Here is a guide to Setting up a Linux Webserver with SSH. This is for Debian 8 (Jessie) although other versions of Debian will be similar, and Debian-based versions of Linux, like Ubuntu will also use similar commands. I’ll just call it the webserver because it can be a dedicated server, a VPS, or a cloud instance.
A lot of this comes from these excellent guides… Getting Started with Linode and Securing your Server… but I’d say that searching around and getting different information from different sources is definitely a good way to go. I wanted to install PHP 7.0 so some of this guide is different to other guides, which tend to use PHP 5.6. This guide is also primarily for people using a Windows PC to talk to a remote Linux webserver, but other operating systems will be the same for most of the stages. Most of the contents of this guide uses a terminal and an SSH connection, which windows needs software for (e.g. Putty), but other operating systems may have it built-in. This guide doesn’t talk about FTPing (or SFTPing) much, but a good SFTP client for Windows is WinSCP.
There is often more than one way to get the same results. For example, you can reboot the system in a number of different ways. I tend to use the methods that appear simplest to me.
With Windows you can download and install some software, such as Putty, then connecting to your instance should be pretty straight-forward with the login information from your hosting company. To begin with you’ll probably be logging in as “root” so you will not need to type sudo
as root is the master login (this is handy because sudo is not installed, yet). The commands on this guide may need sudo adding at the beginning if you are not logging in as “root”.
Once you are logged in the first thing to do is to make sure everything is updated so that you are installing the latest versions of everything when you get to that stage.
apt-get update && apt-get upgrade
or, later if you login as another user, you’ll need sudo…
sudo apt-get update && sudo apt-get upgrade
First, you can check if Apache is already installed by typing…
which apache2
If it is not already installed, i.e. the above does not give you any results. To install Apache type…
apt-get install apache2
If your hosting company has not told you what the IP address is, this shows all IP’s installed on your instance…
hostname -I
The hostname can be anything. If you have more than one instance you might name your instances so that they are all plant species, stars, geographical locations, chemical elements, Roman Emperors or Greek philosophers.
Add the hostname by opening up the hosts file in nano…
nano /etc/hosts
Then, the hosts file might look like using the IP address that you already know, above…
127.0.0.1 myhostnamegoeshere.example.com myhostnamegoeshere localhost127.0.1.1 myhostnamegoeshere123.123.456.789 example.com
Also, edit the hostname file…
nano /etc/hostname
Then, after this you’ll need to reboot the instance from the control panel of the hosting company or by rebooting from the control panel: shutdown -r now
.
The hostname and FQDN are important for all kinds of server functions. Test your hostname settings like this…
hostname
hostname
hostname -i
ip address
hostname -f
or hostname --fqdn
fully qualified domain name
Make sure 000-default.conf
is off, copy it to mywebsite.com.conf
and enable. link
cd /etc/apache2/sites-availablecp 000-default.conf example.com.confnano example.com.conf
Then, edit the example.com.conf so that it looks like this…
ServerAdmin webmaster@localhostServerName example.comServerAlias www.example.comDocumentRoot /var/www/example.com
Then, enable the site by typing…
a2ensite example.com
We specified the DocumentRoot should be /var/www/example.com, above. So, now we need to make it!
Move to the place for all your web directories…
cd /var/www/
Then, create the web directory…
mkdir example.com
Once you have the directory you can add an index.html inside it.
If you have not restarted apache2 since typing the a2ensite
command you need to do that before the domain name will work in your browser. Restart then test it by typingthe domain name into a browser.
You can install any version of PHP. For Debian 8, it seems that PHP5.6 is the default, whereas with Ubuntu 16.04 LTS PHP7.0 is the default. I wanted to go with PHP7.0 so followed this guide for setting it up on Debian 8… Installing PHP7
Add these two lines to your /etc/apt/sources.list file:
deb http://packages.dotdeb.org jessie alldeb-src http://packages.dotdeb.org jessie all
Add the GPG key:
wget https://www.dotdeb.org/dotdeb.gpgapt-key add dotdeb.gpg
Install PHP 7:
apt-get updateapt-get install php7.0
Then, straight away before you do too much else you’ll want to add the other modules you need. There is information abput some common ones from here..
apt-get install php7.0-cli php7.0-common libapache2-mod-php7.0 php7.0 php7.0-mysql php7.0-fpm php7.0-curl php7.0-gd php7.0-bz2
You can then test out the PHP by making a page that has phpinfo();
on it to show you 1) that it’s working and 2) the modules that are installed and enabled. Assuming everything works fine it’s time to do more setting up…
At this stage I normally make sure everything is installed that I’ll need for phpmyadmin. Then enable mod_rewrite…
a2enmod rewrite
Set your server timezone by typing the following command…
dpkg-reconfigure tzdata
Then, this command shows you the current time on your server…
date
You will want to keep everything as up-to-date as possible on your instance. You can do this by configuring the Unattended upgrades… Automatic updates. Then if you don’t want to have to login to your instance and reboot/restart it after every upgrade, you can automatically reboot, if needed, after upgrading. First install the package…
apt-get install unattended-upgrades
Then configure the settings you want in nano…
nano /etc/apt/apt.conf.d/50unattended-upgrades
To test unattended-upgrades as root or with sudo run…
unattended-upgrade -d
From Installing sudo on Debian…
apt-get install sudo
adduser myname
Then, add the user to sudo…
usermod -aG sudo myname
You can check which users are in the group sudo by running…
getent group sudo
Then logout of root, login as myname and test sudo out by doing something that requires sudo privileges, e.g. restarting apache: service apache2 restart
.
This is the main thing that is different on Windows PCs than it is with either Linux or Macs. For Windows PCs you have to use downloadable software, such as putty. This guide: Use Public Key Authentication with SSH talks you through the process.
The most important thing to note is that you should either be logged in as the user you want to make the key pair for when you make the ~/.ssh
directory and put the authorized_keys file in it, or if you do it as root the location should be “/home/yourusername/.ssh/authorized_keys” and the owner should the yourusername not root. So, if you’re logged in as root you can run su yourusername
to login as the user you’ve just created, then when you go to cd ~/
it will take you to “/home/yourusername/“. If you do it this way you have to make sure to check that the owner of the “authorized_keys” file is yourusername… chown yourusername:yourusername -R ~/.ssh
as suggested here.
Then, logout of root and login with your user to check that the new user works correctly with the public key authentication. You should be asked for the keyphrase, as opposed to the password.
If you can login with the username you set up with the public/private key pair you can “turn off” root logins.
Turn off root logins and turn off password authentication in the sshd_config file using nano…
nano /etc/ssh/sshd_config
For the changes you have made to work, you will need to restart SSH…
service ssh restart
You will need to be able to send emails from the server to get the unattended-upgrades emails (if you have asked it to send emails).
Rather than send the emails manually this guide walks you through setting up postfix with Mailgun.
The only thing I found a little confusing was the mapping on this line…
sammy@your_hostname sender@your_subdomain_for_mailgun
Really, as you’ll mainly be sending emails as a user (e.g. www-data or root) you should have lines like this to allow that…
root [email protected]
If you’ve set up your Mailgun account to use a subdomain, e.g. mail.example.com you can still use an address like [email protected] here!
Alternatively, https://www.debian.org/releases/jessie/amd64/ch08s05.html.en allows server to send email.
apt-get install fail2ban
Then, you can edit the config file, and/or make a local file…
nano /etc/fail2ban/fail2ban.conf
For a firewall, UFW (Uncomplicated Firewall) is there for Debian systems. This is a good guide: Configure firewall with UFW
apt-get install ufw
As the guide says, you’ll have to be very careful when switching on the firewall that you do not lock yourself out of SSH.
Here are two useful guides: MySQL and MySQL on PHP7.
apt-get install mysql-servermysql_secure_installationapt-get install libapache2-mod-php7.0 php7.0-mysql php7.0-curl php7.0-json
Then, once MySQL is installed there is more MySQL information here about how to create a database and a new user.
A good place to begin before installing PHPmyAdmin is by checking the phpmyadmin prerequisites and installing everything needed (e.g. mbstring). If 500 server errors, check the prerequisites again, installing anything that isn’t already installed, then re-install phpmyadmin to get rid of the error. Install PHPmyAdmin on Debian 8
sudo apt-get install phpmyadmin
For each virtual host that you would like to give access to your PHPMyAdmin installation, create a symbolic link from the document root to the phpMyAdmin installation location (/usr/share/phpmyadmin). You do this by moving into the public directory of each virtual host, then creating a symlink…
cd /var/www/example.com/public_htmlsudo ln -s /usr/share/phpmyadmin
You can monitor the performance and usage of the web server by using top… Just type top
into the terminal and you’ll get a summary of the usage every few seconds.
You can also set up a script that will email you if certain conditions are met (RAM usage, for example).
It’s a good thing to take a look at the apache2 config file to make sure it is configured correctly. One of the things you’ll want to check is that KeepAlive is set to off. From Setting up LAMP on Debian 8.
sudo nano /etc/apache2/apache2.confKeepAlive Off
Different setups are all slightly different. If you are getting errors the best thing to do is to either examine the error itself or find the relevant error logs and do some problem solving. Unix & Linux Stack Exchange and Server Fault tend to have a lot of problems already answered.
This is just a general guide to setting up a Linux Webserver with SSH with a Windows PC talking to a Debian 8 remote webserver. You may want to change the order I have followed here and there may well be steps I’ve missed out here, errors I get that you do not get, or vice versa. But, I hope it can be useful to someone.
After getting this far there will probably still be thing you need to do to your webserver. There will be other PHP and Apache modules that your web applications and/or frameworks require, such as mod_rewrite
… As before, figure out what you need for your application and add it as required. Have fun!
Quick Links
Legal Stuff