Ubuntu How-To: LAMP Stack Build on 11.10x Install

tl;dr

sudo aptitude install apache2 php5 mysql-server php5-mysql libapache2-mod-php5

Setting up a secure LAMP stack (Linux, Apache, MySQL & PHP) on Ubuntu may be daunting at first, but it’s relatively simple once you understand a few of the core principles behind it.

In this tutorial, we’ll be focussing on the core essentials needed for running a secure, web-application hosting environment, which can power any of your favourite web applications, such as:

  • WordPress
  • Magento
  • OpenCart
  • Joomla, and/or
  • Drupal

So, let’s start by:

Updating and Upgrading your Packages with ‘apt-get’

apt-get update && apt-get upgrade

Running the above command will simply update and upgrade all the packages that are installed on your VPS.

The line contains two commands joined with &&: apt-get update refreshes the package lists, and apt-get upgrade then installs newer versions of the packages already on your machine. Because of the &&, the upgrade runs only if the update succeeds.

Installing Apache

Apache is the industry-standard, open-source web server that thousands of happy developers and hard-core nerds are using today. Luckily, it’s not only for them; we designers can install this web server with ease using apt-get.

apt-get install apache2

Run Apache:

service apache2 start

That’s it.

Why don’t you head over to your assigned IP address and check it out? You should receive a nice default index.html.

You can locate the default index.html document by running:

cd /var/www/

You can restart Apache at any time by executing:

service apache2 restart

Or stop Apache, by running:

service apache2 stop

Installing MySQL

If you’re trying to run a web-application, chances are you require MySQL or some form of database architecture.

Let’s install MySQL, along with its PHP counter-part by executing:

apt-get install mysql-server mysql-client php5-mysql

When the process has reached its completion, you should be prompted to create a MySQL root password.  Set the root MySQL password, and simply hit enter.

You can login to your MySQL server by running:

mysql -u root -p

Upon arrival, enter the root password you allocated previously to access your MySQL server.

In order to secure your MySQL installation, run:

/usr/bin/mysql_secure_installation

Follow the prompts through. If you are unsure what to permit, hit ‘y’ for everything, excluding the first question, as we’ve already set a root password.

Whilst inside the MySQL server, you can run commands such as:

  • show databases;
  • create database <database name>;
  • drop database <database name>;

Installing PHP5 with PHP Pear

Okay, let’s begin by installing PHP5 with PHP Pear.

Simply execute the following command to install both packages at once:

apt-get install php5 && apt-get install php-pear

Secure your VPS against common Attacks & Vulnerabilities

Preamble:

Most attacks target the web application itself. This section only covers minor threats to your virtual environment, so you still need to regularly update and maintain your chosen web application.

Installing Suhosin

Suhosin essentially patches vulnerabilities that lie within PHP’s core.

To install Suhosin, simply execute the following command:

apt-get install php5-suhosin

Check for weaknesses in php.ini

A great tool to check for weaknesses within PHP’s configuration file (php.ini) is called PHPSecInfo.

To run PHPSecInfo, run the following commands:

cd /var/www/
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip

If you run into an error while doing so, try installing ‘unzip’ by executing:

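apt-get install unzip

View PHPSecInfo in action by pointing to your web address, followed by /phpsecinfo/

x.x.x.x/phpsecinfo

Delete the phpsecinfo directory from /var/www/ once you have reviewed the report, since it shows your PHP configuration to anyone who requests it.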

To modify PHP’s default configuration (php.ini) settings, execute:

nano /etc/php5/apache2/php.ini

Common parameters to modify include, but are not limited to:

  • allow_url_fopen = Off
  • display_errors = Off
  • display_startup_errors = Off
  • log_errors = On
  • error_reporting = E_ALL
  • error_log = /var/
  • expose_php = Off
  • magic_quotes_gpc = On
  • magic_quotes_sybase = Off
  • register_globals = Off

Make sure to uncomment the parameter first, by removing the prefixed semicolon ‘;’.
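
As an added example (not part of the original tutorial), the shell function below compares a php.ini with the values in the list above and reports directives that are still commented out or set differently. The function name and the sample file are constructed for illustration; error_log is only checked for being set, since its path depends on your server.

```sh
# Added example: compare a php.ini with the values listed above.
# Usage on the server: audit_php_ini /etc/php5/apache2/php.ini
audit_php_ini() {
    awk '
    function norm(v) {                       # normalise a raw ini value
        sub(/[ \t]*;.*$/, "", v)             # drop a trailing "; comment"
        gsub(/[ \t"]/, "", v); v = tolower(v)
        if (v == "1" || v == "true" || v == "yes") return "on"
        if (v == "0" || v == "false" || v == "no" || v == "") return "off"
        return v
    }
    BEGIN {                                  # expected values, from the list
        want["allow_url_fopen"] = "off";        want["display_errors"] = "off"
        want["display_startup_errors"] = "off"; want["log_errors"] = "on"
        want["error_reporting"] = "e_all";      want["expose_php"] = "off"
        want["magic_quotes_gpc"] = "on";        want["magic_quotes_sybase"] = "off"
        want["register_globals"] = "off"
    }
    /^[ \t]*(;|\[)/ || !/=/ { next }         # a leading ";" disables the line
    { eq = index($0, "="); key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
      got[key] = norm(substr($0, eq + 1)); seen[key] = 1 }
    END {
        for (k in want) {
            if (!(k in seen)) { print "UNSET " k " (want " want[k] ")"; bad++ }
            else if (got[k] != want[k]) { print "WRONG " k " = " got[k]; bad++ }
        }
        if (got["error_log"] == "" || got["error_log"] == "off") { print "UNSET error_log"; bad++ }
        exit (bad > 0)
    }' "$@"
}

# Constructed sample, not a real server configuration.
sample_ini() {
    cat <<'EOF'
[PHP]
allow_url_fopen = On
display_errors = Off
;display_startup_errors = Off
log_errors = 1
error_reporting = E_ALL & ~E_DEPRECATED
expose_php = Off ; hide the version header
magic_quotes_gpc = On
magic_quotes_sybase = Off
register_globals = Off
error_log = /tmp/php_errors.log
EOF
}
sample_ini | audit_php_ini || echo "php.ini differs from the list"
```

The function returns 0 only when every listed directive is uncommented and matches, so it can be re-run after each edit of php.ini.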

Firewall your Installation using UFW (Uncomplicated Firewall)

UFW is a simple firewall that provides an easy-to-use interface for iptables.

To get started using UFW, let’s install it by running:

apt-get install ufw

Depending on your configuration, I’m blocking all ports (including IMAP/POP3) on the server, excluding HTTPS, HTTP, and SSH.

ufw allow 80
ufw allow 443
ufw allow 22

To check what ports are enabled on UFW, run:

ufw status
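
An added example, not from the original tutorial: a freshly installed ufw reports Status: inactive until ufw enable is run, so the function below reads ufw status output, confirms the firewall is active, and lists any allowed port outside 80, 443 and 22. The function name and the sample status text are constructed.

```sh
# Added example: compare `ufw status` output with the ports opened above.
# Usage on the server: ufw status | check_ufw_status 80 443 22
check_ufw_status() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Status:/ { active = ($2 == "active") }
    {
        # A rule line has ALLOW after the port column; skip outbound rules.
        for (i = 2; i <= NF; i++) if ($i == "ALLOW" && $(i + 1) != "OUT") {
            port = $1; sub(/\/.*/, "", port)      # 80/tcp -> 80
            open[port] = 1
        }
    }
    END {
        if (!active) { print "INACTIVE firewall is not enforcing any rule"; exit 1 }
        for (p in open) if (!(p in ok)) { print "EXTRA " p; bad++ }
        for (p in ok) if (!(p in open)) { print "MISSING " p; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample of `ufw status` output, with one port too many.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere
3306                       ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
EOF
}
sample_status | check_ufw_status 80 443 22 || echo "firewall differs from the tutorial"
```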

Testing UFW using NMAP

NMAP is a network scanning tool that checks for open ports (primarily) and other details that may be useful to your VPS’ health.

To install NMAP, simply execute:

apt-get install nmap

To run an NMAP check on your server, run:

nmap -r -v -O <IP Address>

Do you have any suggestions or questions? Let me know in the comments below.

  • Markus Konojacki

    You need to change “ufw enable 80” to “ufw allow 80” etc. Otherwise it’ll not work.
    But thanks for the good quick reference to the basics. :)

  • Phillip Booth

    You need these for the basic ports

    80 <-Apache/http
    443<-SSL (if using an SSL Cert otherwise deny)
    3306<-MySQL
    8080<-Varnish (if installed)

    ufw allow 80;
    ufw allow 443;
    ufw allow 3306;
    ufw allow 8080;

    587<-email
    25<-email
    993<-email
    465<-email
    22<-SSH (Default port recommend you change)

    ufw allow 587;
    ufw allow 25;
    ufw allow 993;
    ufw allow 465;
    ufw allow 22;

    If you are using a service for email like gmail you can just set the email ports to out only i.e.

    ufw deny 587;
    ufw allow out 587/tcp;

    Also if you need to remove something you check what is setup by using

    ufw status;

    then remove what you do not want

    ufw delete allow 587

    But if you are not sure what to do/a noob use this

    sudo ufw disable;
    sudo ufw --force reset;
    sudo ufw reload;
    sudo ufw default deny;
    sudo ufw default deny incoming;
    sudo ufw default allow outgoing;
    sudo ufw allow http;
    sudo ufw allow www;
    sudo ufw allow ssh;
    sudo ufw allow imaps;
    sudo ufw allow pop3;
    sudo ufw allow mysql;
    sudo ufw allow submission;
    sudo ufw reload;

    then to enable use when you are 100% sure about your settings: sudo ufw enable;

    * if you have changed the default SSH port then you will need to add this as well as sudo ufw allow ssh just adds allow port 22

  • http://drewsymo.com/ Drew

    Thanks, Markus. I’ll update that now.