The LAMP server used to be installed by default. For 18.04 and 20.04, the LAMP server can be installed as below.
$sudo apt install tasksel
$sudo tasksel install lamp-server
For 22.04, Apache, MySQL server and PHP get installed for the LAMP server as below.
$sudo apt install apache2
$sudo apt install mysql-server
$sudo apt install php libapache2-mod-php php-mysql
Update
It is often recommended to run sudo apt-get update and sudo apt-get upgrade before installing packages. You can run sudo unattended-upgrade for security updates.
Scripts
Some scripts help you automate maintenance along with crontab jobs. Here are a couple of useful scripts. This one fixes permission and ownership issues when more than one person is working on files in the web space.
#!/bin/bash
chown -R www-data:www-data /var/www
find /var/www -type f -exec chmod 664 {} ";"
find /var/www -type d -exec chmod 775 {} ";"
chmod 775 /var/www
MySQL can be backed up with the script below. You need to tweak it for your usage. This script performs a full backup on Sunday and an incremental backup on other days.
#!/bin/bash
# Single-database dump, kept for reference:
#mysqldump --database db-name --add-drop-table -u root -pPassword > /databasebackup/file-name.sql
if [ "`date +%A`" == "Sunday" ]; then
    # Sunday: full dump of all databases; rotate and purge the binary logs
    mysqldump -A -Y --flush-logs --delete-master-logs --master-data=2 --add-drop-table --lock-all-tables -uroot -pPassword > /databasebackup/file-name.sql
else
    # Other days: save the newest binary log as the incremental backup
    today=`date +%A`
    logno=`ls -d /var/log/mysql/mysql-bin.?????? | sed 's/^.*\.//' | sort -g | tail -n 1`
    mysqladmin -uroot -pPassword flush-logs
    mysqlbinlog /var/log/mysql/mysql-bin.$logno > /databasebackup/$today.sql
fi
Crontab
It is possible to create or edit a crontab job in your own account by typing crontab -e; sudo crontab -e creates crontab jobs in the root account. It will look like below.
# m h dom mon dow command
# */15 * * * * /scripts/server_mon
05 07 1 * * /scripts/set_www_perms
00 22 * * * /scripts/db_backup
Backup
My organization uses EMC NetWorker. So, this is how the client gets installed on your server for backup. First, the old client needs to be deleted.
$sudo dpkg -l | grep "lgt"
$sudo dpkg --remove lgtoclnt
$sudo rm -rf /nsr/
After deleting old client, the new client can be installed as below.
$sudo dpkg --configure -a
$sudo dpkg -i package_file.deb
$sudo apt-get -f install (to complete dependencies)
$sudo nsrexecd (This will create the /nsr directory)
$sudo kill `pidof nsrexecd`
$sudo vi /nsr/res/servers
your.org.backup.com
$sudo /etc/init.d/networker restart
$sudo systemctl restart networker
$sudo vi /.nsr
$sudo nsrports -S 7937-7941
Authentication
SSH password authentication can be enabled by editing /etc/ssh/sshd_config.
$sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
SSH public key authentication can be set up as follows. On your machine, run
$mkdir ~/.ssh
$chmod 700 ~/.ssh
$ssh-keygen -t rsa -b 4096
Transfer client key to host from your machine.
$ssh-copy-id <username>@<host>
Transfer client key after copying public key.
$cp authorized_keys authorized_keys_Backup
$cat id_rsa.pub >> authorized_keys
$sudo vi /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes
$sudo service ssh restart
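An added example (not part of the original notes) that checks which value sshd will actually use after sshd_config has been edited as above. sshd takes the first value it reads for each keyword, so a PasswordAuthentication no placed below an existing yes has no effect. The function names and the sample config are made up for this example.

```shell
#!/bin/bash
# Added example, not from the original page. Function names are made up here.
# sshd uses the FIRST value it reads for a keyword, so appending
# "PasswordAuthentication no" below an existing "yes" changes nothing.
# Limits: Include files are not followed; parsing stops at the first Match block.

# Print the first global value of keyword $1 in sshd config file $2.
sshd_first_value() {
    awk -v key="$1" '
        { sub(/^[ \t]+/, "") }                     # drop leading whitespace
        /^#/ || /^$/ { next }                      # skip comments and blanks
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }
        k == tolower(key) { print tolower(f[2]); exit }
    ' "$2"
}

# Succeed only if password logins are off and public-key logins are on.
# Unset keywords fall back to the OpenSSH default, which is "yes" for both.
sshd_key_only() {
    _pw=$(sshd_first_value PasswordAuthentication "$1")
    _pk=$(sshd_first_value PubkeyAuthentication "$1")
    [ "${_pw:-yes}" = "no" ] && [ "${_pk:-yes}" = "yes" ]
}

# Constructed sample: the stock "yes" was left in place and "no" appended.
sample_cfg=$(mktemp)
printf '%s\n' '#PubkeyAuthentication yes' 'PasswordAuthentication yes' \
    'UsePAM yes' 'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$sample_cfg"
if sshd_key_only "$sample_cfg"; then
    echo "key-only login"
else
    echo "password login still enabled: $(sshd_first_value PasswordAuthentication "$sample_cfg")"
fi
rm -f "$sample_cfg"
```

On a live server, sudo sshd -T prints the effective configuration, including anything pulled in through Include files.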
Firewall
It is possible to run a firewall locally on your server. UFW is the right tool for this job. Just make sure to open the ports you need first, especially the SSH port (22). Otherwise, you will be kicked out of your SSH connection when UFW is enabled.
$sudo ufw allow 22
$sudo ufw allow 80/tcp
$sudo ufw allow 443/tcp
$sudo ufw allow 7937:7941/tcp
$sudo ufw allow 3306
$sudo ufw allow 3306/tcp
$sudo ufw allow samba
$sudo ufw enable
$sudo ufw status
To Action From
-- ------ ----
22 ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
3306/tcp ALLOW Anywhere
8080/tcp ALLOW Anywhere
Samba ALLOW Anywhere
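An added example (not part of the original notes) that reads ufw status output and lists every rule that is open to Anywhere but is not on a list of services meant to be public, which is how rules such as 3306 or Samba stand out. The function name and the choice of public services are assumptions for this example; the sample input is the status output shown above.

```shell
#!/bin/bash
# Added example, not from the original page. Function names are made up here.
# List rules in `ufw status` output that ALLOW traffic from Anywhere but are
# not on the list of services meant to be public.
#   $1    = comma-separated "To" values that may be public, e.g. "22,80/tcp"
#   stdin = output of `sudo ufw status`
ufw_world_open() {
    awk -v public="$1" '
        BEGIN { n = split(public, p, ","); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        {
            a = 0
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") { a = i; break }
            if (!a) next                       # header, separator, non-ALLOW rules
            to = ""
            for (i = 1; i < a; i++)            # rebuild "To", dropping the (v6) tag
                if ($i != "(v6)") to = (to == "" ? $i : to " " $i)
            src = $(a + 1)
            if (src == "IN") src = $(a + 2)    # "ALLOW IN" form of verbose output
            if (src == "Anywhere" && !(to in ok) && !seen[to]++) print to
        }'
}

# The status output shown above, reused as sample input.
sample_status='To Action From
-- ------ ----
22 ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
3306/tcp ALLOW Anywhere
8080/tcp ALLOW Anywhere
Samba ALLOW Anywhere'

# Only SSH and the web ports are treated as intentionally public here.
printf '%s\n' "$sample_status" | ufw_world_open "22,80/tcp,443/tcp"
```

Anything it prints can be narrowed to a known source with a rule of the form sudo ufw allow from <address> to any port <port>.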
If your server is on AWS and it uses AWS Firewall, you can create a whitelist that allows requests to be sent through APIs. You can register any servers that need to talk to servers behind the firewall. First, log in to the AWS Console. Then, search for “AWS Firewall Manager”. Under “AWS WAF”, you can click “IP sets”.

After that you can Create IP set and Add IP address.

Adding User
You can create a user with the useradd command and add that user to the proper groups. It is also good to change the user’s main group to “www-data” if that user works as a web developer. It will cause fewer headaches with permission issues.
- $sudo useradd -s /bin/bash -m -c 'John Doe' -G www-data jdoe
- $sudo usermod -a -G sudo jdoe
- $sudo usermod -g www-data jdoe
Samba
If a file server is needed, Samba can be installed and used.
$sudo apt-get install samba
$sudo ufw allow samba
The configuration file can be found in /etc/samba/smb.conf.
[global]
server min protocol = LANMAN1
security = user
[SharedDir]
comment = Ubuntu File Server Share
path = /SharedDir
browsable = yes
guest ok = no
read only = no
create mask = 0755
valid users = jdoe
admin users = jdoe
The directory and users for Samba can be created as below.
$sudo mkdir -p /SharedDir
$sudo chown nobody:nogroup /SharedDir/
$sudo useradd -m -c 'John Doe' -G www-data jdoe
$sudo smbpasswd -a jdoe
$sudo service smbd restart
$sudo service nmbd restart
How to prevent Kernel update
The kernel gets updated automatically when updates are available. These automated updates can fill up the /boot partition pretty quickly. So, it might be necessary to hold updates.
$uname -r
Output: x.xx.x-xx-generic
$sudo apt-mark hold x.xx.x-xx-generic
PDF file handling
It is possible to merge PDF files with the pdfunite command.
$sudo apt-get update
$sudo apt-get install poppler-utils
$pdfunite source1.pdf source2.pdf merged_output.pdf
It is also possible to split PDF files with the qpdf command.
$sudo apt-get update
$sudo apt-get install qpdf
$qpdf --empty --pages infile.pdf 1-5 -- outfile.pdf
Postfix
Postfix can be secured to use TLS. I found it causes fewer bounce backs from receiving mail servers.
$sudo apt-get install libsasl2-modules
$sudo apt-get install postfix
$sudo vi /etc/postfix/main.cf
#smtp_use_tls = yes
#smtp_tls_security_level = encrypt
smtp_tls_security_level = may
smtp_tls_cert_file=/etc/ssl/certs/server.crt
smtp_tls_key_file=/etc/ssl/certs/server.key
#smtp_tls_key_file=/etc/ssl/private/server.key
# where to find CA certificates
smtp_tls_CAfile = /etc/ssl/certs/server-ca.crt
$sudo service postfix restart
Postfix can be tested as below after the configuration is changed.
$sudo apt install mailutils
$echo "body of your email" | mail -s "This is a Subject" -a "From: test@test.ca" test@test.ca
The Postfix "file too large" error can be fixed as below.
$sudo tail -f /var/log/mail.log
$postconf -d | grep size
$sudo postconf -e mailbox_size_limit=0
$sudo postconf -e message_size_limit=0
$sudo /etc/init.d/postfix restart
It is possible to configure Postfix to relay emails to a specific email server. However, I could not make it work. I am just leaving my attempts here.
$sudo apt-get install libsasl2-modules
$sudo apt-get install sasl2-bin
$sudo apt-get install postfix
$sudo vi /etc/postfix/sasl_passwd
bulkmail.test.ca user_name:password
[bulkmail.test.ca] user_name: password
[bulkmail.test.ca]:465 user_name: password
[bulkmail.test.ca]:587 user_name: password
$sudo chmod 400 /etc/postfix/sasl_passwd
$sudo postmap /etc/postfix/sasl_passwd
$sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
$sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
$sudo vi /etc/postfix/main.cf
# Enable STARTTLS encryption
smtp_tls_security_level = may
#smtp_use_tls = yes
#smtp_tls_security_level = encrypt
# where to find CA certificates
smtp_tls_cert_file=/etc/ssl/certs/server.crt
#smtp_tls_key_file=/etc/ssl/certs/server.key
smtp_tls_key_file=/etc/ssl/private/server.key
smtp_tls_CAfile = /etc/ssl/certs/server-ca.crt
# enable SASL authentication
relayhost = [bulkmail.test.ca]:587
# relayhost = [bulkmail.test.ca]:465
# relayhost = [bulkmail.test.ca]:submission
# smtp_tls_wrappermode = yes
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
#smtp_sasl_tls_security_options = noanonymous
# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
$sudo service postfix restart