sudo aptitude install apache2 php5 mysql-server php5-mysql libapache2-mod-php5
Setting up a secure LAMP stack (Linux, Apache, MySQL & PHP) on Ubuntu may be daunting at first, but it’s relatively simple once you understand a few of the core principles behind it.
In this tutorial, we’ll be focussing on the core essentials needed for running a secure, web-application hosting environment, which can power any of your favourite web applications, such as:
- Joomla, and, or
So, let’s start by:
Updating and Upgrading your Packages with ‘apt-get’
apt-get update && apt-get upgrade
Running the above command will simply update and upgrade all the packages that are installed on your VPS.
The line contains two commands joined with &&, so the upgrade runs only if the update succeeds. Together they check every package installed on your machine against the latest available versions.
Apache is the industry-standard, open-source web server that thousands of happy developers and hard-core nerds are using today. Luckily, it’s not only for them: we designers can install this web server with ease using apt-get.
apt-get install apache2
service apache2 start
Why don’t you head over to your assigned IP address and check it out? You should receive a nice default index.html.
You can locate the default index.html document by running:
You can restart Apache at any time by executing:
service apache2 restart
Or stop Apache, by running:
service apache2 stop
If you’re trying to run a web-application, chances are you require MySQL or some form of database architecture.
Let’s install MySQL, along with its PHP counter-part by executing:
apt-get install mysql-server mysql-client php5-mysql
When the process has reached its completion, you should be prompted to create a MySQL root password. Set the root MySQL password, and simply hit enter.
You can login to your MySQL server by running:
mysql -u root -p
Upon arrival, enter the root password you allocated previously to access your MySQL server.
In order to secure your MySQL installation, run:
Follow the prompts through. If you are unsure what to permit, hit ‘y’ for everything, excluding the first question, as we’ve already set a root password.
Whilst inside the MySQL server, you can run commands such as:
- show databases;
- create database
- drop database
Installing PHP5 with PHP Pear
Okay, let’s begin by installing PHP5 with PHP Pear.
Simply execute the following command to install both instances at once:
apt-get install php5 && apt-get install php-pear
Secure your VPS against common Attacks & Vulnerabilities
Most attacks come through the web application itself. This section only covers minor threats to your virtual environment, so you still need to update and maintain your chosen web application regularly.
Suhosin essentially patches vulnerabilities that lie within PHP’s core.
To install Suhosin, simply execute the following command:
apt-get install php5-suhosin
Check for weaknesses in php.ini
A great tool to check for weaknesses within PHP’s configuration file (php.ini) is called PHPSecInfo.
To run PHPSecInfo, run the following commands:
cd /var/www/
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
If you run into an error while doing so, try installing ‘unzip’ by executing:
apt-get install unzip
To modify PHP’s default configuration (php.ini) settings, execute:
Common parameters to modify include, but are not limited to:
- allow_url_fopen = Off
- display_errors = Off
- display_startup_errors = Off
- log_errors = On
- error_reporting = E_ALL
- error_log = /var/
- expose_php = Off
- magic_quotes_gpc = On
- magic_quotes_sybase = Off
- register_globals = Off
Make sure to uncomment the parameter first, by removing the prefixed semicolon ‘;’.
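The list above can be checked automatically. The script below is an added example, not part of the original tutorial: it reads a php.ini, treats lines still prefixed with ';' as inactive, and reports every listed directive that is unset or differs. The function names and the sample file contents are assumptions made for illustration, and error_log is left out because its path is not given in full above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a php.ini against the
# values listed above. error_log is skipped: its path is cut short in the list.
EXPECTED='allow_url_fopen=Off display_errors=Off display_startup_errors=Off
log_errors=On error_reporting=E_ALL expose_php=Off magic_quotes_gpc=On
magic_quotes_sybase=Off register_globals=Off'

# Effective value of directive $2 in file $1; the last active assignment wins.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                       # commented out: not active
        {
            line = $0; sub(/[ \t]*;.*$/, "", line)  # drop trailing comment
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { found = v; seen = 1 }
        }
        END { print (seen ? found : "<unset>") }' "$1"
}

# php.ini boolean spellings folded to on/off; other values pass through.
norm() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        on|1|true|yes) echo on ;;
        off|0|false|no|none|'') echo off ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Prints one line per deviating directive; returns 1 if any, else 0.
audit_php_ini() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(ini_value "$1" "$key")
        if [ "$got" = "<unset>" ]; then
            echo "UNSET $key (want $want; remove the leading ';' if present)"; rc=1
        elif [ "$(norm "$got")" != "$(norm "$want")" ]; then
            echo "MISMATCH $key = $got (want $want)"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input for trying the audit without a real php.ini.
sample_ini() { printf '%s\n' '[PHP]' ';expose_php = Off' 'display_errors = On' \
    'allow_url_fopen = 0' 'log_errors = On ; keep logging' 'error_reporting = E_ALL'; }
if [ $# -gt 0 ]; then audit_php_ini "$1"; fi
```

Save it as a script and pass the path of your php.ini as the first argument; a non-zero exit status means at least one directive still needs attention.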
Firewall your Installation using UFW (Uncomplicated Firewall)
UFW is a simple firewall that provides an easy-to-use interface for iptables.
To get started using UFW, let’s install it by running:
apt-get install ufw
Depending on your configuration, I’m blocking all ports (including IMAP/POP3) on the server, excluding HTTPS, HTTP, and SSH.
ufw allow 80
ufw allow 443
ufw allow 22
To check what ports are enabled on UFW, run:
Testing UFW using NMAP
NMAP is a network vulnerability tool that checks for open ports (primarily) and other tid-bits that may be useful to your VPS’ health.
To install NMAP, simply execute:
apt-get install nmap
To run an NMAP check on your server, run:
nmap -r -v -O <IP Address>
Do you have any suggestions or questions? Let me know in the comments below.