Ubuntu Lucid VPS Base Build

This post is an update to Ubuntu Jaunty Base Server Build, but focuses on Ubuntu Server 10.04 (Lucid). Unfortunately, I was planning on just updating using do-release-upgrade; however, after what seemed like a successful upgrade, the VPS never came back to life, and as it was remote I could not attempt to fix it. I had planned for failure, so I had a backup of all my instructions on this blog and the data too.

The aim is to provide a basic build that is secure for living out on the internet, has a basic web server stack (i.e. LAMP: Apache HTTP Server, MySQL, PHP) and any other useful basic utilities. Future posts will rely on this build when covering additional application installations.

Base install

The initial image I was given was Ubuntu Server 10.04 with root being the only interactive user (i.e. able to log on). ssh was available using passwords. Apache2 and PHP packages were installed in addition to the essentials. The following command can be run to provide information about the installation, which may be of use when asking for help on forums:

lsb_release -a

Note: It is best practice to log into the server as a non-root user and, when necessary, use elevated permissions through the sudo command. The standard Ubuntu installation does not expose the root user; instead, you create a user during the installation and log in using that user. Setting up the user is covered in a later section called Users and Sudoers. Regardless of this, all commands that require sudo have been prefixed with it, as it is good practice to get used to this.

Getting up-to-date

Ubuntu uses apt as its default package manager. Run the following commands to upgrade the installed packages to the latest version.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

For more information visit the Ubuntu Community Documentation AptGet HowTo.

The server can also be configured to apply automatic updates for certain categories of updates, e.g. all, security. Alternatively, the apticron package can be used for notification of any updates that are available. See automatic updates in the server guide for more details.

Additional util packages

The following packages are also useful to have installed, so run the following command:

sudo apt-get install nano bash-completion aptitude curl

Configure hostname

It's a good idea to give your machine the correct hostname as early as possible. Some packages may use the hostname during installation, so if you change it later you may encounter some issues.

The simplest way to set the host name permanently is to modify (or create if not present) the /etc/hostname file:

echo servername.domainname | sudo tee /etc/hostname

The above command will take effect after a reboot. You can also change the hostname for the current boot of the VPS using the hostname command:

sudo hostname servername.domainname

You also need to update /etc/hosts with DNS entries and aliases like the following:

127.0.0.1 localhost.localdomain localhost
127.0.1.1 servername.domainname alias.domainname

The following commands should respond suitably:

uname -n
hostname -a
hostname -s
hostname -d
hostname -f
hostname

Correcting the server time

Depending on the image used, the server may be in the wrong timezone. Run the following commands to reconfigure and utilise NTP to sync the clock:

sudo dpkg-reconfigure tzdata
sudo apt-get install ntpdate

Note that if the time is still incorrect but the server is in the correct timezone, it may require a change by the VPS provider to fix the host machine's clock.

For more information visit the Ubuntu Community Time documentation.

Users and Sudoers

Sudoers controls who can run what commands as which users on which machines. Therefore, it is good practice to create an administrator with the appropriate permissions and use sudo as required.

Run the following command to add a user:

sudo adduser <username>

Add the user to additional groups as required, e.g.:

sudo usermod -a -G sudo,adm,www-data <username>

By adding the user to the sudo group, the user should be granted full sudo privileges. If this is not the case, or you wish to modify the privileges, then modify /etc/sudoers accordingly using visudo:

sudo visudo

Adding the following entry would give the user the same rights as root:

username ALL=(ALL) ALL

For more information visit the Ubuntu Community Documentation Sudoers Guide.

Note: now that you have a user, it would be a good idea to log out as root and log in as the new user in line with best practices.

Email forwarding

Email is used as a primary notification mechanism for Linux; however, by default, email is stored on the server. If you do not intend to set the server up as an email server (e.g. POP3 or IMAP), it is useful to forward email to an appropriate external email address. There are two main approaches to this (with sendmail which is the default MTA):

  1. root maintains email addresses in /etc/aliases
  2. each user maintains their email address in ~/.forward

It is also possible to combine the two approaches, by aliasing root to a given user, who can then set the forwarding email address as they see fit.

This is covered in the man pages for aliases:

man aliases

Modifying aliases

e.g. alias root to another user, edit /etc/aliases, adding:

root:           <otheruser>

e.g. alias root to external email addresses (comma separated), edit /etc/aliases, adding:

root:           user1@example.com, user2@example.com

Note: after modifying /etc/aliases you must run newaliases to refresh the alias database for the changes to take effect, e.g.:

sudo newaliases

Creating .forward

The simplest way to do this is to log in as the user required and run the following command (replacing the email address as appropriate):

echo username@example.com > ~/.forward

Secure Shell (SSH)

Secure shell (ssh) is the de facto standard for remote shell access.

Client

You can connect to a remote machine using the following command:

ssh username@hostname

You will usually be prompted for your password.

Rather than using a password you can use key-based authentication. On your client machine, create a key and use a strong passphrase:

ssh-keygen -v -t rsa

This will create a ~/.ssh directory containing id_rsa, which is your private key, and id_rsa.pub, which is your public key. It's important to have the correct permissions, so check that the output of ls -la ~/.ssh is similar to the following entries:

drwx------   5 user  group   170 22 Mar 07:04 .
-rwx------   1 user  group  1743 22 Mar 07:04 id_rsa
-rwxr--r--   1 user  group   397 22 Mar 07:04 id_rsa.pub

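You can copy your public key up to a server using the following command. Note that this replaces any existing authorized_keys file on the server and requires the ~/.ssh directory to already exist there: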

scp ~/.ssh/id_rsa.pub username@hostname:~/.ssh/authorized_keys

You should now be able to ssh to the server without being challenged for a password, e.g:

ssh username@hostname
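
The scp command above writes the key file directly to ~/.ssh/authorized_keys. As an added example (not from the original post), this shell function, run on the server, appends a copied public key instead, keeps existing entries, rejects files that are not public keys, and sets restrictive permissions. The name install_pubkey and its arguments are illustrative.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys without clobbering
# existing entries. install_pubkey and its arguments are illustrative names.
# Usage on the server: install_pubkey /tmp/id_rsa.pub

install_pubkey() {
    pubkey_file=$1               # public key file copied to the server
    ssh_dir=${2:-$HOME/.ssh}     # target directory (assumed default)
    auth_file=$ssh_dir/authorized_keys

    # Accept only a line that looks like a public key: type, base64, comment.
    # A private key file (-----BEGIN ...) never matches and is refused.
    key=$(grep -E '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' \
          "$pubkey_file" | head -n 1)
    if [ -z "$key" ]; then
        echo "no public key found in $pubkey_file" >&2
        return 1
    fi

    # Directory and file readable and writable by the owner only.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent: append only when the exact line is not already present.
    if ! grep -qxF "$key" "$auth_file"; then
        printf '%s\n' "$key" >> "$auth_file"
    fi
}
```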

Depending on the client and your preference, you can either enter the passphrase for your private key each time you connect, or run ssh-agent and register the key using ssh-add.

Server

sshd is the ssh daemon and is responsible for providing ssh access to the server. It's important to ensure that this is as secure as possible. There are a number of articles out there about changing the configuration of sshd to make it more secure; in particular, I like to turn off password authentication (forcing the use of public/private key pairs) and disable root login. Of course, before making these changes you should ensure that you have a suitable user able to log in using a key that you have tested, otherwise you may lock yourself out permanently.

The configuration for sshd is found at /etc/ssh/sshd_config. Modify it to have the following lines:

PasswordAuthentication no
PermitRootLogin no

Restart sshd for your changes to take effect:

sudo /etc/init.d/ssh restart
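
sshd uses the first value it finds for each keyword, so adding the two lines below an existing "PasswordAuthentication yes" has no effect. As an added example (not from the original post), this shell check reports the effective global value of both settings; the function names are illustrative, and it assumes unquoted values and reads only the section before the first Match block.

```shell
#!/bin/sh
# Added example: audit the two sshd_config settings discussed above.
# sshd_effective and sshd_hardened are illustrative names.

# Print the effective global value of keyword $1 in config file $2.
sshd_effective() {
    awk -F '[ \t=]+' -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }          # strip leading whitespace
        /^#/ || /^$/ { next }           # skip comments and blank lines
        { kw = tolower($1) }            # keywords are case-insensitive
        kw == "match" { exit }          # global section ends at first Match
        kw == want { print tolower($2); exit }   # first occurrence wins
    ' "${2:-/etc/ssh/sshd_config}"
}

# Return 0 only if both settings are effectively "no".
sshd_hardened() {
    cfg=${1:-/etc/ssh/sshd_config}
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_effective "$kw" "$cfg")
        if [ "$val" != "no" ]; then
            echo "FAIL: $kw is '${val:-unset, default applies}', expected 'no'" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run sshd_hardened before restarting the daemon; sudo sshd -t additionally checks the file for syntax errors.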

Basic web server stack

The basic stack of Apache HTTP Server (A), MySQL (M) and PHP (P) is known as AMP due to the initials, or LAMP on Linux.

Apache HTTP Server and PHP were already installed and available on the VPS, however, you can make sure by running the following:

sudo apt-get install apache2 php5

As part of the MySQL installation, I like to install phpMyAdmin as this is a really useful admin application. Install the MySQL server and phpMyAdmin packages, entering suitable values when prompted:

sudo apt-get install mysql-server phpmyadmin

Check connectivity by accessing the site using http://servername/phpmyadmin.

phpMyAdmin could be used by hackers to brute-force attack your databases, as it provides a form on the web to attempt logons. As always, you should use suitably strong passwords to ensure that this is not easily done, and also use suitable permissions for the database users to minimise external access. The best way to avoid attack is to only have phpMyAdmin available when you are using it. This can be achieved by removing the symlink in /etc/apache2/conf.d and managing phpMyAdmin's availability using the a2ensite and a2dissite commands:

sudo rm /etc/apache2/conf.d/phpmyadmin.conf
sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/sites-available/phpmyadmin

You can then enable it using:

sudo a2ensite phpmyadmin
sudo /etc/init.d/apache2 reload

And disable it using:

sudo a2dissite phpmyadmin
sudo /etc/init.d/apache2 reload

System Monitoring

Keeping an eye on utilisation

Disk space can be checked using df. Memory usage can be checked using free.

Issues

Something went wrong

The Ubuntu Server Guide should be able to help you. If not then try to post on a suitable forum or mailing list with as much detail as possible.
