Over the years I’ve used many different hosting solutions. From shared hosting, a dedicated server, to several VPSes. These all came with a graphical control panel, most often Plesk, from which the server could be administered. The downside was the cost of the licence. So a little while ago I took the plunge and purchased a standard cloud-based VPS from Fasthosts with no control panel, taking on the job of system administrator for the first time.
Read on to learn how it’s fairly straightforward to set up a general-purpose Ubuntu 14.04 server, administering it over SSH.
The Aim
I wanted to set up a fairly bog-standard server that would have a LAMP stack to serve websites, and SMTP and POP3/IMAP services running to handle email.
The Purpose Of This Article
This is kind of a brain-dump of the notes that I made when setting up my server. A lot of the time I was just lifting a little material from the Ubuntu website, or other software vendors’ websites to get the packages that I needed installed. So rather than write an in-depth post I’m going to briefly cover each step and link back to the page where I originally learned about it.
It’s kind of a cheat-sheet that I might use in the future for setting up Linux servers, and hopefully it’ll help others out there.
Root Access To Your Server
What you’ll probably get when you purchase your server is an IP address and root access. So that’s basically an IP address and a password. That will enable you to connect to the server via SSH and get started.
Change The Root Password
The first job is to change the root password. This is either to make it more secure (longer) or more memorable, or both.
So SSH into the server, run the following command, and follow the instructions.
$ passwd
(Ideally you would disable logins via password in favour of key-based authentication, but that’s outside the scope of what we’re aiming for here.)
Take SSH Off Port 22
By default the SSH daemon listens on port 22. This means that as soon as your new server goes online you will already have numerous would-be hackers trying to break in. It may be security by obscurity, but moving SSH off port 22 is a quick way to mitigate this danger.
https://help.ubuntu.com/14.04/serverguide/openssh-server.html
Choose An Acceptable SSH Port Number
Many port numbers are already taken, so choose one that’s not going to clash with another service:
http://linuxlookup.com/howto/change_default_ssh_port
Check That iptables Isn’t Going To Block Your Chosen Port
Your server could have IP rules already set up. Check whether iptables is configured and that it won’t block your new SSH port. And if a rule needs adding to allow the new port, persist the new rules across reboots with iptables-persistent.
https://help.ubuntu.com/community/IptablesHowTo
Fasthosts-Specific Firewall Change
I found, through trial and error, that Fasthosts sets up their servers with a hook added in /etc/rc.local to call /etc/sysconfig/firewall, which will overwrite iptables-persistent, and allow/deny the standard ports again upon reboot. So ensure rules are added to that file or remove the file (and the hook) and use iptables-persistent.
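One way to run the check from the two sections above before moving SSH, as an added example that is not part of the original notes: a shell function that reads a ruleset in iptables-save format and reports what the INPUT chain does with a new TCP connection to a given port. The sample ruleset, the function name port_verdict and port 2222 are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample in iptables-save format (not taken from a real server).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# port_verdict PORT < ruleset   (hypothetical helper, added for illustration)
# Prints the verdict (ACCEPT, DROP or REJECT) that the filter table INPUT chain
# gives a new inbound TCP connection to PORT. Simplified first-match walk:
# port ranges, multiport and user-defined chains are not handled.
port_verdict() {
    awk -v port="$1" '
    /^[*]/ { in_filter = ($0 == "*filter"); next }
    in_filter && /^:INPUT / { policy = $2; next }
    in_filter && /^-A INPUT / {
        target = ""; dport = ""; proto = ""; skip = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j")      target = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
            if ($i == "-p")      proto  = $(i + 1)
            # Loopback-only, source-restricted and established-only rules
            # do not decide a new connection arriving from the internet.
            if ($i == "-i" && $(i + 1) == "lo") skip = 1
            if ($i == "-s") skip = 1
            if (($i == "--state" || $i == "--ctstate") && $(i + 1) !~ /NEW/) skip = 1
        }
        if (skip) next
        if (proto != "" && proto != "tcp") next
        if (dport != "" && dport != port) next
        if (target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; found = 1; exit }
    }
    END { if (!found) print (policy == "" ? "ACCEPT" : policy) }'
}

# Port 22 is open in the sample; a new port such as 2222 hits the final REJECT.
printf '%s\n' "$SAMPLE_RULES" | port_verdict 22
printf '%s\n' "$SAMPLE_RULES" | port_verdict 2222
```

On the server, pipe the output of iptables-save into port_verdict with your chosen port, and run it again after a reboot to confirm that nothing called from /etc/rc.local has put the old rules back.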
Install NTP To Keep The Clock Synchronised
By default your server probably won’t be set up to keep its clock synchronised, so install NTP to take care of that:
https://help.ubuntu.com/14.04/serverguide/NTP.html
Install landscape-common Package For Useful Stats On Login
landscape-sysinfo is based on the last login, so remove the noupdate option:
http://ubuntuforums.org/showthread.php?t=2230444
Install update-notifier-common
This is linked to the previous step:
https://help.ubuntu.com/14.04/serverguide/pam_motd.html
Setup Apache Web Server
Remember to open port 80 in the firewall.
https://help.ubuntu.com/14.04/serverguide/httpd.html
When creating a vhost, if you specify custom access and error logs, remember to either store them in the same ${APACHE_LOG_DIR} or set up custom log rotation:
http://www.rackspace.com/knowledge_center/article/sample-logrotate-configuration-and-troubleshooting
Turn off Indexes, ServerSignature and ServerTokens
This makes your Apache setup a little more secure, by not showing an index of files (if an index file does not exist), and not disclosing its version etc…
The changes are made in the following files:
/etc/apache2/apache2.conf
/etc/apache2/conf-enabled/security.conf
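To confirm the three settings after editing those files, here is an added example (not from the original notes) that scans Apache config text and lists anything still weak. Both sample configs are constructed, and the function name audit_apache is an assumption made for illustration.

```sh
#!/bin/sh
# Constructed sample resembling a config before hardening.
SAMPLE_CONF='ServerTokens OS
ServerSignature On
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>'

# Constructed sample after hardening.
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>'

# audit_apache < config text   (hypothetical helper, added for illustration)
# Prints one WEAK line per finding and nothing when all three settings are safe.
audit_apache() {
    awk '
    /^[ \t]*#/ { next }                        # ignore commented-out lines
    { d = tolower($1) }                        # directive names ignore case
    d == "servertokens"    { tokens = $2 }     # the last value seen wins
    d == "serversignature" { sig = $2 }
    d == "options" {
        for (i = 2; i <= NF; i++) {
            o = tolower($i)
            if (o == "indexes" || o == "+indexes" || o == "all") {
                print "WEAK line " NR ": " $0 " (directory listing enabled)"
                break
            }
        }
    }
    END {
        t = tolower(tokens)
        if (t != "prod" && t != "productonly")
            print "WEAK ServerTokens " (tokens == "" ? "unset (defaults to Full)" : tokens)
        # ServerSignature defaults to Off, so only an explicit other value is flagged.
        if (sig != "" && tolower(sig) != "off")
            print "WEAK ServerSignature " sig
    }'
}

printf '%s\n' "$SAMPLE_CONF" | audit_apache
```

On the server, concatenate /etc/apache2/apache2.conf and /etc/apache2/conf-enabled/security.conf into audit_apache; the reported line numbers then count across the combined input.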
Disable The javascript-common Config Or Your /javascript/ Directory Won’t Work
Apache conveniently allows a directory of shared JavaScript files, which is aliased. But if you’re not using that feature then any /javascript/ directories in your vhosts will not work.
a2disconf javascript-common
Install MySQL
https://help.ubuntu.com/14.04/serverguide/mysql.html
Install PHP
https://help.ubuntu.com/14.04/serverguide/php5.html
Set Up The Mail Server
The most complicated part of configuring a server is getting the mail server right. I found this great step-by-step guide.
https://www.exratione.com/2014/05/a-mailserver-on-ubuntu-1404-postfix-dovecot-mysql/
Set Up Local DNS
If you’re going to be running a mail server, the chances are that you will make use of a DNSBL or RBL in an effort to stop email spam. The guide above uses Spamhaus, which offers a free service for non-commercial, low-volume (fewer than 100,000 SMTP connections per day) organisations. Unless you set up a local DNS, your hosting provider’s DNS will almost always exceed those numbers and will be cut off.
I have a separate article that covers this in more depth: You Should Use Your Own DNS Server With Spamhaus.
Copy Email Over
Email can be basically SCPd over (preserving timestamps) from the old server if the directory structure is similar.
http://www.howtoforge.com/forums/showthread.php?t=65442
This script can convert Courier to Dovecot UIDs once email has been copied over:
http://wiki2.dovecot.org/Migration/Courier
That’s All, Folks!
That should be everything to get set up and serve your websites and handle email. It’s not perfect and there is room for tweaks and improvements, but I think it covers the basics of getting a general-purpose server up and running with minimal hassle.
I’d love to hear your thoughts so please leave a comment below.