Building the Perfect Ubuntu 10.04 LAMP Server
This post details the steps required to set up and configure a LAMP server using Ubuntu 10.04 LTS. The server will have all of the normal features that everyone has come to expect.
Specifically, it will have the following features:
- Locales will be set properly.
- MySQL will be secured.
- MySQL Query Caching will be configured.
- Iptables will be configured (optional).
- Alternative PHP Cache (APC) will be installed and configured.
- Web directory permissions will be set.
- Virtual hosts will be created.
A couple of assumptions are made concerning this procedure:
- Ubuntu Server 10.04 LTS was used as the installation distribution.
- The only task chosen during the installation process was SSH server.
Initial Server Pre-LAMP Install Configuration
First, the root account should be enabled temporarily. It saves time and eliminates some annoyances. At the end of the procedure, the root account can be disabled and sudo can be used once again for all tasks.
To enable the root account, log into the account that was created during the install process, use the following command, and then enter a new password (choose something secure):
sudo passwd root
Log out and then log back in as root.
Distributions are constantly being updated. Therefore, the distribution should be updated to include all of the latest packages for performance and security reasons. Perform the following to update the system:
aptitude update
aptitude upgrade
Set the locales to the appropriate setting:
/usr/sbin/locale-gen en_US.UTF-8
/usr/sbin/update-locale LANG=en_US.UTF-8
Iptables Configuration (Optional)
Iptables is a software firewall. This server will only be listening on ports 22 (SSH), 80 (HTTP), and 443 (HTTPS). This is a fairly small attack surface, so a software firewall may be considered unnecessary. However, it is included here for completeness.
Iptables is installed by default on Ubuntu Server. Therefore, installing it via aptitude is not needed. To begin the configuration process, flush any current rules:
Now add the following rules via the command line:
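# Allow replies to connections this server initiated, and all loopback traffic
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow inbound SSH, HTTP and HTTPS
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport www -j ACCEPT
iptables -A INPUT -p tcp --dport https -j ACCEPT
# Allow all outbound traffic
iptables -A OUTPUT -j ACCEPT
# Log and then drop everything else; rules are evaluated in order, so LOG must precede the final DROP
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP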
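Iptables evaluates each chain from top to bottom and stops at the first terminating target, so the order of the -A commands decides which rules ever run. The following check is an added example, not part of the original post: the function name find_shadowed_rules and both sample rule lists are constructed for illustration, and it assumes a single table with one rule per line.

```sh
#!/bin/sh
# Added example (not from the original post): report iptables rules that can
# never match because an earlier rule in the same chain already terminates
# every packet. Assumes one table (filter) and one rule per input line.

# Reads "iptables -A CHAIN ..." commands or iptables-save "-A CHAIN ..." lines
# on stdin; prints "CHAIN: <rule>" for each unreachable rule.
find_shadowed_rules() {
    awk '
    {
        # Find the -A option; ignore lines that do not append a rule.
        a = 0
        for (i = 1; i <= NF; i++) if ($i == "-A") { a = i; break }
        if (a == 0 || a + 1 > NF) next
        chain = $(a + 1)

        # Rules after an unconditional terminating rule are dead.
        if (chain in closed) { print chain ": " $0; next }

        # Unconditional: exactly "-A CHAIN -j TARGET" with no match options.
        # LOG is deliberately absent: it does not stop chain traversal.
        if (NF == a + 3 && $(a + 2) == "-j" &&
            $(a + 3) ~ /^(ACCEPT|DROP|REJECT)$/)
            closed[chain] = 1
    }'
}

# Constructed sample: the LOG rule is appended after the catch-all DROP.
sample_shadowed() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -j LOG
EOF
}

# Constructed sample: same rules with LOG placed before the catch-all DROP.
sample_ordered() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT
EOF
}

sample_shadowed | find_shadowed_rules
```

The same function accepts the contents of a file written by iptables-save, since those lines also begin with -A CHAIN.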
Save the rules to a file in the /etc directory:
iptables-save > /etc/iptables.rules
Edit /etc/network/interfaces to include the following:
auto eth0
iface eth0 inet dhcp
    pre-up iptables-restore < /etc/iptables.rules
Depending on the number of packages that may have been updated in the previous section, a reboot may be in order. Additionally, a reboot will ensure that the iptables rules are restored properly. To view the currently active iptables rules, use the following:
To install the Apache 2 web server, issue the following command:
aptitude install apache2
Activate several commonly used modules:
a2enmod rewrite
a2enmod headers
a2enmod expires
Initiate an Apache restart to ensure that the modules are active:
If everything is working correctly, browsing to the server via its IP address should display a page stating that the server is working.
To install PHP5, perform the following command:
aptitude install php5 php5-curl php5-gd php5-mcrypt
To install APC:
aptitude install php-apc
To install MySQL, issue the following command:
aptitude install mysql-server mysql-client php5-mysql
During the install process, a prompt for a root password will be shown. Choose a secure root password.
Secure the MySQL installation using the following and choose the defaults for all of the prompts:
Add the following to the [mysqld] section of the /etc/mysql/my.cnf file:
[mysqld]
# Query Caching
query-cache-type = 1

# Default to InnoDB
default-storage-engine=innodb
Restart Apache and MySQL to ensure that all of the configuration changes are active:
service mysql restart
/etc/init.d/apache2 restart