How to Set Up a LAMP server on Linode
- Why Linode and CentOS?
- Getting Started
- Connecting to Your Server
- Naming Your Server
- Final Server Setup
- Creating a Second User
- Securing Your Server Connections
- Lock Down Remote Access
- Setting up Your Firewall
- Installing Fail2Ban
- Installing Apache
- Installing MySQL
- Installing PHP
- Setting Up Your Domain
- Where to Go From Here?
Lock Down Remote Access
Log back in to your Linode server. Enter this command at the prompt:
sudo nano /etc/ssh/sshd_config
This step makes it more difficult for malicious users to find your server and make their way in.
Notice the command in front: sudo. This tells the system you’d like to temporarily escalate your permission to execute this next command.
In this case, you’re opening a text editor to modify the SSH configuration file, which only the root user is allowed to do. Modify the file as instructed below:
- Find the setting PasswordAuthentication and change it from yes to no. This disables password logins so everyone will need to log in with key pairs.
- Find the setting #PermitRootLogin, remove the leading # character, then change the setting from yes to no. This prevents the root user from logging in to the server directly.
- Find the line with #Port and remove the leading # character. Change the value from 22 to any other value up to 65536; I chose 23456 as it’s easy to remember. This changes the default port to make it more difficult for strangers out there to find your server.
- Go to the very bottom of the file and add the line AllowUsers remote_user. This explicitly tells the SSH service to let your user in regardless of other settings.
Save and exit, then restart the SSH daemon to reload your configuration file as follows:
sudo /etc/init.d/sshd reload
To test that it works, open a new Terminal tab with Command-T (you want to keep your old tab open still logged in to the server, in case you made a typo with your SSH configuration). Then make sure that you can no longer log in as root by issuing the following command:
ssh -p 23456 root@127.0.0.1
Replace 127.0.0.1 with your server’s IP as usual, and 23456 with the port you chose. You should now get an error that says “Permission denied (publickey,gssapi-keyex,gssapi-with-mic).”
Now repeat this with the user that is allowed to log in with SSH:
ssh -p 23456 remote_user@127.0.0.1
Replace 127.0.0.1 with your server’s IP, and 23456 with the port you chose. If you successfully get in, your SSH is now locked down!
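Added example, not part of the original tutorial: a small POSIX shell audit of an sshd_config against the four settings above, using the remote_user name and port 23456 from this section. It reads the file the way sshd does (the first uncommented occurrence of a keyword wins), which is why editing the existing line matters more than appending a new one at the bottom.

```shell
#!/bin/sh
# Audit helper for the sshd_config changes above (added example, not from
# the tutorial). sshd honours the FIRST uncommented occurrence of a keyword,
# case-insensitively, so this reads the file the same way.

# Print the effective value of keyword $2 in file $1, or "unset".
effective_sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Compare the settings this section changes; print PASS/FAIL per keyword
# and return 1 if any of them is not what was asked for.
audit_sshd_config() {
    rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no Port=23456 AllowUsers=remote_user; do
        key=${pair%%=*}; want=${pair#*=}; got=$(effective_sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then echo "PASS $key $got"
        else echo "FAIL $key is '$got', want '$want'"; rc=1; fi
    done
    return $rc
}

# Constructed sample file: "PasswordAuthentication no" was appended at the
# end instead of editing the existing "yes" line, so password logins stay on.
write_sample_sshd_config() {
    f=$(mktemp); cat > "$f" <<'EOF'
#Port 22
Port 23456
PasswordAuthentication yes
#PermitRootLogin yes
PermitRootLogin no
AllowUsers remote_user
PasswordAuthentication no
EOF
    echo "$f"
}

# On a real server: audit_sshd_config /etc/ssh/sshd_config
```

AllowUsers is a whitelist: once the line is present, any account not listed on it is refused, so add every admin account you expect to use before reloading sshd.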
Setting up Your Firewall
Once you’ve taken care of server access, your next step is to set up a firewall to filter out undesirable network traffic such as bots and people trying to gain unauthorized access to your server. A tool called Fail2Ban lets you set up rules to ban undesirable network traffic from even talking to your server – the traffic your mother warned you about. :]
Execute the following command:
sudo system-config-firewall-tui
You could edit the firewall rules directly by hand, but it’s quite complicated and the wrong move can open your server to attacks — or worse, prevent you from logging in! Using system-config-firewall-tui to make changes is slightly easier, as it’s a text-based GUI. You use the tab and arrow keys to navigate and the space bar to make a selection – press once to select, press again to de-select.
The first screen has a fairly obvious option to enable the firewall, as shown below:
Press the spacebar to select this option; you’ll see a * appear beside the option. Use the arrow keys to reach the Customize button and hit the spacebar again to select it.
Select the following protocols to allow through the firewall:
- IPSec – allows the IP Security protocol to authenticate/authorize certain connections
- SSH – allows you to remote into your server (like you are doing now)
- Secure WWW (HTTPS) – allows HTTPS traffic
- WWW (HTTP) – allows HTTP traffic
As your server needs grow, you may revisit this list and allow other protocols through; for example, SMTP and IMAP/POP3 for email hosting, or DNS to run your own name server. Select Forward and move on to the next page.
Arrow over and select Add to add a custom port. Now that you have SSH running on port 23456, you need to tell the firewall to allow connections on that port — otherwise, you won’t be able to log in. Set the Port to 23456 and the Protocol to tcp like so:
Select OK to add the new custom port and then select Forward to the next page.
Because this is a fairly basic server setup for web hosting, you don’t need to expose any networks on the Trusted Interfaces screen. You’d typically allow eth+ if this server was going to act as a traffic filter or router for other servers on your network, but you don’t need to change anything for this tutorial. Select Forward to get to the next page.
The same is true for this screen – all options can be left blank. Masquerading lets multiple servers appear to be coming from one address (known as NAT, or Network Address Translation). Again, this is a simple server, so you don’t need this. Forward on!
You won’t change anything on this page either but it’s important to know what this screen is for. You can add an entry on this page if you need to map one port to another.
Why would you do this? Well, say you have an application that only looks for an SSH connection on port 22, but you changed yours to 23456. With an entry on this page, you could say port 23456 actually maps to port 22. Any traffic that arrived on port 23456 would be forwarded to port 22 and your application would work as expected.
You don’t need to set this up right now, so select Forward to move on.
The ICMP Filter page actually has something you’ll change! Yippee!
This screen lists several types of ICMP messages used by your server to communicate information about itself to the outside world. Enable the Destination Unreachable and Source Quench types; the first one tells other servers that your server is not available for communicating. The second one helps optimize bandwidth and is used by network routers to request that servers speed up or slow down their data rates.
Select Forward from this screen and then Close. You’re returned back to the main screen, so hit OK and accept the warning about overriding Firewall rules.
Exit your SSH session and log in again to make sure your access is still OK with these new firewall rules.
Whew – another piece finished!
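Added example, not from the tutorial: a shell check that the saved rule file (iptables-save format; on CentOS the firewall tool saves its rules to /etc/sysconfig/iptables) opens the custom SSH port before the catch-all reject, since rule order decides whether the next login gets in. The rule file used here is constructed for the example, not captured from a server.

```shell
#!/bin/sh
# Firewall rule-order check (added example, not from the tutorial).
# iptables stops at the first matching rule, so an ACCEPT for the new SSH
# port placed AFTER the catch-all REJECT never fires and locks you out.

# Return 0 if the INPUT chain in file $1 accepts new TCP connections to
# port $2 before any catch-all REJECT/DROP (a reject with no -p protocol match).
firewall_allows_tcp_port() {
    awk -v port="$2" '
        $1 == "-A" && $2 == "INPUT" {
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ / -p /) exit
            if ($0 ~ / -p tcp / && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) { ok = 1; exit }
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Constructed sample in iptables-save format: HTTP, HTTPS and the custom SSH
# port 23456 are opened before the catch-all; port 22 is opened after it,
# which is useless because the reject above it matches first.
write_sample_iptables() {
    f=$(mktemp); cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 23456 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
    echo "$f"
}

# On a real server: firewall_allows_tcp_port /etc/sysconfig/iptables 23456 && echo ok
```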