Configuring Zend Server CE in Ubuntu 9.10 on a Rackspace Cloud Server


Overview

This guide will help you set up the following:

  • Zend Server CE (Apache/PHP)
  • Iptables
  • SSH
  • MySQL
  • Postfix (for outgoing mail)

Some of these steps are taken from the Rackspace Cloud Server Knowledgebase.

Create a new server instance

Log in to http://manage.rackspacecloud.com and create a new server instance with Ubuntu 9.10. Any instance size will do. I’d recommend naming your server with your FQDN, as it saves a few changes later on.

Securing the server

The Rackspace Cloud Server comes with the root account enabled and no firewall set up. This is not a good thing for a public server. So the first thing we will do is create a new administrator account, which we will use to log in via SSH, and then we will set up Iptables as our firewall.

Rackspace will email you the IP address and password of your new server instance.

Log in over SSH to your server instance. If you have a Mac, just open a Terminal window and enter something like the following:

ssh root@your_server_ip

If you use Windows, download PuTTY, enter the IP address in the host box and click Connect.

You should now be logged in to your new Cloud Server.

The first thing we are going to do is change the root password.

Change the password by using:

passwd

Since we don’t want to log in as root anymore, we need to create a new user.

adduser admin

We want the admin user to be able to become a super user, so we need to add admin to the sudoers file by running visudo:

visudo

Nano will open a file; add the following to the bottom of the file.

admin ALL=(ALL) ALL

Next we will make some changes to the SSH configuration file. Changing the port SSH listens on is also a good idea for security. We will also disable root logins and allow only admin to log in via SSH.

nano /etc/ssh/sshd_config

Port 54321
PermitRootLogin no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers admin

To make those changes take effect, restart SSH. You will not be disconnected, but if you do disconnect, you will need to reconnect using your new username and new port.

/etc/init.d/ssh restart
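A small POSIX shell helper, added here and not part of the original post, that applies the six sshd_config directives above idempotently (replacing any existing or commented-out copy of each directive) and checks the result before you restart SSH. The function names are mine and the sshd_config it edits is a constructed sample.

```shell
#!/bin/sh
# Apply the walkthrough's sshd_config changes idempotently and sanity-check the result
# before restarting sshd. Added example, not part of the original post.

# set_sshd_option FILE KEY VALUE: drop every active or commented-out KEY line, then
# append "KEY VALUE" (sshd honours the first match, so a leftover duplicate is a trap).
set_sshd_option() {
  tmp=$(mktemp)
  grep -v -i "^[[:space:]]*#*[[:space:]]*$2[[:space:]]" "$1" > "$tmp" || true
  printf '%s %s\n' "$2" "$3" >> "$tmp"
  cat "$tmp" > "$1" && rm -f "$tmp"
}

# harden_sshd FILE USER PORT: the six directives from the walkthrough
harden_sshd() {
  set_sshd_option "$1" Port "$3"
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" X11Forwarding no
  set_sshd_option "$1" UsePAM no
  set_sshd_option "$1" UseDNS no
  set_sshd_option "$1" AllowUsers "$2"
}

# check_sshd_config FILE USER PORT: returns 0 only if root login is off, exactly one
# Port line exists and it is PORT, and USER is allowed; otherwise prints why and returns 1.
check_sshd_config() {
  grep -q -i -E '^PermitRootLogin[[:space:]]+no$' "$1" ||
    { echo "root login still permitted"; return 1; }
  [ "$(grep -c -i '^Port[[:space:]]' "$1")" -eq 1 ] ||
    { echo "expected exactly one Port line"; return 1; }
  grep -q -i -E "^Port[[:space:]]+$3$" "$1" ||
    { echo "Port is not $3"; return 1; }
  grep -q -E "^AllowUsers[[:space:]]+(.*[[:space:]])?$2([[:space:]]|$)" "$1" ||
    { echo "$2 is not in AllowUsers"; return 1; }
  echo "config ok: run 'sshd -t' on the host, then restart sshd and reconnect from a second window"
}

# Constructed sample resembling a stock Ubuntu sshd_config (not a real file from the post)
SAMPLE_CFG=$(mktemp)
printf '# constructed sample\nPort 22\n#PermitRootLogin yes\nX11Forwarding yes\nUsePAM yes\n' > "$SAMPLE_CFG"
harden_sshd "$SAMPLE_CFG" admin 54321
check_sshd_config "$SAMPLE_CFG" admin 54321
cat "$SAMPLE_CFG"
```

On the real host, run it against a copy of /etc/ssh/sshd_config first and keep your current session open until a second connection on the new port succeeds.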

Firewall Configuration

This server will be a web host so very few ports will be opened.

  • HTTP 80
  • HTTPS 443
  • HTTP 10081 (Zend Server CE)
  • SSH 54321

All other ports are dropped.

Create a file named iptables.test.rules in /etc and open it using nano.

nano /etc/iptables.test.rules

Add the following lines to that file, changing the SSH port if you chose a different one.

*filter
:INPUT DROP [1:48]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [129:20352]

# Allow all loopback (lo) traffic and reject traffic to 127/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

# Accept new SSH connections on the port set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 54321 -j ACCEPT

# Accept established and related connections (the state name is ESTABLISHED, not ESTABLISH)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept HTTP, HTTPS and the Zend Server CE administration interface
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10081 -j ACCEPT

# Accept ICMP echo requests (ping)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Reject all other inbound traffic: default deny unless explicitly allowed
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Now we are going to load the file to check for errors and to ensure the configuration is valid and our firewall works as expected.

iptables-restore < /etc/iptables.test.rules

You can view the active firewall rules by running this command.

iptables -L

If everything is satisfactory, save the rules into a new file which we will then configure to be automatically loaded upon boot.

iptables-save > /etc/iptables.up.rules

Now we need to add a line to the network interfaces file so that our firewall rules are loaded when the interface comes up at boot.

nano /etc/network/interfaces

Add the following line after ‘iface lo inet loopback’:

pre-up iptables-restore < /etc/iptables.up.rules

Now before we do anything else, we need to test the configuration. We don’t want to inadvertently lock ourselves out of the server, so we will test the firewall by opening a new SSH connection in a new window. As long as we don’t close our currently active connection we can still make changes if our new SSH connection fails.

If you can successfully connect to the server with the new account on the new port with the firewall rules enabled, then you should reboot the server and verify that iptables loads your configuration file on boot.

sudo reboot

You will be disconnected from both of your SSH sessions. Try reconnecting after 20 or 30 seconds, log in and then check your firewall configuration.

iptables -L

If the rules load successfully then we can move onto the next step.
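An added checker, not from the original post, for use before iptables-restore loads a rules file: it confirms the table header, the DROP default policy and the COMMIT, flags conntrack state names iptables does not recognise (a truncated ESTABLISHED is a common slip that makes iptables-restore reject the whole file) and lists exactly which TCP ports the file opens. The function names are mine and the sample rules file is constructed.

```shell
#!/bin/sh
# Sanity checks for an iptables-save style rules file before it is loaded with
# iptables-restore. Added example, not part of the original post.

# list_open_tcp_ports FILE: TCP destination ports that INPUT rules ACCEPT, ascending
list_open_tcp_ports() {
  awk '/^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
         for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }' "$1" |
    sort -n | tr '\n' ' ' | sed 's/ $//'
}

# bad_state_names FILE: conntrack state names iptables does not know (e.g. ESTABLISH)
bad_state_names() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "--state") {
           n = split($(i + 1), s, ",")
           for (j = 1; j <= n; j++)
             if (s[j] !~ /^(NEW|RELATED|ESTABLISHED|INVALID|UNTRACKED)$/) print s[j] } }' "$1"
}

# check_rules FILE "PORTS": 0 if the file has a filter table header and COMMIT, defaults
# to DROP, uses only known state names and opens exactly the listed TCP ports; else 1
check_rules() {
  grep -q -E '^\*[[:space:]]*filter$' "$1" || { echo "missing *filter table header"; return 1; }
  grep -q '^:INPUT DROP' "$1" || { echo "INPUT policy is not DROP"; return 1; }
  grep -q '^COMMIT$' "$1"     || { echo "missing COMMIT"; return 1; }
  bad=$(bad_state_names "$1")
  [ -z "$bad" ] || { echo "unknown state name(s): $bad"; return 1; }
  got=$(list_open_tcp_ports "$1")
  [ "$got" = "$2" ] || { echo "open TCP ports '$got' differ from wanted '$2'"; return 1; }
  echo "ok: TCP ports $got open, everything else dropped"
}

# Constructed sample in the walkthrough's layout with one easy slip: a truncated
# state name, which makes iptables-restore reject the whole file.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 54321 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISH -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10081 -j ACCEPT
COMMIT
EOF
check_rules "$SAMPLE_RULES" "80 443 10081 54321" || echo "fix the file before running iptables-restore"
```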

Time Synchronization Setup

Run the timezone package configuration wizard and select your time zone.

sudo dpkg-reconfigure tzdata

Create a cron job script:

sudo nano /etc/cron.daily/ntpdate

Enter the following in the /etc/cron.daily/ntpdate file:

#!/bin/sh
# Scripts in /etc/cron.daily run as root, so no sudo is needed here
ntpdate ntp.ubuntu.com

Change permissions of the cron job script:

sudo chmod 755 /etc/cron.daily/ntpdate

Configure User Locales:

sudo locale-gen en_US.UTF-8

Configure local time zone:

sudo ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime

Outgoing Mail Server Setup

Install postfix and mail tools:

sudo apt-get install postfix mailx

MySQL Installation

Run the following command to install MySQL:

sudo apt-get install mysql-server

Zend Server CE Setup

I prefer the manual installation method. Instructions can be found on Zend’s site; I use a portion of those instructions in my setup.

Define a new package repository by opening /etc/apt/sources.list and adding this line:

deb http://repos.zend.com/zend-server/deb server non-free

Now download the repository’s GPG key and add it to apt’s keyring:

wget http://repos.zend.com/deb/zend.key -O- | sudo apt-key add -

Update the package list:

sudo apt-get update

Install Zend Server with PHP 5.3. Note: Zend also provides Zend Server packages with PHP 5.2; see the Zend Server CE documentation for more information.

sudo apt-get install zend-server-ce-php-5.3

I like to install phpMyAdmin, but it is optional:

sudo apt-get install phpmyadmin-zend-server

9 comments

  1. Great walkthrough, thank you very much. At the beginning you made the comment “I’d recommend naming your server with your FQDN as it saves a few changes later on.” What changes were you referring to in that statement if we don’t name the server the FQDN?

    Thanks so much,

  2. Rackspace automatically adds the name you specify to the /etc/hosts file and I think a few other places as well. If you use your FQDN right away then you don’t have to worry about changing it later.

  3. Okay, I’ve already named our instance in a way that does not correspond to our FQDN. Any resources you can point us to that outline the changes we should make (to the /etc/hosts file and any others)?

    Thanks again,

  4. /etc/hostname -> should just contain the fqdn
    /etc/hosts -> see the following:

    127.0.0.1 localhost localhost.localdomain
    your public ip fqdn

    Those are the only places I noticed the fqdn.

  5. I have installed Zend CE on my local machine and when I am trying to access phpMyAdmin it is asking for a username and password.

    I checked the file config.inc for the credentials and the username is root while the password is blank there.
    When I try these details it is not allowing me to enter phpMyAdmin.

    I tried 1234 and every possible combination but no success. Can you please help me out with this?

    noddy

  6. Do you have MySQL installed on your local machine? By default, if you installed MySQL and phpMyAdmin through the Zend Installer, the password is blank and the username is root.

  7. Great tutorial, thanks. A couple of questions (perhaps I’m a bit of a noob)…

    It’s mainly around the adjustments to the SSH config file. First, I don’t have a reference to ‘z11forwarding’; is this a typo for the ‘x11forwarding’ that I see? I also cannot see ‘useDNS’ or ‘allow users’.

    Lastly, am I able to open any port I desire as a means of protection, or do you suggest 54321 for any particular reason aside from being memorable?

  8. You are correct, Z11Forwarding should be X11Forwarding. I have updated the post.

    UseDNS and AllowUsers can be added to the config file. They are not there by default.

    I just randomly picked 54321. Almost any 5-digit port should be fine, as the goal is to discourage attackers by not using the standard SSH port. This of course does not prevent an attacker from simply scanning your IP for open ports.
