openUptown changes to Ubuntu 16.04.02

Building Ubuntu servers on DigitalOcean

openUptown’s development and production servers have been moved from CentOS 6.x to Ubuntu 16.04.02 LTS. I have also converted one of my Windows 10 desktops to Ubuntu GNOME 16.04.02. I will cover the desktop and the LAMP portion of the server configuration in another post.

openUptown servers are virtual machines hosted on DigitalOcean in Toronto. Toronto because it’s closest to Chicago and the USA is getting crazier every day. You’ll notice droplets are billed by the hour, which is very useful for short-lived test machines.

If you would like to test this out, here’s a signup link that will give you $10 free credit. Note you do have to enter a valid credit card to activate, but you can cancel before the $10 runs out.
https://m.do.co/c/0f84cad763bc

Installing Ubuntu is a very pain-free process. Pick the details of the droplet you want. There are two points I will make before you click on ‘Create’.

  • It is very easy to scale a droplet up and not as easy to scale it down. Once the droplet exists you can resize CPU and RAM up and back down as long as you leave the disk size alone. A disk resize is permanent: if you scale the disk up you cannot scale it back down and are stuck at that level.
  • The hostname should be a fully qualified domain name (FQDN) if you would like to address the server by name rather than IP address. This can be changed later too.

With these decisions made, click on ‘Create’. Once the droplet is created, select the ‘More’ dropdown on the right side of the droplet list, then ‘Access console’. Log in as root with the password emailed to you and change the password when prompted.

To update the installed packages to the newest versions available for your release, type at a root prompt:
# apt update
# apt -y upgrade

Set the timezone:
# timedatectl set-timezone America/Chicago

Add yourself as a new user, and give that account sudo rights (add it to the sudo group) before going any further: once root logins are disabled below, this account is the only way to administer the server over SSH.
# adduser yourlogin

Disable root logins over SSH by setting PermitRootLogin to no in sshd_config, then restart the daemon:
# vi /etc/ssh/sshd_config

# service ssh restart

When I install new operating systems, the first thing I am concerned with is access. No access or limited access for others, and full for me. There is a lot one can do here, but I am just going to cover the basics.

Enable the firewall with SSH allowed and check its status

# ufw app list
# ufw allow OpenSSH ## allows SSH from anywhere; use the next line instead if you connect from a fixed address
# ufw allow proto tcp from 192.168.1.50 to any port 22 ## substitute your own IP address
# ufw enable
# ufw status numbered

Pick one of the two allow rules. If both are present, the OpenSSH rule lets anyone reach port 22 and the address restriction does nothing.
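The access steps above (a sudo-capable user, root SSH logins disabled, the firewall limited to your own address) as one script. This is an added example, not code from the original post. It assumes Ubuntu 16.04 (systemd unit ssh, ufw preinstalled); LOGIN, ADMIN_IP and SSHD_CONFIG are placeholders taken from the post and can be overridden in the environment. The sshd_config edit is idempotent and is validated with sshd -t before the daemon is restarted, so a typo cannot lock you out. Run it as root with the argument apply; without an argument it only defines its functions.

```sh
#!/bin/sh
# Added example (not from the original post): the Ubuntu 16.04 access steps as
# one idempotent script. LOGIN and ADMIN_IP are assumed placeholders; override
# them in the environment:  LOGIN=alice ADMIN_IP=203.0.113.7 sh harden.sh apply
LOGIN=${LOGIN:-yourlogin}
ADMIN_IP=${ADMIN_IP:-192.168.1.50}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# Set KEY to VALUE in an sshd_config-style file. Existing copies of the
# directive, active or commented out, are replaced by a single line, so a
# second run does not stack duplicates; if the key is absent it is appended.
# sshd honours the first active occurrence, so the new line takes the place of
# the first match. If the file has Match blocks, check that an appended line
# did not land inside one.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # ignore indentation and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                # drop commented-out and duplicate copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"      # cat keeps the original mode and owner
    rm -f "$tmp"
}

# Effective value of KEY: the first active (uncommented) directive wins.
active_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

apply() {
    # A sudo-capable user must exist before root logins go away; otherwise the
    # web console password becomes the only way to administer the machine.
    id "$LOGIN" >/dev/null 2>&1 || adduser "$LOGIN"
    usermod -aG sudo "$LOGIN"

    set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
    # Parse-check the file before restarting: a broken config is otherwise only
    # discovered on restart, when no new session can be opened.
    if ! /usr/sbin/sshd -t -f "$SSHD_CONFIG"; then
        echo "sshd_config failed validation; not restarting" >&2
        return 1
    fi
    systemctl restart ssh

    # Default-deny inbound, SSH only from the admin address. Do not also add the
    # blanket "ufw allow OpenSSH" rule, or the address restriction is moot.
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow proto tcp from "$ADMIN_IP" to any port 22
    ufw --force enable          # --force skips the "may disrupt SSH" prompt
    ufw status numbered
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

adduser prompts interactively for the password and details, as in the post. Keep the DigitalOcean console session open and confirm that a fresh SSH session as the new user works (including sudo) before you log out of root.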

Install the FTP Server

Plain FTP sends passwords and file contents in the clear. Since OpenSSH is already running, SFTP on port 22 gives you file transfer with no extra service and no extra firewall rule. If you do want vsftpd, enable TLS (ssl_enable=YES) in /etc/vsftpd.conf, and remember that allowing port 21 only covers the control channel: passive-mode transfers also need the pasv_min_port/pasv_max_port range allowed through ufw.

# apt install vsftpd
# vi /etc/vsftpd.conf

# ufw allow 21 ## allows FTP from anywhere; use the next line instead if you connect from a fixed address
# ufw allow proto tcp from 192.168.1.50 to any port 21 ## substitute your own IP address

# systemctl restart vsftpd

Note that there is much more that can be done to harden the firewall and SSH configuration. The above is basic, but highly effective.

OK, stay tuned for the next installment installing Apache, MySQL and PHP.

Thanks!
-Yehuda

CentOS 6.x on VMware Player: Part 7

Note these documents are subject to update, this one was last edited 05/28/2014


Part 7: Setting SELinux to enforcing

  • SELinux was originally written by the National Security Agency and is mostly used to confine daemons. The stock policy has come a long way, and with the following additions this basic implementation is an important part of a multi-pronged security approach.
  • # ls -Z / shows, in addition to the standard permissions, owner and group, the SELinux context of each file in the form user:role:type:level before the file name.

  • # setenforce permissive (or setenforce 0) puts SELinux in permissive mode while you fix labels: denials are logged but not blocked, so a mislabelled web root shows up in the audit log instead of as a broken site.
  • # yum provides /usr/sbin/semanage tells you which package ships semanage (policycoreutils-python on CentOS 6).
  • # yum install -y policycoreutils-python
  • # yum install -y setroubleshoot for sealert, which turns raw AVC denials into readable explanations and suggested fixes.
  • This script with proper edits will get your web server’s SELinux in basic order:

  • Edit to your configuration, put script in /usr/local/bin with the appropriate permissions and execute.
  • # vi /etc/sysconfig/selinux
  • Edit SELINUX=permissive to SELINUX=enforcing. Save and quit vi.
  • # setenforce 1, then # getenforce to confirm it reports Enforcing.
  • Additional SELinux booleans and the associated file contexts can be a significant part of a thorough security plan. I do expect to update this substantially over time, so be sure and check back.
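The post’s own web-server script is not reproduced here; the following is an added example of what such a script does, written for this series and not taken from the original post. It assumes the web root /www/yourdomain.com from Part 5 and WordPress’s usual writable directories under wp-content; semanage, restorecon and setsebool are the standard CentOS 6 tools installed above. Run it with plan to print the commands or apply (as root) to execute them.

```sh
#!/bin/sh
# Added example, not the post's own script: give a WordPress web root the
# labels httpd expects, turn on only the booleans the site uses, then switch
# to enforcing. Assumes the site lives in /www/yourdomain.com (Part 5).
# Usage: sh selinux-web.sh plan    (print the commands)
#        sh selinux-web.sh apply   (run them, as root)
WEBROOT=${WEBROOT:-/www/yourdomain.com}
# httpd_can_sendmail covers password-reset and notification mail. Add
# httpd_can_network_connect_db only if wp-config.php points DB_HOST at a TCP
# address instead of the local MySQL socket; an unused boolean is unneeded privilege.
BOOLEANS=${BOOLEANS:-httpd_can_sendmail}
DRY_RUN=${DRY_RUN:-0}

# Print the command in plan mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# semanage fcontext -a fails if the rule already exists; fall back to -m so
# re-running the script is harmless.
fcontext() {
    run semanage fcontext -a -t "$1" "$2" || run semanage fcontext -m -t "$1" "$2"
}

# Persistent file-context rules survive a relabel, which a plain chcon does
# not. Everything under the root is read-only content; only the directories
# WordPress must write get the rw type. When several rules match a path the
# last matching rule wins, so the specific rules come after the general one.
# restorecon then applies the rules to the files that already exist.
label_webroot() {
    root=$1
    fcontext httpd_sys_content_t "${root}(/.*)?"
    for d in wp-content/uploads wp-content/upgrade wp-content/cache; do
        fcontext httpd_sys_rw_content_t "${root}/${d}(/.*)?"
    done
    run restorecon -Rv "$root"
}

set_booleans() {
    for b in $BOOLEANS; do
        run setsebool -P "$b" on        # -P persists the change across reboots
    done
}

# Persistent setting first, then the running kernel, then confirm.
enforce() {
    run sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
    run setenforce 1
    run getenforce
}

case ${1:-} in
    plan)  DRY_RUN=1; label_webroot "$WEBROOT"; set_booleans; enforce ;;
    apply) label_webroot "$WEBROOT"; set_booleans; enforce ;;
esac
```

Stay in permissive mode for the first pass: run the script, exercise the site (upload a file, install a plugin), read any remaining denials with sealert, and only then let enforce switch the mode. Check the result with ls -Z on the web root; uploads should show httpd_sys_rw_content_t and everything else httpd_sys_content_t.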

If you have any questions or suggestions don’t hesitate to reach out to me!

CentOS 6.x on VMware Player: Part 6

Note these documents are subject to update, this one was last edited 05/28/2014

Part 6: Installing WordPress

  • Note that many things in this WordPress installation are dependent on configurations in previous parts of this series.
  • Firefox your way to wordpress.org and download the .zip version of WordPress.
  • Choose Save File then OK.
  • # cp /home/you/Downloads/wordpress-3.9.zip /www/yourdomain.com
  • # cd /www/yourdomain.com
  • # unzip ./w* && cd wordpress && mv * .. && cd .. && rm -fr wordpress (chained with && so that if unzip or cd fails the chain stops, instead of mv * .. running against the wrong directory)
  • # cp -a wp-config-sample.php wp-config.php
  • # chown -R apache /www/yourdomain.com Note that making the whole tree writable by the web server is what lets WordPress update itself, but it also lets a compromised plugin rewrite any PHP file on the site; a tighter layout keeps the files owned by your own account and gives apache write access to wp-content only.
  • # mysql -uroot -p (enter the password at the prompt rather than on the command line, where it would land in your shell history and be visible to every user in the process list)
  • mysql> create database databasename;
  • mysql> use databasename;
  • mysql> grant all on databasename.* to 'wp_service'@'localhost' identified by 'password';
  • Grant on databasename.* only: a grant on *.* would hand the WordPress account every database on the server.
  • mysql> flush privileges;
  • mysql> exit
  • # vi wp-config.php
  • These lines need to be edited with the database, service user and password created above; do not use root.

  • Save and exit the file.
  • Browse to your site address and you should now see the WordPress installation screen.

  • VERY IMPORTANT: Fill out the obvious and for Username do NOT use admin, administrator, root, your name, name of the site or domain name. I highly recommend you use something cryptic and impossible to guess for the Username.
  • Think of the WordPress Username as the 1st password the hacker bots have to guess. Towards the end of this post we will fix up the publicly displayed name associated with your Username.
  • Go ahead and Install; in a second or two you should see Success! Then log in.

  • On to configuring MultiSite, Dashboard > Settings > PermaLinks
  • Choose Day and name. Select Save Changes.
  • Be sure all plugins are deactivated.
  • # vi wp-config.php — above the line /* That’s all, stop editing! Happy blogging. */ insert:

  • Refresh your browser to continue.
  • Dashboard > Tools > Network Setup – choose sub-domains and Select Install.
  • Add the following to your wp-config.php file above the line reading /* That’s all, stop editing! Happy blogging. */

  • Add the following to your .htaccess file in /www/yourdomain.com/, replacing other WordPress rules:

  • After completing these steps, log in again using the link provided. You might have to clear your browser’s cache and cookies in order to log in.
  • Here are the plugins I’ll recommend for security and functionality:
  • Dashboard > Plugins > Add New > WordPress MU Domain Mapping > Install Now > Network Activate.
    • Priority install and essential plugin for managing multiple domains.
    • # cp -a /www/yourdomain.com/wp-content/plugins/wordpress-mu-domain-mapping/sunrise.php /www/yourdomain.com/wp-content
    • Dashboard > Settings > Domain Mapping > Put in your Server IP Address and check Permanent redirect then Save.
    • Dashboard > Settings > Domains – you can add additional domains here, do not add your base domain.
  • Dashboard > Plugins > Add New > WangGuard > Install Now > Network Activate.
    • Priority install and a great essential plugin. It will save you from tons of annoying bot logins. Not only is WangGuard my #1 favorite plugin but my #1 favorite plugin developer. José at WangGuard gives amazingly personally attentive support.
    • Get (free) or enter an existing WangGuard API key good for all sites at Dashboard > WangGuard > Configuration.
  • Dashboard > Plugins > Add New > Login Security Solution > Install Now > Network Activate.
    • Priority install and essential plugin.
    • Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
  • Dashboard > Plugins > Akismet > Network Activate.
    • Priority install and essential plugin.
    • Every individual site will have to get (free) or enter an existing API key at Site Dashboard > Settings > Akismet.
    • This plugin will protect you from spam comments etc.
  • I’m sure you’re anxious to add content to WordPress however I highly recommend you install and configure the above priority installs first. The plugins below may or may not be applicable to your site plans.
  • Dashboard > Plugins > Add New > Multisite User Management > Install Now > Network Activate.
    • Essential for Multisite.
  • Dashboard > Plugins > Add New > Simple Access Control > Install Now > Network Activate.
    • This will allow you to set whether users must be logged in or not to view individual pages. The settings are in page edit mode.
  • Dashboard > Plugins > Add New > WordPress Importer > Install Now > Network Activate.
    • This will allow you to import site content from various platforms including WordPress.
  • Dashboard > Plugins > Add New > WP Crontrol > Install Now > Network Activate.
    • Gives you some control and visibility into the cron job scheduling process on WordPress. Ultimately WordPress cron is worthy of being ditched for a Linux cron especially on busy sites.
  • Dashboard > Plugins > Add New > bbPress > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > GD bbPress Attachments > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > GD bbPress Tools > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > Contact Form 7 > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > Page Links To > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > Twitter Profile Field > Install Now > Network Activate.
  • Now to close a well-known information leak in WordPress: the author archive URL exposes the login name. For any user with any kind of admin privileges, edit the user’s Nickname and ‘Display name publicly as’ to something completely unrelated to the Username.
  • Then, at a MySQL prompt or in MySQL Workbench, run an UPDATE like the following for every user with admin privileges:

  • VERY IMPORTANT: the ‘shadowshift’ value in the update above should be exactly the same as your profile Nickname and ‘Display name publicly as’. I stress that all three of these name versions should be nothing like your Username.
  • Otherwise anyone can read the real Username used to log in and has half the equation for hacking the admin account, even if brute-forcing a good password is mathematically unlikely.
  • Example: http://shadowshift.com/author/shadowshift Trust me, bots will scrape this URL from Google to harvest your Username.
  • The net effect is that, day and night, hackers and bots try to guess the password of an account that does not exist, in this case shadowshift: a great URL and a lousy Username.
  • OK Installing WordPress is done for now but I do expect to update this substantially over time so be sure and check back.
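The two database tasks in this part, creating the WordPress database with a service account confined to it, and fixing admin accounts whose public author slug still equals the login, as one script. This is an added example written for this series, not code from the original post or from WordPress. The database name wpdb, user wp_service and table prefix wp_ are assumed placeholders; the mysql client is expected to read its credentials from ~/.my.cnf (mode 600) so the root password never appears on a command line. The audit query uses the real WordPress tables and columns (wp_users.user_nicename, wp_users.display_name, wp_usermeta meta_key wp_capabilities).

```sh
#!/bin/sh
# Added example, not from the original post: least-privilege database setup
# for WordPress plus an audit and fix for administrator accounts whose public
# author slug reveals the login name. Assumed names: database wpdb, service
# user wp_service, table prefix wp_. The mysql client reads its credentials
# from ~/.my.cnf (mode 600) instead of the command line.
DB=${DB:-wpdb}
DB_USER=${DB_USER:-wp_service}
PREFIX=${PREFIX:-wp_}

# Whitelist anything spliced into SQL so a stray argument cannot break out of
# the statement. Identifiers: letters, digits, underscore. Logins: the
# characters WordPress allows by default. Slugs: user_nicename is a URL slug.
is_ident() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_]+$'; }
is_login() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9 _.@-]+$'; }
is_slug()  { printf '%s' "$1" | grep -Eq '^[a-z0-9-]+$'; }

# Database plus a service account that can touch that one database only; a
# GRANT ALL ON *.* would hand the WordPress account every database on the
# server. (IDENTIFIED BY inside GRANT is MySQL 5.x syntax, as on CentOS 6.)
db_setup_sql() {
    db=$1; user=$2; pass=$3
    is_ident "$db" && is_ident "$user" || return 1
    case $pass in *\'*|*\\*|'') return 1 ;; esac    # keep the quoting trivial
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$db"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$db" "$user" "$pass"
    printf "FLUSH PRIVILEGES;\n"
}

# Administrators whose author slug or display name equals the login, i.e.
# whose /author/<slug>/ URL hands a bot the user name it needs to guess.
leak_audit_sql() {
    prefix=$1
    is_ident "$prefix" || return 1
    printf "SELECT u.ID, u.user_login, u.user_nicename, u.display_name FROM %susers u JOIN %susermeta m ON m.user_id = u.ID WHERE m.meta_key = '%scapabilities' AND m.meta_value LIKE '%%administrator%%' AND (u.user_nicename = u.user_login OR u.display_name = u.user_login);\n" "$prefix" "$prefix" "$prefix"
}

# Give one account a public slug and display name unrelated to its login.
rename_slug_sql() {
    prefix=$1; login=$2; slug=$3
    is_ident "$prefix" && is_login "$login" && is_slug "$slug" || return 1
    printf "UPDATE %susers SET user_nicename = '%s', display_name = '%s' WHERE user_login = '%s';\n" "$prefix" "$slug" "$slug" "$login"
}

run_sql() { mysql --batch "$@"; }   # credentials come from ~/.my.cnf, not argv

case ${1:-} in
    setup)
        pass=$(openssl rand -base64 24 | tr -d '/+=')
        db_setup_sql "$DB" "$DB_USER" "$pass" | run_sql
        echo "DB_NAME=$DB DB_USER=$DB_USER DB_PASSWORD=$pass (copy into wp-config.php)" ;;
    audit)
        leak_audit_sql "$PREFIX" | run_sql ;;
    fix)    # usage: fix <login> <new-slug>
        sql=$(rename_slug_sql "$PREFIX" "$2" "$3") || { echo "bad login or slug" >&2; exit 1; }
        printf '%s\n' "$sql" | run_sql ;;
esac
```

Run audit after every new admin is created, and again after WordPress upgrades that touch profiles; an empty result means no administrator’s author URL or byline gives away a login name. The nickname the post also asks you to change lives in wp_usermeta (meta_key nickname) and is set from the profile page.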

If you have any questions or suggestions don’t hesitate to reach out to me!

CentOS 6.x on VMware Player: Part 5

Note these documents are subject to update, this one was last edited 04/26/2014

Part 5: Configuring Apache

  • Note that many things in this Apache configuration and later WordPress are dependent on configurations in previous parts of this series.
  • # cp -a /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
  • I would just download this httpd.conf; every line changed from the original is tagged with a #Change added comment, so you can easily diff it against your httpd.conf.orig.

httpd.conf unavailable currently

  • # mkdir /www/yourdomain.com
  • # chown apache /www/yourdomain.com
  • # chkconfig httpd on
  • # service httpd start
  • Fire up Firefox and browse your server, you should get the Apache Test Page.


  • # cat >> /www/yourdomain.com/index.html then type hello! and press ctrl-d on a blank line to end input and save the file.
  • # service httpd restart
  • Browse your server again and you should see a blank page with hello!
  • OK Configuring Apache is done for now but I do expect to update this substantially over time so be sure and check back. There are also still important configurations and setting up WordPress so please continue to Part 6.

If you have any questions or suggestions don’t hesitate to reach out to me!

Next: Part 6 – Installing WordPress