How to Set Up a LAMP server on Linode

Learn how to securely set up a basic LAMP server with CentOS, MySQL, and Apache on a Linode machine. By Chris Lowe.

Final Server Setup

By default, the server timezone is set to GMT; it’s up to you to set your local time zone.

Enter the following command:

tzselect

This launches the following text-based Timezone Select Tool:

[Screenshot: the tzselect Timezone Select Tool]

Simply answer the questions about your location one by one, and at the end of the process the server prompts you to confirm that the time is set up correctly.

Of course, you’ll want to have the latest and greatest versions of all software packages installed on your shiny new system.

Run the following command and accept the updates one by one as the system prompts you for confirmation:

yum update

yum is the gateway to package management and installation on CentOS. You should run the update command on a weekly or monthly basis to keep your system safe by eliminating known vulnerabilities in installed software packages.

Creating a Second User

Up to this point, you’ve been using root to perform all changes on your server. root is the super-admin account on your server and has permission to do anything and everything. This makes it really easy to configure your server, but it also makes it easy to do bad things and cause disaster down the road.

A tenet of good security is to use the lowest level of permissions possible for an action. This protects the system in case an account gets compromised. Hence, it’s a best practice to create a second user account for most tasks, and then to switch to the root user only when needed. This adds one more level of safety and security to your server.

Enter the following command:

adduser remote_user

This creates a new user with the name remote_user.

Next, enter the following command:

passwd remote_user

The passwd program both unlocks and sets a new password for the user. Just as you did when setting the root password while creating the server, make sure this password is complicated and difficult to guess or crack.

User accounts that are allowed to act as root have what are known as sudo permissions. The name comes from the program of the same name, which performs a temporary upgrade to your permissions to perform an action, and then returns to your ordinary permissions when you’re done.

Enter the following command at the prompt to start the text editor:

nano /etc/sudoers

Go about two-thirds of the way down the page and find a line that looks like root ALL=(ALL) ALL. Add the following line below that:

remote_user ALL=(ALL) ALL

Your file should look like the following:

[Screenshot: /etc/sudoers with the remote_user line added below the root line]

Save and close the file by hitting Control-X.

It’s time to say goodbye to your omnipotent days of using root and welcome the loving embrace of your newest user: remote_user. Log out of the Linode server by typing exit in Terminal.

Securing Your Server Connections

The next step to a more secure server experience is setting up an SSH key pair. This means the SSH connection knows who you are based on your secret key. The key is also protected with a passphrase which you’ll need to unlock your key.

Ensure that you’ve logged out of your Linode server and that you’re back to your local machine in Terminal.

The good news is that you may already have a key if you use SSH, or use a key to push to services like GitHub.

You can find out if you already have a key by executing the following command:

ls ~/.ssh/id_rsa*

If you see id_rsa and id_rsa.pub listed, then you’re all set! You can skip the next step of creating a key pair.

However, if you don’t see any files listed or get a “No such file or directory” error – you’ll need to create your own key.

Enter the following command at the shell prompt:

ssh-keygen

Hit Enter to save the files in the default location provided and be sure to use a good passphrase. A passphrase is much like a password, but as the name suggests, can be a phrase or sentence for extra security.

The above command creates two files in a hidden directory on your file system in ~/.ssh named id_rsa and id_rsa.pub. id_rsa.pub is your public key and can be given out freely. id_rsa is your private or secret key and it’s critical that you not share this file with anyone! As an extra line of defence, the private key is secured with the passphrase.

Now that your keys are generated, the next step is to let your Linode server know about the public key.

Enter the following command:

scp ~/.ssh/id_rsa.pub remote_user@127.0.0.1:

Replace the IP address above with the IP address of your server, and don’t forget about the colon at the end of the command. Usually after the colon you’d list the path to save the file, but if you leave it blank it will save the file in the user’s home directory.

scp stands for “secure copy” and copies the public key file to remote_user’s home directory.

Now reconnect to your server, but as your new user this time:

ssh remote_user@127.0.0.1

Again, fill in your server’s actual IP address instead of 127.0.0.1 above.

Enter the following commands to set up your key file on the server:

mkdir .ssh
mv id_rsa.pub .ssh/authorized_keys

Just as the key files on your computer were in the .ssh folder, the key files on the server need to live in a matching directory. mkdir stands for “make directory” and creates a new .ssh folder on your server.

mv moves the public key file you copied from your computer into authorized_keys, which contains a list of all the public keys that can be used to log in as this user. You can add more keys here later to allow other people to log in to this server.

Enter the command below:

chown -R remote_user:remote_user .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys

Here you ensure only the right people have access to the .ssh folder and its contents.

The first line uses chown (“change owner”) to recursively set the owner of all files in the .ssh folder to remote_user. The next two lines use chmod (“change mode”) to set the permissions on .ssh to only be accessible by remote_user, and likewise for the authorized_keys file.
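
To confirm the result of the three commands above, the following added example (not part of the original article) audits a .ssh directory against the modes this tutorial sets, and also flags a private key placed in authorized_keys by mistake. audit_ssh_dir is a hypothetical helper name, and the script assumes GNU stat as shipped on CentOS.

```shell
#!/bin/sh
# Added example, not from the original article. audit_ssh_dir is a hypothetical
# helper; it assumes GNU stat (stat -c), as shipped on CentOS.
# Returns 0 = matches the tutorial's settings, 1 = problems found, 2 = missing.
audit_ssh_dir() {
    dir="$1"; keys="$1/authorized_keys"; problems=0

    [ -d "$dir" ]  || { echo "MISSING: $dir"; return 2; }
    [ -f "$keys" ] || { echo "MISSING: $keys"; return 2; }

    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "BAD: $dir is mode $mode, expected 700"; problems=$((problems + 1))
    fi
    mode=$(stat -c '%a' "$keys")
    if [ "$mode" != "600" ]; then
        echo "BAD: $keys is mode $mode, expected 600"; problems=$((problems + 1))
    fi

    # chown -R should leave the directory and the key file with one owner.
    if [ "$(stat -c '%U' "$dir")" != "$(stat -c '%U' "$keys")" ]; then
        echo "BAD: $dir and $keys have different owners"; problems=$((problems + 1))
    fi

    # Only id_rsa.pub belongs here; a PEM header means a private key was uploaded.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$keys"; then
        echo "BAD: $keys contains a private key"; problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then echo "OK: $dir"; return 0; fi
    return 1
}

# Constructed demo on a throwaway directory (the key line is a made-up placeholder).
demo=$(mktemp -d)
mkdir "$demo/.ssh"
echo "ssh-rsa AAAAEXAMPLEONLY constructed@example" > "$demo/.ssh/authorized_keys"
chmod 755 "$demo/.ssh"; chmod 644 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo/.ssh" || true   # loose modes: two BAD lines
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo/.ssh" || true   # tutorial's modes
rm -rf "$demo"
```

On the server, run it as audit_ssh_dir ~/.ssh while logged in as remote_user.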

Note: For more details on Linux file permissions, check out the official documentation from Linux.org.

We made it through that section alive – there’s not much left to do!

Okay, here’s the acid test. Type exit in Terminal and log back in: you should no longer be prompted for your server password! As an added bonus, Keychain can save your passphrase, so simply logging into your server as the remote_user account will log you in automatically.

As you expand your server empire, you can just copy your public key to each server using the same method; that way, your single key and passphrase will give you access to all of your servers.
