This post is an update to Ubuntu Jaunty Base Server Build, but focuses on Ubuntu Server 10.04 (Lucid). Unfortunately, I was planning on just updating using do-release-upgrade; however, after what seemed like a successful upgrade, the VPS never came back to life and, as it was remote, I could not attempt to fix it. I had planned for failure, so I had a backup of all my instructions on this blog and the data too.
The aim is to provide a basic build that is secure for living out on the internet, has a basic web server stack (i.e. LAMP: Apache HTTP Server, MySQL, PHP) and any other useful basic utilities. Future posts will rely on this build when covering additional application installations.
The initial image I was given was Ubuntu Server 10.04 with root being the only interactive user (i.e. able to log on). ssh was available using passwords. Apache2 and PHP packages were installed in addition to the essentials. The following command can be run to provide information about the installation, which may be of use when asking for help on forums:
Note: It is best practice to log into the server as a non-root user and, when necessary, use elevated permissions through the sudo command. The standard Ubuntu installation does not expose the root user; instead, you create a user during the installation and log in using that user. Setting up the user is covered in a later section called Users and Sudoers. Regardless of this, all commands that require sudo have been prefixed with it, as it is good practice to get used to this.
Ubuntu uses apt as its default package manager. Run the following commands to upgrade the installed packages to the latest version.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
For more information visit the Ubuntu Community Documentation AptGet HowTo
The server can also be configured to apply automatic updates for certain categories of updates, e.g. all, security. Alternatively, the apticron package can be used for notification of any updates that are available. See automatic updates in the server guide for more details.
Additional util packages
The following packages are also useful to have installed, so run the following command:
sudo apt-get install nano bash-completion aptitude curl
It's a good idea to give your machine the correct hostname as early as possible. Some packages may use the hostname during installation, so if you change it later you may encounter some issues.
The simplest way to set the hostname permanently is to modify (or create if not present) the /etc/hostname file:
echo servername.domainname | sudo tee /etc/hostname
The above command will take effect after a reboot. You can also change the hostname for the current boot of the VPS using the hostname command:
sudo hostname servername.domainname
You also need to update /etc/hosts with DNS entries and aliases like the following:
127.0.0.1 localhost.localdomain localhost
127.0.1.1 servername.domainname alias.domainname
The following commands should respond suitably:
uname -n
hostname -a
hostname -s
hostname -d
hostname -f
hostname
Correcting the server time
Depending on the image used, the server may be in the wrong timezone. Run the following commands to reconfigure and utilise NTP to sync the clock:
sudo dpkg-reconfigure tzdata
sudo apt-get install ntpdate
Note that if the time is still incorrect but the server is in the correct timezone, it may require a change by the VPS provider to fix the host machine's clock.
For more information visit the Ubuntu Community Time documentation.
Users and Sudoers
Sudoers controls who can run what commands as which users on which machines. Therefore, it is good practice to create an administrator with the appropriate permissions and use sudo as required.
Run the following command to add a user:
sudo adduser <username>
Add the user to additional groups as required, e.g.:
sudo usermod -a -G sudo,adm,www-data <username>
By adding the user to the sudo group, the user should be granted full sudo privileges. If this is not the case, or you wish to modify the privileges, then modify /etc/sudoers accordingly using
Adding the following entry would give the user the same rights as root:
username ALL=(ALL) ALL
For more information visit the Ubuntu Community Documentation Sudoers Guide.
Note: now that you have a user, it would be a good idea to log out as root and log in as the new user in line with best practices.
Email is used as a primary notification mechanism for Linux; however, by default, email is stored on the server. If you do not intend to set the server up as an email server (e.g. POP3 or IMAP), it is useful to forward email to an appropriate external email address. There are two main approaches to this (with sendmail, which is the default MTA):
- root maintains email addresses in /etc/aliases
- each user maintains their email address in ~/.forward
It is also possible to combine the two approaches, by aliasing root to a given user and then letting that user allocate the email address as they see fit.
This is covered in the man pages for aliases:
e.g. alias root to another user, edit
e.g. alias root to external email addresses (comma separated), edit
root: firstname.lastname@example.org, email@example.com
Note: after modifying /etc/aliases you must run newaliases to refresh the alias database for the changes to take effect, e.g.:
The simplest way to do this is to log in as the user required and run the following command (replacing the email address as appropriate):
echo firstname.lastname@example.org > ~/.forward
Secure Shell (SSH)
Secure shell (ssh) is the de facto standard for remote shell access.
You can connect to a remote machine using the following command:
You will usually be prompted for your password.
Rather than using a password, you can use key-based authentication. On your client machine, create a key and use a strong passphrase:
ssh-keygen -v -t rsa
This will create a ~/.ssh directory containing id_rsa, which is your private key, and id_rsa.pub, which is your public key. It's important to have the correct permissions, so check that the output of ls -la ~/.ssh is similar to the following entries:
drwx------ 5 user group 170 22 Mar 07:04 .
-rwx------ 1 user group 1743 22 Mar 07:04 id_rsa
-rwxr--r-- 1 user group 397 22 Mar 07:04 id_rsa.pub
You can copy your public key up to a server using the following command:
scp ~/.ssh/id_rsa.pub username@hostname:~/.ssh/authorized_keys
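The scp command above replaces any authorized_keys file that already exists on the server, and it fails if ~/.ssh is missing there. As an added example (not from the original post), the hypothetical install_pubkey helper below appends the key instead and sets owner-only permissions; it assumes the public key has first been uploaded to some other path on the server.

```shell
#!/bin/sh
# Added example: install_pubkey is a hypothetical helper, not from the post.
# Run it on the server as the account that will log in with the key.
install_pubkey() {
    pubkey_file=$1            # uploaded copy of id_rsa.pub
    home_dir=${2:-$HOME}      # assumption: defaults to the caller's home
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    # Refuse a private key uploaded by mistake.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "$pubkey_file looks like a private key" >&2
        return 1
    fi

    # Owner-only permissions on the directory and the key list.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1
    chmod 600 "$auth_file" || return 1

    # If the existing file lacks a final newline, add one so keys do not merge.
    if [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi

    # Append each key only if that exact line is not already present.
    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"
    done < "$pubkey_file"
    return 0
}
```

Running it a second time with the same key leaves the file unchanged, so it is safe to repeat.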
You should now be able to ssh to the server without being challenged for a password, e.g:
Depending on the client and your preference, you can either enter the passphrase for your private key each time you connect, or run ssh-agent and register the key using
sshd is the ssh daemon and is responsible for providing ssh access to the server. It's important to ensure that this is as secure as possible. There are a number of articles out there about changing the configuration of sshd to make it more secure; in particular, I like to turn off password authentication (forcing the use of public/private key pairs) and disable root login. Of course, before making these changes you should ensure that you have a suitable user who can log in using a key that you have tested, otherwise you may lock yourself out permanently.
The configuration for sshd is found at /etc/ssh/sshd_config. Modify it to have the following lines:
PasswordAuthentication no
PermitRootLogin no
Restart sshd for your changes to take effect:
sudo /etc/init.d/ssh restart
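sshd uses the first value it reads for each keyword, so a "no" line added below an existing "yes" line has no effect. This added example (not from the original post) defines two hypothetical helpers, sshd_effective and sshd_lockdown_ok, that report the global value in a config file and check the two settings above; it stops at the first Match block and does not follow Include files.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not from the post.
# Print the global value sshd will use for one keyword, or nothing if unset.
sshd_effective() {
    keyword=$1
    config=${2:-/etc/ssh/sshd_config}
    awk -v want="$keyword" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        { key = tolower($1) }              # keywords are case-insensitive
        key == "match" { exit }            # later lines apply conditionally
        key == want { print tolower($2); exit }   # first value wins
    ' "$config"
}

# Return 0 only if both settings from the post are in force globally.
sshd_lockdown_ok() {
    config_file=${1:-/etc/ssh/sshd_config}
    status=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_effective "$kw" "$config_file")
        if [ "$val" = "no" ]; then
            echo "ok:   $kw no"
        else
            # An unset keyword falls back to the built-in default, so flag it.
            echo "FAIL: $kw ${val:-unset, built-in default applies}"
            status=1
        fi
    done
    return $status
}
```

Run sshd_lockdown_ok with no argument to check /etc/ssh/sshd_config, and keep your current session open until a key-based login from a second terminal succeeds.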
Basic web server stack
The basic stack of Apache HTTP Server (A), MySQL (M) and PHP (P) is known as AMP due to the initials, or LAMP on Linux.
Apache HTTP Server and PHP were already installed and available on the VPS, however, you can make sure by running the following:
sudo apt-get install apache2 php5
As part of the MySQL installation, I like to install phpMyAdmin as this is a really useful admin application. Install mysql server and phpMyAdmin packages, entering suitable values when prompted:
sudo apt-get install mysql-server phpmyadmin
Check connectivity by accessing the site using
phpmyadmin could be used by hackers to brute-force your databases, as it provides a web form for attempting logins. As always, you should use suitably strong passwords to ensure that this is not easily done, and also use suitable permissions for the database users to minimise external access. The best way to avoid attack is to only have phpmyadmin available when you are using it. This can be achieved by removing the symlink in /etc/apache2/conf.d and managing phpmyadmin's availability using the a2ensite and a2dissite commands:
sudo rm /etc/apache2/conf.d/phpmyadmin.conf
sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/sites-available/phpmyadmin
You can then enable it using:
sudo a2ensite phpmyadmin
sudo /etc/init.d/apache2 reload
And disable it using:
sudo a2dissite phpmyadmin
sudo /etc/init.d/apache2 reload
Keeping an eye on utilisation
Disk space can be checked using df. Memory usage can be checked using
Something went wrong
The Ubuntu Server Guide should be able to help you. If not then try to post on a suitable forum or mailing list with as much detail as possible.