Category: Tutorials

Today we are going to setup a web server using the ever so popular LAMP Stack. This tutorial assumes you:

1. Own a VPS or Dedicated Server (you can get a cheap one here [its only $5])
2. Have configured ssh and are currently logged in. (If not, learn how here)
3. Optional: Have secured your vps from hackers

Step 1 – Install LAMP  xD

First update and install tasksel

apt-get update && apt-get install tasksel

Next… and Finally we install lamp

tasksel install lamp-server

Pretty simple right? Normally people go through the trouble in installing PHP, MySQL and Apache manually but why? When ubuntu already knows how to do it all 🙂

When it comes to securing a server from malicious bruteforcers, Fail2Ban is an extremely powerful tool and my goto application on every server I setup. While that position was once held by denyhosts, as of Ubuntu 14.04, denyhosts is no longer in the official ubuntu repo and so is recommend that it no longer be used… Before we get into how to configure Fail2Ban, lets take a look at how it works….

Fail2Ban works by constantly scanning your log files and takes predetermined actions based on what is set in its configuration file. For example, we can set Fail2Ban to ban the IP Address of anyone who tries and fails to login 3 or more times. To do this, every few seconds, Fail2Ban will scan the server’s access log and keep and record of every failed attempt. When the limit of 3 is reached, it will immedieately set a rule in the built in iptables firewall for said ip address, effectively rejecting it from all further communication with the server.

Step 1 – Installing Fail2Ban

To install fail2ban we need to run 3 commands, the first to update our apt-cache, the second to upgrade any old packages in our system and the third to install Fail2Ban itself

apt-get update
apt-get upgrade
apt-get install fail2ban

Now that it is installed let us make a copy of the configuration file (so that the original can serve as a template in the future) and open it in our editor of preference

Step 2 – Configure Fail2Ban

cd /etc/fail2ban/
cp jail.conf jail.local && nano jail.local

By default fail2ban comes preconfigured with a great set of options so we will only be making a few changes. I also highly recommend you read though the config file to see what fail2ban is capable of in case you wish to tweak it more in the future.

Find and change in the open config file to match the following

# add your ip to exceptions list so you dont accidentally lock youself out
ignoreip = 127.0.0.1/8 192.168.1.2
#increase bantimee to an hour
bantime = 3600
.....
[ssh]
enabled = true
port = 4444 ; If you are using a custom ssh port, change this to your chosen port
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

Remember, ctrl + x to close file, and Y to save

Step 3 – Apply Changes

We finish up by restartting the fail2ban service so that our changes come into effect

service fail2ban restart

Final Notes: fail2ban consists of alot more features such as sending an email whenever an ip is banned or using custom iptable templates but those (once again, in my opinion) are not necessary as the preset config is, for the average server, near perfect.

Now that your server is secure let us move on to Setting up a LAMP Server or a LEMP Server on Ubuntu/Debian.

So you just got a new VPS and/or dedicated server and you want to use it as a webserver, fileserver, mailserver or maybe even all of the above. Buy before you do any of that, you KNOW that you gotta harden the security on it right… rightt??? Of course you do… In this tutorial we are going to go through the steps of locking down a server out there on the internet and making it safe enough to host our applications.

Note: While I am writing this for ubuntu 14.04, it should be exactly the same for debian and any other debian based distro (including previous versions of ubuntu)

Step 1 – Login to the Server

Before we can start configuring we need to login to said server, to do this, assuming you have windows we can either download putty (easy and just works) or cygwin (my preferred option but you need to select ssh during installation). If you have linux or mac, just open up your ‘terminal’ and type

ssh root@192.168.1.1

Replace ‘192.168.1.1’ with your server’s ip address and ‘root’ with the login for your server, if you are unsure what your username is, leave it as root.

Accept whatever certificate it provides and enter your password when it prompts you for it.

Step 2 – Change the root Password

Now that we have logged into our server we want to immedieately change the root password, to do this we type

passwd

At the prompt enter and confirm your new password.

Step 3 – Change Default SSH Port

Now that we have changed out default password, to make it even more difficult for intruders we change the default ssh port. Open up config file
nano /etc/ssh/sshd_config

find the line that says

Port 22

and replace 22 with any number between 1000 and 65000 and is not already found in the TCP area of this wiki article.

Tip: to exit nano press Ctrl + Z. It will ask you to save.. type Y then enter to overwrite.

Step 4 – Reload SSH

To restart the ssh service type

service ssh restart

you can now logout of your server

logout

and relog with the command

ssh root@10.0.10.20 -p 4444

with 4444 being the port you previously chose.

Thats it for this tutorial, if you are still a bit paranoid about your server, we can secure it even more by installing denyhosts, or you can skip that and move on to Setting up an Ubuntu/Debian LAMP Server or maybe you would prefer to Setup a LEMP Server.