Category Archives: Linux

How To Create a SSL Certificate on Apache for Ubuntu 14.04

Introduction

TLS, or transport layer security, and its predecessor SSL, secure sockets layer, are secure protocols created in order to place normal traffic in a protected, encrypted wrapper.

These protocols allow traffic to be sent safely between remote parties without the possibility of the traffic being intercepted and read by someone in the middle. They are also instrumental in validating the identity of domains and servers throughout the internet by establishing a server as trusted and genuine by a certificate authority.

In this guide, we’ll cover how to create a self-signed SSL certificate for Apache on an Ubuntu 14.04 server, which will allow you to encrypt traffic to your server. While this does not provide the benefit of third party validation of your server’s identity, it fulfills the requirements of those simply wanting to transfer information securely.

Note: You may want to consider using Let’s Encrypt instead of a self-signed certificate. Let’s Encrypt is a new certificate authority that issues free SSL/TLS certificates that are trusted in most web browsers. Check out the tutorial to get started: How To Secure Apache with Let’s Encrypt on Ubuntu 14.04

Prerequisites

Before you begin, you should have some configuration already taken care of.

We will be operating as a non-root user with sudo privileges in this guide. You can set one up by following steps 1-4 in our Ubuntu 14.04 initial server setup guide.

You are also going to need to have Apache installed. If you don’t already have that up and running, you can quickly fix that by typing:

sudo apt-get update
sudo apt-get install apache2

Step One — Activate the SSL Module

SSL support actually comes standard in the Ubuntu 14.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

sudo a2enmod ssl

After you have enabled SSL, you’ll have to restart the web server for the change to be recognized:

sudo service apache2 restart

With that, our web server is now able to handle SSL if we configure it to do so.

Step Two — Create a Self-Signed SSL Certificate

Let’s start off by creating a subdirectory within Apache’s configuration hierarchy to place the certificate files that we will be making:

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Let’s go over exactly what this means.

  • openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
  • req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
  • -x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
  • -nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
  • -days 365: This specifies that the certificate we are creating will be valid for one year.
  • -newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn’t create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
  • -keyout: This parameter names the output file for the private key file that is being created.
  • -out: This option names the output file for the certificate that we are generating.

When you hit “ENTER”, you will be asked a number of questions.

The most important item that is requested is the line that reads “Common Name (e.g. server FQDN or YOUR name)”. You should enter the domain name you want to associate with the certificate, or the server’s public IP address if you do not have a domain name.

The questions portion looks something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com

The key and certificate will be created and placed in your /etc/apache2/ssl directory.

Step Three — Configure Apache to Use SSL

Now that we have our certificate and key available, we can configure Apache to use these files in a virtual host file. You can learn more about how to set up Apache virtual hosts here.

Instead of basing our configuration file off of the 000-default.conf file in the sites-availablesubdirectory, we’re going to base this configuration on the default-ssl.conf file that contains some default SSL configuration.

Open the file with root privileges now:

sudo nano /etc/apache2/sites-available/default-ssl.conf

With the comments removed, the file looks something like this:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

This may look a bit complicated, but luckily, we don’t need to worry about most of the options here.

We want to set the normal things we’d configure for a virtual host (ServerAdmin, ServerName, ServerAlias, DocumentRoot, etc.) as well as change the location where Apache looks for the SSL certificate and key.

In the end, it will look something like this. The entries in red were modified from the original file:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin admin@example.com
        ServerName your_domain.com
        ServerAlias www.your_domain.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

Save and exit the file when you are finished.

Step Four — Activate the SSL Virtual Host

Now that we have configured our SSL-enabled virtual host, we need to enable it.

We can do this by typing:

sudo a2ensite default-ssl.conf

We then need to restart Apache to load our new virtual host file:

sudo service apache2 restart

This should enable your new virtual host, which will serve encrypted content using the SSL certificate you created.

Step Five — Test your Setup

Now that you have everything prepared, you can test your configuration by visiting your server’s domain name or public IP address after specifying the https:// protocol, like this:

https://server_domain_name_or_IP

You will get a warning that your browser cannot verify the identity of your server because it has not been signed by one of the certificate authorities that it trusts.

apache ssl warning

This is expected since we have self-signed our certificate. While our certificate will not validate our server for our users because it has had no interaction with a trusted certificate authority, it will still be able to encrypt communication.

Since this is expected, you can hit the “Proceed anyway” button or whatever similar option you have in your browser.

You will now be taken to content in the DocumentRoot that you configured for your SSL virtual host. This time your traffic is encrypted. You can check this by clicking on the lock icon in the menu bar:

apache ssl encrypted

You can see in the middle green section that the connection is encrypted.

Conclusion

You should now have SSL enabled on your website. This will help to secure communication between visitors and your site, but it will warn each user that the browser cannot verify the validity of the certificate.

If you are planning on launching a public site and need SSL, you will be better off purchasing an SSL certificate from a trusted certificate authority.

If you want to learn more about how to configure Apache, click here. Check out this link for more ideas on how to secure your Linux server.

How To Set Up a Basic Iptables Firewall on Centos 6

Intro

This article will show how to create a simple firewall on a Centos VPS. It will only open up ports that we want and close up other services. I will also show how to prevent simpler attacks, and how to let yourself back in to the VPS if you deny access to yourself by accident.

The tutorial is not by any means exhaustive and only shows how to open up a few incoming ports: for apache, SSH and email and close all the others. We will not be blocking any outgoing traffic, and only create a few most common rules to block the usual scripts and bots that look for vulnerable VPS.

iptables is a simple firewall installed on most linux distributions. The linux manual page for iptables says it is an administration tool for IPv4 packet filtering and NAT, which, in translation, means it is a tool to filter out and block Internet traffic. iptables firewall is included by default in Centos 6.4 linux images provided by DigitalOcean.

We will set up firewall one by one rule. To simplify: a firewall is a list of rules, so when an incomming connection is open, if it matches any of the rules, this rule can accept that connection or reject it. If no rules are met, we use the default rule.

Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, “iptables” only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called “ip6tables”, which can be used to maintain firewall rules for IPv6 network addresses.

If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS

Decide which ports and services to open

To start with, we want to know what services we want to open to public. Let’s use the typical web-hosting server: it is a web and email server, and we also need to let ourselves in by SSH server.

First, we want to leave SSH port open so we can connect to the VPS remotely: that is port 22.

Also, we need port 80 and 443 (SSL port) for web traffic. For sending email, we will open port 25 (regular SMTP) and 465 (secure SMTP). To let users receive email, we will open the usual port 110 (POP3) and 995 (secure POP3 port).

Additionally, we’ll open IMAP ports, if we have it installed: 143 for IMAP, and 993 for IMAP over SSL.Note: It is recommended to only allow secure protocols, but that may not be an option, if we cannot influence the mail service users to change their email clients.

Block the most common attacks

DigitalOcean VPSs usually come with the empty configuration: all traffic is allowed. Just to make sure of this, we can flush the firewall rules – that is, erase them all:

iptables -F

We can then add a few simple firewall rules to block the most common attacks, to protect our VPS from script-kiddies. We can’t really count on iptables alone to protect us from a full-scale DDOS or similar, but we can at least put off the usual network scanning bots that will eventually find our VPS and start looking for security holes to exploit. First, we start with blocking null packets.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

We told the firewall to take all incoming packets with tcp flags NONE and just DROP them. Null packetsare, simply said, recon packets. The attack patterns use these to try and see how we configured the VPS and find out weaknesses. The next pattern to reject is a syn-flood attack.

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Syn-flood attack means that the attackers open a new connection, but do not state what they want (ie. SYN, ACK, whatever). They just want to take up our servers’ resources. We won’t accept such packages. Now we move on to one more common pattern: XMAS packets, also a recon packet.

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

We have ruled out at least some of the usual patterns that find vulnerabilities in our VPS.

Open up ports for selected services

Now we can start adding selected services to our firewall filter. The first such thing is a localhost interface:

iptables -A INPUT -i lo -j ACCEPT

We tell iptables to add (-A) a rule to the incoming (INPUT) filter table any trafic that comes to localhost interface (-i lo) and to accept (-j ACCEPT) it. Localhost is often used for, ie. your website or email server communicating with a database locally installed. That way our VPS can use the database, but the database is closed to exploits from the internet.

Now we can allow web server traffic:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

We added the two ports (http port 80, and https port 443) to the ACCEPT chain – allowing traffic in on those ports. Now, let’s allow users use our SMTP servers:

iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

Like stated before, if we can influence our users, we should rather use the secure version, but often we can’t dictate the terms and the clients will connect using port 25, which is much more easier to have passwords sniffed from. We now proceed to allow the users read email on their server:

iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

Those two rules will allow POP3 traffic. Again, we could increase security of our email server by just using the secure version of the service. Now we also need to allow IMAP mail protocol:

iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

Limiting SSH access

We should also allow SSH traffic, so we can connect to the VPS remotely. The simple way to do it would be with this command:

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

We now told iptables to add a rule for accepting tcp traffic incomming to port 22 (the default SSH port). It is advised to change the SSH configuration to a different port, and this firewall filter should be changed accordingly, but configuring SSH is not a part of this article.

However, we could do one more thing about that with firewall itself. If our office has a permanent IP address, we could only allow connections to SSH from this source. This would allow only people from our location to connect.

First, find out your outside IP address. Make sure it is not an address from your LAN, or it will not work. You could do that simply by visiting the whatismyip.com site. Another way to find it out is to type:

w

in the terminal, we should see us logged in (if we’re the only one logged in’ and our IP address written down.

The output looks something like this:

root@iptables# w
 11:42:59 up 60 days, 11:21,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root   pts/0    213.191.xxx.xxx  09:27    0.00s  0.05s  0.00s w

Now, you can create the firewall rule to only allow traffic to SSH port if it comes from one source: your IP address:

iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT

Replace YOUR_IP_ADDRESS with the actuall IP, of course.

We could open more ports on our firewall as needed by changing the port numbers. That way our firewall will allow access only to services we want. Right now, we need to add one more rule that will allow us to use outgoing connections (ie. ping from VPS or run software updates);

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It will allow any established outgoing connections to receive replies from the VPS on the other side of that connection. When we have it all set up, we will block everything else, and allow all outgoing connections.

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

Now we have our firewall rules in place.

Save the configuration

Now that we have all the configuration in, we can list the rules to see if anything is missing.

iptables -L -n

The -n switch here is because we need only ip addresses, not domain names. Ie. if there is an IP in the rules like this: 69.55.48.33: the firewall would go look it up and see that it was a digitalocean.com IP. We don’t need that, just the address itself. Now we can finally save our firewall configuration:

iptables-save | sudo tee /etc/sysconfig/iptables

The iptables configuration file on CentOS is located at /etc/sysconfig/iptables. The above command saved the rules we created into that file. Just to make sure everything works, we can restart the firewall:

service iptables restart

The saved rules will persist even when the VPS is rebooted.

Flush to unlock yourself

If we made an accident in our configuration, we may have blocked ourselves from accessing the VPS. Perhaps we have put in the incorrect IP address so the firewall does not allow connections from our workstation. Now we can’t reach those rules, and if we saved them, even a restart won’t help us. Luckily, the DO web interface allowes us to connect to server via console:

Console

Once connected, we log in as root and issue the following command:

iptables -F

This will flush the filters, we’ll be able to get in the VPS again.

Conclusion

This article is not exhaustive, and it only scratched the surface of running a simple firewall on a linux machine. It will do enough for a typical web and email server scenario for a developer not familiar with linux command line or iptables.

However, a lot more could be done. There are good tutorials and samples on the internet to help us provide more robust configuration. For production environments, it would be advised to create a more detailed configuration or to have a security expert prepare the configuration.

Hopefully, the short instructions will provide basic security to new VPSs.

How To Use SFTP to Securely Transfer Files with a Remote Server

What is SFTP?

FTP, or “File Transfer Protocol” is a popular method of transferring files between two remote systems.

SFTP, which stands for SSH File Transfer Protocol, or Secure File Transfer Protocol, is a separate protocol packaged with SSH that works in a similar way over a secure connection. The advantage is the ability to leverage a secure connection to transfer files and traverse the filesystem on both the local and remote system.

In almost all cases, SFTP is preferable to FTP because of its underlying security features and ability to piggy-back on an SSH connection. FTP is an insecure protocol that should only be used in limited cases or on networks you trust.

Although SFTP is integrated into many graphical tools, this guide will demonstrate how to use it through its interactive command line interface.

How to Connect with SFTP

By default, SFTP uses the SSH protocol to authenticate and establish a secure connection. Because of this, the same authentication methods are available that are present in SSH.

Although passwords are easy to use and set up by default, we recommend you create SSH keys and transfer your public key to any system that you need to access. This is much more secure and can save you time in the long run.

Please see this guide to set up SSH keys in order to access your server if you have not done so already.

If you can connect to the machine using SSH, then you have completed all of the necessary requirements necessary to use SFTP to manage files. Test SSH access with the following command:

ssh username@remote_hostname_or_IP

If that works, exit back out by typing:

exit

We can establish an SSH connection and then open up an SFTP session using that connection by issuing the following command:

sftp username@remote_hostname_or_IP

You will connect the the remote system and your prompt will change to an SFTP prompt.

Getting Help in SFTP

The most useful command to learn first is the help command. This gives you access to a summary of the SFTP help. You can call it by typing either of these in the prompt:

help
?

This will a list of the available commands:

Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'
chgrp grp path                     Change group of file 'path' to 'grp'
chmod mode path                    Change permissions of file 'path' to 'mode'
chown own path                     Change owner of file 'path' to 'own'
df [-hi] [path]                    Display statistics for current directory or
                                   filesystem containing 'path'
exit                               Quit sftp
get [-Ppr] remote [local]          Download file
help                               Display this help text
lcd path                           Change local directory to 'path'
. . .

We will explore some of the commands you see in the following sections.

Navigating with SFTP

We can navigate through the remote system’s file hierarchy using a number of commands that function similarly to their shell counterparts.

First, let’s orient ourselves by finding out which directory we are in currently on the remote system. Just like in a typical shell session, we can type the following to get the current directory:

pwd
Remote working directory: /home/demouser

We can view the contents of the current directory of the remote system with another familiar command:

ls
Summary.txt     info.html       temp.txt        testDirectory

Note that the commands within the SFTP interface are not the normal shell commands and are not as feature-rich, but they do implement some of the more important optional flags:

ls -la
drwxr-xr-x    5 demouser   demouser       4096 Aug 13 15:11 .
drwxr-xr-x    3 root     root         4096 Aug 13 15:02 ..
-rw-------    1 demouser   demouser          5 Aug 13 15:04 .bash_history
-rw-r--r--    1 demouser   demouser        220 Aug 13 15:02 .bash_logout
-rw-r--r--    1 demouser   demouser       3486 Aug 13 15:02 .bashrc
drwx------    2 demouser   demouser       4096 Aug 13 15:04 .cache
-rw-r--r--    1 demouser   demouser        675 Aug 13 15:02 .profile
. . .

To get to another directory, we can issue this command:

cd testDirectory

We can now traverse the remote file system, but what if we need to access our local file system? We can direct commands towards the local file system by preceding them with an “l” for local.

All of the commands discussed so far have local equivalents. We can print the local working directory:

lpwd
Local working directory: /Users/demouser

We can list the contents of the current directory on the local machine:

lls
Desktop			local.txt		test.html
Documents		analysis.rtf		zebra.html

We can also change the directory we wish to interact with on the local system:

lcd Desktop

Transferring Files with SFTP

Navigating the remote and local filesystems is of limited usefulness without being able to transfer files between the two.

Transferring Remote Files to the Local System

If we would like download files from our remote host, we can do so by issuing the following command:

get remoteFile
Fetching /home/demouser/remoteFile to remoteFile
/home/demouser/remoteFile                       100%   37KB  36.8KB/s   00:01

As you can see, by default, the “get” command downloads a remote file to a file with the same name on the local file system.

We can copy the remote file to a different name by specifying the name afterwards:

get remoteFile localFile

The “get” command also takes some option flags. For instance, we can copy a directory and all of its contents by specifying the recursive option:

get -r someDirectory

We can tell SFTP to maintain the appropriate permissions and access times by using the “-P” or “-p” flag:

get -Pr someDirectory

Transferring Local Files to the Remote System

Transferring files to the remote system is just as easily accomplished by using the appropriately named “put” command:

put localFile
Uploading localFile to /home/demouser/localFile
localFile                                     100% 7607     7.4KB/s   00:00

The same flags that work with “get” apply to “put”. So to copy an entire local directory, you can issue:

put -r localDirectory
Note

There is currently a bug in the versions of OpenSSH shipped with current Ubuntu releases (at least 14.04 to 15.10) that prevents the above command from operating correctly. Upon issuing the command above to transfer content to a server using the buggy version of OpenSSH, the following error will be given: Couldn't canonicalise: No such file or directory.

To work around this issue, create the destination directory on the remote end first by typing mkdir localDirectory. Afterwards, the above command should complete without error.

One familiar tool that is useful when downloading and uploading files is the “df” command, which works similar to the command line version. Using this, you can check that you have enough space to complete the transfers you are interested in:

df -h
    Size     Used    Avail   (root)    %Capacity
  19.9GB   1016MB   17.9GB   18.9GB           4%

Please note, that there is no local variation of this command, but we can get around that by issuing the “!” command.

The “!” command drops us into a local shell, where we can run any command available on our local system. We can check disk usage by typing:

!
df -h
Filesystem      Size   Used  Avail Capacity  Mounted on
/dev/disk0s2   595Gi   52Gi  544Gi     9%    /
devfs          181Ki  181Ki    0Bi   100%    /dev
map -hosts       0Bi    0Bi    0Bi   100%    /net
map auto_home    0Bi    0Bi    0Bi   100%    /home

Any other local command will work as expected. To return to your SFTP session, type:

exit

You should now see the SFTP prompt return.

Simple File Manipulations with SFTP

SFTP allows you to perform the type of basic file maintenance that is useful when working with file hierarchies.

For instance, you can change the owner of a file on the remote system with:

chown userID file

Notice how, unlike the system “chmod” command, the SFTP command does not accept usernames, but instead uses UIDs. Unfortunately, there is no easy way to know the appropriate UID from within the SFTP interface.

An involved work around could be accomplished with:

get /etc/passwd
!less passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
. . .

Notice how instead of giving the “!” command by itself, we’ve used used it as a prefix for a local shell command. This works to run any command available on our local machine and could have been used with the local “df” command earlier.

The UID will be in the third column of the file, as delineated by colon characters.

Similarly, we can change the group owner of a file with:

chgrp groupID file

Again, there is no easy way to get a listing of the remote system’s groups. We can work around it with the following command:

get /etc/group
!less group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
. . .

The third column holds the ID of the group associated with name in the first column. This is what we are looking for.

Thankfully, the “chmod” command works as expected on the remote file system:

chmod 777 publicFile
Changing mode on /home/demouser/publicFile

There is no command for manipulating local file permissions, but you can set the local umask, so that any files copied to the local system will have the appropriate permissions.

That can be done with the “lumask” command:

lumask 022
Local umask: 022

Now all regular files downloaded (as long as the “-p” flag is not used) will have 644 permissions.

SFTP allows you to create directories on both local and remote systems with “lmkdir” and “mkdir” respectively. These work as expected.

The rest of the file commands target only the remote filesystem:

ln
rm
rmdir

These commands replicate the basic behavior of the shell versions. If you need to perform these actions on the local file system, remember that you can drop into a shell by issuing this command:

!

Or execute a single command on the local system by prefacing the command with “!” like so:

!chmod 644 somefile

When you are finished with your SFTP session, use “exit” or “bye” to close the connection.

bye

Conclusion

Although SFTP is a simple tool, it is very useful for administrating servers and transferring files between them.

If you are used to using FTP or SCP to accomplish your transfers, SFTP is a good way to leverage the strengths of both. While it is not appropriate for every situation, it is a flexible tool to have in your repertoire.

How To Install and Secure phpMyAdmin on Ubuntu 14.04

Introduction

While many users need the functionality of a database management system like MySQL, they may not feel comfortable interacting with the system solely from the MySQL prompt.

phpMyAdmin was created so that users can interact with MySQL through a web interface. In this guide, we’ll discuss how to install and secure phpMyAdmin so that you can safely use it to manage your databases on Ubuntu 14.04.

Note: phpMyAdmin can be installed automatically on your Droplet by adding this script to its User Data when launching it. Check out this tutorial to learn more about Droplet User Data.

Prerequisites

Before you get started with this guide, you need to have some basic steps completed.

First, we’ll assume that you are using a non-root user with sudo privileges, as described in steps 1-4 in theinitial server setup of Ubuntu 14.04.

We’re also going to assume that you’ve completed a LAMP (Linux, Apache, MySQL, and PHP) installation on your Ubuntu 14.04 server. If this is not completed yet, you can follow this guide on installing a LAMP stack on Ubuntu 14.04.

Once you are finished with these steps, you’re ready to get started with this guide.

Step One — Install phpMyAdmin

To get started, we can simply install phpMyAdmin from the default Ubuntu repositories.

We can do this by updating our local package index and then using the apt packaging system to pull down the files and install them on our system:

sudo apt-get update
sudo apt-get install phpmyadmin

This will ask you a few questions in order to configure your installation correctly.

Warning

When the first prompt appears, apache2 is highlighted, but not selected. If you do not hit “SPACE” to select Apache, the installer will not move the necessary files during installation. Hit “SPACE”, “TAB”, and then “ENTER” to select Apache.

  • For the server selection, choose apache2.
  • Select yes when asked whether to use dbconfig-common to set up the database
  • You will be prompted for your database administrator’s password
  • You will then be asked to choose and confirm a password for the phpMyAdmin application itself

The installation process actually adds the phpMyAdmin Apache configuration file into the/etc/apache2/conf-enabled/ directory, where it is automatically read.

The only thing we need to do is explicitly enable the php5-mcrypt extension, which we can do by typing:

sudo php5enmod mcrypt

Afterwards, you’ll need to restart Apache for your changes to be recognized:

sudo service apache2 restart

You can now access the web interface by visiting your server’s domain name or public IP address followed by /phpmyadmin:

http://domain_name_or_IP/phpmyadmin

phpmyadmin login screen

You can now log into the interface using the root username and the administrative password you set up during the MySQL installation.

When you log in, you’ll see the user interface, which will look something like this:

phpmyadmin user interface

Step Two — Secure your phpMyAdmin Instance

We were able to get our phpMyAdmin interface up and running fairly easily. However, we are not done yet. Because of its ubiquity, phpMyAdmin is a popular target for attackers. We need to secure the application to help prevent unauthorized use.

One of the easiest way of doing this is to place a gateway in front of the entire application. We can do this using Apache’s built-in .htaccess authentication and authorization functionalities.

Configure Apache to Allow .htaccess Overrides

First, we need to enable the use of .htaccess file overrides by editing our Apache configuration file.

We will edit the linked file that has been placed in our Apache configuration directory:

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

We need to add an AllowOverride All directive within the <Directory /usr/share/phpmyadmin>section of the configuration file, like this:

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All
    . . .

When you have added this line, save and close the file.

To implement the changes you made, restart Apache:

sudo service apache2 restart

Create an .htaccess File

Now that we have enabled .htaccess use for our application, we need to create one to actually implement some security.

In order for this to be successful, the file must be created within the application directory. We can create the necessary file and open it in our text editor with root privileges by typing:

sudo nano /usr/share/phpmyadmin/.htaccess

Within this file, we need to enter the following information:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

Let’s go over what each of these lines mean:

  • AuthType Basic: This line specifies the authentication type that we are implementing. This type will implement password authentication using a password file.
  • AuthName: This sets the message for the authentication dialog box. You should keep this generic so that unauthorized users won’t gain any information about what is being protected.
  • AuthUserFile: This sets the location of the password file that will be used for authentication. This should be outside of the directories that are being served. We will create this file shortly.
  • Require valid-user: This specifies that only authenticated users should be given access to this resource. This is what actually stops unauthorized users from entering.

When you are finished, save and close the file.

Create the .htpasswd file for Authentication

Now that we have specified a location for our password file through the use of the AuthUserFiledirective within our .htaccess file, we need to create this file.

We actually need an additional package to complete this process. We can install it from our default repositories:

sudo apt-get install apache2-utils

Afterward, we will have the htpasswd utility available.

The location that we selected for the password file was “/etc/phpmyadmin/.htpasswd“. Let’s create this file and pass it an initial user by typing:

sudo htpasswd -c /etc/phpmyadmin/.htpasswd username

You will be prompted to select and confirm a password for the user you are creating. Afterwards, the file is created with the hashed password that you entered.

If you want to enter an additional user, you need to do so without the -c flag, like this:

sudo htpasswd /etc/phpmyadmin/.htpasswd additionaluser

Now, when you access your phpMyAdmin subdirectory, you will be prompted for the additional account name and password that you just configured:

http://domain_name_or_IP/phpmyadmin

phpMyAdmin apache password

After entering the Apache authentication, you’ll be taken to the regular phpMyAdmin authentication page to enter your other credentials. This will add an additional layer of security since phpMyAdmin has suffered from vulnerabilities in the past.

Conclusion

You should now have phpMyAdmin configured and ready to use on your Ubuntu 14.04 server. Using this interface, you can easily create databases, users, tables, etc., and perform the usual operations like deleting and modifying structures and data.

To learn how to further secure your interactions with the server by encrypting your communication with SSL, check out our article on setting up SSL certificates with phpMyAdmin.

How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 14.04

Introduction

A “LAMP” stack is a group of open source software that is typically installed together to enable a server to host dynamic websites and web apps. This term is actually an acronym which represents the Linux operating system, with the Apache web server. The site data is stored in a MySQL database, and dynamic content is processed by PHP.

In this guide, we’ll get a LAMP stack installed on an Ubuntu 14.04 Droplet. Ubuntu will fulfill our first requirement: a Linux operating system.

Note: The LAMP stack can be installed automatically on your Droplet by adding this script to its User Data when launching it. Check out this tutorial to learn more about Droplet User Data.

Prerequisites

Before you begin with this guide, you should have a separate, non-root user account set up on your server. You can learn how to do this by completing steps 1-4 in the initial server setup for Ubuntu 14.04.

Step 1: Install Apache

The Apache web server is currently the most popular web server in the world, which makes it a great default choice for hosting a website.

We can install Apache easily using Ubuntu’s package manager, apt. A package manager allows us to install most software pain-free from a repository maintained by Ubuntu. You can learn more about how to use apt here.

For our purposes, we can get started by typing these commands:

sudo apt-get update
sudo apt-get install apache2

Since we are using a sudo command, these operations get executed with root privileges. It will ask you for your regular user’s password to verify your intentions.

Afterwards, your web server is installed.

You can do a spot check right away to verify that everything went as planned by visiting your server’s public IP address in your web browser (see the note under the next heading to find out what your public IP address is if you do not have this information already):

http://your_server_IP_address

You will see the default Ubuntu 14.04 Apache web page, which is there for informational and testing purposes. It should look something like this:

Ubuntu 14.04 Apache default

If you see this page, then your web server is now correctly installed.

How To Find your Server’s Public IP Address

If you do not know what your server’s public IP address is, there are a number of ways you can find it. Usually, this is the address you use to connect to your server through SSH.

From the command line, you can find this a few ways. First, you can use the iproute2 tools to get your address by typing this:

ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'

This will give you one or two lines back. They are both correct addresses, but your computer may only be able to use one of them, so feel free to try each one.

An alternative method is to use an outside party to tell you how it sees your server. You can do this by asking a specific server what your IP address is:

curl http://icanhazip.com

Regardless of the method you use to get your IP address, you can type it into your web browser’s address bar to get to your server.

Step 2: Install MySQL

Now that we have our web server up and running, it is time to install MySQL. MySQL is a database management system. Basically, it will organize and provide access to databases where our site can store information.

Again, we can use apt to acquire and install our software. This time, we’ll also install some other “helper” packages that will assist us in getting our components to communicate with each other:

sudo apt-get install mysql-server php5-mysql

Note: In this case, you do not have to run sudo apt-get update prior to the command. This is because we recently ran it in the commands above to install Apache. The package index on our computer should already be up-to-date.

During the installation, your server will ask you to select and confirm a password for the MySQL “root” user. This is an administrative account in MySQL that has increased privileges. Think of it as being similar to the root account for the server itself (the one you are configuring now is a MySQL-specific account however).

When the installation is complete, we need to run some additional commands to get our MySQL environment set up securely.

First, we need to tell MySQL to create its database directory structure where it will store its information. You can do this by typing:

sudo mysql_install_db

Afterwards, we want to run a simple security script that will remove some dangerous defaults and lock down access to our database system a little bit. Start the interactive script by running:

sudo mysql_secure_installation

You will be asked to enter the password you set for the MySQL root account. Next, it will ask you if you want to change that password. If you are happy with your current password, type “n” for “no” at the prompt.

For the rest of the questions, you should simply hit the “ENTER” key through each prompt to accept the default values. This will remove some sample users and databases, disable remote root logins, and load these new rules so that MySQL immediately respects the changes we have made.

At this point, your database system is now set up and we can move on.

Step 3: Install PHP

PHP is the component of our setup that will process code to display dynamic content. It can run scripts, connect to our MySQL databases to get information, and hand the processed content over to our web server to display.

We can once again leverage the apt system to install our components. We’re going to include some helper packages as well:

sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt

This should install PHP without any problems. We’ll test this in a moment.

In most cases, we’ll want to modify the way that Apache serves files when a directory is requested. Currently, if a user requests a directory from the server, Apache will first look for a file called index.html. We want to tell our web server to prefer PHP files, so we’ll make Apache look for an index.php file first.

To do this, type this command to open the dir.conf file in a text editor with root privileges:

sudo nano /etc/apache2/mods-enabled/dir.conf

It will look like this:

<IfModule mod_dir.c>
    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
</IfModule>

We want to move the PHP index file highlighted above to the first position after the DirectoryIndexspecification, like this:

<IfModule mod_dir.c>
    DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm
</IfModule>

When you are finished, save and close the file by pressing “CTRL-X”. You’ll have to confirm the save by typing “Y” and then hit “ENTER” to confirm the file save location.

After this, we need to restart the Apache web server in order for our changes to be recognized. You can do this by typing this:

sudo service apache2 restart

Install PHP Modules

To enhance the functionality of PHP, we can optionally install some additional modules.

To see the available options for PHP modules and libraries, you can type this into your system:

apt-cache search php5-

The results are all optional components that you can install. It will give you a short description for each:

php5-cgi - server-side, HTML-embedded scripting language (CGI binary)
php5-cli - command-line interpreter for the php5 scripting language
php5-common - Common files for packages built from the php5 source
php5-curl - CURL module for php5
php5-dbg - Debug symbols for PHP5
php5-dev - Files for PHP5 module development
php5-gd - GD module for php5
. . .

To get more information about what each module does, you can either search the internet, or you can look at the long description in the package by typing:

apt-cache show package_name

There will be a lot of output, with one field called Description-en which will have a longer explanation of the functionality that the module provides.

For example, to find out what the php5-cli module does, we could type this:

apt-cache show php5-cli

Along with a large amount of other information, you’ll find something that looks like this:

. . .
SHA256: 91cfdbda65df65c9a4a5bd3478d6e7d3e92c53efcddf3436bbe9bbe27eca409d
Description-en: command-line interpreter for the php5 scripting language
 This package provides the /usr/bin/php5 command interpreter, useful for
 testing PHP scripts from a shell or performing general shell scripting tasks.
 .
 The following extensions are built in: bcmath bz2 calendar Core ctype date
 dba dom ereg exif fileinfo filter ftp gettext hash iconv libxml mbstring
 mhash openssl pcntl pcre Phar posix Reflection session shmop SimpleXML soap
 sockets SPL standard sysvmsg sysvsem sysvshm tokenizer wddx xml xmlreader
 xmlwriter zip zlib.
 .
 PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used
 open source general-purpose scripting language that is especially suited
 for web development and can be embedded into HTML.
Description-md5: f8450d3b28653dcf1a4615f3b1d4e347
Homepage: http://www.php.net/
. . .

If, after researching, you decide you would like to install a package, you can do so by using the apt-get install command like we have been doing for our other software.

If we decided that php5-cli is something that we need, we could type:

sudo apt-get install php5-cli

If you want to install more than one module, you can do that by listing each one, separated by a space, following the apt-get install command, like this:

sudo apt-get install package1 package2 ...

At this point, your LAMP stack is installed and configured. We should still test out our PHP though.

Step 4: Test PHP Processing on your Web Server

In order to test that our system is configured properly for PHP, we can create a very basic PHP script.

We will call this script info.php. In order for Apache to find the file and serve it correctly, it must be saved to a very specific directory, which is called the “web root”.

In Ubuntu 14.04, this directory is located at /var/www/html/. We can create the file at that location by typing:

sudo nano /var/www/html/info.php

This will open a blank file. We want to put the following text, which is valid PHP code, inside the file:

<?php
phpinfo();
?>

When you are finished, save and close the file.

Now we can test whether our web server can correctly display content generated by a PHP script. To try this out, we just have to visit this page in our web browser. You’ll need your server’s public IP address again.

The address you want to visit will be:

http://your_server_IP_address/info.php

The page that you come to should look something like this:

Ubuntu 14.04 default PHP info

This page basically gives you information about your server from the perspective of PHP. It is useful for debugging and to ensure that your settings are being applied correctly.

If this was successful, then your PHP is working as expected.

You probably want to remove this file after this test because it could actually give information about your server to unauthorized users. To do this, you can type this:

sudo rm /var/www/html/info.php

You can always recreate this page if you need to access the information again later.

Conclusion

Now that you have a LAMP stack installed, you have many choices for what to do next. Basically, you’ve installed a platform that will allow you to install most kinds of websites and web software on your server.