Spinning up a new Virtual Machine

Most of my websites are low volume and so I host them on the same VPS at Linode. For a new project, I decided to put the websites on a separate VPS. I spent a day researching the current choices and you probably won’t go wrong with any of them. For me, it came down to either Linode (which I’ve been happy with) or Digital Ocean (which I’ve used for backups and helping my nephew learn programming). Since I don’t need a lot of space right now and I had a referral code, I decided to go with the $5/mo Digital Ocean plan.

Since I’m familiar with it, I installed Ubuntu 14.04.2 LTS with Apache, MySQL, and PHP. I have some customizations that I made to make it consistent with my current server.

Users, Permissions, and Groups

The first thing I did was log in as root and create a new user—me and add myself to the sudoer’s table.


   adduser myusername

There are a couple of ways to do this but for now I just added my user name directly instead of creating a sudoers group like I normally do.


    myusername ALL=(ALL:ALL) ALL

Without logging out of the root account, I logged in with my username and edited the /etc/ssh/sshd_config. This was a test to see whether I could log in as myself and that I could edit files owned by root using sudo. I then changed PermitRootLogin to no


    # Authentication:
    PermitRootLogin no

To get the changes to take effect, I restarted the SSH daemon with sudo service ssh restart.

I like to have a group that is able to edit all of the files in www. I call this different things on different machines, e.g. ‘staff’, ‘web-admin’, ‘www’. On this machine I’m using ‘www’.

If you type the command groups, you can see which groups you belong to. To add a new group you can edit the groups file or use these commands to add a group and add a member to a group.


    sudo groupadd www
    sudo usermod -a -G www myusername

Fail2ban

I don’t know how they find random IP addresses to attach, but 7 minutes after installing Fail2ban it banned the first site. Installation is straightforward. I didn’t make any customizations except to add my IP address and change the email address for notifications.


    sudo apt-get install fail2ban
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo vi /etc/fail2ban/jail.local
    sudo service fail2ban restart
    sudo iptables -L

Updating Apache

First, I updated my .profile as I described in an earlier post. Then I changed the default location for my web pages from /var/www/html to /srv/www. First I created a www directory in srv. Then made a symlink to it in root.

I want everyone in the web admin group to be able to edit the files so I ran sudo chown myusername:www www

I edited the /etc/apache2/apache2.conf file to change the default location to /www and prevent directory listing—I removed Indexes from Options.


    <Directory /www/*>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

I don’t want people to see the contents of my .inc files. Some people add the suffix .php to them to hide them, but I prefer to make them all invisible to browsers.


# We don't want people to see .inc files
<Files  ~ "\.inc$">
  Order allow,deny
  Deny from all
</Files>

I also don’t want people to see the Subversion files from my WordPress installs and backups from old projects that used Subversion (nowadays I use git).


Order deny,allow
Deny from all

And I don’t want anyone to see .git files, although best practice says don’t put them in document root.


Order deny,allow
Deny from all

Since I don’t have a domain name attached to this IP address, I added these lines to the bottom of the conf file.


    # Suppress the warning message when restarting Apache until we get a FQDN
    ServerName localhost

I have a couple of templates for websites so I put one in the www directory for testing. Then I changed the DocumentRoot in 000-default.conf to that directory and restarted Apache.

Miscellaneous

I don’t plan to use a database for these websites, but I decided to set up MySQL and PhpMyAdmin. I followed the instructions at Digital Ocean to change the root password and add myself as a user.

phpMyAdmin install is straightforward, except that you need to add this line:


Include /etc/phpmyadmin/apache.conf

to the end of your /etc/apache2/apache2.conf and restart Apache—even if you are running the latest version of Ubuntu LTS.

Then I installed git using the command sudo apt-get install git-core.

Finally, I often convert MySQL databases to SQLite databases for use in Apple Apps so I installed SQLite.


    apt-get install php5-sqlite
    sudo apt-get install sqlite3