Ubuntu 18.04 LAMP Setup

Note: Because this is my personal cheat sheet, I’m installing a few PHP modules that you may not need if you’re not running SilverStripe 4.x.x. Otherwise this is a pretty standard and secure LAMP installation.

SECURITY FIRST: Add a sudo user, require public key authentication and disable root login

Log into the remote machine as root: ssh root@<server-ip>

First, add the admin user.

adduser <username>

Add user to sudo’ers:

gpasswd -a <username> sudo

Add your public key (the .pub file) to the new user’s authorized_keys and set permissions. Use the same <username> throughout; with the default StrictModes yes, sshd refuses to use the file if the directory or the file is writable by anyone other than the owner:

mkdir -p /home/<username>/.ssh

nano /home/<username>/.ssh/authorized_keys

Paste your public key into the authorized_keys file and save.

chown -R <username>:<username> /home/<username>/.ssh

chmod 700 /home/<username>/.ssh

chmod 600 /home/<username>/.ssh/authorized_keys

Edit the SSH daemon configuration to allow public key authentication only and disable password login (Ubuntu 18.04 ships OpenSSH 7.6, which has no Include directive, so the settings go in the main file):

nano /etc/ssh/sshd_config

Set this parameter to ‘yes’:

PubkeyAuthentication

Set these parameters to ‘no’:

PermitRootLogin, ChallengeResponseAuthentication, PasswordAuthentication

Leave UsePAM at ‘yes’. Ubuntu’s own sshd_config comments say PAM is still needed for account and session processing; with PasswordAuthentication and ChallengeResponseAuthentication both set to ‘no’, PAM cannot be used to log in with a password. sshd uses the first value it finds for each keyword, so make sure the line you set is the first uncommented one for that keyword and comment out any duplicates.

Save and close, then reload the SSH daemon (you are still root here, so sudo is not needed, but it does no harm):

sudo service ssh reload

Do not log out of this root session yet. From a second terminal on your workstation, connect as the new user. You should get a shell without a password prompt (your ssh-agent may ask for the key’s passphrase, which is a different thing):

ssh <username>@<server-ip>

From a machine that does not hold the private key, or when trying to log in as root, the server now refuses with: Permission denied (publickey)

Only once key login works, exit the root session:

exit

Lock the root password

PermitRootLogin no already blocks root over SSH; locking the password also blocks root logins at the console and on any other service that checks the password. As the admin user:

sudo passwd -l root

You will be prompted for your own (sudo) password. sudo keeps working for the admin user, because it authenticates with that user’s password, not root’s.
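The whole sshd_config step above, as an added example that is not part of the original cheat sheet: a script that applies the four settings to the file idempotently, respects Match blocks, reads back the values sshd would actually use, and (with --apply) validates the result with sshd -t before reloading, so a typo cannot lock you out. It assumes OpenSSH 7.6 on Ubuntu 18.04 and the default path /etc/ssh/sshd_config; the sample config it tests against is constructed here and only resembles Ubuntu’s default file.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet. Assumes OpenSSH 7.6 on
# Ubuntu 18.04 (no Include directive) and the path /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE
# Rewrites the first occurrence of KEY (commented or not) as "KEY VALUE",
# comments out any later active duplicate, and appends the line if KEY is
# absent. Lines inside a Match block are left alone: they have their own
# scope, and sshd takes the first value it sees for each keyword.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key); done = 0; inmatch = 0 }
        !inmatch && tolower($1) == "match" {          # first Match block begins here
            if (!done) { print key " " value; done = 1 }
            inmatch = 1
        }
        {
            line = $0
            commented = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)          # strip indent and a leading "#"
            split(line, parts, /[ \t=]+/)             # "Key value" or "Key=value"
            if (!inmatch && tolower(parts[1]) == lkey) {
                if (!done)           { print key " " value; done = 1 }
                else if (!commented) { print "#" $0 }  # disable a stray active duplicate
                else                 { print }
                next
            }
            print
        }
        END { if (!done) print key " " value }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"     # write through, so the file keeps its owner and mode
    rm -f "$tmp"
}

# harden_sshd_config FILE: the settings from the steps above.
harden_sshd_config() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    # UsePAM is deliberately left at yes (Ubuntu needs PAM for account and
    # session handling); the two "no" settings above are what stop password logins.
}

# sshd_option FILE KEY: print the global value sshd would use (first active
# line before any Match block), or nothing if the keyword is unset.
sshd_option() {
    awk -v lkey="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == lkey { print $2; exit }' "$1"
}

# Constructed sample in the shape of the Ubuntu 18.04 default file; the
# Match block at the end is there to show that its scope is respected.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
EOF
}

# On the server, as root:  sh harden_sshd.sh --apply
# Backs up the live file, rewrites it, validates with `sshd -t` (a broken file
# would otherwise lock you out on reload) and only then reloads. Keep your
# current session open and test key login from a second terminal.
if [ "${1:-}" = "--apply" ]; then
    cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t && service ssh reload
fi
```

Running it twice produces a byte-identical file, which is what makes it safe to re-run after every OpenSSH package upgrade that touches sshd_config.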

SECURITY SECOND: Add a firewall.

sudo apt-get install ufw

Make sure IPv6 is enabled, so that the rules below are applied to IPv6 as well (you are using IPv6, correct?). Ubuntu’s default is already yes; if it reads no, fix it before enabling ufw.

sudo nano /etc/default/ufw

IPV6=yes

Save and close and set up rules.

Allow connections:

sudo ufw allow <port>/<optional: protocol>

Examples:

sudo ufw allow 80/tcp
sudo ufw allow 80
sudo ufw allow www

The first and third open TCP port 80 only (www is looked up in /etc/services); the bare port number opens both TCP and UDP.

Deny Connections:

sudo ufw deny <port>/<optional: protocol>

Example:

sudo ufw deny 3306 (Deny default MariaDB/MySQL port)

With the default-deny policy set below, an explicit deny for 3306 is redundant, but it documents the intent. On Ubuntu 18.04 MariaDB also binds only to 127.0.0.1 by default (bind-address in /etc/mysql/mariadb.conf.d/50-server.cnf), so it is unreachable from outside even without the rule.

Start by denying all incoming and enabling all outgoing:

sudo ufw default deny incoming

sudo ufw default allow outgoing

Then allow incoming for services you need:

sudo ufw allow ssh

sudo ufw allow http

sudo ufw allow https

Finally, enable the firewall. ufw warns that this may disrupt existing SSH connections; because the ssh rule was added above, the current session survives. On a remote machine, never enable ufw before allowing ssh.

sudo ufw enable

Common inbound ports to leave open

  • 80 http
  • 443 https
  • 22 ssh

Common inbound ports to close

  • everything else
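The “everything else is closed” policy is only half the story: the firewall blocks inbound traffic, but services that only need local clients (MariaDB, Postfix used for PHP mail) should not be listening on external addresses at all. The following check, an added example that is not part of the original cheat sheet, parses `ss -Htlnp` output and reports every listener bound to a non-loopback address on a port outside the allow list. The sample output it runs against is constructed here to look like a LAMP host where MariaDB was rebound to 0.0.0.0 and Postfix kept the installer’s “Internet Site” default.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet. Input is the output of
# `ss -Htlnp` (TCP listeners, IPv4 and IPv6, numeric, no header, with process).

# audit_listeners "22 80 443"  < ss-output
# Prints "PORT ADDRESS" for each externally reachable listener whose port is
# not in the list; exits 1 if there were any, 0 when everything is accounted for.
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, /[ ,]+/); for (i = 1; i <= n; i++) ok[a[i]] = 1; bad = 0 }
        $1 != "LISTEN" { next }                      # skip a header line or other states
        {
            local_addr = $4                          # 0.0.0.0:22, [::]:22, *:80, 127.0.0.1:3306 ...
            i = match(local_addr, /:[0-9]+$/)        # split on the last colon (IPv6 has many)
            if (i == 0) next
            port = substr(local_addr, i + 1)
            addr = substr(local_addr, 1, i - 1)
            gsub(/\[|\]/, "", addr)                  # [::1] -> ::1
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only: fine
            if (!(port in ok)) { print port " " addr; bad = 1 }
        }
        END { exit bad }'
}

# Constructed sample of `ss -Htlnp` output. Apache and sshd are where the
# allow list expects them; MariaDB on 0.0.0.0 and Postfix on 0.0.0.0 are not.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=612,fd=3))
LISTEN 0 128  [::]:22       [::]:*     users:(("sshd",pid=612,fd=4))
LISTEN 0 128  *:80          *:*        users:(("apache2",pid=901,fd=4))
LISTEN 0 128  *:443         *:*        users:(("apache2",pid=901,fd=6))
LISTEN 0 80   0.0.0.0:3306  0.0.0.0:*  users:(("mysqld",pid=733,fd=21))
LISTEN 0 100  0.0.0.0:25    0.0.0.0:*  users:(("master",pid=1040,fd=13))
LISTEN 0 100  [::1]:25      [::]:*     users:(("master",pid=1040,fd=14))
EOF
}

# On the server:  ss -Htlnp | audit_listeners "22 80 443"
# Against the sample above it reports "3306 0.0.0.0" and "25 0.0.0.0".
```

A non-zero exit makes the check usable from cron or a deploy pipeline. When it flags a port, the fix is in the service’s own configuration (bind-address for MariaDB, inet_interfaces for Postfix), not another firewall rule.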

LAMP installation and setup (mod_php)

Install Apache

sudo apt-get update

sudo apt-get install apache2 -y

Install MariaDB

sudo apt-get install software-properties-common

(Only needed if you add a third-party repository; it provides add-apt-repository. The Ubuntu 18.04 archive itself ships MariaDB 10.1.)

sudo apt install mariadb-server mariadb-client

If the installer prompts for a MariaDB root password, leave it blank: on Ubuntu the database root account authenticates through the unix_socket plugin, which lets only the system root user (via sudo) in.

Run the MySQL secure installation

sudo mysql_secure_installation

The script offers to set a root password and to remove the anonymous users, remote root login and the test database; accept the removals. Because root authenticates through unix_socket, the password is not what protects that account: access to it is controlled by who can run sudo. In the next step you will create a non-root user for the application, and that user authenticates with a password.

  1. Database creation

Log into MariaDB (root authenticates over the unix socket, so no password is asked for):

sudo mysql -u root

Create a new database:

CREATE DATABASE mydb;

  2. User creation

CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'newuserpassword';

  3. Grant all privileges on that one database to the new user. The @'localhost' part restricts the account to connections from the local machine, which is the most secure and the most common configuration for a web application that runs on the same host as its database:

GRANT ALL PRIVILEGES ON mydb.* TO 'newuser'@'localhost';

  4. Apply the changes

FLUSH PRIVILEGES;

(CREATE USER and GRANT take effect immediately; FLUSH PRIVILEGES is only strictly required after editing the grant tables directly, but it does no harm here.)

Exit MySQL:

exit;
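Steps 1 to 4 as a script, added here as an example that is not part of the original cheat sheet: it generates a random password, validates the database and user names so they cannot smuggle SQL into the generated statements, escapes the password as a SQL string literal, and restricts the user to localhost and to the one database. It assumes MariaDB 10.1 as shipped with Ubuntu 18.04 (which has CREATE USER IF NOT EXISTS) and that `sudo mysql` reaches the root account over the unix socket.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet. Assumes MariaDB 10.1
# (Ubuntu 18.04) and that `sudo mysql` logs in as root over the unix socket.

# random_password: 24 characters from [A-Za-z0-9], drawn from /dev/urandom.
random_password() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# valid_identifier NAME: true only for [A-Za-z0-9_]+, the safe subset for
# database and user names (they are quoted below anyway; this is belt and braces).
valid_identifier() {
    case "$1" in
        "" | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# sql_escape STRING: escape backslashes and single quotes for a '...' literal.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# provision_db_sql DBNAME USER PASSWORD: print the SQL for steps 1-4; fail on a bad name.
provision_db_sql() {
    db=$1; user=$2; pass=$3
    valid_identifier "$db"   || { echo "provision_db_sql: bad database name" >&2; return 1; }
    valid_identifier "$user" || { echo "provision_db_sql: bad user name" >&2; return 1; }
    esc=$(sql_escape "$pass")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$esc';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# On the server:
#   PW=$(random_password)
#   provision_db_sql mydb newuser "$PW" | sudo mysql && echo "newuser password: $PW"
# The password then goes into the application's own configuration file, which
# must not be world-readable; it is never needed by anyone but the web app.
```

Because the user is created as 'newuser'@'localhost', the password never travels over the network, and the grant on mydb.* means a compromised application cannot read other databases on the same server.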

Install PHP

sudo apt-get install libapache2-mod-php php-gd php-curl php7.2-xml php-mysql php-gettext php-mbstring php-xdebug php-intl

php-xdebug is a development tool: leave it out of a production server, where it only slows PHP down and adds a debugging hook you do not want reachable.

Edit the php.ini that mod_php uses, /etc/php/7.2/apache2/php.ini, and set date.timezone and the upload limits (restart Apache afterwards; mod_php reads php.ini at startup):

date.timezone = America/Los_Angeles

upload_max_filesize = 20M

post_max_size = 20M

For development only:

display_errors = On

Keep display_errors = Off on production servers: error output reveals file paths, SQL and other internals to visitors.

Enable Apache mods

sudo a2enmod rewrite headers deflate expires

Optionally install mailutils

sudo apt-get install mailutils

Postfix is now set up with a default configuration. If you need to make changes, edit /etc/postfix/main.cf

After modifying main.cf, be sure to run ‘/etc/init.d/postfix reload’

The installer’s default (‘Internet Site’) makes Postfix listen on all interfaces. The ufw default-deny policy blocks port 25 from outside, but if the server only needs to send mail from PHP, set inet_interfaces = loopback-only in main.cf so it does not listen externally at all.
