Ubuntu: Setting Up a WordPress Website with LEMP – Part 1

KB ID 0001318 

Problem

At the time of writing this site is running on CentOS7 LAMP (Linux, Apache, MySQL and PHP). Well, I’m actually using MariaDB rather than MySQL, as it’s ‘supposed’ to be a little faster, but they are similar enough to be treated as the same thing. I’m planning to migrate to Ubuntu 17 LEMP (Linux, ‘EnginX’, MySQL and PHP), again with MariaDB. As the site is getting more traffic I want to utilise the better performance of nginx (I know I called it EnginX above, but ‘LNMP stack’ doesn’t sound so good, and nginx is pronounced ‘engine x’).

So the following series of articles will be how to install nginx, MariaDB, PHP and WordPress.

Solution

Installing Linux

You have essentially two choices: do what most people do and go to a hosting company and rent a VPS (virtual private server) for a monthly fee. When you set it up you select which flavour of Linux you require, press go, and by the time you have had a coffee they will have emailed you the IP and logon details, with Linux already installed for you. You can of course install Linux on your own server and, as long as you can make it publicly available, use that.

The main difference is that if your hosting company builds it for you, the root user will be enabled and you will connect as root with the root password. If you build your own server you will connect with a normal user account and root will be disabled. If you know nothing about Linux, that means to execute any system level command you need to prefix it with ‘sudo’ (or type su and enter the root password). If you are logged in as root, using sudo makes no difference, so I will prefix all the commands below with sudo to make things easier; just remember the first time you use sudo it will ask for your password again.

Why Ubuntu? Well, I use CentOS presently, but while doing research there was little information on getting nginx and PHP7 running on CentOS, whereas there was for Ubuntu. That’s the only reason I’m switching OS.

Update The Server

It might have been built from an image, but that does not mean the image was up to date. Thankfully that’s simple to fix: run the following command to see whether there are any updates.

[box]sudo apt update[/box]

In my example there are two updates; I can install them with the following command (you may be asked to answer ‘y’ for yes);

[box]sudo apt upgrade[/box]

Change the Linux SSH Port

Note: If you built the server, you may need to install openssh server.

[box]sudo apt-get install openssh-server[/box]

I’ve had servers compromised in the past so let’s start with some basic security, I always change the default SSH port, in this example I’ll use 2223 (instead of the default SSH port of 22).

Edit the SSH config file;

[box]sudo nano /etc/ssh/sshd_config[/box]

Uncomment and change the Port number to something other than 22, (make it above 1024 to be on the safe side, I’m using 2223).

Note: If you built your own server, and you are allowing root access to SSH you may want to see the following article;

Ubuntu: Allow SSH access for ‘root’ user

Don’t forget to restart the service;

[box]sudo service ssh restart[/box]

Protect Your Web Server With a Firewall

Traditionally Linux uses iptables (or FirewallD on CentOS). I like iptables because, like all things Linux, I worked out how to set it up and wrote it down. Ubuntu has a ‘front-end’ to iptables that’s still command driven, called UFW (uncomplicated firewall), which I didn’t want to learn about because I use iptables! But in all honesty UFW is so simple it’s painfully easy.

I want to allow TCP 80 (http), TCP 443 (https), and TCP 2223 (for my SSH server). And that’s it, block everything else incoming, allow the server to speak out, and secure the server.

Run the following commands;

[box]

sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 2223/tcp

[/box]

Then enable the firewall, and set it so that it starts when the server reboots, you can also check its status for peace of mind;

[box]

sudo ufw enable
sudo ufw status

[/box]

Install and Configure MariaDB

Like most things Linux, installing MariaDB is simple, run the following command;

[box]sudo apt install mariadb-server mariadb-client[/box]

Then make sure it’s up and running;

[box]systemctl status mysql[/box]

Note: If it looks like it’s frozen, press Ctrl+C to get the cursor back

Set MariaDB to start when the server restarts;

[box]systemctl enable mariadb[/box]

Secure MariaDB: At the moment MariaDB will have a blank root password, (it has its own root user). So to secure it you simply run;

[box]sudo mysql_secure_installation[/box]

Note: It immediately asks for the current root password (it will be blank, so just hit {Enter}). Answer ‘Y’ to set a root password and set a fresh one (you will need it in a minute, so remember what it is!). Then accept all the defaults by just pressing {Enter}.

Create Your WordPress Database

WordPress needs a database, to get WordPress talking to MariaDB (or MySQL) you need three things;

  • A database name.
  • A username to access the database.
  • A password for that user.

So in the following example I will use;

  • Database Name: PETESDATABASE
  • Username: petesuser
  • Password: P@ssword12345

Execute the following commands one by one;

[box]

sudo mysql -u root -p
{Enter the root password you just set for MariaDB}
CREATE DATABASE PETESDATABASE;
CREATE USER 'petesuser'@'localhost' IDENTIFIED BY 'P@ssword12345';
GRANT ALL ON PETESDATABASE.* TO 'petesuser'@'localhost' IDENTIFIED BY 'P@ssword12345';
FLUSH PRIVILEGES;
exit

[/box]


In Part Two, we will install nginx and PHP.

Related Articles, References, Credits, or External Links

NA

Linux (CentOS) Securing and Hardening SSH / Shell Access

KB ID 0000881 

Problem

The following is by no means an extensive list of everything that can be done. It’s just a run though of what I would consider ‘good practice’.

Solution

Create a user for SSH and Remove Shell access for the ‘root’ user.

1. Connect to the server via SSH or open a terminal session and su to root. Create a new user, then set and confirm the new user’s password.

[box] useradd {username}
passwd {username} [/box]

2. Test access for your new user.

3. To make changes to shell access, you need to edit the sshd_config file, to do that I’m using the nano editor.

Note: If you do not have nano installed, run ‘yum install nano’.

[box] nano /etc/ssh/sshd_config[/box]

4. Locate PermitRootLogin and change it to no.

5. Locate the PermitRootLogin without-password line and comment it out (prefix it with a hash #, or pound if you’re American).

[box] # PermitRootLogin without-password[/box]

Limit SSH / Shell access to particular User(s)

6. Add the following line to allow only the user you created above.

[box] AllowUsers {username}[/box]

Note: If you had multiple users, you can add them separated by a space.

Disable SSH Version 1 and Force SSH Version2

7. Ensure Protocol 2 is NOT hashed out and activation of protocol 1 IS hashed out.

Change the SSH / shell Port Number

8. SSH by default runs over TCP port 22. This is a well known port to advertise to the outside world, so to change it (in this case to 2200), change the existing Port 22 line;

[box] Port 2200[/box]

Note: There is no hard and fast rule on what port to use, but for production I would suggest a random number above 1024 but below 65535.

9. At this point close nano and save the changes, (press CTRL+W and Y to save the changes).

10. The changes will not take effect until after you have restarted the SSH service/daemon.

[box] service sshd restart[/box]

11. At this point you can check that the root user no longer has SSH / Shell access.

12. But your SSH user has.
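The hardening steps above, together with the UFW rules from the Ubuntu article’s firewall section, can be checked with a small script before you restart sshd or enable the firewall. This is an added example, not part of either original article; it audits a sshd_config against the settings described (Port above 1024, PermitRootLogin no, AllowUsers present, Protocol 2) and confirms the chosen port is in the UFW allow list, since enabling a default-deny firewall without that rule locks you out of a remote server. The two inputs are constructed samples; on a real host use /etc/ssh/sshd_config and the output of ‘sudo ufw status’.

```shell
#!/bin/sh
# Added example, not from the original article: audit sshd_config against the
# hardening steps above and confirm the SSH port is allowed by UFW before the
# firewall is enabled. Both inputs are constructed samples; on a real host use
# /etc/ssh/sshd_config and the output of 'sudo ufw status'.

SSHD_CONFIG_SAMPLE='Port 2223
#Protocol 1
Protocol 2
PermitRootLogin no
#PermitRootLogin without-password
AllowUsers petesuser
'
UFW_STATUS_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
2223/tcp                   ALLOW       Anywhere
'

# Effective (uncommented) value of an sshd_config keyword; last match wins.
sshd_value() {  # $1 = keyword, stdin = config text
    awk -v key="$1" '$1 == key { v = $2 } END { print v }'
}

# audit_ssh CONFIG_TEXT UFW_TEXT: prints one line per failed check; returns 0
# only when every check passes.
audit_ssh() {
    cfg="$1"; ufw="$2"; rc=0
    port=$(printf '%s\n' "$cfg" | sshd_value Port)
    port=${port:-22}                      # sshd defaults to 22 when unset
    if [ "$port" -le 1024 ] || [ "$port" -ge 65535 ]; then
        echo "FAIL: Port $port (pick one above 1024 and below 65535)"; rc=1
    fi
    [ "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(printf '%s\n' "$cfg" | sshd_value AllowUsers)" ] \
        || { echo "FAIL: no AllowUsers line, so every account may log in"; rc=1; }
    [ "$(printf '%s\n' "$cfg" | sshd_value Protocol)" = "2" ] \
        || { echo "FAIL: Protocol is not 2"; rc=1; }
    # Lock-out check: the SSH port must appear as a TCP ALLOW rule in ufw.
    printf '%s\n' "$ufw" | grep -Eq "^$port/tcp[[:space:]]+ALLOW" \
        || { echo "FAIL: ufw does not allow $port/tcp; enabling it would lock you out"; rc=1; }
    return $rc
}

audit_ssh "$SSHD_CONFIG_SAMPLE" "$UFW_STATUS_SAMPLE" && echo "PASS: sshd_config and UFW agree"
```

Run it from the console (not over the SSH session you are about to reconfigure) and only restart sshd and enable ufw once it prints PASS.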


Related Articles, References, Credits, or External Links

NA