This guide will help you set up the following:
- Zend Server CE (Apache/PHP)
- Postfix (for outgoing mail)
Some of these steps are taken from the Rackspace Cloud Server Knowledgebase.
Create a new server instance
Log in to http://manage.rackspacecloud.com and create a new server instance with Ubuntu 9.10. Any instance size will do. I'd recommend naming your server with your FQDN, as it saves a few changes later on.
Securing the server
The Rackspace Cloud Server comes with the root account enabled for SSH logins and no firewall configured, which is not a good state for a public server. So the first thing we will do is create a new administrator account that we will use to log in via SSH, and then we will set up iptables as our firewall.
Rackspace will email you the IP address and password of your new server instance.
Log in over SSH to your server instance. If you have a Mac just open a terminal window and enter something like the following:
If you use Windows, download PuTTY, enter the IP address in the host box and connect.
You should now be logged in to your new Cloud Server.
The first thing we are going to do is change the root password.
Change the password by using:
Since we don’t want to log in as root anymore, we need to create a new user.
We want the admin user to be able to become a superuser, so we need to add admin to the sudoers file. Always edit that file through visudo rather than directly: visudo checks the syntax before saving, and a syntax error in /etc/sudoers locks everyone out of sudo. Enter this:
Nano will open the file; add the following line at the bottom.
admin ALL=(ALL) ALL
Next we will edit the SSH daemon's configuration file, /etc/ssh/sshd_config. Moving SSH off port 22 keeps automated scanners' login attempts out of your logs, but it is obscurity rather than protection (a port scan finds the new port in seconds), so the changes that matter are disabling root logins and restricting which accounts may log in at all. Make the following changes; the port must match the SSH rule in the firewall below.
Port 54321
PermitRootLogin no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers admin
A caveat on UsePAM no: it is the setting this post originally used, but on Ubuntu it bypasses PAM's account and session handling for SSH logins (the /etc/nologin check, resource limits, the message of the day), so unless you have a specific reason to turn it off, leave it at the default of yes.
Before restarting, check the file for mistakes with sshd -t (it prints nothing when the configuration is valid). Then restart SSH with /etc/init.d/ssh restart. Your current session stays connected, but any new connection must use the new user name and the new port, so keep this session open until you have confirmed in a second window that admin can log in and use sudo.
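To avoid hand-editing that file on every server (and the classic mistake of adding a second Port line while a commented-out default keeps the first), here is an added shell example that is not part of the original post. It replaces or appends each directive in place, so running it twice gives the same file, and it deliberately leaves UsePAM at its default. It assumes GNU sed, awk and grep as shipped with Ubuntu; the /etc/ssh/sshd_config path, port 54321 and user admin are the post's own values.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config changes
# above idempotently, so re-running never duplicates a directive.
# Assumed: GNU sed/awk/grep as on Ubuntu; the file, port and user are the
# post's own values. UsePAM is deliberately left at its default.
set -e

# set_sshd_option FILE KEY VALUE: rewrite an existing "KEY ..." line (even a
# commented-out default such as "#PermitRootLogin yes"), else append one.
set_sshd_option() {
    file=$1 key=$2 value=$3
    pattern="^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$"
    if grep -Eq "$pattern" "$file"; then
        tmp=$(mktemp)
        sed -E "s|${pattern}|${key} ${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"      # keeps the original file's mode and owner
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE PORT USER: the settings from the post, minus UsePAM.
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" X11Forwarding no
    set_sshd_option "$1" UseDNS no
    set_sshd_option "$1" AllowUsers "$3"
}

# sshd_option FILE KEY: print the effective (uncommented) value of KEY.
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Usage on the server, validating with sshd -t before restarting the daemon:
#   harden_sshd_config /etc/ssh/sshd_config 54321 admin && /usr/sbin/sshd -t
```

Run it as root (or under sudo), then restart SSH only if sshd -t stays silent; the rewrite keeps the file's existing permissions because it overwrites the contents rather than replacing the file.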
This server will be a web host so very few ports will be opened.
- HTTP 80
- HTTPS 443
- HTTP 10081 (the Zend Server CE administration interface; it is worth restricting this rule to your own source address instead of opening it to everyone)
- SSH 54321
All other ports are dropped.
Create a file named iptables.test.rules in /etc and open it using nano.
Add the following lines to that file, changing the SSH port if you picked a different one. (The original version of this file spelled the state ESTABLISHED as ESTABLISH, which makes iptables-restore reject the whole table; it is corrected here.)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all loopback (lo) traffic and reject traffic to 127/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept new SSH connections on the port chosen above
-A INPUT -p tcp -m state --state NEW --dport 54321 -j ACCEPT
# Accept established and related connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept HTTP and HTTPS connections
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Zend Server CE administration interface (add -s your.ip.address to limit it to yourself)
-A INPUT -p tcp -m tcp --dport 10081 -j ACCEPT
# Accept ICMP echo requests (ping)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Reject everything else inbound: default deny unless explicitly allowed
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Now we are going to load the file to check for errors and to ensure the configuration is valid and our firewall works as expected.
iptables-restore < /etc/iptables.test.rules
You can view the active firewall rules by running this command.
If everything is satisfactory, save the rules into a new file which we will then configure to be automatically loaded upon boot.
iptables-save > /etc/iptables.up.rules
Now we need to add a line to /etc/network/interfaces so that our firewall rules are restored before the interface comes up at boot.
Add the following line after 'iface lo inet loopback':
pre-up iptables-restore < /etc/iptables.up.rules
Now before we do anything else, we need to test the configuration. We don’t want to inadvertently lock ourselves out of the server, so we will test the firewall by opening a new SSH connection in a new window. As long as we don’t close our currently active connection we can still make changes if our new SSH connection fails.
If you can successfully connect to the server with the new account on the new port with the firewall rules enabled, then you should reboot the server and verify that iptables loads your configuration file on boot.
You will be disconnected from both your SSH sessions.
Try reconnecting after 20 or 30 seconds, log in and then check your firewall configuration.
If the rules load successfully then we can move onto the next step.
Time Synchronization Setup
Run the time zone package configuration wizard and select your time zone.
sudo dpkg-reconfigure tzdata
Create a cron job script:
sudo nano /etc/cron.daily/ntpdate
Enter the following in the /etc/cron.daily/ntpdate file. Scripts in cron.daily run as root, so sudo is not needed, and the file needs a shebang line so that run-parts can execute it (install ntpdate with sudo apt-get install ntpdate if it is not already present):
#!/bin/sh
ntpdate ntp.ubuntu.com
Change permissions of the cron job script:
sudo chmod 755 /etc/cron.daily/ntpdate
Configure User Locales:
sudo locale-gen en_US.UTF-8
Configure the local time zone. The tzdata wizard above already does this, so the link below is only needed if you skipped the wizard; replace America/Toronto with your own zone:
sudo ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime
Outgoing Mail Server Setup
Install Postfix and the mail tools. When the installer asks for a configuration type, "Internet Site" is fine for a server that only sends mail; port 25 is not opened in the firewall above, so nothing outside can deliver to it or use it as a relay:
sudo apt-get install postfix mailx
Run the following command to install MySQL (needed later for phpMyAdmin). The installer prompts for a MySQL root password; set a real one rather than leaving it blank. The Ubuntu package binds the server to 127.0.0.1 only, so it is not reachable from outside the box:
sudo apt-get install mysql-server
Zend Server CE Setup
I prefer the manual installation method. Instructions can be found here on Zend’s site.
I use a portion of those instructions in my setup.
Define a new package repository by opening the following file: /etc/apt/sources.list and adding the line:
deb http://repos.zend.com/zend-server/deb server non-free
Now download the repository's GPG signing key and add it to apt. The key travels over plain HTTP, so anyone able to tamper with that connection could substitute both the key and the packages it later vouches for; compare the fingerprint shown by apt-key finger against one obtained from Zend by another route before trusting it:
wget http://repos.zend.com/deb/zend.key -O- | sudo apt-key add -
Update the package list:
sudo apt-get update
Install Zend Server with PHP 5.3. Note: Zend also provides Zend Server packages with PHP 5.2; see the Zend Server CE documentation for details.
sudo apt-get install zend-server-ce-php-5.3
I like to install phpMyAdmin, but it is optional. If you do, remember that it becomes reachable from the internet through the same web server, so restrict who can get to it (by source address or HTTP authentication); an exposed database console is a standing target:
sudo apt-get install phpmyadmin-zend-server
Thanks a ton! Great walkthrough on getting a reasonably secure web server running quickly.
Great walkthrough thank you very much. At the beginning you made the comment “I’d recommend naming your server with your FQDN as it saves a few changes later on.” What changes were you referring to in that statement if we don’t name the server the FQDN?
Thanks so much,
Rackspace automatically adds the name you specify to the /etc/hosts file and I think a few other places as well. If you use your FQDN right away then you don’t have to worry about changing it later.
Okay, I’ve already named our instance in a way that does not correspond to our FQDN. Any resources you can point us to that outlines the changes we should make (to the /etc/hosts file and any others)?
/etc/hostname -> should just contain the FQDN
/etc/hosts -> see the following:
127.0.0.1 localhost localhost.localdomain
<your public IP> <FQDN>
Those are the only places I noticed the FQDN.
I have installed Zend CE on my local machine, and when I try to access phpMyAdmin it asks for a username and password.
I checked the config.inc file for the credentials; the username there is root and the password is blank.
When I try those details it does not let me into phpMyAdmin.
I tried 1234 and every possible combination but had no success. Can you please help me out with this?
Do you have MySQL installed on your local machine? By default, if you installed MySQL and phpMyAdmin through the Zend installer, the username is root and the password is blank.
Great tutorial, thanks. A couple questions (perhaps I’m a bit of a noob)…
It's mainly around the adjustments to the SSH config file. First, I don't have a reference to 'z11forwarding'; is this a typo for the 'x11forwarding' that I see? I also cannot see 'useDNS' or 'allow users'.
Lastly, am I able to open any port I desire as a means of protection, or do you suggest 54321 for any particular reason aside from being memorable?
You are correct Z11Forwarding should be X11Forwarding. I have updated the post.
UseDNS and AllowUsers can be added to the config file. They are not there by default.
I just randomly picked 54321. Most any 5-digit port should be fine, as the goal is to discourage attackers by not using the standard SSH port. This of course does not prevent an attacker from simply scanning your IP for open ports.