginx’ IP Deny


