How to Set Up a LAMP server on Linode

Learn how to securely set up a basic LAMP server with CentOS, MySQL, and Apache on a Linode machine. By Chris Lowe.

This is page 3 of 5 of the article.

Lock Down Remote Access

Log back in to your Linode server. Enter this command at the prompt:

sudo nano /etc/ssh/sshd_config

This step makes it more difficult for malicious users to find your server and make their way in.
Notice the sudo in front of the command: it tells the system to run that one command with temporarily elevated (root) privileges.

In this case, you’re opening a text editor to modify the SSH configuration file, which only the root user is allowed to do. Modify the file as instructed below:

  • Find the setting PasswordAuthentication and change it from yes to no. This disables password logins so everyone will need to log in with key pairs.
  • Find the setting #PermitRootLogin, remove the leading # character, then change the setting from yes to no. This prevents the root user from logging in to the server directly.
  • Find the line with #Port and remove the leading # character. Change the value from 22 to any value between 1025 and 65536; I chose 23456 as it’s easy to remember. This changes the default port to make it more difficult for strangers out there to find your server.
  • Go to the very bottom of the file and add the line AllowUsers remote_user. This explicitly tells the SSH service to let your user in (and, because AllowUsers is a whitelist, to refuse any account that is not listed).
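As an added illustration (not part of the original tutorial), the script below applies those four edits to a copy of sshd_config and checks the result, so you can see exactly what the file should contain before you reload. The port 23456 and user remote_user are the tutorial's sample values, and the input file is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the tutorial): apply the four sshd_config edits above
# to a copy of the file and verify them before reloading sshd.
# Assumptions: port 23456 and user remote_user are the tutorial's sample values;
# the input file below is a constructed sample so this runs offline. Point
# harden_sshd_config at /etc/ssh/sshd_config (with sudo) to do it for real.

# $1 = input sshd_config, $2 = hardened output. Uncomments and rewrites the three
# settings wherever they appear; a commented or an active line both get replaced.
harden_sshd_config() {
  sed -e 's/^#\{0,1\}[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' \
      -e 's/^#\{0,1\}[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
      -e 's/^#\{0,1\}[[:space:]]*Port[[:space:]].*/Port 23456/' \
      "$1" > "$2"
  # Append AllowUsers only once, so re-running the script does not stack lines.
  grep -q '^AllowUsers[[:space:]]' "$2" || printf 'AllowUsers remote_user\n' >> "$2"
}

# Prints every required setting that is missing from $1; returns 1 if any is.
check_sshd_config() {
  rc=0
  for want in 'PasswordAuthentication no' 'PermitRootLogin no' \
              'Port 23456' 'AllowUsers remote_user'; do
    grep -qx "$want" "$1" || { echo "MISSING: $want"; rc=1; }
  done
  return $rc
}

SAMPLE=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$SAMPLE" <<'EOF'
# constructed sample mirroring the CentOS defaults the tutorial edits
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
harden_sshd_config "$SAMPLE" "$SAMPLE.hardened"
check_sshd_config "$SAMPLE.hardened" && echo "hardened config looks right"
# On the real server, let sshd parse the result before reloading:
#   sudo sshd -t -f /etc/ssh/sshd_config
```

Running sshd -t before the reload is the cheap insurance the next step relies on: a typo in the file would otherwise surface only when your next login fails.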

Save and exit, then restart the SSH daemon to reload your configuration file as follows:

sudo /etc/init.d/sshd reload

To test that it works, open a new Terminal tab with Command-T (you want to keep your old tab open still logged in to the server, in case you made a typo with your SSH configuration). Then make sure that you can no longer log in as root by issuing the following command:

ssh -p 23456 root@127.0.0.1

Replace 127.0.0.1 with your server’s IP and 23456 with the port you chose, as usual. You should now get an error that says “Permission denied (publickey,gssapi-keyex,gssapi-with-mic).”

Now repeat this with the user that is allowed to log in with SSH:

ssh -p 23456 remote_user@127.0.0.1

Replace 127.0.0.1 with your server’s IP, and 23456 with the port you chose. If you successfully get in, your SSH is now locked down!

Setting up Your Firewall

Once you’ve taken care of server access, your next step is to set up a firewall to filter out undesirable network traffic such as bots and people trying to gain unauthorized access to your server. A tool called Fail2Ban lets you set up rules to ban undesirable network traffic from even talking to your server – the traffic your mother warned you about. :]

Execute the following command:

sudo system-config-firewall-tui

You could edit the firewall rules directly by hand, but it’s quite complicated and the wrong move can open your server to attacks — or worse, prevent you from logging in! system-config-firewall-tui is a little easier, as it’s a text-based interface. Use the tab and arrow keys to navigate and the space bar to toggle a selection – press once to select, press again to de-select.

The first screen has a fairly obvious option to enable the firewall, as shown below:

[Screenshot: Linode_Enabled_Firewall – the Firewall Configuration screen with the Enabled option]

Press the spacebar to select this option; you’ll see a * appear beside the option. Use the arrow keys to reach the Customize button and hit the spacebar again to select it.

Trusted Services

Select the following protocols to allow through the firewall:

  • IPSec – allows the IP Security protocol to authenticate/authorize certain connections
  • SSH – allows you to remote into your server (like you are doing now)
  • Secure WWW (HTTPS) – allows HTTPS traffic
  • WWW (HTTP) – allows HTTP traffic

As your server needs grow, you may revisit this list and allow other protocols through; for example, SMTP and IMAP/POP3 for email hosting, or DNS to run your own name server. Select Forward and move on to the next page.

Other Ports

Arrow over and select Add to add a custom port. Now that you have SSH running on port 23456, you need to tell the firewall to allow connections on that port — otherwise, you won’t be able to log in. Set the Port to 23456 and the Protocol to tcp like so:

[Screenshot: Linode_port_forward – the Other Ports dialog with Port 23456 and Protocol tcp]

Select OK to add the new custom port and then select Forward to the next page.

Trusted Interfaces

Because this is a fairly basic server setup for web hosting, you don’t need to expose any networks on the Trusted Interfaces screen. You’d typically allow eth+ if this server was going to act as a traffic filter or router for other servers on your network, but you don’t need to change anything for this tutorial. Select Forward to get to the next page.

Masquerading

The same is true for this screen – all options can be left blank. Masquerading lets multiple servers appear to be coming from one address (known as NAT, or Network Address Translation). Again, this is a simple server so you don’t need this. Forward on!

Port Forwarding

You won’t change anything on this page either but it’s important to know what this screen is for. You can add an entry on this page if you need to map one port to another.

Why would you do this? Well, say you have an application that only looks for an SSH connection on port 22, but you changed yours to 23456. With an entry on this page, you could map port 23456 to port 22: any traffic arriving on port 23456 would be redirected to port 22, and your application would work as expected.

You don’t need to set this up right now, so select Forward to move on.

ICMP Filter

The ICMP Filter page actually has something you’ll change! Yippee!

This screen lists several ICMP message types your server uses to communicate information about itself to the outside world. Enable the Destination Unreachable and Source Quench types; the first tells other hosts that your server is not available for communicating, and the second helps optimize bandwidth and is used by network routers to ask senders to speed up or slow down their data rates.

Select Forward from this screen and then Close. You’re returned back to the main screen, so hit OK and accept the warning about overriding Firewall rules.

Exit your SSH session and log in again to make sure your access is still OK with these new firewall rules.
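For reference, here is an added example (not the tutorial’s own file) of the iptables ruleset those TUI choices amount to, in the layout system-config-firewall writes to /etc/sysconfig/iptables on CentOS 6 (an assumption modelled on that format rather than copied from a live server), together with a check for the lock-out the tutorial warns about: the ACCEPT for your SSH port must come before the catch-all REJECT.

```shell
#!/bin/sh
# Added example, not from the tutorial. gen_rules emits the rules that the
# choices above (SSH on a custom port, HTTP, HTTPS, IPsec) boil down to,
# in the /etc/sysconfig/iptables layout system-config-firewall saves on
# CentOS 6 (assumption: modelled on that format, not copied from a live box).
gen_rules() {  # $1 = SSH port
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport $1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Lock-out check: returns 0 only if file $1 ACCEPTs tcp/$2 on INPUT *before*
# the first INPUT REJECT. iptables stops at the first matching rule, so an
# ACCEPT appended after the REJECT is dead and the reload would cut off SSH.
ssh_rule_reachable() {
  accept=$(grep -n -e "-A INPUT .*-p tcp --dport $2 -j ACCEPT" "$1" | head -n 1 | cut -d: -f1)
  reject=$(grep -n -e "-A INPUT -j REJECT" "$1" | head -n 1 | cut -d: -f1)
  [ -n "$accept" ] && [ -n "$reject" ] && [ "$accept" -lt "$reject" ]
}

GOOD=${TMPDIR:-/tmp}/iptables.good.$$
BAD=${TMPDIR:-/tmp}/iptables.bad.$$
gen_rules 23456 > "$GOOD"
# Constructed mistake: SSH left on 22 in the TUI, new port added by hand after REJECT.
gen_rules 22 | awk '/^COMMIT$/ { print "-A INPUT -m state --state NEW -m tcp -p tcp --dport 23456 -j ACCEPT" } { print }' > "$BAD"
ssh_rule_reachable "$GOOD" 23456 && echo "good: port 23456 is reachable"
ssh_rule_reachable "$BAD" 23456 || echo "bad: port 23456 rule sits after REJECT, you would be locked out"
```

The second file is the hand-edit mistake from above made concrete: the rule is present, but it never matches, which is why the tutorial has you log in again on a fresh tab before trusting the new rules.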

Whew – another piece finished!
