Ubuntu How-To: LAMP Stack Build on 11.10x Install

tl;dr

sudo aptitude install apache2 php5 mysql-server php5-mysql libapache2-mod-php5

Setting up a secure LAMP stack (Linux, Apache, MySQL & PHP) on Ubuntu may be daunting at first, but it’s relatively simple once you understand a few of the core principles behind it.

In this tutorial, we’ll be focussing on the core essentials needed for running a secure, web-application hosting environment, which can power any of your favourite web applications, such as:

  • WordPress
  • Magento
  • OpenCart
  • Joomla, and/or
  • Drupal

So, let’s start by:

Updating and Upgrading your Packages with ‘apt-get’

apt-get update && apt-get upgrade

Running the above command will simply update and upgrade all the packages that are installed on your VPS.

The command chains two apt-get calls with &&, so the upgrade only runs if the update succeeds: update refreshes the package lists, and upgrade then installs the newer versions of the packages already on your machine.

Installing Apache

Apache is the industry-standard, open-source web server that thousands of happy developers and hard-core nerds are using today. Luckily, it’s not only for them: we, as designers, can install this web server with ease using apt-get.

apt-get install apache2

Run Apache:

service apache2 start

That’s it.

Why don’t you head over to your assigned IP address and check it out? You should receive a nice default index.html.

You can locate the default index.html document by running:

cd /var/www/

You can restart Apache at any time by executing:

service apache2 restart

Or stop Apache, by running:

service apache2 stop

Installing MySQL

If you’re trying to run a web-application, chances are you require MySQL or some form of database architecture.

Let’s install MySQL, along with its PHP counter-part by executing:

apt-get install mysql-server mysql-client php5-mysql

When the process has reached its completion, you should be prompted to create a MySQL root password.  Set the root MySQL password, and simply hit enter.

You can login to your MySQL server by running:

mysql -u root -p

Upon arrival, enter the root password you allocated previously to access your MySQL server.

In order to secure your MySQL installation, run:

/usr/bin/mysql_secure_installation

Follow the prompts through. If you are unsure what to permit, hit ‘y’ for everything, excluding the first question, as we’ve already set a root password.

Whilst inside the MySQL server, you can run commands such as:

  • show databases;
  • create database ;
  • drop database ;

Installing PHP5 with PHP Pear

Okay, let’s begin by installing PHP5 with PHP Pear.

Simply execute the following command to install both instances at once:

apt-get install php5 && apt-get install php-pear

Secure your VPS against common Attacks & Vulnerabilities

Preamble:

Attacks generally lie in the hands of the web-application. This section only covers minor threats to your virtual environment. You need to regularly update and maintain your chosen web-application.

Installing Suhosin

Suhosin essentially patches vulnerabilities that lie within PHP’s core.

To install Suhosin, simply execute the following command:

apt-get install php5-suhosin

Check for weaknesses in php.ini

A great tool to check for weaknesses within PHP’s configuration file (php.ini) is called PHPSecInfo.

To run PHPSecInfo, run the following commands:

cd /var/www/
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip

If you run into an error while doing so, try installing ‘unzip’ by executing:

apt-get install unzip

View PHPSecInfo in action by pointing to your web address, followed by /phpsecinfo/

x.x.x.x/phpsecinfo

To modify PHP’s default configuration (php.ini) settings, execute:

nano /etc/php5/apache2/php.ini

Common parameters to modify include, but are not limited to:

  • allow_url_fopen = Off
  • display_errors = Off
  • display_startup_errors = Off
  • log_errors = On
  • error_reporting = E_ALL
  • error_log = /var/
  • expose_php = Off
  • magic_quotes_gpc = On
  • magic_quotes_sybase = Off
  • register_globals = Off

Make sure to uncomment the parameter first, by removing the prefixed semicolon ‘;’.
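An added example (not part of the original tutorial): a small shell audit that reports which of the directives listed above are missing, still commented out, or set differently. The function names and the sample php.ini are constructed for illustration; error_log is skipped because its path is not given in full above.

```shell
# Added example: audit a php.ini against the directives listed on this page.
EXPECTED='allow_url_fopen=Off display_errors=Off display_startup_errors=Off
log_errors=On expose_php=Off magic_quotes_gpc=On magic_quotes_sybase=Off
register_globals=Off'

# Last active value of directive $2 in file $1. Lines that still start with
# ';' are comments, so a commented-out directive yields nothing.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Fold PHP's boolean spellings so that "0" and "Off" compare equal.
norm() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|on|yes|true) echo on ;;
        0|off|no|false|none) echo off ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print one line per finding; the return status is the number of findings.
audit_php_ini() {
    findings=0
    for pair in $EXPECTED; do
        key=${pair%%=*} want=${pair#*=}
        have=$(ini_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "$key: not set (missing or still commented out), want $want"
            findings=$((findings + 1))
        elif [ "$(norm "$have")" != "$(norm "$want")" ]; then
            echo "$key: is $have, want $want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample php.ini, not taken from a real server.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
allow_url_fopen = Off
display_errors = On
;display_startup_errors = Off
log_errors = On
expose_php = Off
magic_quotes_gpc = On
magic_quotes_sybase = Off
register_globals = 0
EOF
audit_php_ini "$SAMPLE" || echo "findings: $?"
```

On the server, run audit_php_ini /etc/php5/apache2/php.ini after editing, and restart Apache once it reports no findings so the new settings are loaded.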

Firewall your Installation using UFW (Uncomplicated Firewall)

UFW is a simple firewall that provides an easy-to-use interface for iptables.

To get started using UFW, let’s install it by running:

apt-get install ufw

Depending on your configuration, I’m blocking all ports (including IMAP/POP3) on the server, excluding HTTPS, HTTP, and SSH.

ufw default deny
ufw allow 80
ufw allow 443
ufw allow 22
ufw enable

To check what ports are enabled on UFW, run:

ufw status
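An added example, not from the original tutorial: a check that reads the output of ufw status and reports when the firewall is inactive or allows a port other than 22, 80 and 443. The function names and the sample output are constructed for illustration.

```shell
# Added example: check `ufw status` output against the ports this page opens.
ALLOWED="22 80 443"   # SSH, HTTP and HTTPS, as in the rules above

# Reads `ufw status` text on stdin. Prints one line per problem and returns 0
# only if the firewall is active and every ALLOW rule is for an expected port.
# Rules given by application name are reported too, so they get reviewed.
check_ufw_status() {
    awk -v allowed="$ALLOWED" '
        BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Status:/ { if ($2 == "active") active = 1 }
        /[ \t]ALLOW([ \t]|$)/ {
            port = $1; sub(/\/.*/, "", port)      # "8080/tcp" -> "8080"
            if (!(port in ok)) { print "unexpected ALLOW rule: " $1; bad = 1 }
        }
        END {
            if (!active) { print "ufw is not active: rules are not enforced"; bad = 1 }
            exit bad
        }'
}

# Constructed sample output, not captured from a real host.
sample_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
EOF
}

sample_status | check_ufw_status || echo "firewall does not match the intended policy"
```

On the server, pipe the real output through the same function: ufw status | check_ufw_status.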

Testing UFW using NMAP

NMAP is a network vulnerability tool that checks for open ports (primarily) and other tid-bits that may be useful to your VPS’ health.

To install NMAP, simply execute:

apt-get install nmap

To run an NMAP check on your server, run:

nmap -r -v -O <IP Address>

Do you have any suggestions or questions? Let me know in the comments below.

  • http://drewsymo.com/ Drew

    Thanks, Markus. I’ll update that now.