Shortdark Software Development

Setting up a Linux Webserver with SSH in 20 Steps (Debian 8)

Development19th Mar 2017.Time to read: 12 mins

ApacheDebianFail2banLinuxMySQLPHPPostfixSecuritySendmailSSHTutorialUFWUnattended Upgrades

Here is a guide to Setting up a Linux Webserver with SSH. This is for Debian 8 (Jessie) although other versions of Debian will be similar, and Debian-based versions of Linux, like Ubuntu will also use similar commands. I'll just call it the webserver because it can be a dedicated server, a VPS, or a cloud instance.

A lot of this comes from these excellent guides... Getting Started with Linode and Securing your Server... but I'd say that searching around and getting different information from different sources is definitely a good way to go. I wanted to install PHP 7.0 so some of this guide is different to other guides, which tend to use PHP 5.6. This guide is also primarily for people using a Windows PC to talk to a remote Linux webserver, but other operating systems will be the same for most of the stages. Most of the contents of this guide uses a terminal and an SSH connection, which windows needs software for (e.g. Putty), but other operating systems may have it built-in. This guide doesn't talk about FTPing (or SFTPing) much, but a good SFTP client for Windows is WinSCP.

There is often more than one way to get the same results. For example, you can reboot the system in a number of different ways. I tend to use the methods that appear simplest to me.

Requirements

  • A linux server (Debian 8, in this case).

  • The IP address of the server.

  • The root password of the server.

  • A computer to access your remote linux webserver, in this case a Windows PC with Putty installed.

Contents

  1. Login to the server with SSH
  2. Update/upgrade
  3. Install Apache2
  4. Find your webserver's IP address
  5. Set a Hostname
  6. Configure the Apache virtual hosts
  7. Create the web directory
  8. Install PHP7
  9. Your webserver's Timezone
  10. Unattended upgrades
  11. Install Sudo
  12. Add a user
  13. Public/private key pair
  14. Turn off root login
  15. Sending email
  16. Fail2ban
  17. Firewall: UFW
  18. Install MySQL and PHPmyAdmin
  19. Monitor
  20. Apache Config file

Conclusion

1) Login to the server with SSH

With Windows you can download and install some software, such as Putty, then connecting to your instance should be pretty straight-forward with the login information from your hosting company. To begin with you'll probably be logging in as "root" so you will not need to type sudo as root is the master login (this is handy because sudo is not installed, yet). The commands on this guide may need sudo adding at the beginning if you are not logging in as "root".

2) Update/upgrade

Once you are logged in the first thing to do is to make sure everything is updated so that you are installing the latest versions of everything when you get to that stage.

apt-get update && apt-get upgrade

or, later if you login as another user, you'll need sudo...

sudo apt-get update && sudo apt-get upgrade

3) Install Apache2

First, you can check if Apache is already installed by typing...

which apache2

If it is not already installed, i.e. the above does not give you any results. To install Apache type...

apt-get install apache2

4) Find your webserver's IP address

If your hosting company has not told you what the IP address is, this shows all IP's installed on your instance...

hostname -I

5) Set a Hostname

The hostname can be anything. If you have more than one instance you might name your instances so that they are all plant species, stars, geographical locations, chemical elements, Roman Emperors or Greek philosophers.

Add the hostname by opening up the hosts file in nano...

nano /etc/hosts

Then, the hosts file might look like using the IP address that you already know, above...

127.0.0.1    myhostnamegoeshere.example.com myhostnamegoeshere localhost
127.0.1.1       myhostnamegoeshere
123.123.456.789     example.com

Also, edit the hostname file...

nano /etc/hostname

Then, after this you'll need to reboot the instance from the control panel of the hosting company or by rebooting from the control panel: shutdown -r now.

The hostname and FQDN are important for all kinds of server functions. Test your hostname settings like this...

hostname hostname

hostname -i ip address

hostname -f or hostname --fqdn fully qualified domain name

6) Configure the Apache Virtual Hosts

Make sure 000-default.conf is off, copy it to mywebsite.com.conf and enable. link

cd /etc/apache2/sites-available
cp 000-default.conf example.com.conf
nano example.com.conf

Then, edit the example.com.conf so that it looks like this...

ServerAdmin webmaster@localhost
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com

Then, enable the site by typing...

a2ensite example.com

7) Create the web directory

We specified the DocumentRoot should be /var/www/example.com, above. So, now we need to make it!

Move to the place for all your web directories...

cd /var/www/

Then, create the web directory...

mkdir example.com

Once you have the directory you can add an index.html inside it.

If you have not restarted apache2 since typing the a2ensite command you need to do that before the domain name will work in your browser. Restart then test it by typingthe domain name into a browser.

8) Install PHP7

You can install any version of PHP. For Debian 8, it seems that PHP5.6 is the default, whereas with Ubuntu 16.04 LTS PHP7.0 is the default. I wanted to go with PHP7.0 so followed this guide for setting it up on Debian 8... Installing PHP7

Add these two lines to your /etc/apt/sources.list file:

deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all

Add the GPG key:

wget https://www.dotdeb.org/dotdeb.gpg
apt-key add dotdeb.gpg

Install PHP 7:

apt-get update
apt-get install php7.0

Then, straight away before you do too much else you'll want to add the other modules you need. There is information abput some common ones from here..

apt-get install php7.0-cli php7.0-common libapache2-mod-php7.0 php7.0 php7.0-mysql php7.0-fpm php7.0-curl php7.0-gd php7.0-bz2

You can then test out the PHP by making a page that has phpinfo(); on it to show you 1) that it's working and 2) the modules that are installed and enabled. Assuming everything works fine it's time to do more setting up...

At this stage I normally make sure everything is installed that I'll need for phpmyadmin. Then enable mod_rewrite...

a2enmod rewrite

9) Your webserver's Timezone

Set your server timezone by typing the following command...

dpkg-reconfigure tzdata

Then, this command shows you the current time on your server...

date

10) Unattended upgrades

You will want to keep everything as up-to-date as possible on your instance. You can do this by configuring the Unattended upgrades... Automatic updates. Then if you don't want to have to login to your instance and reboot/restart it after every upgrade, you can automatically reboot, if needed, after upgrading. First install the package...

apt-get install unattended-upgrades

Then configure the settings you want in nano...

nano /etc/apt/apt.conf.d/50unattended-upgrades

To test unattended-upgrades as root or with sudo run...

unattended-upgrade -d

11) Install sudo

From Installing sudo on Debian...

apt-get install sudo

12) Add a user

adduser myname

Then, add the user to sudo...

usermod -aG sudo myname

You can check which users are in the group sudo by running...

getent group sudo

Then logout of root, login as myname and test sudo out by doing something that requires sudo privileges, e.g. restarting apache: service apache2 restart.

13) Public/private key pair

This is the main thing that is different on Windows PCs than it is with either Linux or Macs. For Windows PCs you have to use downloadable software, such as putty. This guide: Use Public Key Authentication with SSH talks you through the process.

The most important thing to note is that you should either be logged in as the user you want to make the key pair for when you make the ~/.ssh directory and put the authorized_keys file in it, or if you do it as root the location should be "/home/yourusername/.ssh/authorized_keys" and the owner should the yourusername not root. So, if you're logged in as root you can run su yourusername to login as the user you've just created, then when you go to cd ~/ it will take you to "/home/yourusername/". If you do it this way you have to make sure to check that the owner of the "authorized_keys" file is yourusername... chown yourusername:yourusername -R ~/.ssh as suggested here.

Then, logout of root and login with your user to check that the new user works correctly with the public key authentication. You should be asked for the keyphrase, as opposed to the password.

14) Turn off root login

If you can login with the username you set up with the public/private key pair you can "turn off" root logins.

Turn off root logins and turn off password authentication in the sshd_config file using nano...

nano /etc/ssh/sshd_config

For the changes you have made to work, you will need to restart SSH...

service ssh restart

15) Sending email

You will need to be able to send emails from the server to get the unattended-upgrades emails (if you have asked it to send emails).

Rather than send the emails manually this guide walks you through setting up postfix with Mailgun.

The only thing I found a little confusing was the mapping on this line...

sammy@your_hostname sender@your_subdomain_for_mailgun

Really, as you'll mainly be sending emails as a user (e.g. www-data or root) you should have lines like this to allow that...

If you've set up your Mailgun account to use a subdomain, e.g. mail.example.com you can still use an address like [email protected] here!

Alternatively, https://www.debian.org/releases/jessie/amd64/ch08s05.html.en allows server to send email.

16) Fail2ban

Fail2ban

apt-get install fail2ban

Then, you can edit the config file, and/or make a local file...

nano /etc/fail2ban/fail2ban.conf

17) Firewall

For a firewall, UFW (Uncomplicated Firewall) is there for Debian systems. This is a good guide: Configure firewall with UFW

apt-get install ufw

As the guide says, you'll have to be very careful when switching on the firewall that you do not lock yourself out of SSH.

18) Install MySQL and PHPmyAdmin

Here are two useful guides: MySQL and MySQL on PHP7.

apt-get install mysql-server
mysql_secure_installation
apt-get install libapache2-mod-php7.0 php7.0-mysql php7.0-curl php7.0-json

Then, once MySQL is installed there is more MySQL information here about how to create a database and a new user.

A good place to begin before installing PHPmyAdmin is by checking the phpmyadmin prerequisites and installing everything needed (e.g. mbstring). If 500 server errors, check the prerequisites again, installing anything that isn't already installed, then re-install phpmyadmin to get rid of the error. Install PHPmyAdmin on Debian 8

sudo apt-get install phpmyadmin

For each virtual host that you would like to give access to your PHPMyAdmin installation, create a symbolic link from the document root to the phpMyAdmin installation location (/usr/share/phpmyadmin). You do this by moving into the public directory of each virtual host, then creating a symlink...

cd /var/www/example.com/public_html
sudo ln -s /usr/share/phpmyadmin

19) Monitor

You can monitor the performance and usage of the web server by using top... Just type top into the terminal and you'll get a summary of the usage every few seconds.

Linux TOP command explained

You can also set up a script that will email you if certain conditions are met (RAM usage, for example).

20) Apache Config file

It's a good thing to take a look at the apache2 config file to make sure it is configured correctly. One of the things you'll want to check is that KeepAlive is set to off. From Setting up LAMP on Debian 8.

sudo nano /etc/apache2/apache2.conf
KeepAlive Off

TL;DR / Conclusion

Different setups are all slightly different. If you are getting errors the best thing to do is to either examine the error itself or find the relevant error logs and do some problem solving. Unix & Linux Stack Exchange and Server Fault tend to have a lot of problems already answered.

This is just a general guide to setting up a Linux Webserver with SSH with a Windows PC talking to a Debian 8 remote webserver. You may want to change the order I have followed here and there may well be steps I've missed out here, errors I get that you do not get, or vice versa. But, I hope it can be useful to someone.

After getting this far there will probably still be thing you need to do to your webserver. There will be other PHP and Apache modules that your web applications and/or frameworks require, such as mod_rewrite... As before, figure out what you need for your application and add it as required. Have fun!


Previous: How to write a WordPress PluginNext: Converting a Website to HTTPS (Adding SSL Encryption) Tutorial