FROM UBUNTU ZERO TO HERO
Table of Contents

Preface
Ubuntu and you
Creating a LAMP server
Setting the root password
Hosting one (or multiple) HTML websites on your server
SFTP to your server
Configuring the website(s)
Server Security
Server Performance
    Swap file
    Cloudflare
Managing your databases
Advanced Commands
Install, update and remove packages
    DPKG
    Apt-Get
    Aptitude
Network configuration
    Ethernet
    IP Addresses
Remote Administration
    SSH
    SSH Keys
    Puppet
www.netshock.co.uk
Preface

This ebook was written by Netshock (www.netshock.co.uk) with the sole purpose of helping individuals go from being complete beginners to relatively competent when it comes to Ubuntu server management. This guide will take you through the process of setting up static HTML websites on your server, followed by detailed guides that cover the management of your newly created servers (including performance, security, package and resource management).
Ubuntu and you...

If you're like me, you're probably opening this guide ready to learn how to take your infrastructure to the next level. That kind of enthusiasm is important: Ubuntu is not for the faint-hearted and is certainly more of a struggle to get to grips with than a Windows server. That said, once you do become familiar with the Ubuntu server commands, you'll find it is much more rewarding to work with than its Windows equivalent – both in terms of usability and, let's not forget, that smug feeling you'll have knowing that you've saved yourself a lot of money by deploying Ubuntu instead of Windows.

Before we can even start looking at Ubuntu commands, we will need to set up a server – in this case, I'll be creating a VPS (Virtual Private Server) through Digital Ocean. There are a lot of benefits to using a VPS in place of a shared host, the biggest of which is the dedicated resource allocation. What this means is you'll always have xGB of RAM at your disposal, rather than fighting with hundreds, if not thousands, of other customers on your shared hosting server. Additionally, you can host whatever you like on your VPS without being penalized by the hosting company for using too much compute power.

All in all, this is a much more flexible solution for your business as it provides you with infrastructure which can be scaled to grow with your business. If you have certain days or times that your service is particularly in demand (like the Apple store when a new phone is released), you can set your servers to automatically expand to cope with the additional demand, giving your users consistent performance.

Even though this ebook runs through the setup of servers on Digital Ocean, the Ubuntu commands throughout will work for all other cloud services, including Amazon Web Services, Microsoft Azure, Linode and others. Without further ado, let's get started!
Creating a LAMP server

There are several ways that you could go about setting up your server. You could install Ubuntu and then install each of the applications you need to run your website, one at a time. This is time consuming and isn't a particularly efficient way to launch your services, as there are core applications / services which are used by almost all basic deployments on Ubuntu servers. Those core applications / services are: Linux, Apache, MySQL and PHP.

Apache is a web server which controls what your server does when a visitor comes along. It tells the server which website the user is looking for and in which directory to find that website. We will be using Apache throughout this ebook.

MySQL is a database server which is used to store structured data (for example an orders database). This is a robust and well tested solution that is one of the leading products in the market (and it's free).

Finally, we have PHP, an engine which enables your server to interpret and display PHP documents to your users. We refer to the installation of all these components as a LAMP Stack.

Luckily for us, Digital Ocean (and most other providers) have a ready-made image for us, so we don't need to mess around installing everything. To set up your LAMP server, follow the below steps.

1. Log in to your Digital Ocean account
2. Click “create droplet” in the top right
3. Name your droplet anything you want
4. Under the applications tab, select 'LAMP on 14.04'
5. Click 'Create Droplet'

You will then see a progress bar appear on the page. Once this is complete, your server is up and running. Congratulations, you're officially an Ubuntu server owner!
Setting the root password

Now that you've created your server you'll need to check your inbox. When you create a new droplet with Digital Ocean you will be emailed an auto generated password for your server. You should change this as soon as possible to maintain the security of your droplet.

In order to change the password you will need to become familiar with SSH (Secure Shell). As a bit of background, SSH is an industry standard, secure method of accessing and administering servers remotely. The benefit of SSH is that it enables you to manage your servers without physically needing to plug a keyboard into them.

If you have a Windows desktop, you can SSH on to your servers by downloading a tool called Putty. Once you've done that, run the application – you'll need to enter your droplet's IP address and then hit 'open'.

The two details above are all you need, just click “open” and your server terminal will appear. Type 'root' as the username and enter the password that you received in the email (you can right click in the terminal and select 'paste' to make this easier). You will now be prompted to enter a new password.
If you're not using a Windows desktop, you can open your terminal and simply type 'sudo ssh root@yourIPaddress'. This will then prompt you for your existing password (as above).
Hosting one (or multiple) HTML websites on your server

Your initial setup and configuration phase is not complete. You have a server with Linux, Apache, MySQL and PHP installed on it. You also now know how to SSH to your server, which will help us very shortly. Currently though, you don't have any websites on your server, and in its current state, it would be no use uploading them either. There is a little bit of required configuration work before you'll be able to see your website running on the server.

In order to host websites on your droplet, you will need to use a method called SFTP (Secure File Transfer Protocol) to connect to your server. Essentially, this gives you access to the directory structure of your server and all the files held within it. The next section covers installing and using Filezilla – an FTP client.
SFTP to your server

In order to SFTP to your server, all you'll need to do is download Filezilla onto your desktop computer. This is available for both Windows and Ubuntu desktop. To connect to your website, click File > Site Manager. Within this screen, enter the host details (which is your server's IP address), the logon type (which is interactive), protocol (which is SFTP) and the username (which is root).
Once you've filled all of that in you can go ahead and click 'connect' – you will be prompted to enter your password – hopefully, you're now connected to your server. You'll see a folder with three dots (…) at the top of your screen, click that. On the subsequent page, find the directory named 'var'. Within that, open 'html'.
Configuring the website(s)

Now that you have the correct directory open, you can go ahead and follow the below steps.

1. Add your website address as a folder (e.g. var/www/example.com)
2. Within your new folder, create a sub folder called 'public_html'
3. Navigate to '/etc/apache2/sites-available'
4. Copy the '000-default.conf' file to your desktop
5. Edit the file name to be yourdomain.com.conf
6. Within the file, edit the server admin email (to your email address)
7. Then edit the document root (to point at your new public_html folder)
8. Finally, add these two lines (replacing 'domain.com' with your web address):
   ServerName domain.com
   ServerAlias www.domain.com
9. Open the terminal via SSH
10. Connect to your server
11. Type 'sudo a2ensite example.com.conf' (replacing example.com with your URL)
12. Restart Apache by typing 'sudo service apache2 restart'

Now that you've done that, you can start uploading all of your web pages, CSS and images to that folder. As soon as your domain has been pointed at the server, you'll be able to navigate to your new website.
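Steps 1 to 8 can also be carried out on the server itself rather than by editing the file on your desktop. The script below is an added example, not part of the original ebook: it derives the new virtual host file from a copy of 000-default.conf and refuses domain names that could escape the web root. The names make_vhost and sample_template, the argument order and the sample template are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the ebook. make_vhost and sample_template are
# hypothetical names; the template is a constructed stand-in for
# /etc/apache2/sites-available/000-default.conf.

sample_template() {
    cat <<'EOF'
<VirtualHost *:80>
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>
EOF
}

# make_vhost TEMPLATE DOMAIN ADMIN_EMAIL WEBROOT OUTDIR
make_vhost() {
    mv_template=$1; mv_domain=$2; mv_admin=$3; mv_webroot=$4; mv_outdir=$5

    # The domain becomes part of a path and of the Apache config, so accept
    # only plain host names: no slashes, spaces, "..", or leading "-" / ".".
    case $mv_domain in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*)
            echo "invalid domain: $mv_domain" >&2; return 1 ;;
    esac
    [ -r "$mv_template" ] || { echo "cannot read $mv_template" >&2; return 1; }

    # Steps 1 and 2: <webroot>/<domain>/public_html
    mv_docroot=$mv_webroot/$mv_domain/public_html
    mkdir -p "$mv_docroot" "$mv_outdir" || return 1
    mv_out=$mv_outdir/$mv_domain.conf

    # Steps 4 to 8: copy the template, rewriting ServerAdmin and DocumentRoot
    # and adding ServerName / ServerAlias directly after ServerAdmin.
    awk -v admin="$mv_admin" -v root="$mv_docroot" -v dom="$mv_domain" '
        /^[ \t]*ServerAdmin[ \t]/ {
            match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)
            print ind "ServerAdmin " admin
            print ind "ServerName " dom
            print ind "ServerAlias www." dom
            next
        }
        # Drop any existing or commented-out ServerName / ServerAlias lines.
        /^[ \t]*#?[ \t]*Server(Name|Alias)[ \t]/ { next }
        /^[ \t]*DocumentRoot[ \t]/ {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) "DocumentRoot " root
            next
        }
        { print }
    ' "$mv_template" > "$mv_out" || return 1

    # Fail loudly if the template had no ServerAdmin line to anchor on.
    grep -qF "ServerName $mv_domain" "$mv_out" || {
        echo "template has no ServerAdmin line" >&2; return 1; }
}

# On the server (writing under /etc needs root), followed by steps 11 and 12:
#   make_vhost /etc/apache2/sites-available/000-default.conf example.com \
#       you@example.com /var/www /etc/apache2/sites-available
#   sudo a2ensite example.com.conf && sudo service apache2 restart
```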
Server Security

You've got all of your website files uploaded to your server. Unless you really don't care whether someone attacks your website, I would assume that you want to implement a few security provisions – we will start with your firewall.

The firewall is your first line of defence against the bad guys that are trying to attack your system. Ubuntu has an inbuilt firewall called the Uncomplicated Firewall (UFW). As the name suggests, it's pretty straightforward and uncomplicated. The below table shows some of the commands you can use to manage your firewall.

Command                                                Description
ufw enable                                             enables the firewall
ufw disable                                            disables the firewall
ufw status                                             show the status of the firewall and all rules
ufw allow port                                         allow a particular port of the firewall
ufw allow ssh                                          open the SSH port of the firewall
ufw allow www                                          open port 80 for web traffic
ufw deny port                                          close port on the firewall
ufw deny from ip                                       restrict access from a particular IP
ufw reject out ssh                                     reject outgoing ssh traffic
ufw delete reject out ssh                              delete a rule
ufw reset                                              reset all firewall settings back to default
ufw deny proto tcp from 12.34.56.78 to any port 22     deny tcp traffic from a particular IP to port 22
ufw app list                                           list of applications with a ufw profile
ufw app info name                                      view information in the application profile
ufw allow name                                         allow the application profile
ufw logging on                                         print firewall messages to the system log

For now, we will simply block everything except for web traffic and SSH connections. To do this, open your server terminal (through SSH) and type the below commands.

• ufw enable
• sudo ufw allow ssh
• sudo ufw allow www
As a further enhancement to security on your server, you can block SSH access for your root user. This user has maximum privileges, so you don't want to make it accessible to the world. Before you restrict this, you'll need to make sure that you have another administrative user (referred to as su (super user)) that you can use in the place of root. To add a user to the sudo group just type 'sudo adduser <username> sudo' into your terminal.

Now, if you SFTP to your server and navigate to /etc/ssh, you will find a file called sshd_config. If you open this file, you will see a line that says 'PermitRootLogin'. Remove 'yes' and replace this with 'no'. This stops anyone from connecting to the server through SSH using the root username and password. For these changes to take effect, you'll need to restart the SSH service on your server.

You can do this by typing 'sudo service ssh restart' into the terminal. You should now find that your root login no longer works (both over SFTP and SSH).
Server Performance

Swap file

Now that you have your security looking good, I'll show you how to configure your server for more consistent performance. I find that the best way to do this is through a swap file. Essentially, a swap file is a dedicated portion of your hard drive which is used as an extension of your RAM, helping to alleviate any memory constraints you might have. This is particularly useful for PHP websites with high load (e.g. a popular Wordpress website). In order to set up your swap file, take a look below.

1. Check whether you already have a swap file by typing 'free -m' into the terminal
2. The swap file can be created with the following command (this command may take a few seconds to run). This essentially builds a file of the specified size (in this case 2GB): 'sudo dd if=/dev/zero of=/swapfile bs=1G count=2'
3. Let's check that the space has been allocated by using: 'ls -lh /swapfile'

Now we have our swap file created, we just need to enable it.

1. Adjust permissions by typing 'sudo chmod 600 /swapfile'
2. Verify the output with 'ls -lh /swapfile'
3. Set up the swap space with 'sudo mkswap /swapfile'
4. Enable the file with 'sudo swapon /swapfile'
5. Verify that the process was successful with 'sudo swapon -s'

When we reboot, the file will not automatically be enabled. To make that happen, edit the file with 'sudo nano /etc/fstab' and add '/swapfile none swap sw 0 0' at the bottom of the file.
Cloudflare

Further to setting up a swap file, you can enable better website performance through the use of a content delivery network (CDN) like Cloudflare. This tool enables you to cache your entire website (meaning it loads faster for visitors) and also lets you asynchronously load your JavaScript and CSS files – leading to much shorter load times.

The Cloudflare servers are positioned in strategic locations across the globe. That means that no matter where in the world your customers are, they'll be routed to the closest possible server, reducing latency and improving response times. In addition to the performance improvements, Cloudflare also has many security features which could help you protect against brute force attacks.
Managing your databases

If you're migrating an existing website or application to your new server, you may have an existing MySQL database. If you're not migrating, you might want to create a new database. Either way, the best way to do that is through PHPMyAdmin. The reason I like this tool so much is that it applies a nice user interface to a relatively complex procedure.

Before you get started, you'll need to know what your MySQL root password is. This is created automatically during the installation of the LAMP stack. You can find the root password within the following file: /etc/motd.tail.

In order to install PHPMyAdmin, just follow the steps below (the install process is covered in more detail in the 'advanced commands' section of this ebook):

1. sudo apt-get -y update
2. sudo apt-get -y install phpmyadmin

During the installation, you'll be prompted to answer a few questions. The first of those questions asks you which web server you're using – if you've been with us since the beginning of this guide, you are running Apache2. For the next question, just hit yes – this will configure PHPMyAdmin so that it's usable. The next two screens will ask you for passwords: the first is the MySQL root password that you found in the motd.tail file (as above) and the second is the password that you would like to use to log in to PHPMyAdmin.

That should be it, the installation is complete. All you need to do now is make a few Apache configuration amendments.

1. Locate the file /etc/apache2/apache.conf
2. Add the line 'include /etc/phpmyadmin/apache.conf' to the bottom of the file
3. From the terminal run: 'sudo service apache2 restart' to restart the Apache server with your new configuration.

You should now be able to navigate to www.yourdomain.com/phpmyadmin – why not go ahead and log in.
Advanced Commands

Install, update and remove packages

If you're looking to manage your Ubuntu servers effectively, you'll probably want to install some management software (such as Ajenti). You can do this through the Ubuntu package management system. The package management system is a derivative of that used in Debian Linux, whereby each package will contain all of the required files, data and instructions to deploy a new piece of software to your system.

The process to install and upgrade software will vary, depending on what you're trying to install. However, the commands available to you through the Ubuntu terminal are always the same and are outlined below.
DPKG

The first command is dpkg – this particular tool can help you to install or remove software from your Ubuntu OS. However, it will not automatically download and install dependencies that your software may have (for example Wordpress is dependent on MySQL). This tool is therefore best used for those packages that are local to your machine.

Command: dpkg -l
Description: This command lists all of the packages that are currently installed on your system.

Command: dpkg -l | grep apache2
Description: To find out if a specific package is installed (without trawling through the entire list of installed packages), you'll want to use the grep function. This lets you search for a specific package name (in this case Apache).

Command: dpkg -L apache2
Description: This particular function lists all of the files which are installed by a package.

Command: dpkg -S
Description: This command will tell you which package installed a particular file. For example: dpkg -S /var/www/config.conf. The output of this command will show you what package the file 'config.conf' belongs to.

Command: sudo dpkg -i filename.deb
Description: If you've downloaded a .deb package file to your system, you can use this command to install it.

Command: sudo dpkg -r packagename
Description: While it is not recommended that you use dpkg to remove packages (because it will not manage dependencies), you can do it.
Apt-Get

The apt-get command works with Ubuntu's Advanced Packaging Tool (APT) to help install and upgrade packages. You can add packages to your sources list (/etc/apt/sources.list).

Command: sudo apt-get install packagename
Description: To install a package you simply use the command above. You can add multiple packages in a single command, just put a space between each of the package names.

Command: sudo apt-get remove packagename
Description: To remove a package, you just replace the word 'install' with 'remove'. You can add multiple packages in a single command, just put a space between each of the package names.

Command: sudo apt-get update
Description: A package index is a list of available packages, as defined in your /etc/apt/sources.list file. To update this, you can just type the command above.

Command: sudo apt-get upgrade
Description: After you've updated your package index (as above), you can update all of the out of date packages on your system.

Whenever you run an apt-get command, it makes a log of what you did. This can be found under /var/log/dpkg.log.
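
The log mentioned above holds one line per package action, which makes it a useful audit trail of what was added to or removed from a server. The script below is an added example, not part of the original ebook: it summarises those actions and lists packages that were freshly installed and are still present. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ebook. Function names are hypothetical and
# the log lines are constructed samples in the dpkg.log line format:
#   DATE TIME ACTION PACKAGE OLD-VERSION NEW-VERSION

sample_dpkg_log() {
    cat <<'EOF'
2014-06-02 10:15:01 startup archives unpack
2014-06-02 10:15:02 install phpmyadmin:all <none> 4:4.0.10-1
2014-06-02 10:15:03 status unpacked phpmyadmin:all 4:4.0.10-1
2014-06-02 10:15:04 configure phpmyadmin:all 4:4.0.10-1 <none>
2014-06-02 10:15:05 status installed phpmyadmin:all 4:4.0.10-1
2014-06-02 10:20:00 install ethtool:amd64 <none> 1:3.13-1
2014-06-03 09:00:10 upgrade openssl:amd64 1.0.1f-1ubuntu2 1.0.1f-1ubuntu2.1
2014-06-04 11:30:00 remove ethtool:amd64 1:3.13-1 <none>
EOF
}

# dpkg_changes LOGFILE [SINCE_DATE]
# One line per install, upgrade, remove or purge on or after SINCE_DATE
# (YYYY-MM-DD). "status", "configure" and "startup" lines are skipped.
dpkg_changes() {
    awk -v since="${2:-0000-00-00}" '
        ($1 "") >= since &&
        ($3 == "install" || $3 == "upgrade" || $3 == "remove" || $3 == "purge") {
            printf "%s %s %-8s %s %s -> %s\n", $1, $2, $3, $4, $5, $6
        }' "$1"
}

# dpkg_net_added LOGFILE [SINCE_DATE]
# Packages whose first action in the window was a fresh install (old
# version "<none>") and whose most recent action was not remove/purge.
dpkg_net_added() {
    awk -v since="${2:-0000-00-00}" '
        ($1 "") < since { next }
        $3 == "install" && $5 == "<none>" && !($4 in seen) { fresh[$4] = 1 }
        $3 == "install" || $3 == "upgrade" { seen[$4] = 1; present[$4] = 1 }
        $3 == "remove"  || $3 == "purge"   { seen[$4] = 1; present[$4] = 0 }
        END { for (p in fresh) if (present[p]) print p }
    ' "$1" | sort
}

# On a server:
#   dpkg_changes /var/log/dpkg.log 2014-06-01
#   dpkg_net_added /var/log/dpkg.log
```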
Aptitude

Install, remove and upgrade commands can be carried out with single-key commands through a menu driven interface (making life a little bit simpler for those of us that dislike the terminal). To open aptitude just type 'sudo aptitude' into the terminal. You can exit aptitude by typing 'q' into the terminal.

Command: Install a package
Description: You can locate the package you want to install via the 'not installed packages' menu (by using keyboard arrows). When you hit enter, the package line will turn green (this means it has been marked for installation). If you press the 'g' button, you'll receive a summary of the actions you're about to take (i.e. the install). By pressing 'g' one more time, you'll kick off the install.

Command: Remove a package
Description: You can locate the package you want to remove via the 'installed packages' menu (by using keyboard arrows). Select the package that you would like to remove and press the '-' key. This will result in the package being highlighted in pink. If you press the 'g' button, you'll receive a summary of the actions you're about to take (i.e. the uninstall). By pressing 'g' one more time, you'll kick off the removal.

Command: Update package index
Description: As mentioned above, the package index houses a list of all the available packages. To update this list just press the 'u' key.

Command: Upgrade packages
Description: Once you've updated the list, you'll want to upgrade the packages on your system. To do this, press the 'u' key on all of the packages with updates. If you press the 'g' button, you'll receive a summary of the actions you're about to take (i.e. the upgrades). By pressing 'g' one more time, you'll kick off the upgrade.

The package list uses the below key to describe the state of the packages:

Key   Description
i     Installed
c     Not installed (but config remains on system)
p     Purged
v     Virtual
B     Broken
u     Unzipped but not configured
C     Part configured
H     Part installed
Network configuration

Ubuntu is a very versatile distribution of the Linux operating system, and as such you have a lot of flexibility over your network configuration. This is an area of the operating system that you can't just pick up and understand. Even with a guide like this, you'll probably want to test your changes on a development / test environment before hitting a live site with your new skills. I'll keep this section light as most of the network configuration is handled by cloud hosts through a visual interface.
Ethernet

You can have several Ethernet interfaces configured on your server. These are identified by the naming convention ethX (X is replaced with a numeric value to help identify your connection, starting with eth0).

Command: ifconfig -a | grep eth
Comments: Helps you to identify all available ethernet interfaces. This particular command will list the MAC address of the hardware and provide the ethernet interface id (ethX).

Command: sudo lshw -class network
Comments: This provides you with a more in depth view of the above. It'll let you know more details about the product (including the vendor) and it'll also detail size, capacity and configuration.

Command: sudo apt-get install ethtool
Comments: Ethtool is a management tool that will let you change ethernet card settings (e.g. port speed). Using the command above, you'll be able to install it.

Changes made using ethtool are temporary and will be wiped on reboot. If you'd like to retain your changes, you can add the command you ran in ethtool (as a pre-up statement) to the ethernet interface configuration file, which can be found here: /etc/network/interfaces. An example pre-up statement (taken from the official Ubuntu documentation) is shown below. This statement will permanently configure port speed to 1,000 mb/s running on full duplex mode.

pre-up /sbin/ethtool -s eth0 speed 1000 duplex full
IP Addresses

If you're using a cloud service such as AWS or Digital Ocean, then the likelihood is that they will cover this section for you. My instances are always created with public and private IP addresses already assigned and configured, so I'll assume that yours are too!
Remote Administration

The first, and most useful, bit of configuration you can do is around remote administration. I mean, you can't be sitting next to your server all the time – imagine if it goes down at 3am! I know I would much rather get up and sit in my pyjamas at home than jump in the car and drive to my data centre. That being said, we need to ensure that we have secure methods of administering our servers remotely.
SSH

SSH is a standard and secure method of administering servers remotely. This protocol enables you to run commands directly in the server terminal and also enables you to shift files to and from your server. Open SSH (or equivalent) will already be installed on your Digital Ocean instances, enabling SSH – but, just in case you have your own, completely blank server, please follow the below.

Open SSH

A freely available version of SSH is OpenSSH, which provides a secure and encrypted SSH service to manage your servers. The way that OpenSSH works is it continuously listens for clients trying to connect with it. When it hears a client shouting 'LET ME CONNECT!' it authenticates the client and lets the user carry out their business.

Installing OpenSSH is simple:

1. sudo apt-get install openssh-client
2. sudo apt-get install openssh-server

Once all that is done you'll need to edit your sshd_config file. This can be done through the terminal or it can be done by using an FTP client to download the file, make changes in notepad and upload the file to the server again – whichever option you prefer.

You don't have to change anything, but by leaving your SSH port as port 22, you're giving your potential hacker something to work with - they know it's port 22, so they know where they should start. So, let's get that changed.

Within the sshd_config file (found under /etc/ssh/), change the port number from 22 to a port of your choice, e.g. 7626. Once you've done that, type 'sudo service ssh restart' into your terminal and then type 'ufw allow <your chosen port number>'. Try to SSH through port 22 - it should be blocked.
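
Both sshd_config changes described in this guide (PermitRootLogin in the Server Security section and the port change above) can be checked from the file before restarting the service. The script below is an added example, not part of the original ebook; the function names and both sample files are constructed for illustration. It shows a common pitfall: appending new lines instead of editing the existing ones leaves root login enabled, because sshd uses the first value it reads for a keyword, and leaves port 22 open, because every Port line is honoured.

```shell
#!/bin/sh
# Added example, not from the ebook. sshd_values, audit_sshd and the two
# sample files are hypothetical names and constructed data.

sample_weak() {
    cat <<'EOF'
# constructed sample: new lines were appended, old ones left in place
Port 22
PermitRootLogin yes
Port 7626
permitrootlogin no
Match User deploy
    PermitRootLogin no
EOF
}

sample_hardened() {
    cat <<'EOF'
# constructed sample
Port 7626
PermitRootLogin no
EOF
}

# sshd_values FILE KEYWORD
# Print every value given for KEYWORD (case-insensitive) in the global
# part of FILE, i.e. before the first Match block, in file order.
sshd_values() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }            # strip leading whitespace
        /^#/ || /^$/ { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }   # Match blocks are conditional
        tolower($1) == want { print $2 }
    ' "$1"
}

# audit_sshd FILE
# Returns 0 only if root login is set to "no" and port 22 is not in use.
audit_sshd() {
    as_rc=0
    # Single-valued keyword: the first occurrence is the one sshd uses.
    as_root=$(sshd_values "$1" PermitRootLogin | head -n 1)
    # Port may be repeated; sshd listens on every port listed.
    as_ports=$(sshd_values "$1" Port | tr '\n' ' ')
    as_ports=${as_ports% }

    case $as_root in
        no) echo "OK   PermitRootLogin no" ;;
        '') echo "WARN PermitRootLogin not set, built-in default applies"
            as_rc=1 ;;
        *)  echo "FAIL PermitRootLogin $as_root"; as_rc=1 ;;
    esac

    case " ${as_ports:-22} " in
        *" 22 "*) echo "FAIL listening on port 22 (ports: ${as_ports:-22 by default})"
                  as_rc=1 ;;
        *)        echo "OK   Port $as_ports" ;;
    esac
    return $as_rc
}

# On a server, before 'sudo service ssh restart':
#   audit_sshd /etc/ssh/sshd_config
#   sudo sshd -t     # syntax check of the configuration
```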
SSH Keys

To add security to your server, you'll want to use SSH keys. Essentially, this provides two encrypted keys (public and private). When these keys are brought together, they authenticate and allow you access to the server. This is much more secure than a simple password as it is harder to break into your server through brute force attacks.

In order to generate your SSH keys simply type: ssh-keygen -t rsa into the terminal on your desktop. This will generate an RSA key which will be stored (by default) at ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).

In order to use these keys, you'll need to copy your id_rsa.pub to your server and append it to the existing file by entering: ssh-copy-id username@remotehost. You can grant permissions to this file on your server by typing: chmod 600 .ssh/authorized_keys.

If everything has worked as expected, you'll now be able to remote to your server without being prompted for a password.
Puppet

Puppet is a configuration management solution that enables you to define and enforce the state of your infrastructure. It can help to define every step of the infrastructure lifecycle, from provisioning machines (physical and virtual) to reporting, testing, provisioning updates and production releases. This enables us to ensure that we have consistency, reliability and stability in our infrastructure.

There are hundreds of detailed Puppet guides across the web, so I won't go into any more detail here. The purpose of this guide is to help you understand the different components of Ubuntu and use the most important of those components, rather than being an all in one guide to everything.